https://DevOpsCloud.io -- Cloud Monk Losang Jinpa

Derivation: This single-packet attack was named for “land”, the program originally published by the cracker who invented this exploit. Perhaps that name was chosen because the inventor thought of multi-packet (i.e., flooding) attacks as arriving by sea.

([[Fair Use]] [[Source]]: [[RFC 4949])

Language of Temporal Ordering Specification (LOTOS)

(N) A language (ISO 8807-1990) for formal specification of computer network protocols; describes the order in which events occur.

([[Fair Use]] [[Source]]: [[RFC 4949])

lattice

(I) A finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound.

Example: A lattice is formed by a finite set S of security levels – i.e., a set S of all ordered pairs (x,c), where x is one of a finite set X of hierarchically ordered classification levels X(1), non-hierarchical categories C(1), …, C(M) – together with the “dominate” relation. Security level (x,c) is said to “dominate” (x',c') if and only if (a) x is greater (higher) than or equal to x' and (b) c includes at least all of the elements of c'. (See: dominate, lattice model.)

Tutorial: Lattices are used in some branches of cryptography, both as a basis for hard computational problems upon which cryptographic algorithms can be defined, and also as a basis for attacks on cryptographic algorithms.

([[Fair Use]] [[Source]]: [[RFC 4949])

lattice model

1. (I) A description of the semantic] [[structure formed by a finite set of security levels, such as those used in military organizations. (See: dominate, lattice, security model.)

Shirey Informational Page 180]

RFC 4949 Internet Security Glossary, Version 2 August 2007

2. (I) /formal model/ A model for flow control in a system, based on the lattice that is formed by the finite security levels in a system and their partial ordering. [Denn]

([[Fair Use]] [[Source]]: [[RFC 4949])

Law Enforcement Access Field (LEAF)

(N) A data item that is automatically embedded in data encrypted by devices (e.g., CLIPPER chip) that implement the Escrowed Encryption Standard.

([[Fair Use]] [[Source]]: [[RFC 4949])

Layer 1, 2, 3, 4, 5, 6, 7

(N) See: OSIRM.

([[Fair Use]] [[Source]]: [[RFC 4949])

Layer 2 Forwarding Protocol (L2F)

(N) An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user. (See: L2TP.)

([[Fair Use]] [[Source]]: [[RFC 4949])

Layer 2 Tunneling Protocol (L2TP)

(N) An Internet client-server protocol that combines aspects of PPTP and L2F and supports tunneling of PPP over an IP network or over frame relay or other switched network. (See: VPN.)

Tutorial: PPP can in turn encapsulate any OSIRM Layer 3 protocol. Thus, L2TP does not specify security services; it depends on protocols layered above and below it to provide any needed security.

([[Fair Use]] [[Source]]: [[RFC 4949])

LDAP

(I) See: Lightweight Directory Access Protocol.

([[Fair Use]] [[Source]]: [[RFC 4949])

least common mechanism

(I) The principle that a security architecture should minimize reliance on mechanisms that are shared by many users.

Tutorial: Shared mechanisms may include cross-talk paths that permit a breach of data security, and it is difficult to make a single mechanism operate in a correct and trusted manner to the satisfaction of a wide range of users.

([[Fair Use]] [[Source]]: [[RFC 4949])

least privilege

(I) The principle that a security architecture should be designed so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. (Compare: economy of mechanism, least trust.)

Shirey Informational Page 181]

RFC 4949 Internet Security Glossary, Version 2 August 2007

Tutorial: This principle tends to limit damage that can be caused by an accident, error, or unauthorized act. This principle also tends to reduce complexity and promote modularity, which can make certification easier and more effective. This principle is similar to the principle of protocol layering, wherein each layer provides specific, limited communication services, and the functions in one layer are independent of those in other layers.

([[Fair Use]] [[Source]]: [[RFC 4949])

least trust

(I) The principle that a security architecture should be designed in a way that minimizes (a) the number of components that require trust and (b) the extent to which each component is trusted. (Compare: least privilege, trust level.)

([[Fair Use]] [[Source]]: [[RFC 4949])

legacy system

(I) A system that is in operation but will not be improved or expanded while a new system is being developed to supersede it.

([[Fair Use]] [[Source]]: [[RFC 4949])

legal non-repudiation

(I) See: secondary definition under “non-repudiation”.

([[Fair Use]] [[Source]]: [[RFC 4949])

leap of faith

1. (I) /general security/ Operating a system as though it began operation in a secure state, even though it cannot be proven that such a state was established (i.e., even though a security compromise might have occurred at or before the time when operation began).

2. (I) /COMSEC/ The initial part, i.e., the first communication step, or steps, of a protocol that is vulnerable to attack (especially a man-in-the-middle attack) during that part but, if that part is completed without being attacked, is subsequently not vulnerable in later steps (i.e., results in a secure communication association for which no man-in-the-middle attack is possible).

Usage: This term is listed in English dictionaries, but their definitions are broad and can be interpreted in many ways in Internet contexts. Similarly, the definition stated here can be interpreted in several ways. Therefore, IDOCs that use this term (especially IDOCs that are protocol specifications) SHOULD state a more specific definition for it.

Tutorial: In a protocol, a leap of faith typically consists of accepting a claim of peer id[[entity, data origin, or data integrity without authenticating that claim. When a protocol includes such a step, the protocol might also be designed so that if a man-in- the-middle attack succeeds during the vulnerable first part, then the attacker must remain in the middle for all subsequent

Shirey Informational Page 182]

RFC 4949 Internet Security Glossary, Version 2 August 2007

exchanges or else one of the legitimate parties will be able to detect the attack.

([[Fair Use]] [[Source]]: [[RFC 4949])

level of concern

(N) /U.S. DoD/ A rating assigned to an information system that indicates the extent to which protective measures, techniques, and procedures must be applied. (See: critical, sensitive, level of robustness.)

([[Fair Use]] [[Source]]: [[RFC 4949])

level of robustness

(N) /U.S. DoD/ A characterization of (a) the strength of a security function, mechanism, service, or solution and (b) the assurance (or confidence) that it is implemented and functioning. [Cons, IATF] (See: level of concern.)

([[Fair Use]] [[Source]]: [[RFC 4949])

Liberty Alliance

(O) An international consortium of more than 150 commercial, nonprofit, and govern mental organizations that was created in 2001 to address technical, business, and policy problems of id[[entity and id[[entity-based Web services and develop a standard for federated network id[[entity that supports current and emerging network devices.

([[Fair Use]] [[Source]]: [[RFC 4949])

Lightweight Directory Access Protocol (LDAP)

(I) An Internet client-server protocol (RFC 3377) that supports basic use of the X.500 Directory (or other directory servers) without incurring the resource requirements of the full Directory Access Protocol (DAP).

Tutorial: Designed for simple management and browser applications that provide simple read/write interactive directory service. Supports both simple authentication and strong authentication of the client to the directory server.

([[Fair Use]] [[Source]]: [[RFC 4949])

link

1a. (I) A communication facility or physical medium that can sustain data communications between multiple network nodes, in the protocol layer immediately below IP. (RFC 3753)

1b. (I) /subnet work/ A communication channel connecting subnet work relays (especially one between two packet switches) that is implemented at OSIRM Layer 2. (See: link encryption.)

Tutorial: The relay computers assume that links are logically passive. If a computer at one end of a link sends a sequence of bits, the sequence simply arrives at the other end after a finite time, although some bits may have been changed either accidentally (errors) or by active wire tapping.

Shirey Informational Page 183]

RFC 4949 Internet Security Glossary, Version 2 August 2007

2. (I) /World Wide Web/ See: hyper link.

([[Fair Use]] [[Source]]: [[RFC 4949])

link encryption

(I) Stepwise (link-by-link) protection of data that flows between two points in a network, provided by encrypting data separately on each network link, i.e., by encrypting data when it leaves a host or subnet work relay and decrypting when it arrives at the next host or relay. Each link may use a different key or even a different algorithm. [R1455] (Compare: end-to-end encryption.)

([[Fair Use]] [[Source]]: [[RFC 4949])

liveness

(I) A property of a communication association or a feature of a communication protocol that provides assurance to the recipient of data that the data is being freshly transmitted by its originator, i.e., that the data is not being replayed, by either the originator or a third party, from a previous transmission. (See: fresh, nonce, replay attack.)

([[Fair Use]] [[Source]]: [[RFC 4949])

logic bomb

(I) Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources. (See: Trojan horse, virus, worm.)

([[Fair Use]] [[Source]]: [[RFC 4949])

login

1a. (I) An act by which a system entity establishes a session in which the entity can use system resources. (See: principal, session.)

1b. (I) An act by which a system user has its id[[entity authenticated by the system. (See: principal, session.)

Usage: Usually understood to be accomplished by providing an identifier and matching authentication information (e.g., a password) to a security mechanism that authenticates the user's id[[entity; but sometimes refers to establishing a connection with a server when no authentication or specific authorization is involved.

Derivation: Refers to “log” file, a security audit trail that records (a) security events, such as the beginning of a session, and (b) the names of the system entities that initiate events.