Network Security Glossary

Network security encompasses a dense vocabulary of technical standards, threat categories, architectural concepts, and regulatory terminology that practitioners, procurement officers, and researchers must navigate with precision. This glossary defines the foundational and advanced terms that appear across network security fundamentals, compliance frameworks, and vendor documentation. Each entry reflects usage as established by NIST, IETF, IEEE, and other named standards bodies. Accurate terminology is operationally significant — misapplied definitions drive misconfigured controls, failed audits, and exploitable gaps.


Definition and scope

A network security glossary functions as a controlled vocabulary reference for the discipline that governs the confidentiality, integrity, and availability of data in transit and at rest across interconnected systems. The scope spans physical layer protocols through application-layer controls, including the regulatory and compliance terminology mandated by frameworks such as NIST SP 800-53, ISO/IEC 27001, and the NIST Cybersecurity Framework (CSF).

Core term classifications:

  1. Architectural terms — concepts that define how a network is structured for security purposes (e.g., DMZ, segmentation, zero trust, microsegmentation)
  2. Protocol and encryption terms — standards governing how data is transmitted securely (e.g., TLS, IPsec, DNSSEC, SSH)
  3. Threat and attack terms — named categories of adversarial action (e.g., lateral movement, DDoS, MITM, botnet)
  4. Control and countermeasure terms — tools and mechanisms deployed to detect or prevent threats (e.g., IDS, IPS, SIEM, WAF, NAC)
  5. Regulatory and compliance terms — statutory and framework-derived designations (e.g., CUI, FedRAMP, CMMC, PCI DSS scope)

NIST's Computer Security Resource Center (CSRC) maintains the authoritative federal glossary for cybersecurity terminology, drawing on over 60 source documents. Definitions below align with NIST CSRC where applicable.


How it works

Network security terminology operates as a shared reference layer across three functional domains: technical implementation, risk governance, and regulatory compliance. A term used imprecisely across these domains — for example, conflating "vulnerability" with "threat" or "risk" — produces errors in risk assessments, audit reports, and architecture documentation.

Selected glossary entries (NIST CSRC-aligned unless otherwise noted); the key definitional pairs and distinctions between closely related terms are treated under Decision boundaries below:

Access Control List (ACL)
  A mechanism that implements access control for a system resource by enumerating the system entities that are authorized to access the resource.
  Source: NIST SP 800-53

Botnet
  A network of compromised computers (bots) controlled through a command-and-control (C2) channel to carry out coordinated attacks such as DDoS.
  Source: NIST CSRC

CIDR (Classless Inter-Domain Routing)
  An IP addressing and routing scheme that replaces class-based (A/B/C) addressing with variable-length prefixes written as address/prefix-length; 192.168.1.0/24 denotes the 256 addresses that share the first 24 bits, enabling more efficient allocation of address blocks.
  Source: IETF RFC 4632 (BCP 122)

DMZ (Demilitarized Zone)
  A network segment placed between an internal network and an untrusted external network to expose services without exposing the internal network directly.
  Source: NIST SP 800-41

Egress Filtering
  Filtering traffic leaving a network. Two distinct goals are often conflated: dropping outbound packets whose source address does not belong to the local prefix (the anti-spoofing filter that BCP 38 asks every network to apply at its own edge), and restricting outbound connections to block data exfiltration and command-and-control traffic (a firewall-policy practice described in NIST SP 800-41, not in BCP 38).
  Source: IETF BCP 38 (RFC 2827); NIST SP 800-41

Ingress Filtering
  Filtering inbound traffic at a network edge so that packets are dropped when their source address could not legitimately originate from the interface they arrived on. BCP 38 (RFC 2827) defines this anti-spoofing measure; BCP 84 (RFC 3704) extends it to multihomed networks with strict and loose reverse-path checks.
  Source: IETF RFC 2827 (BCP 38); RFC 3704 (BCP 84)

Lateral Movement
  Techniques by which an adversary progressively moves through a network after initial access to reach high-value targets; catalogued as tactic TA0008 in MITRE ATT&CK.
  Source: MITRE ATT&CK Framework

Microsegmentation
  Granular network segmentation applied at the workload level using software-defined policies, so that subnet or VLAN membership alone grants no access.
  Source: NIST SP 800-207

NAC (Network Access Control)
  A set of policies controlling device access to network resources based on compliance posture, identity, and context; IEEE 802.1X provides the port-based authentication on which most NAC deployments are built.
  Source: IEEE 802.1X; NIST SP 800-53

SIEM (Security Information and Event Management)
  A platform aggregating and correlating log data from network sources to detect anomalous events in near-real time.
  Source: NIST SP 800-92

TLS (Transport Layer Security)
  A cryptographic protocol providing communications security over a network; TLS 1.3 (IETF RFC 8446) is the current version, and TLS 1.0 and 1.1 are formally deprecated by RFC 8996.
  Source: IETF RFC 8446; RFC 8996

Zero Trust
  A security model assuming no implicit trust for any user or device inside or outside the network perimeter; every access request is evaluated against policy.
  Source: NIST SP 800-207
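The ingress and egress entries above describe filters over CIDR prefixes, and the strict/loose distinction only becomes concrete once you see which packets each one admits. The following is an added example written for this page, not text or code from BCP 38 or BCP 84: the interface layout, prefixes and packet trace are constructed for illustration, and the "own addresses from outside" rule in the loose check is the separate anti-spoofing rule firewall guidance such as NIST SP 800-41 recommends, not part of loose reverse-path checking itself.

```python
"""Added example (not from BCP 38/84): strict and loose anti-spoofing ingress
checks plus an egress check, expressed over CIDR prefixes.
Interface layout, prefixes and the packet trace are constructed."""
import ipaddress
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network

# Hypothetical edge router: each interface lists the prefixes that may
# legitimately source packets arriving on it (for the uplink, the prefix
# learned from upstream; a real router would consult its full routing table).
INTERFACES: Dict[str, List[IPNet]] = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],  # customer access link
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],     # our own site LAN
    "upl0": [ipaddress.ip_network("198.51.100.0/24")],  # route learned via upstream
}
ROUTED = [net for nets in INTERFACES.values() for net in nets]  # routing table, minus default
OUR_PREFIXES = INTERFACES["lan0"]


def ingress_strict(iface: str, src: str) -> bool:
    """BCP 38 strict check: accept only if src lies in a prefix bound to the
    arrival interface. Breaks on asymmetric routing, hence the loose mode."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERFACES.get(iface, []))


def ingress_loose(iface: str, src: str) -> bool:
    """BCP 84 loose check: accept if src is reachable via any routed prefix.
    Added separately: never accept one of our own addresses arriving on an
    outside-facing interface (classic spoofing/reflection against ourselves)."""
    ip = ipaddress.ip_address(src)
    if iface != "lan0" and any(ip in net for net in OUR_PREFIXES):
        return False
    return any(ip in net for net in ROUTED)


def egress_allowed(src: str) -> bool:
    """Egress anti-spoofing at our own border: a packet leaving lan0 must carry
    one of our addresses as source; anything else is spoofed or mis-forwarded."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OUR_PREFIXES)


# Constructed trace: (direction, interface, source address)
TRACE: List[Tuple[str, str, str]] = [
    ("in", "cust0", "203.0.113.7"),   # legitimate customer packet
    ("in", "cust0", "198.51.100.9"),  # customer spoofing some other network
    ("in", "cust0", "192.0.2.5"),     # customer spoofing one of OUR hosts
    ("in", "upl0", "198.51.100.9"),   # ordinary traffic from upstream
    ("in", "upl0", "192.0.2.5"),      # outside packet claiming our address
    ("out", "lan0", "192.0.2.10"),    # our host, legitimate
    ("out", "lan0", "203.0.113.7"),   # our host spoofing the customer
]


def evaluate(trace: List[Tuple[str, str, str]], mode: str = "strict") -> List[Tuple[str, str, str]]:
    """Return (interface, source, decision) for each packet under the chosen
    ingress mode; egress packets always go through egress_allowed()."""
    check = ingress_strict if mode == "strict" else ingress_loose
    out = []
    for direction, iface, src in trace:
        ok = egress_allowed(src) if direction == "out" else check(iface, src)
        out.append((iface, src, "allow" if ok else "drop"))
    return out


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(TRACE, mode))
```

The loose run is the instructive one: the customer packet spoofing 198.51.100.9 is admitted because that prefix is routed somewhere, which is exactly the trade-off BCP 84 accepts for multihomed links, while the packet claiming one of our own addresses is still dropped by the separate rule.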

Common scenarios

Terminology confusion most frequently surfaces in four operational contexts:

  1. Audit and compliance documentation — Auditors under frameworks such as FedRAMP, CMMC 2.0, or PCI DSS 4.0 apply precise definitional standards. A control described as providing "encryption" when it delivers only encoding (a non-keyed, trivially reversible transformation such as Base64) fails audit review.
  2. Incident response reporting — CISA's Federal Incident Notification Guidelines require reporting agencies to identify an incident's attack vector (e.g., web, email/phishing, impersonation/spoofing, improper usage) and rate its functional, information, and recoverability impact; the older category scheme (denial of service, unauthorized access, malicious code) was retired. Misclassification delays escalation timelines.
  3. RFP and procurement language — Vendors and buyers operating in the network security sector attach contract performance obligations to specific terms. "Next-generation firewall" (NGFW) implies application-layer inspection and identity-based policy — a specification with distinct functional requirements beyond a stateful firewall.
  4. Network architecture design reviews — Architecture review boards at federal agencies follow terminology from NIST SP 800-160 and CNSSI 4009. A proposal using "segmentation" to describe what is technically "isolation" can result in inadequate control approval.

Decision boundaries

Selecting the precise term requires understanding the boundary conditions that differentiate closely related concepts:

Segmentation vs. Isolation vs. Microsegmentation:
Network segmentation divides a network into logical zones using VLANs or subnets, with traffic between zones filtered by ACLs or firewalls and traffic within a zone typically unfiltered; isolation prevents all communication between zones (an air gap, or a deny-all policy with no permitted flows); microsegmentation enforces policy at the individual workload or process level, so two hosts on the same subnet are still subject to policy. NIST SP 800-207 (Zero Trust Architecture) treats micro-segmentation as one of its zero trust deployment approaches, alongside enhanced identity governance and software-defined perimeters, not as a synonym for VLAN-based segmentation.
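The practical difference between the three terms is which flows each model lets through. The following added example (hypothetical zones, workload labels and rules; not code from NIST SP 800-207 or from any product) evaluates the same east-west flows under a subnet-level rule set and under a workload-identity rule set, including the lateral-movement case that VLAN segmentation cannot express.

```python
"""Added example (hypothetical zones, workloads and rules; not from NIST SP
800-207): the same east-west flows evaluated under subnet-level segmentation
and under workload-identity microsegmentation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


# --- Segmentation: zones are subnets, rules are between zones (a VLAN ACL).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
}
ZONE_RULES = {("web", "app", 8080), ("app", "db", 5432)}
INTRA_ZONE_OPEN = True  # hosts on one VLAN reach each other without any ACL


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)


def zone_policy(f: Flow) -> bool:
    """Allow if the flow is intra-zone, or matches a zone-to-zone rule."""
    s, d = zone_of(f.src_ip), zone_of(f.dst_ip)
    if s is None or d is None:
        return False
    if s == d:
        return INTRA_ZONE_OPEN
    return (s, d, f.dport) in ZONE_RULES


# --- Microsegmentation: policy keyed on workload identity, default deny,
# enforced per workload, so subnet membership grants nothing by itself.
WORKLOADS: Dict[str, str] = {
    "10.1.0.10": "web-frontend",
    "10.1.0.11": "web-frontend",
    "10.2.0.10": "orders-api",
    "10.3.0.10": "orders-db",
}
MICRO_RULES = {("web-frontend", "orders-api", 8080), ("orders-api", "orders-db", 5432)}


def micro_policy(f: Flow) -> bool:
    """Allow only if both endpoints have a known identity and a rule names
    that identity pair and port; unknown workloads fall into default deny."""
    s, d = WORKLOADS.get(f.src_ip), WORKLOADS.get(f.dst_ip)
    return s is not None and d is not None and (s, d, f.dport) in MICRO_RULES


def compare(flows: Iterable[Flow]) -> Dict[Tuple[str, str, int], Tuple[bool, bool]]:
    """Map each flow to (allowed_by_segmentation, allowed_by_microsegmentation)."""
    return {(f.src_ip, f.dst_ip, f.dport): (zone_policy(f), micro_policy(f)) for f in flows}


# Constructed flows: the intended request path plus an attacker who owns 10.1.0.10.
FLOWS = [
    Flow("10.1.0.10", "10.2.0.10", 8080),  # web -> api, intended
    Flow("10.2.0.10", "10.3.0.10", 5432),  # api -> db, intended
    Flow("10.1.0.10", "10.1.0.11", 22),    # lateral move to a peer on the same VLAN
    Flow("10.1.0.10", "10.3.0.10", 5432),  # web straight to db
    Flow("10.1.0.99", "10.2.0.10", 8080),  # rogue host plugged into the web VLAN
]

if __name__ == "__main__":
    for key, (seg, micro) in compare(FLOWS).items():
        print(key, "segmentation:", seg, "microsegmentation:", micro)
```

Two rows carry the point: the SSH hop between the two web hosts and the rogue host on the web VLAN are both permitted by subnet rules, because position on the network is the only identity a VLAN ACL has, and both are denied by workload-level policy.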

Encryption at rest vs. encryption in transit:
Data at rest encryption protects stored data on disk or media and is only as strong as the key management that keeps keys separate from the data they protect; encryption in transit protects data moving across network links, typically with TLS or IPsec. Regulatory frameworks including the HIPAA Security Rule (45 CFR §164.312(a)(2)(iv) encryption and decryption; §164.312(e)(2)(ii) transmission security) and PCI DSS (Requirement 3 for stored account data; Requirement 4 for transmission over open, public networks) address these as separate technical safeguard categories, so a control that satisfies one does not satisfy the other.

Vulnerability vs. Exposure vs. Finding:
In the context of network vulnerability scanning, a vulnerability is a weakness in a system, its procedures, controls, or implementation that a threat source could exploit (NIST SP 800-53, CNSSI 4009); a CVE identifier is assigned to publicly disclosed vulnerabilities, but a weakness without a CVE is still a vulnerability. An exposure, in the sense CVE originally gave the word, is a configuration or state (an open service, a readable file, a default account) that is not itself a flaw but gives an attacker information or a foothold. A finding is the output of a specific scan or assessment: a detected instance of a vulnerability or exposure on a particular asset at a particular time, which may still be a false positive. The Common Vulnerability Scoring System (CVSS), maintained by FIRST.org, scores vulnerabilities, not findings: the Base score is computed from the vector string, and an organization re-scores for its own assets with the Temporal and Environmental metrics (v3.1) rather than inheriting the published number.

Active vs. Passive network security monitoring:
Active monitoring injects traffic (e.g., synthetic transactions, ping sweeps, authenticated scans) to assess state; passive monitoring captures and analyzes existing traffic from taps, SPAN ports, or flow export without generating additional packets. The distinction carries implications for network security monitoring operational policy (active probes show up in the monitored systems' logs and can trip their defenses) and for network performance impact.

Stateful inspection vs. deep packet inspection (DPI):
Stateful inspection tracks connection state at the transport layer (Layer 4): the firewall records the 4-tuple (and, for TCP, the handshake state) of each connection so that inbound packets are admitted only when they belong to a connection initiated in a permitted direction; it never looks at what the connection carries. DPI examines packet payload at the application layer (Layer 7). DPI enables application identification independent of port number and content filtering, but introduces latency and privacy considerations (and, for TLS, requires interception with a proxy certificate trusted by the clients) that must be addressed in organizational policy.
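The cleanest way to see the boundary between the two is a trace where the stateful layer is satisfied and only the payload gives the game away. The following added example (constructed packets and a deliberately minimal model, not a real firewall: no sequence-number tracking, no TCP state machine beyond the initial SYN) runs a Layer-4 filter and a payload-identification step over the same packets.

```python
"""Added example (constructed packets, not a real firewall): a stateful L4
filter that tracks 4-tuples and flags, next to a DPI step that checks the
payload really is the application expected on the server port."""
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE_PREFIX = "10.0.0."  # hypothetical internal network
PORT_TO_APP = {80: "http", 443: "tls", 22: "ssh"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags as letters: "S", "SA", "A"
    payload: bytes = b""


class StatefulFilter:
    """Layer-4 policy: inside hosts may open connections; packets from outside
    are accepted only when they answer a connection already in the table."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Pkt) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.src.startswith(INSIDE_PREFIX):
            if p.flags == "S":                 # new outbound connection
                self.table.add(key)
                return "allow"
            return "allow" if key in self.table else "drop"
        reverse = (p.dst, p.dport, p.src, p.sport)
        return "allow" if reverse in self.table else "drop"


def identify_app(payload: bytes) -> str:
    """Layer-7 identification from the first bytes, independent of port."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"                           # TLS record header: handshake, version 3.x
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"HTTP/") or payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def dpi_decide(p: Pkt, l4_decision: str) -> str:
    """DPI only sees traffic the stateful layer admitted; it drops payloads
    whose application does not match the server port (tunnelling or protocol
    smuggling over an open port). Empty segments pass through unchanged."""
    if l4_decision == "drop" or not p.payload:
        return l4_decision
    server_port = p.dport if p.src.startswith(INSIDE_PREFIX) else p.sport
    expected = PORT_TO_APP.get(server_port)
    seen = identify_app(p.payload)
    return "allow" if expected is None or seen == expected else "drop"


def run(trace: List[Pkt]) -> List[Tuple[str, str]]:
    """Return (stateful decision, DPI decision) per packet, in order."""
    fw = StatefulFilter()
    out = []
    for p in trace:
        l4 = fw.decide(p)
        out.append((l4, dpi_decide(p, l4)))
    return out


# Constructed trace: an inside client talks to 203.0.113.5:80, then the
# server side starts speaking SSH inside the established "HTTP" connection.
TRACE = [
    Pkt("10.0.0.5", 40000, "203.0.113.5", 80, "S"),                              # SYN out
    Pkt("203.0.113.5", 80, "10.0.0.5", 40000, "SA"),                             # SYN-ACK back
    Pkt("10.0.0.5", 40000, "203.0.113.5", 80, "A", b"GET / HTTP/1.1\r\n"),       # request
    Pkt("203.0.113.5", 80, "10.0.0.5", 40000, "A", b"HTTP/1.1 200 OK\r\n"),      # response
    Pkt("203.0.113.5", 80, "10.0.0.5", 40000, "A", b"SSH-2.0-OpenSSH_9.6\r\n"),  # SSH on port 80
    Pkt("198.51.100.7", 4444, "10.0.0.5", 22, "S"),                              # unsolicited inbound SYN
]

if __name__ == "__main__":
    for p, (l4, l7) in zip(TRACE, run(TRACE)):
        print(p.src, "->", p.dst, p.dport, p.payload[:12], "L4:", l4, "DPI:", l7)
```

The fifth packet is the whole distinction in one line: it belongs to an established connection, so the stateful filter has no reason to drop it, and only an inspector that reads the bytes notices that what arrives on port 80 is not HTTP.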

For comprehensive compliance terminology across frameworks, the network security compliance frameworks reference covers NIST CSF, ISO 27001, CIS Controls, and sector-specific regulations including NERC CIP for operational technology environments.

