Glossary


access control list (ACL)

A method that limits the use of a resource to authorized entities.



Address Resolution Protocol (ARP)

A protocol that translates IP addresses to physical Ethernet addresses.



aggregation switch

A switch that you use to combine multiple traffic flows into a single flow. This single traffic flow can then be analyzed by your intrusion devices running in promiscuous mode. An aggregation switch is commonly used in conjunction with a network tap.



anomaly signature

A signature that triggers when a defined normal level is exceeded (for example, exceeding a defined amount of Internet Control Message Protocol [ICMP] traffic on the network).



atomic signature

A signature that triggers on the contents of a single packet or event. The entire attack signature for an atomic signature occurs in a single packet or event and does not require an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) to maintain state.



authentication

The verification of a person's or process' identity.



behavior-based signature

A signature that triggers on traffic that deviates from what is considered normal (for example, an e-mail application invoking the command.com executable).



block signature action

Causes the IDS/IPS sensor to have another device (the managed device) apply an ACL that blocks the offending traffic.



buffer

A portion of computer memory that temporarily stores data.



Cisco Security Agent (CSA)

A software agent that runs on a host and prevents attacks against the host from malicious applications.



client-server architecture

An architecture in which multiple client systems access applications that run on a single server system.



content-addressable memory (CAM) table

Maintains a mapping between Ethernet MAC addresses and the switch port on which that traffic was observed.



day zero attack

An attack that appears in the wild before the vulnerability it exploits is publicly known or a fix is available.



demilitarized zone (DMZ)

A network segment that a firewall only partially protects: the systems placed in the DMZ (such as public web or mail servers) remain reachable from external systems, while the firewall keeps those external systems away from the internal protected network.



denial-of-service (DoS)

A situation in which the goal of the attack is to prevent regular users from accessing a specific resource or application.



distributed denial-of-service (DDoS)

Results when an attacker directs thousands of zombie systems at a single target system or network at the same time.



drop signature action

Occurs when an inline sensor, after analyzing a packet, discards it instead of forwarding it out its other interface. Only an inline sensor can drop traffic; a sensor in promiscuous mode never forwards the traffic it sees.



encryption

Process whereby data is coded so that unauthorized people or processes cannot understand it.



EtherChannel

A functionality that some Cisco switches provide that bundles multiple physical links into a single logical link so that traffic can be load balanced across the member links and the bundle survives the failure of one member.



event correlation

The process of combining the individual events or alerts seen across the network (by time, source and destination, and so on) into a complete picture of the attacks that are occurring.



event horizon

The maximum amount of time over which you can successfully detect an attack signature.



exploit

A piece of software that takes advantage of a system vulnerability. The result of an exploit can include a DoS, a system compromise, or the theft of data.



false negative

A situation in which an intrusion system fails to generate an alert or alarm after processing attack traffic that it is configured to detect.



false positive

A situation in which an intrusion system generates an alert or alarm after processing normal user traffic.



firewall

A security device that is designed to limit or restrict access to a protected network.



forwarding device

Receives packets on one of its ports and then passes that traffic to another one of its ports based on the destination Ethernet address of the packet (without modifying the packet).



Host Intrusion Prevention (HIP)

Software that runs on computer systems to protect the system. It analyzes activity on the system and prevents attacks from succeeding.



hub

A simple link-layer device. Whenever a device connected to the hub generates network packets, the hub passes that traffic to all the other ports on the hub.



Hypertext Transfer Protocol (HTTP)

A communication protocol that enables a computer to retrieve information across the web from web servers.



incident response

The procedure that you follow when you detect an attack against your network or the compromise of a machine on your network.



inline monitoring

Occurs when you place an IPS sensor as a forwarding device on your network. Because the inline sensor forwards network traffic, it has the ability to drop unwanted traffic that enters or leaves the network.



Internet

The global network that connects millions of computers.



Internet Protocol address (IP address)

An identifier for a computer or device on a TCP/IP network.



Intrusion Detection System (IDS)

An intrusion monitoring system that passively monitors network traffic looking for malicious activity.



Intrusion Prevention System (IPS)

An intrusion monitoring system that examines network traffic while it acts as a forwarding device for that traffic.



IPS Device Manager (IDM)

A graphical interface that enables you to configure and monitor the operating characteristics of a single Cisco IPS sensor.



kernel

The fundamental part of an operating system that performs basic functions.



keylogger

A hardware device (or software application) that captures the keystrokes that are typed on a system.



log signature action

When a signature fires, the log signature action causes the IPS sensor to record the packets that the attacker generates on the network. The amount of information collected is usually based on either a specified length of time or a specified number of bytes.



malicious code

A piece of code designed to damage a system's availability, integrity, or confidentiality.



managed device

The device that receives and applies the ACL that is generated by a Cisco IPS sensor. The ACL is typically generated in response to signatures configured with the block action.



master blocking sensor

A sensor that controls and initiates the blocking requests for a specific network device.



Microsoft Component Object Model (COM)

A model that defines how objects interact within an application or between applications.



Network Intrusion Prevention (NIP)

Software and hardware that runs on your network. It analyzes network traffic and prevents attacks from damaging the network.



network tap

A device that enables you to split a full duplex connection into two separate traffic flows (each flow representing the traffic originating from one of the two devices).



Network Time Protocol (NTP)

Defined in RFC 1305; a network protocol that enables client systems to synchronize their system clocks by contacting a server system. Consistent time across sensors and management systems is what makes event correlation by time possible.



normalizing traffic

Involves manipulating the traffic (such as a TCP stream) so that the sensor and the end host interpret it the same way: for example, reordering out-of-order segments and discarding segments with inconsistent Time to Live (TTL) values.
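The following Python example is added here to show what the normalizing step above actually does to a stream; it is not code from the book or from any Cisco IPS. It reassembles one direction of a TCP stream in sequence order, ignores a benign retransmission, drops a retransmission whose bytes conflict with data already delivered, and drops a segment whose TTL differs sharply from the stream's first segment. The TTL policy, the tolerance of 5, the sequence numbers, and the sample segments are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int       # TCP sequence number of the first payload byte
    data: bytes
    ttl: int       # IP Time to Live as the sensor saw it


class TcpNormalizer:
    """Delivers one direction of a TCP stream in sequence order.

    Out-of-order segments are held until the gap before them is filled; a retransmission
    that repeats already-delivered bytes is ignored; a retransmission whose bytes differ
    from what was already delivered is dropped as ambiguous; and a segment whose TTL differs
    from the stream's first segment by more than max_ttl_delta is dropped. The TTL rule is
    a simplified example policy (an assumption here): such a packet may expire before it
    reaches the host, so the host and the sensor would otherwise see different data."""

    def __init__(self, isn, max_ttl_delta=5):
        self.base_seq = isn           # sequence number of stream byte 0
        self.next_seq = isn           # next in-order byte expected
        self.stream = bytearray()     # bytes delivered in order so far
        self.pending = {}             # seq -> data of segments waiting for an earlier gap
        self.baseline_ttl = None
        self.max_ttl_delta = max_ttl_delta
        self.dropped = []             # (reason, seq) for audit

    def feed(self, seg):
        if self.baseline_ttl is None:
            self.baseline_ttl = seg.ttl
        elif abs(seg.ttl - self.baseline_ttl) > self.max_ttl_delta:
            self.dropped.append(("ttl", seg.seq))
            return
        seq, data = seg.seq, seg.data
        if seq < self.next_seq:                        # overlaps delivered bytes
            overlap = min(self.next_seq - seq, len(data))
            start = seq - self.base_seq
            if bytes(self.stream[start:start + overlap]) != data[:overlap]:
                self.dropped.append(("inconsistent-retransmit", seq))
                return
            seq, data = seq + overlap, data[overlap:]  # keep only the new tail
            if not data:
                return                                 # plain retransmission
        if seq > self.next_seq:
            self.pending[seq] = data                   # out of order: hold it
            return
        self._deliver(data)
        while self.next_seq in self.pending:           # release held segments in order
            self._deliver(self.pending.pop(self.next_seq))

    def _deliver(self, data):
        self.stream.extend(data)
        self.next_seq += len(data)


def normalize(segments, isn):
    """Run the segments through a normalizer; return (reassembled bytes, drop log)."""
    n = TcpNormalizer(isn)
    for seg in segments:
        n.feed(seg)
    return bytes(n.stream), n.dropped


# Constructed sample: an HTTP request arriving out of order, with a benign retransmission,
# a conflicting retransmission, and an inserted low-TTL segment.
ISN = 1000
SAMPLE = [
    Segment(1000, b"GET /", 64),
    Segment(1010, b" HTTP/1.0\r\n", 64),     # bytes 1005-1009 not seen yet: held
    Segment(1005, b"index", 64),             # fills the gap and releases the held segment
    Segment(1000, b"GET /", 64),             # benign retransmission: ignored
    Segment(1005, b"XXXXX", 64),             # same range, different bytes: dropped
    Segment(1021, b"Host: x\r\n", 2),        # TTL 2 versus baseline 64: dropped
    Segment(1021, b"Host: a\r\n", 64),
]

if __name__ == "__main__":
    print(normalize(SAMPLE, ISN))
```

The point of the conflicting-retransmission rule is that the sensor must commit to one interpretation; here it keeps the bytes it already passed on, which is the same data the host received, so the two cannot be made to disagree by resending a range with different contents.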



one-time password

A password that is generated for the user, typically by a hardware token or smartcard, and is valid only for a single login and a limited time. A captured one-time password therefore cannot be replayed.



Open Systems Interconnection (OSI) model

A seven-layer reference model that describes how the functions of network communication are divided among protocol layers, from the physical medium up to the application.



out-of-band management

Occurs when you use a network that is dedicated solely to management access (as opposed to using the regular network).



passive monitoring

Occurs when you capture a copy of all the traffic going across a network and analyze the traffic for intrusive activity.



pattern-based signature

A signature that triggers based on a specific pattern (such as a text string or sequence of binary bytes).



peer-to-peer architecture

An architecture in which applications reside on every system, which enables any two systems to interact with each other.



perimeter firewall

The firewall that you use to protect your entire network from the Internet.



personal digital assistant (PDA)

A handheld device that combines computing and possibly networking functionality.



personal firewall

Refers to restrictions that you place on your computer to prevent specific network traffic from accessing your system.



port

An interface through which data passes.



promiscuous monitoring

See passive monitoring.



pull model

An architecture in which the management system retrieves events from an IPS device when it is ready to process them.



push model

An architecture in which events are transmitted from an IPS device to the management system as soon as the IPS device generates them.



regular expression (regex)

A pattern matching language that enables you to define a flexible search pattern.



remote procedure call (RPC) protocol

Enables one system to run applications on another system across the network.



Remote Switch Port Analyzer (RSPAN)

A mechanism provided on some Cisco switches that enables you to capture network traffic from different devices connected to multiple switches.



rootkit

A collection of tools that an attacker installs on a system to enable him to covertly gain access to the system and monitor its operation.



Secure Shell (SSH)

A secure encrypted protocol that you can use to gain command-line access to systems on your network.



Security Monitor

A graphical interface that enables you to monitor and correlate events from many Cisco IPS devices on your network.



security policy

A set of rules that define the security requirements for a network.



signature

Any distinctive characteristic that identifies something (such as a type of attack).



signature action

Refers to the actions that your IPS/IDS devices and software perform after a signature triggers.



signature trigger

The mechanism that IPS software uses to identify malicious or unwanted traffic.



software bypass

A software mechanism by which an inline sensor handles traffic when its IPS analysis engine is not operating.



spam

Unsolicited electronic messages. Usually, these messages are sent in bulk to many people at the same time (known as spamming). Although various electronic media are subject to spam, the most popular media used to transport spam is e-mail.



stateful signature

A signature that requires analyzing multiple packets or events to identify intrusive behavior. To track the multiple events, the IPS must maintain information about the events/actions that it has already observed.
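The atomic, anomaly, pattern-based, and stateful signature entries, together with the event horizon entry, describe the trigger types a sensor uses. The following Python sketch is added here as an example and is not code from the book or from any Cisco IPS: it implements one pattern-based atomic trigger (a regex over a single packet), one stateful trigger (repeated FTP "530" replies to the same client, with state expired beyond a 10-second event horizon), and one anomaly trigger (ICMP rate above a defined normal level), and runs them over a constructed packet list. The thresholds, the horizon, the addresses, and the sample traffic are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since the start of the capture
    src: str
    dst: str
    proto: str     # "tcp" or "icmp"
    payload: str


# Pattern-based, atomic signature: everything needed to decide is in one packet,
# so no state is kept. The regex looks for a directory-traversal string in a request line.
TRAVERSAL = re.compile(r"GET\s+\S*\.\./\.\./")


def atomic_traversal(pkt):
    return pkt.proto == "tcp" and TRAVERSAL.search(pkt.payload) is not None


class StatefulLoginFailures:
    """Stateful signature: `threshold` FTP 530 replies to the same client within `horizon`
    seconds. The sensor must remember earlier replies; a reply older than the event horizon
    can no longer contribute to a match, so it is discarded."""

    def __init__(self, threshold=3, horizon=10.0):
        self.threshold = threshold
        self.horizon = horizon
        self.failures = defaultdict(deque)   # client address -> timestamps of 530 replies

    def feed(self, pkt):
        if pkt.proto != "tcp" or not pkt.payload.startswith("530"):
            return False
        q = self.failures[pkt.dst]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.horizon:   # expire state beyond the horizon
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                                # fire once, then start counting again
            return True
        return False


class IcmpRateAnomaly:
    """Anomaly signature: fires when more than `max_per_window` ICMP packets arrive within
    `window` seconds, regardless of what the packets contain."""

    def __init__(self, max_per_window=5, window=1.0):
        self.max_per_window = max_per_window
        self.window = window
        self.seen = deque()                          # timestamps of recent ICMP packets

    def feed(self, pkt):
        if pkt.proto != "icmp":
            return False
        self.seen.append(pkt.ts)
        while self.seen and pkt.ts - self.seen[0] > self.window:
            self.seen.popleft()
        if len(self.seen) > self.max_per_window:
            self.seen.clear()
            return True
        return False


def run_sensor(packets):
    """Feed packets through all three triggers; return (signature, timestamp, offender) alerts."""
    stateful = StatefulLoginFailures()
    anomaly = IcmpRateAnomaly()
    alerts = []
    for pkt in packets:
        if atomic_traversal(pkt):
            alerts.append(("atomic: directory traversal", pkt.ts, pkt.src))
        if stateful.feed(pkt):
            alerts.append(("stateful: repeated FTP login failures", pkt.ts, pkt.dst))
        if anomaly.feed(pkt):
            alerts.append(("anomaly: ICMP rate exceeded", pkt.ts, pkt.src))
    return alerts


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    Packet(0.0, "10.0.0.5", "192.0.2.10", "tcp", "GET /index.html HTTP/1.0"),
    Packet(0.5, "10.0.0.5", "192.0.2.10", "tcp", "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    Packet(1.0, "192.0.2.21", "10.0.0.7", "tcp", "530 Login incorrect."),
    Packet(1.5, "192.0.2.21", "10.0.0.7", "tcp", "530 Login incorrect."),
    Packet(20.0, "192.0.2.21", "10.0.0.7", "tcp", "530 Login incorrect."),  # first two expired
    Packet(21.0, "192.0.2.21", "10.0.0.7", "tcp", "530 Login incorrect."),
    Packet(22.0, "192.0.2.21", "10.0.0.7", "tcp", "530 Login incorrect."),  # third inside horizon
] + [Packet(30.0 + i / 10, "10.0.0.9", "192.0.2.1", "icmp", "") for i in range(8)]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE):
        print(alert)
```

Note that the two 530 replies at 1.0 and 1.5 seconds never produce an alert: by the time the next failure arrives they are outside the horizon and have been forgotten, which is exactly the limit the event horizon entry describes.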



Structured Query Language (SQL)

A popular relational database query language.



switch

A link-layer device that selectively passes traffic to its ports based on the contents of its CAM table.



Switched Port Analyzer (SPAN)

A mechanism supported on Cisco switches that enables you to configure the switch to capture a copy of selected traffic and pass it to a configured destination port for analysis.
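The hub, switch, CAM table, and SPAN entries describe one forwarding decision from several angles. The following Python model is added here as an example and is not code from the book or from Cisco: it simulates that decision for a hub, for a switch that learns its CAM table, and for the same switch with a SPAN destination port, and returns which ports receive each frame. The port numbers and MAC addresses are constructed for the example. It shows why a sensor in promiscuous mode on an ordinary switch port sees only flooded frames until SPAN (or a tap) gives it a copy of everything.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Hub: repeats every frame out every port except the one it arrived on,
    so a sensor on any port sees all traffic without special configuration."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return self.ports - {in_port}


class Switch:
    """Switch with a CAM table and an optional SPAN destination port.
    Data ports learn source MACs; the SPAN port only receives copies."""

    def __init__(self, ports, span_dst=None):
        self.ports = set(ports)
        self.cam = {}               # MAC address -> port it was last seen on
        self.span_dst = span_dst    # port the monitoring sensor is attached to

    def forward(self, in_port, src_mac, dst_mac):
        self.cam[src_mac] = in_port                     # learn the source MAC
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            egress = self.ports - {in_port}             # unknown or broadcast: flood
        else:
            egress = {self.cam[dst_mac]} - {in_port}    # known: that port only
        if self.span_dst is not None:
            egress = egress | {self.span_dst}           # SPAN copies the frame to the sensor
        return egress


def demo():
    """Three frames between hosts A (port 1) and B (port 2). A sensor sits on port 4 of the
    hub and of the plain switch, and on SPAN port 9 of the monitored switch. Returns, per
    device, the set of ports that received each frame."""
    A, B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed documentation MACs
    frames = [(1, A, B), (2, B, A), (1, A, B)]
    hub = Hub([1, 2, 3, 4])
    plain = Switch([1, 2, 3, 4])
    spanned = Switch([1, 2, 3, 4], span_dst=9)
    return {
        "hub": [hub.forward(*f) for f in frames],
        "switch": [plain.forward(*f) for f in frames],
        "switch+span": [spanned.forward(*f) for f in frames],
    }


if __name__ == "__main__":
    for device, result in demo().items():
        print(device, result)
```

On the plain switch the sensor on port 4 receives only the first frame, which was flooded because B's MAC had not been learned yet; once the CAM table holds both addresses every later frame goes to a single port. With a SPAN destination configured the sensor receives a copy of all three.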



TCP reset signature action

Tries to terminate a specific TCP connection by sending TCP RST segments to its endpoints when malicious traffic is identified in that connection.



Transmission Control Protocol (TCP)

A connection-oriented protocol that begins with a three-way handshake and ensures reliable delivery of data.



triggering mechanism

Refers to the conditions that cause an intrusion system to generate a signature action.



Trojan

A program that performs an apparent, advertised function while secretly performing another function in the background. The secret function is often malicious.



Unicode

A character encoding standard that is designed to provide a universal way to encode characters of any language.



User Datagram Protocol (UDP)

A connectionless protocol that requires little overhead but does not ensure reliable delivery of data: there is no handshake, acknowledgment, or retransmission.



virtual local-area network (VLAN)

A group of devices on one or more LANs that are configured to appear as if they are on a single network.



virus

A malicious software program that usually requires user intervention to spread to other systems.



VLAN access control list (VACL)

A security feature(available on some Cisco switches) that enables you to use ACLs to redirect a copy of network traffic from multiple VLANs to a destination port for analysis.



vulnerability

A flaw or weakness in a computer system that an attacker can use to attack the system.



worm

A self-replicating computer program that, unlike a virus, spreads to other systems on its own (typically by exploiting a vulnerability over the network) without requiring user intervention.



zombie system

A system that an attacker compromises (usually without the user's knowledge) and is used for various purposes (such as DDoS attacks and sending spam e-mail).






Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115