Glossary

3DES

A symmetric encryption algorithm based on DES that encrypts, decrypts, and then encrypts once again with three independent 56-bit keys, which aggregate to 168 bits.



.pcf files

Files in the Profiles folder of the Cisco Unity VPN Software Client's installation directory in which the client's connection entries are stored, one file per connection entry.



AAA

Stands for authentication, authorization, and accounting (AAA). Cisco appliances can offload these services to dedicated servers that support RADIUS and TACACS+.



Access Control Lists (ACL)

A list-based filtering mechanism that controls which hosts' or networks' traffic is allowed to reach a device. Cisco Concentrators use ACLs to determine which hosts or networks are permitted to administer the appliance.



Advanced Encryption Standard (AES)

A new Federal Information Processing Standard symmetric encryption method that was created to replace DES. It uses symmetric key lengths of 128, 192, and 256 bits.



Advanced View

An interface view for version 4.x of the Cisco Unity Client. Advanced View displays all functions and menu options on the user interface.



aggressive mode

The IKE Phase 1 option that establishes a security association that uses less time and fewer packets than the main mode option. Aggressive mode is susceptible to eavesdropping because the key is advertised before a secure channel is established.



anti-replay

An IPSec function that provides protection against replay attacks by utilizing AH and ESP. Anti-replay protects the receiver against replay attacks by rejecting old or duplicate packet sequence numbers.



appliance

A dedicated device used to perform a specialized function. An example of this is the VPN 3000 Concentrator, which is dedicated for VPN capabilities.



Are You There (AYT)

A firewall policy that reaffirms a specific firewall client is still present and active on the connecting client's workstation. It achieves this by sending AYT messages every thirty seconds. If it does not detect the firewall client, it disconnects the tunnel.



asymmetric keys

A pair of keys consisting of a public and a private key. Only the public key is given out to others, whereas the private key is kept secret. Data encrypted with the public key can be decrypted only by its corresponding private key.



authentication

The process of determining whether an entity is who it claims to be.



Authentication Header (AH)

Part of the IPSec framework, AH performs an integrity checksum to ensure that the payload was not modified during transit. AH does not provide any data confidentiality or encryption.



authorization

The process of determining what service or services a user is permitted to use.



Auto-initiate

A process defined in the vpnclient.ini file of the Cisco Unity VPN Software Client. When the network interface detects a certain network, it automatically triggers a VPN tunnel to the associated concentrator.



auto-update

A feature that is enabled on the VPN 3000 Concentrator and pushed to connecting 3002 Hardware Clients. When the Hardware Client connects to the central site, the concentrator sends an update message containing available software revisions and the TFTP address to retrieve the software. If the 3002 Hardware Client does not have the latest software, it automatically updates its software by using the notified TFTP address.



bandwidth management

The VPN 3000 Concentrator's capability to police or reserve bandwidth for individual groups, LAN-to-LAN sessions, or an entire interface.



business-to-business extranet VPN

A type of VPN strategy in which VPN tunnels are established over a shared or public infrastructure to connect a company to extranet business partners or other networks that are not part of the corporation.



Central CA structure

A PKI design in which a single root CA signs and revokes all certificates. Also known as a flat CA structure.



Central Protection Policy (CPP)

A security policy for firewall clients that is set and automatically pushed down to the connecting clients from the central location. Configurable rules are centrally associated with a filter, and the resulting pushed policy informs participating firewall clients what protocols and networks are allowed.



Certificate Authority (CA)

A system that can issue and revoke digital certificates. Clients request certificates from a CA, which validates the credentials in the enrollment request, and in return, issues an identity certificate that can be distributed to requesting clients.



certificate chain

A chain of authority in which each certificate testifies to the authenticity of the one before it. A CA must have its certificate signed by a more trusted CA, which in turn may need its certificate signed by a higher-level CA. The root CA sits at the end of the certificate hierarchy and is trusted without a certificate from any other certifying authority.



Certificate Revocation List (CRL)

A document that originates from a certificate authority that lists certificate serial numbers that have been issued but are no longer valid. Authenticating devices can check this list to determine whether an authenticating certificate has been revoked because of organization change, service removal, name change, or security compromise.



cipher text

An encrypted message that requires decryption before anyone can see the contents of the message.



Cisco Integrated Client (CIC)

A firewall software add-on that is integrated with the Cisco VPN Software Client. With this feature, you can receive CPP pushed firewall policies, as well as turn on a stateful firewall that remains active whether or not a VPN tunnel is up.



Cisco Unified Client Framework

This framework entails a consistent specification that encompasses wireless and desktop clients' interaction with VPN Concentrators version 3.0 and up, PIX Firewalls version 6.1 or later, and Routers with IOS version 12.8(T) or later.



clear text

Traffic that is sent across an infrastructure without any form of encryption applied to it. If intercepted, clear text can be effortlessly seen and manipulated.



client mode

A VPN 3002 Hardware Client operating mode in which devices' IP addresses behind the client are translated to its internal tunnel address before traversing the tunnel. Because all private IPs are translated to the assigned tunnel IP, users behind the hardware client are not visible to the central concentrator's network. Sometimes referred to as PAT mode.



Data Encryption Standard (DES)

A symmetric algorithm developed by the United States Department of Defense that requires the sender and receiver to use the same 56-bit key for encryption.



Dead Peer Detection (DPD)

A feature that uses IKE keepalives to ensure the remote peer is still present. When no data is being sent over the tunnel, IKE keepalives are sent and an idle timer is initiated. If the timer expires, the tunnel is torn down to save resources.



Demilitarized Zone (DMZ)

A small network inside a corporation that sits between the Internet and the secured internal network and contains commonly accessed devices such as FTP and HTTP servers.



DHCP relay

The capability to forward DHCP broadcast requests from clients to a DHCP server located on a separate segment. This functionality, defined in RFC 1542, is useful so you do not have to place a DHCP server on every segment requiring DHCP assigned parameters.



Diffie-Hellman (DH)

A key exchange methodology in which two IKE negotiating devices calculate an identical secret key to be utilized for protecting subsequent IKE communication and providing keying materials for bulk data encryption keys.



digital certificates

Entities used by a public key infrastructure to provide universally standardized secure authentication. A digital certificate binds an entity to a public/private key pair. CA systems and subordinate CA servers issue these to establish user identity and credentials during IKE negotiations.



Digital Signature Algorithm (DSA)

An asymmetric algorithm that is used solely for digital certificates. It is less common than RSA and is typically used by the U.S. government.



digital signatures

Intended to verify to a recipient the data sender's identity. This is achieved by having the sender perform a hash of the message and encrypt it with its private key. When the recipient receives the message, it decrypts the hash with the sender's public key and performs a similar hash on the message. If the values match, the message must have come from the sender because it is the only owner of that private key.



Elliptical Curve Cryptography (ECC)

An asymmetric algorithm created by Certicom that is used in handheld devices with low processing power. ECC is capable of speeding up asymmetric operations because of its remarkable mathematical algorithm that uses elliptical curve equations.



Encapsulating Security Payload (ESP)

Part of the IPSec framework, ESP ensures data confidentiality with encryption as well as data integrity and authentication. ESP protects the original IP data payload by encrypting it and encapsulating it within an additional ESP header and trailer.



encrypted nonces

A randomly generated number that is exchanged during IKE negotiations. Using encrypted nonces for authentication is unique to Cisco and entails both parties encrypting the nonce with their peer's public key. After the recipient decrypts the nonce, a hash is performed and sent back to the peer to be validated.



encryption

A process that applies one of several algorithms, each using a key of a particular length, to data. Clear text data is input into the algorithm and combined with the key to produce an encrypted text called cipher text. Without the appropriate decrypting key, the message's contents cannot be effortlessly recovered.



Enhanced Scalable Encryption Processors (SEP-E)

A VPN hardware accelerator card that contains digital signal processing to enhance encryption performance in the VPN 3000 Concentrator models 3015-3080. SEP-E modules specifically enhance DES, 3DES, and also AES encryption.



event

Any noteworthy incident that the VPN 3000 Concentrator and the VPN 3002 Hardware Client can log, such as alarms, errors, completed tasks, and status changes.



event classes

When the VPN Concentrator records events regarding its hardware and software subsystems in nonvolatile memory, each event is associated with a class. The class can be used to filter event logs based on the subsystem you want to troubleshoot.



Extended Authentication (XAUTH)

An extension to IKE that prompts the client for a username and password after device-level authentication occurs in IKE phase 1. This additional step ensures that users have proper credentials to log in to an authentication server before the tunnel is completely initiated.



File Transfer Protocol (FTP)

A protocol residing in the Application layer of the TCP/IP protocol suite that is responsible for transferring data. FTP utilizes TCP for a transport protocol and utilizes ports 20 and 21 for data transfer and authentication.



filters

A filter, which comprises rules, can be applied to interfaces, users/groups, and LAN-to-LAN tunnels. The filter processes each individual rule until a match is made. After a match occurs, the rest of the rules are not processed. If there is no match, the filter performs the default action configured.



Force Network Login

A Cisco Unity Client security feature that forces Windows NT, 2000, and XP users to log off the PC and log back in when establishing a tunnel. Upon a successful login, the VPN tunnel reestablishes itself automatically.



Hashed Message Authentication Code (HMAC)

Provides message authentication and integrity through the use of cryptographic hash functions. HMACs use a shared secret key to calculate a message digest, which is transmitted along with the message itself. When the recipient computes the same HMAC over the received message, the two values should be identical. If the values do not match, the message was manipulated in transit and is discarded.



hierarchical CA structure

A PKI design in which the root CA signs certificates for lower-level subordinate CAs. Subordinate CAs help control certificate distribution as well as certificate revocation. Also known as a tiered CA structure.



Hypertext Transfer Protocol (HTTP)

The set of rules for exchanging text, graphic images, sound, video, and other multimedia files for Web interfaces and applications. HTTP resides on the Application layer of the TCP/IP protocol suite and utilizes TCP port 80 at the Transport layer.



identity certificate

A type of digital certificate that is utilized to identify the authenticating system. CA servers and subordinate CA servers issue these to establish user identity and credentials during IKE negotiations. Identity certificates typically adhere to the X.509 standard and contain a serial number, validity dates, identity information of the CA and the requestor, the requestor's public key, and the issuing CA's digital signature.



individual authentication

An authentication feature in the VPN 3002 Hardware Client that requires each individual user to authenticate to the central concentrator before he or she is permitted across the tunnel.



Integrity Server (IS)

A Zone Labs Enterprise server that allows an administrator to manage, enforce, and monitor security policies. The VPN 3000 Concentrator can interact with this server when configured to utilize its corresponding firewall feature.



interactive authentication

An authentication feature in the VPN 3002 Hardware Client that protects the central site by requiring a user to provide the Hardware Client's credentials for tunnel establishment.



Internet Control Messaging Protocol (ICMP)

An error reporting and diagnostic protocol between a host and a gateway. This protocol is utilized by popular utilities such as ping and traceroute.



Internet Key Exchange (IKE)

A hybrid protocol derived from the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley protocol. IKE automatically handles the preliminary negotiation and authentication between IPSec peers.



Internet Protocol Security (IPSec)

IPSec is a framework of protocols that comprises a combination of standards and technologies. IPSec uses Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols for authentication of the sender and encryption of data services.



Intrusion Detection System (IDS)

A dedicated appliance or software that monitors networks or devices for attack signatures to prevent the attack before it has an opportunity to cause substantial damage.



LAN-to-LAN

A site-to-site VPN tunnel that connects the concentrator's LAN to another concentrator, firewall, router, or other IPSec-compliant device.



Layer 2 Tunneling Protocol (L2TP)

A Layer 2 tunneling protocol that contains features of PPTP from Microsoft and Layer 2 Forwarding protocol from Cisco. L2TP is slowly replacing PPTP as a popular remote access tunneling protocol.



Lightweight Directory Access Protocol (LDAP)

A protocol to locate organizations, individuals, and files in a directory server database such as Novell Directory Services (NDS) or Windows Active Directory (AD).



Lightweight Extensible Authentication Protocol (LEAP)

LEAP is a Cisco proprietary enhancement to the EAP protocol that allows additional security features such as mutual authentication and dynamic WEP keys. LEAP is used to authenticate users to the wireless network by authenticating them to a RADIUS server before distributing a key to encrypt the wireless session.



main mode

An IKE phase 1 mode that consists of three two-way exchanges to establish IKE SAs, authenticate peers, and perform key exchanges.



Management Information Base-II (MIB-II)

A class of statistic parameters that can be monitored by utilizing a network management server (NMS) and the SNMP protocol.



man-in-the-middle attack

An attack in which the attacker intercepts data between two communicating peers and manipulates or hijacks the session by inserting or changing data.



message digest

A small fixed-length representation of data used to verify the authenticity of data. If any bit of the data or digest has been changed, the resulting message digest does not match and the packet is dropped.



Message Digest 5 (MD5)

An algorithm used for message integrity that utilizes a 128-bit key in the hashing algorithm and produces a 128-bit message digest.



NAT transparency

The capability to encapsulate IKE and IPSec packets in UDP or TCP to work in conjunction with intermediary NAT- or PAT-capable devices.



Network Address Translation (NAT)

A technology utilized to translate an inside or internal IP address into an outside or public IP address.



Network Address Translation Traversal (NAT-T)

A ratified UDP encapsulation standard of NAT transparency that encapsulates IPSec into UDP using port 4500.



network autodiscovery

A LAN-to-LAN feature that enables a VPN Concentrator to automatically discover a peer's network through the use of RIP.



Network Extension mode

A VPN 3002 Hardware Client operating mode in which a single site-to-site connection is established that does not utilize PAT for tunnel traffic. The central network has full visibility to the IP addresses assigned to users on the Hardware Client's private network.



oem.ini

A file in the Cisco Unity VPN Software Client that installs the client on a workstation without user intervention.



Perfect Forward Secrecy (PFS)

DH rekeying utilizes portions of the previous key when creating the new key, which could jeopardize subsequent keys if compromised. PFS mitigates this problem by performing a completely new DH exchange.



perimeter router

In a secured network, the perimeter router is the device connecting to the Internet. This device typically implements a packet filter to limit access to the DMZ and the internal network.



ping

A utility that uses ICMP to determine whether there is IP connectivity to an IP device.



PKCS#7

A standard specification produced by RSA Laboratories for certificate envelope message syntax.



Point-to-Point Protocol (PPP)

A standard Layer 2 encapsulation mechanism for transporting multiprotocol packets across point-to-point links. PPP is used to perform functions such as dynamic IP address assignment, compression, and authentication, and can handle synchronous as well as asynchronous communication over different media types.



Point-to-Point Protocol over Ethernet (PPPoE)

A Layer 2 protocol that allows PPP frames to be encapsulated in an Ethernet frame for use over multi-access networks, such as Ethernet, DSL, and cable modem.



Point-to-Point Tunneling Protocol (PPTP)

An extension of the PPP protocol, PPTP is a remote access Layer 2 tunneling protocol developed by Microsoft and other companies.



Port Address Translation (PAT)

A form of NAT that overloads an IP address or several IP addresses and forms a NAT association down to the port level.



preshared keys

A form of IKE authentication characterized by having identical keys at each end of the tunnel. This key has to be manually configured in both devices that terminate the tunnel, which makes preshared keys not very scalable in large networks.



private addresses

A range of IP addresses set aside by the Internet Authority Numbers Association that is never routed out on the public Internet. To route devices containing private addresses, either NAT or PAT must be implemented to translate the IPs into publicly recognized addresses.



private key

A key that is generated for asymmetric encryption and that is never transmitted over the medium. A private key is used to decrypt traffic that was encrypted with its associated public key. The private key is also used to encrypt a message hash to digitally sign data.



public key

A key that is generated for asymmetric encryption and that is openly distributed to peers from whom you want to receive encrypted data. Data that is encrypted with a public key can be decrypted only by its associated private key.



Public Key Infrastructure (PKI)

A set of security services that entail the certificate authorities and all their client applications working in a unified framework.



Public-Key Cryptography Standard #10 (PKCS#10)

A standard specification produced by RSA Laboratories for identity certificate request message syntax.



Quick Configuration

A CLI or HTML-based utility that enables you to configure the minimal parameters necessary to initialize the VPN 3000 Concentrator and the VPN 3002 Hardware Client.



quick mode

IKE phase 2 negotiations operate only in this mode. During quick mode, an IPSec SA is negotiated for the encryption and authentication services that will be provided by IPSec.



remote access VPN

A VPN tunnel in which telecommuters and mobile users connect to a network via tunneling protocols such as Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and IPSec.



Remote Authentication Dial-In User Service (RADIUS)

A communication protocol used between a network access server (NAS) and an access control server (ACS) to authenticate, authorize, and audit users. RADIUS utilizes UDP as a layer 4 transport.



Remote Office Branch Office (ROBO)

A relatively small office that has connectivity back to the central headquarters or enterprise location.



Reverse Route Injection (RRI)

A feature by which connecting devices inject their internal addresses into the concentrator's routing table so that those routes can be distributed to any other routing device.



root certificate

A digital certificate that is used to validate an identity certificate. The root certificate is issued from a root CA and contains the public key that is utilized to verify CA-signed identity certificates.



root certificate authority

Whether in a flat or tiered PKI hierarchy, the root certificate authority issues digital identity certificates for devices as well as for subordinate CAs. When issuing an identity certificate, it uses its private key to sign it.



Routing Information Protocol (RIP)

A distance vector routing protocol that utilizes hop count as its only metric. RIP can support up to 15 hops.



RSA Encryption

An asymmetric encryption algorithm that was named after its creators Ron Rivest, Adi Shamir, and Leonard Adleman. RSA's key length varies in size depending on the level of encryption security you want to use. RSA is a public key algorithm used to perform encryption and peer authentication.



Rules

Rules are defined on a VPN 3000 Concentrator and are applied to filters. These rules can specify protocols and the networks that are allowed to travel across the VPN tunnel and through interfaces.



Scalable Encryption Processor (SEP)

A VPN hardware accelerator card that contains digital signal processing to enhance encryption performance in the VPN 3000 Concentrator models 3015-3080. SEP modules drastically improve throughput for DES and 3DES encryption.



secret key

A matching key negotiated during the Diffie-Hellman key exchange. A secret key is calculated by exchanging public keys and mathematically combining that material with the local private key. This key is further used for securing subsequent IKE messages and keying material for bulk encryption keys.



Secure Hash Algorithm-1 (SHA-1)

An algorithm used for message integrity that utilizes a 160-bit key in the hashing algorithm and produces a 160-bit message digest.



Secure Shell (SSH)

A standard for remote logins and file transfer that provides strong authentication and secure communications over insecure channels. Secure shell uses TCP Port 22.



Secure Sockets Layer (SSL)

A Session layer protocol used by Application layer protocols, such as FTP, HTTP, and LDAP, to create secure message transactions over a public medium.



Security Association (SA)

A negotiated matching policy agreement between two IPSec peers that is established during both stages of IKE. Both peers must have matching supported parameters, such as hash and encryption algorithms, for IKE to continue.



silent mode

An installation of the Cisco Unity VPN software client in which an edited oem.ini file automatically installs the client without user intervention.



Simple Certificate Enrollment Protocol (SCEP)

Developed jointly by Verisign and Cisco, this protocol performs automatic enrollment of digital identity certificates by generating certificate requests and downloading the resulting identity certificate from an issuing CA.



Simple Mail Transfer Protocol (SMTP)

An Application Layer protocol of the TCP/IP protocol suite that is utilized for outgoing mail transfer. It uses TCP port 25 for a layer 4 transport.



Simple Network Management Protocol (SNMP)

An Application Layer protocol of the TCP/IP protocol suite that is utilized for proactively managing and monitoring supported devices. It uses UDP port 161 for a layer 4 transport.



Simple View

A condensed interface view for version 4.0 of the Cisco Unity Client. Simple View displays limited controls and menus on the user interface for basic VPN connectivity.



site-to-site intranet VPN

A VPN solution that entails a tunnel connecting two separate office networks that are within the same company. Site-to-site intranet VPNs offer a great deal more scalability and are relatively cheaper than traditional networking options such as leased lines.



Small Office/Home Office (SOHO)

A small office environment in which there are few users connecting back to the central headquarters.



split tunneling

The capability to send encrypted traffic destined for the tunnel network, while sending traffic destined for the Internet and local LAN in clear text.



stateful inspection

A packet filtering technology in which session connection information (IP, ports, flags, and sequence numbers) is logged and maintained by a state table. All traffic session data is compared against the state table. If the connection information does not match the entries in the state table, the packets are dropped.



subordinate certificate authority

A digital certificate issuing server in a PKI hierarchy. A subordinate certificate authority's identity certificate is signed by another subordinate CA or by the root CA, forming a certificate chain.



symmetric key

A single key shared by both parties. Data is encrypted and decrypted with the same key.



system reboot

A reboot feature in the VPN 3000 Concentrator and VPN 3002 Hardware Client in which you can reboot the appliance at a scheduled time and perform requested configuration saves.



telnet

An Application Layer protocol of the TCP/IP protocol suite that is utilized to initiate and maintain a virtual console session into a supported device. It can also be used to transmit raw protocol commands. It uses TCP port 23 as a layer 4 transport.



Terminal Access Control Access Control System+ (TACACS+)

An authentication protocol used by remote-access servers to forward user logon credentials to an external authentication server. TACACS+ utilizes TCP as a Layer 4 transport.



transform set

A set of security parameters and rules that are negotiated during IKE phase 2.



Transmission Control Protocol (TCP)

A connection-oriented protocol that operates at Layer 4 of the TCP/IP protocol stack. TCP offers reliable end-to-end transport in addition to error correction and flow control.



transport mode

An IPSec mode that is negotiated in IKE phase 2 and that maintains the original IP header and protects only the upper-layer payload.



Trivial File Transfer Protocol (TFTP)

An Application layer connectionless protocol of the TCP/IP protocol suite that is utilized to transfer files without any initial password or authentication requirements. It uses UDP port 69 as a Layer 4 transport.



tunnel mode

An IPSec mode that is negotiated in IKE Phase 2 and that consists of encrypting and authenticating the entire original payload.



Unity Client

Another name for the Cisco VPN client that is part of the Cisco Unified Client Framework.



User Datagram Protocol (UDP)

A connectionless protocol that operates at Layer 4 of the TCP/IP protocol stack. Although it lacks reliability, UDP has less overhead than TCP and is relatively faster.



Virtual Cluster Agent (VCA)

A protocol to maintain a virtual group of parallel concentrators for performing load balancing. VCA is used by non-master concentrators to report their current load value to the master, who, in turn, can redirect connecting clients to underutilized concentrators.



Virtual Private Networks (VPN)

A secure point-to-point connection between two or more networks across a public infrastructure.



Virtual Router Redundancy Protocol (VRRP)

A protocol used to maintain a virtual group of parallel concentrators to perform concentrator redundancy. VRRP entails other concentrators acting as backups in case of the failure of a master concentrator.



VPN 3000 Concentrator Manager

The HTML-based configuration interface for the VPN 3000 Concentrator.



VPN 3002 Hardware Client Manager

The HTML-based configuration interface for the VPN 3002 Hardware Client.



VPN Accelerator Card (VAC)

A hardware encryption module that enables a Cisco PIX firewall to increase encryption performance.



vpnclient.ini

A global profile file that the Cisco Unity Software Client uses to perform Auto-initiation of VPN tunnels.



Wireless Local Area Networks

A type of local area network in which wireless (radiated) transmissions are utilized for network connectivity, as opposed to traditional cabling methodologies.



X.509

A recommended ITU standard for defining digital certificates.





CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185