Glossary

Words in italics are cross-references to other terms in this glossary. You may find it helpful to check such cross-references because many terms in networking and security are interrelated.

asset

An item of value to the organization. An information asset is a device, its software, and/or its content (data) that has value. If an asset is lost or stolen, or if its integrity is compromised, the organization will suffer a loss.



Authentication, Authorization, and Accounting (AAA)

The process of validating the identity (authentication) and rights (authorization) of a user logging in to a system. The third A, accounting, refers to the record keeping of user account activity, such as login start and stop times, and (depending on how accounting is configured) what actions were performed by that account. AAA sometimes refers to the processes just described and sometimes to the server that provides them; the applicable meaning is generally clear from the context.



branch

A network that is topologically separate but organizationally part of a larger system. A branch can be as large as a midsize or medium network, while still being organizationally subordinate to and administered by a larger enterprise. Contrast with standalone.



campus

The protected heart of a network. Within the campus, trust is usually implicit. Contrast with edge.



Certificate Authority (CA)

A trusted source that provides and digitally signs certificates for other devices.



Certificate Revocation List (CRL)

A list maintained by the CA of certificates that have been revoked; that is, certificates that are no longer valid although they have not yet expired. When using certificates for authentication, it is important to check a presented certificate against a current copy of the CRL, to be sure that the certificate (though technically current because it has not reached its expiration date and time) is still valid.
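The check the CRL entry describes, as an added example that is not from the book: a certificate is accepted only if it is inside its validity window, its serial is absent from the CRL, and the CRL copy being consulted is itself still current (a stale CRL means "unknown", not "valid"). The CA name, serial numbers, subjects and dates below are constructed sample data.

```python
"""Added example (not from the book): certificate acceptance = validity window
+ revocation lookup against a CRL that is itself current. All names, serials
and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime       # when the CA published this copy
    next_update: datetime       # when the CA promises a newer copy will exist
    revoked_serials: frozenset  # serials revoked before their expiry


def check_certificate(cert, crl, now):
    """Return (accepted, reason). Order matters: an expired certificate is
    rejected before the CRL is consulted, and a stale CRL never yields 'ok'."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if now > crl.next_update:
        return False, "CRL is stale; fetch a current copy before trusting this certificate"
    if cert.serial in crl.revoked_serials:
        return False, "certificate revoked"
    return True, "ok"


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (hypothetical CA, gateways and serials).
NOW = _utc(2005, 3, 1)
CURRENT_CRL = CRL("Example CA", _utc(2005, 2, 20), _utc(2005, 3, 20), frozenset({1002}))
STALE_CRL = CRL("Example CA", _utc(2004, 12, 1), _utc(2004, 12, 31), frozenset({1002}))
CERTS = {
    "good":    Certificate(1001, "vpn-gw1", _utc(2004, 1, 1), _utc(2006, 1, 1)),
    "revoked": Certificate(1002, "vpn-gw2", _utc(2004, 1, 1), _utc(2006, 1, 1)),
    "expired": Certificate(1003, "vpn-gw3", _utc(2003, 1, 1), _utc(2004, 12, 31)),
}


def run_samples(crl=CURRENT_CRL, now=NOW):
    """Evaluate every sample certificate against one CRL copy; returns {name: reason}."""
    return {name: check_certificate(c, crl, now)[1] for name, c in CERTS.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:8s} -> {reason}")
    print("with stale CRL:", run_samples(STALE_CRL))
```

The stale-CRL branch is the caveat a practitioner wants: a peer that cannot refresh its CRL copy should fail closed rather than keep accepting certificates the CA may already have revoked.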



Cisco Discovery Protocol (CDP)

A proprietary protocol used on Cisco networking devices to discover neighbors and learn about them. It operates at Layer 2 using SNAP and SNMP MIBs in the messages that are transmitted to neighbors. CDP is not routable and thus provides information about directly connected devices. The information exchanged includes device type, software running, the connecting port, its IP address, and so on. A topology can be derived by obtaining CDP information from networking devices. Cisco recommends disabling CDP throughout the network, if possible, or at least on all devices that connect to the outside world.



CiscoSecure Access Control System (CS ACS)

The server package from Cisco to provide AAA for a network. CS ACS is supported on Windows and Solaris (although the latter is being phased out). It provides both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+) AAA.



CiscoWorks VPN/Security Management Solution (VMS)

The multi-OS VPN management package from Cisco. It is used to configure policies and VPN tunnel parameters into preset configurations. It is a GUI-based manager that uses HTTP and HTTPS.



community string

The name given to a set of devices that has been grouped logically. It is used by the Simple Network Management Protocol (SNMP).



dead peer detection (DPD)

A Cisco-proprietary mechanism for keeping tunnels open with less overhead than IKE keepalives. Tunnels need to be kept open, but there is no need to send keepalives if traffic is being actively transferred. DPD sends keepalives only when there has been no traffic for a configurable time period. Cisco has proposed DPD to the IETF as a draft Internet Standard.



defense in depth

The security stance that protects a network with layers of defenses rather than one hard shell outside (and a soft, unprotected inside). Defense in depth employs several technologies at different layers of the network; when a hacker or unauthorized user penetrates one layer, he faces another and different challenge to penetrate the next.

The task of penetrating and abusing resources is vastly more difficult, though at a price of more management complexity.



Demilitarized Zone (DMZ)

A device or group of devices within the edge made readily available to the public. This ready availability necessarily exposes them to hackers. Therefore, they are heavily protected and have limited functions and access to internal (campus) resources.



Denial of Service (DoS)

An attack intended to consume all or most of a critical resource. DoS can be conducted by one or a few hosts against a single target or a few targets. DoS is often used as a catchall for both single-attacker and multiple-attacker (DDoS) variants.



Diffie-Hellman Group (DH Group)

The number of bits to be used in the public-private key pairs that are used to develop a symmetric key for encryption/decryption using IPSec. DH group 1 uses a 768-bit key, group 2 uses a 1024-bit key, group 5 uses a 1536-bit key, and group 7 uses a different algorithm (elliptic curve cryptography, which does not create a key in the same fashion). Groups 1 and 2 are available on all Cisco devices capable of using IPSec, but groups 5 and 7 are available only on devices that can be configured by the VMS.



Distributed Denial of Service (DDoS)

An attack by many hosts against one (or a few) host(s). The goal of the attack is to consume so much of a critical resource that others (especially legitimate users) cannot access the denied service.



eavesdropping

Snooping on network traffic to which one does not have legitimate access. This can consist of electronic interception or old-fashioned human sneakiness (such as the aptly named "shoulder surfing": looking over the shoulder of the person to see what is being typed).



edge

The periphery of a network, or where it interacts with devices not under this network administration's control. Within the edge, trust must be explicit (distrust is implicit). Contrast with campus.



extended authentication (XAUTH)

Authentication that provides a user-level challenge-and-reply authentication during IPSec tunnel establishment (after the IKE SA has been established in IKE phase 1 and before the creation of the IPSec SA in IKE phase 2).



false positive and false negative

False positives are intrusion-detection system (IDS) matches that are, in fact, legitimate traffic. False negatives are failures of the IDS to recognize real attack traffic.



hardware VPN client option

One of the four options in the remote-user network model. This option uses the hardware VPN client to terminate the tunnel, but, like the software VPN client option, it does not include a stateful firewall. If there is need for a firewall to protect an Internet connection (especially when this is used in a branch), a separate device is required. The hardware VPN client can provide other networking services to the hosts behind it, such as acting as a DHCP server and providing Network Address Translation (NAT) or Port Address Translation (PAT).



headend

The end of an IPSec tunnel at the larger organization. This is the location that most often has the administrative oversight of the tunnel and is responsible for its proper configuration and performance.



host intrusion-detection system (HIDS)

Host-based IDS (see intrusion-detection system [IDS]).



Identity-Based Networking Services (IBNS)

An integrated solution from Cisco to provide authentication, access control, and user policies to secure network connectivity and resources. It is built on the 802.1x port-based authentication originally developed for wireless networks interoperating with wired networks. IBNS is implemented on the CS ACS.



improve

The fourth stage of Cisco's security wheel. This is the stage in which the results of the test stage are examined and the changes needed to meet them are planned. The planned network security stance is improved to meet the new challenges it faces; implementing the improvements is the task of the next iteration of the secure stage.



Internet Key Exchange (IKE)

A hybrid protocol that implements the Oakley and SKEME key exchanges. It provides peer authentication and negotiates the IPSec keys and the IPSec SA parameters. IKE is often confused with the Internet Security Association and Key Management Protocol (ISAKMP).



Internet Protocol Security (IPSec)

A framework of open standards for securing unicast IP communications between two hosts. IPSec provides assurance of peer authentication, message confidentiality, and message integrity. Tunnels are created using security associations (SAs). These can be manually specified in all their parameters, but this is both prone to error and difficult to manage (because there must be an equally secure means of distributing the parameters to be configured). Dynamic (on demand) tunnel creation is performed using Internet Key Exchange (IKE).



Internet Security Association and Key Management Protocol (ISAKMP)

The protocol framework defining the information exchange parameters (formats and mechanics) for IPSec tunnels. Often confused with Internet Key Exchange (IKE).



Internet service provider (ISP)

A company or other organization that provides access to the Internet for other entities. Access benefits and costs vary greatly (with the costs generally related to the set of benefits contracted for). Smaller ISPs typically aggregate many users and submit their traffic to a larger-scale ISP. There is a vague concept of hierarchy in carriers and service providers, often denoted by tier number: Tier 1 carriers are the "deepest" into the core of the Internet. They also are typically described as the "default-free zone" because they do not use default routes; if they do not know a next hop to a packet's destination, there is no higher authority to which they can pass off the traffic. Tier 2 providers interconnect with Tier 1s, and typically have a default route for traffic into a Tier 1 provider's network.



intrusion-detection system (IDS)

A monitoring device or software package that compares passing traffic with the characteristics of known attacks. IDS software can be placed on a single host (host intrusion-detection system, or HIDS) or it can monitor all traffic for a network segment (network intrusion-detection system, or NIDS). The actions to be taken by an IDS upon detecting a match to a known attack signature generally include sending an alarm, dropping the offending traffic, and resetting the connection (for TCP traffic).



intrusion prevention

A newer technology to mitigate intrusions by behavioral analysis methods rather than requiring a match for a prestored profile. The behavior to be caused by the traffic is the trigger instead of a profile match; this facilitates prevention of a zero-day attack.



ip audit

The process by which traffic is compared to known attack profiles in a Cisco NIDS. ip audit is the command set for creating the rules and applying them to an interface in a specific direction.



IP spoofing

Falsifying the IP source address in a packet to create the impression that it belongs on the network.



IP telephony (IPT)

Packet-switched telephony (see public switched telephone network [PSTN]) that uses IP for packet transport. It can use the Internet for transport, but this is generally not recommended because of the difficulty in managing the quality of the connection.



malware

A shortened form of the phrase malicious software. Malware is software intended to do or cause harm, or to perform activities that have not been authorized by the appropriate authority. Malware comes in several varieties, with viruses and trojan horses (or just trojans) being the most well known. Other types are keystroke loggers (to capture passwords and encryption keys) and port redirectors. Some people include packet sniffers in the list of malware types, while others contend that sniffers are a valid network-diagnostic tool that hackers abuse.



Management Information Base (MIB)

A hierarchical database of objects that provide information about or settings for networking devices over the Simple Network Management Protocol (SNMP). Although the entire database is properly called the MIB, individual elements or objects within it are typically called MIBs when they are discussed. This is an example of an individual MIB (a trap, in this case):

952376332 1 Mon Mar 06 15:58:52 2000 10.31.1.150 - 1=20 2=2 3=Syslog Trap 4=101003: (Secondary) Failover cable not connected (this unit) 5=1400;1 .1.3.6.1.4.1.9.9.41.2.0.1 0

The trap identifier is .1.3.6.1.4.1.9.9.41.2.0.1, and its meaning is listed just above the MIB ID in the message.



man-in-the-middle attack

An attack on communications in which a third party interposes himself between the two principals. The third party poses as B to A, intercepting A's messages and replaying (perhaps accurately, perhaps in altered form) B's actual replies. The same thing occurs in the other direction: The third party poses as A to B, intercepting B's messages and replaying (accurately or in altered form) A's replies. Instead of A <-> B, the conversation is A <-> third party <-> B.



MODCFG

An IKE extension that carries additional configuration data to remote users via the tunnel. It provides not only an IP address and addresses for DNS and WINS servers, but also authorization data concerning the authenticated remote user's accesses.



monitor

The second stage of Cisco's security wheel. It includes the observation of how well the security devices and procedures on the network are delivering the intended results. The monitor stage also includes the steps you take to improve performance when a problem is detected.



Network Address Translation (NAT)

The process of rewriting the source address (for outgoing traffic) or the destination address (for incoming traffic) from one set of addresses to another. NAT is often used to hide the actual addresses used by valuable hosts, or to make use of private IP addresses (per RFC 1918). In the latter case, many inside host addresses can use a smaller number of outside addresses. This can be done on the basis that not all inside hosts need simultaneous outside access (such as overprovisioning bandwidth), or via Port Address Translation (PAT).

See also [RFC 1918 filtering]


network intrusion-detection system (NIDS)

Network IDS (see intrusion-detection system [IDS]).



network-management station (NMS)

A workstation used to monitor and configure networking devices. It can use SNMP or other forms of connectivity, such as Telnet, Secure Shell (SSH), or a connection via a terminal server using reverse Telnet.



Network Time Protocol (NTP)

A protocol used for the maintenance of the correct time on a networked device. Now in version 3 (which offers authenticated time references), it uses port 123.



network topology discovery

The process of creating a topology based on information gleaned from hosts or other parties, including via social engineering. Information of use in topology discovery includes address blocks as well as individual host addresses, names and naming conventions, neighbor relationships, and device hardware and software information.



one-time password (OTP)

A password that is valid for only one use; after it has been used once, it is flagged or discarded. Obviously, a system for generating such passwords is required, and the user and the AAA server must use the same system.



out-of-band management (OOB)

A separate network (or segment of the network) dedicated to management traffic only (if the two traffic types share the network, management is "in-band"). OOB has the advantage of not being subject to traffic problems on the main network, as well as being easier to secure from casual misuse and hackers. However, it adds to complexity and expense, and its performance cannot be used to judge network performance.



overload

Applying more inside addresses to fewer outside addresses via Port Address Translation (PAT). The overload command is used on the PIX to indicate that the Network Address Translation (NAT) process should use PAT, distinguishing internal traffic by port number used.



packet sniffer

A software package that places the NIC into promiscuous mode. The NIC then accepts all traffic detected on the wire instead of only the traffic addressed to its address (whether its own address or a broadcast or multicast group to which it belongs).



password attack

An attempt to learn the password associated with a particular user account via trial and error or a match of the recovered hash. Trial and error can use a dictionary, logical choices based on social engineering, or a brute-force approach in which a script simply tries all possible bit combinations of the appropriate length. The last is generally unfeasible against strong passwords. To match a recovered hash, the hacker obtains a copy of the hashed passwords (via the SAM data on Windows machines or from the /etc/shadow file in Unix and Unix-like systems). Offline, the hacker runs a script that creates passwords until it finds a match for the hash and then records the password that creates the same hash (the hashing algorithms used by various operating systems are well known).



path MTU discovery (PMTUD)

Used to determine the smallest maximum transmission unit (MTU) size along a planned network path. Because tunneling increases overhead, it is important to determine this in advance and to size the original packets accordingly. Otherwise, fragmentation will occur at some point midstream, which causes complications with the encryption and authentication processes.



perfect forward secrecy (PFS)

When IPSec SAs are about to expire, a new security association (SA) is negotiated with fresh keys. Normally, the new keys depend partly on the old keys, but this weakens the level of security. PFS prevents the weakening by requiring a completely fresh key development, at the cost of more computational effort (on both ends of the SA, of course).



ping sweep

A reconnaissance method that consists of sending ping packets to a series of IP addresses (often an entire address block). Often run by relatively inexperienced hackers (script kiddies), a ping sweep is a clumsy probe because the increase in traffic is readily observable by monitoring systems such as an IDS.



Port Address Translation (PAT)

The process by which multiple inside host addresses share a smaller number of outside host addresses. The translating device maps traffic flows to ports (at Layer 4) and maintains a table of which flows (by port) belong to which inside address. Similar to Network Address Translation (NAT).
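The translation table that the PAT and overload entries describe, as an added example that is not from the book: two inside hosts that happen to use the same source port are both mapped onto one outside address and told apart by the outside port the translator allocates, and return traffic is admitted only if it matches an existing table entry. The addresses, ports and pool size are constructed.

```python
"""Added example (not from the book): a toy PAT/overload translator. Many
inside (address, port) flows share one outside address; the translator
allocates a distinct outside port per flow and keeps a reverse table so only
replies to known flows get back in. Addresses and ports are constructed."""


class PatTranslator:
    def __init__(self, outside_addr, port_range=(1024, 65536)):
        self.outside_addr = outside_addr
        self._free_ports = iter(range(*port_range))
        # (inside_addr, inside_port, proto, (dst_addr, dst_port)) -> outside_port
        self.out_table = {}
        # (outside_port, proto, (dst_addr, dst_port)) -> (inside_addr, inside_port)
        self.in_table = {}

    def outbound(self, inside_addr, inside_port, proto, dst):
        """Translate an inside packet; returns the (outside_addr, outside_port)
        the packet leaves with. An existing flow reuses its entry."""
        key = (inside_addr, inside_port, proto, dst)
        if key not in self.out_table:
            port = next(self._free_ports, None)
            if port is None:
                # Real devices log and drop here; the pool is the scaling limit of PAT.
                raise RuntimeError("PAT port pool exhausted")
            self.out_table[key] = port
            self.in_table[(port, proto, dst)] = (inside_addr, inside_port)
        return self.outside_addr, self.out_table[key]

    def inbound(self, outside_port, proto, src):
        """Look up a packet arriving from the outside. Returns the inside
        (address, port) to forward to, or None if no flow matches (drop)."""
        return self.in_table.get((outside_port, proto, src))


def demo():
    """Constructed scenario: two inside hosts, same source port, one web server."""
    pat = PatTranslator("203.0.113.2")          # constructed outside address
    web = ("198.51.100.80", 80)                 # constructed destination
    first = pat.outbound("192.168.10.5", 51000, "tcp", web)
    second = pat.outbound("192.168.10.6", 51000, "tcp", web)
    again = pat.outbound("192.168.10.5", 51000, "tcp", web)
    reply_ok = pat.inbound(second[1], "tcp", web)       # reply to host .6
    reply_unsolicited = pat.inbound(4000, "tcp", web)   # nobody opened this
    return first, second, again, reply_ok, reply_unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reverse table is also why the book's remote-site options can lean on PAT for some protection of inside hosts: an outside host cannot reach an inside one until the inside host has opened a flow.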



port scan

Like a ping sweep, but directed at multiple ports instead of (or possibly in addition to) multiple IP addresses.



provider-provisioned VPN (PPVPN)

A virtual private network (VPN) that is set up entirely by the service provider using its equipment, addresses, and protocols after the customer's traffic arrives in the provider's network. It might or might not use IPSec; it usually provides only an extra IP header for the provider's internal routing.



public switched telephone network (PSTN)

The traditional telephone network. The PSTN started as an analog network, moved to digital, and has become more of a packet-switched network in recent years (note that not all packets are IP; most of the PSTN carriers still run voice circuits over ATM). Voice over IP (VOIP) is a form of packet-switched telephony; some carriers are adopting this in the PSTN, while others offer it over their data networks. Dialup network traffic travels over the PSTN.



reconnaissance

The process of discovering information about a network and/or the hosts residing on it. Information of interest includes addressing and naming, operating system installed and patch status, software installed and its version (as a means to know which vulnerabilities to exploit), internal directory structures, and so on.



Remote Access Dial-In User Service (RADIUS)

An AAA protocol optimized (originally) for supporting dialup clients. It is readily customizable by vendors and encrypts less of the information exchanged during authentication than TACACS+. A RADIUS server uses one module for the authentication and authorization processes, and a separate module for the accounting process.



remote site broadband router option

One of the four options in the remote-user network model. This option uses a router, which might or might not also be the broadband access device, to terminate the tunnel and provide firewalling to the host or hosts behind it. If the router is also the broadband access device, it must be managed and configured by the networking organization. This is not always the case, in which event another tunnel-termination and protective device must be used. The reason is simple: No one else has an interest in protecting your data; however, someone might have an interest in having a copy of it.



remote site firewall option

One of the four options in the remote-user network model. This option uses a stateful firewall to protect the remote host or hosts; the firewall provides the tunnel termination. A stateful firewall can keep Internet traffic and tunnel traffic separate, so split tunneling is reasonable, depending on the parent organization's policies and operational considerations, such as bandwidth utilization.



resource overload

The situation that occurs when a resource is tasked with more operations than it can perform in a given block of time or assets. This can occur when more traffic needs transport than the wire can carry, when a process requires more CPU cycles to finish than it is allocated, or when the memory space set aside (such as an input buffer) is insufficient to hold the data presented to it. The failure that results from a resource overload is not easily predictable; this is responsible for the critical nature of many vulnerabilities in modern software.



RFC 1918 filtering

Filtering to prevent the passage of traffic whose addresses should never be used on the Internet. The addresses to be used only in private-access networks (and thus can be reused in any number of networks globally) are 10/8, 172.16/12, and 192.168/16. Because those addresses should never appear in public traffic, any traffic entering from a public space that has them as the source address is bogus traffic (source address spoofed) and should be dropped. If the network uses OOB, you can use a separate private address block for the different traffic types (production vs. network management). In this case, RFC 1918 filtering is appropriate internally as well as on network ingress.



RFC 2827 filtering

Used to protect against source address spoofing by comparing the source address to the network segment for the egress interface: If the source address ought to come from the egress interface, it should not have entered the router or firewall. For instance, if the destination is via interface ethernet0, the traffic should not have a source address from that network or segment because such traffic should arrive on ethernet0; but the traffic would never arrive at the interface because it would be handled by the segment. Such traffic has had its source IP address spoofed and thus is bogus.



script kiddies

A pejorative term for unskilled hackers who run scripts developed by those who do have skill and understanding. Script kiddies (sometimes also called "lamers") are often clumsy and give away their presence with silly mistakes, such as entering Windows commands at a Unix prompt.



secure

The first stage of Cisco's security wheel. It includes the actual implementation of the security devices and procedures on the network: Hardware is deployed and existing device configurations can be changed, access controls can be tightened, and so on.



security association (SA)

A peering relationship between two devices (or two processes within those devices; that is, there can be more than one SA operational between the same two devices) that establishes the parameters by which traffic will be secured. An IKE SA manages the connection and is bidirectional; it is separate from the (unidirectional) pair of IPSec SAs that actually handle the data flow.



security policy

A formal statement of the organizational management's commitment to protecting its information assets. It includes a definition of the assets, threats against which the organization will protect the assets, protection means, various usage policies (acceptable use, Internet use, remote use, and so on), audit procedures, and how the organization will respond to violations of the policy.



security wheel

A model used by Cisco Systems to describe the ongoing process of security. It consists of four iterative stages: secure, monitor, test, and improve (followed by the next iteration of secure, monitor, test, improve, and so on). Certain activities are typical of the various stages.



Simple Network Management Protocol (SNMP)

A protocol used to obtain information about and to manage network devices remotely. SNMP uses a Management Information Base (MIB) that is hierarchically ordered. Devices are grouped for management into communities, identified by their name (the community string). The community string serves as a weak password for access to a device. Communities can be read-only (ro) or read-write (rw). SNMP messages are traps (autonomously generated information reports), gets (information requests), and sets (configuration commands).



small, midsize, and remote-user networks (SMR)

Networks that are smaller than a full-scale enterprise. They are not designed for resiliency or for e-commerce applications.



social engineering

The process of obtaining network information by asking someone for it (usually politely and with a very friendly and personable approach). In this case, the network's security is compromised by human willingness to help another person, assuming that the person has appropriate credentials or a valid reason to know such information. Social engineering attacks often obtain network access information (passwords, ATM PINs, and so on) and reconnaissance data that would otherwise take more hazardous means to discover.



software access option

One of the four options in the remote-user network model. The software access option depends entirely on using the software VPN client on a host for tunneling; no other device is involved. Because of the host's exposure, a personal software firewall on that host is strongly recommended, and enabling split tunneling is discouraged.



split tunneling

The process of separating traffic from a branch or remote user into two discrete flows. Traffic bound for the headend is tunneled, while traffic bound for other destinations (such as the Internet) is not tunneled. Bandwidth and CPU savings could be significant; however, unless the separation is performed by a stateful firewall, there is significant risk of malicious traffic crossing into the tunnel from the Internet.



stale SA

A situation that occurs when one end of the tunnel is maintaining tunnel state (keeping the SAs active) while the other is not (for many possible reasons, including equipment failure anywhere along the path). A stale SA can be prevented with IKE keepalive traffic or dead peer detection (DPD) .



standalone

A network that is independent of others, although it is connected to them. It is not related to or a part of any other organization. Contrast with branch .



stratum

A level of device in the Network Time Protocol system. Stratum 0 refers to the device that provides true time (as nearly as humans can obtain it), such as an atomic clock or a GPS receiver (unfortunately, not the typical over-the-counter GPS receiver). A stratum 1 server directly attaches to the stratum 0 device and obtains time from it. The stratum 1 server then provides time to stratum 2 servers (which are clients to it), and they provide time to stratum 3 servers, and so on. Most publicly accessible servers are stratum 2.



strong passwords

Passwords that are less vulnerable to attack. This results from a combination of password length and composition. Longer is stronger: An 8-character password uses 16 more bits than a 6-character password, resulting in 256 times as many potential bit strings. If the password is complex, using numbers, uppercase and lowercase letters, and special characters, it is much more difficult to crack than if it is a word from a dictionary (hackers have copies of the encrypted hashes of dictionary words; breaking those passwords is a matter of minutes, not more). Use at least eight-character complex passwords.



target discovery

The process of gathering the most possible information about a specific target, usually a particular host. The more information is obtained, the more precisely and efficiently the host can be attacked. For instance, different versions of operating systems and different versions of different applications have specific and known vulnerabilities. A hacker who knows he has found a mail server with certain vulnerabilities will tailor the attack to exploit those vulnerabilities and compromise the host with less effort and less likelihood of detection.



Terminal Access Controller Access Control System (TACACS+)

An Authentication, Authorization, and Accounting (AAA) protocol, now in its third generation (TACACS and XTACACS preceded it, but they are considered obsolete and are not supported by Cisco). TACACS+ encrypts the entire data stream during authentication (rather than just the password, as with RADIUS), and it uses separate modules for all three processes (a module each for authentication, authorization, and accounting).



test

The third stage of Cisco's security wheel. This stage is about testing against new and improved threats, not those against which the existing configuration was intended to work (that goes on routinely as part of the monitoring stage). Because new threats develop and new vulnerabilities are uncovered constantly, the test stage is about examining how well the network is secured against these new problems.



trust exploitation

Taking advantage of a working relationship between two systems. A host might have been instructed (via applications) to accept and honor requests from certain other hosts (such as a database server accepting requests from certain clients but not from any other hosts). If a hacker can inject a request that appears to be from a trusted client, he can gain access to the database, perhaps retrieving significant (or all) data within it in the guise of a legitimate request. Servers often need to trust other servers for their applications to perform useful functions; they also need to trust their clients. Network devices might need to trust management workstations. Trust exploitation abuses that relationship for malicious purposes.



TTY line

A locally wired connection on a router (such as the console or aux ports). TTY originally stood for teletypewriter, an early form of input terminal.



Unicast RPF (URPF)

Filtering to drop traffic that ought not to enter a router or firewall via a particular interface. It depends on the Forwarding Information Base (FIB) developed by Cisco Express Forwarding (CEF) and thus requires the latter to be configured. URPF is used to counter source address spoofing.
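The three anti-spoofing checks defined in the RFC 1918 filtering, RFC 2827 filtering and Unicast RPF entries, as an added example that is not from the book: a bogon filter on the Internet-facing interface, the "source belongs to another directly connected interface" test, and a strict reverse-path lookup against a longest-prefix FIB. The interface names, connected prefixes and FIB are a constructed router; the RFC 1918 blocks are the real ones. One simplification to note: this toy treats the default route as a valid reverse path for the strict uRPF check, which production implementations do only when explicitly configured to.

```python
"""Added example (not from the book): ingress anti-spoofing checks on a
constructed router. The RFC 1918 prefixes are real; everything else is made up."""
import ipaddress

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed router: prefix directly connected to each interface ...
CONNECTED = {
    "ethernet0": ipaddress.ip_network("192.168.10.0/24"),  # inside LAN
    "ethernet1": ipaddress.ip_network("192.168.20.0/24"),  # second inside LAN
    "serial0":   ipaddress.ip_network("203.0.113.0/30"),   # link to the ISP
}
# ... and the FIB (as CEF would build it), longest prefix wins.
FIB = [
    (ipaddress.ip_network("192.168.10.0/24"), "ethernet0"),
    (ipaddress.ip_network("192.168.20.0/24"), "ethernet1"),
    (ipaddress.ip_network("203.0.113.0/30"), "serial0"),
    (ipaddress.ip_network("0.0.0.0/0"), "serial0"),         # default route to the ISP
]
INTERNET_FACING = {"serial0"}


def fib_lookup(addr):
    """Longest-prefix match; returns the egress interface for addr (None if no route)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def rfc1918_filter(src, in_iface):
    """Private source arriving from the public side can only be spoofed."""
    return in_iface in INTERNET_FACING and any(src in net for net in RFC1918)


def rfc2827_filter(src, in_iface):
    """Source claims a prefix directly connected to a *different* interface;
    genuine traffic from that prefix would have arrived on that interface."""
    return any(src in net and iface != in_iface for iface, net in CONNECTED.items())


def urpf_strict(src, in_iface):
    """Strict uRPF: the FIB must route the source back out the ingress interface."""
    return fib_lookup(src) != in_iface


def ingress_verdict(src_str, in_iface):
    """Apply all three checks; returns ("permit", []) or ("drop", [reasons])."""
    src = ipaddress.ip_address(src_str)
    reasons = [name for name, check in (("rfc1918", rfc1918_filter),
                                        ("rfc2827", rfc2827_filter),
                                        ("urpf", urpf_strict))
               if check(src, in_iface)]
    return ("drop", reasons) if reasons else ("permit", [])


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on).
    for src, iface in [("198.51.100.7", "serial0"), ("192.168.10.5", "serial0"),
                       ("192.168.10.5", "ethernet0"), ("192.168.20.5", "ethernet0"),
                       ("8.8.8.8", "ethernet0")]:
        print(f"{src:14s} on {iface:9s} -> {ingress_verdict(src, iface)}")
```

The last constructed packet (a public source arriving on an inside LAN) is caught only by uRPF: RFC 2827 filtering knows about directly connected prefixes, whereas the reverse-path lookup covers every prefix the FIB knows, which is why the glossary ties uRPF to CEF.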



VMS

See [CiscoWorks VPN/Security Management Solution]



VTY line

A virtual TTY line. It enters the router over a network connection, such as a Telnet session over Ethernet. Note that VTYs can be in-band or OOB.



wireless access point (WAP)

A device that connects the wireless portion of a network to the wired portion. Wireless devices (such as laptops and PDAs) communicate with the WAP, which then passes their data (if so configured) to the wired network.



XAUTH

See [extended authentication]



zero-day attack

An attack that is completely unknown. It exploits an OS or application characteristic that was not previously known to be a vulnerability. Zero-day attacks are nightmares for the victims because they are new, what comes next is unpredictable, and the response must be developed and implemented simultaneously.





CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines