Appendix A. Glossary of Terms

 

3DES

Triple DES. Applies the DES cipher three times in sequence (encrypt, decrypt, encrypt) with two or three independent keys to extend the effective key length of DES.

See also [DES]

 

AAA

Authentication, authorization, and accounting (pronounced "triple a").

 

ACK

Acknowledgment bit in the header of a TCP segment. It is set on every segment after the first one of a connection, which is why stateless filters often use it to distinguish replies from connection attempts.

 

ACL

Access control list. An ordered list of rules applied to traffic entering or leaving a network device or other computing resource. The rules are evaluated top down, the first match wins, and on most platforms traffic that matches no rule is implicitly denied. The rules are most often written in terms of the Layer 3 (L3) and Layer 4 (L4) fields of a packet, such as source and destination addresses, protocol, and ports.
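The following added example (not from the book) evaluates a short list of Cisco-style L3/L4 rules in Python over constructed packets, showing first-match evaluation and the implicit deny that follows the last rule. The rule syntax, the Packet and Rule classes, and the sample policy are simplifications invented for this illustration, not the exact IOS grammar.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The Layer 3/4 fields an ACL can see (constructed for this example)."""
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # L4 destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """True only if every field of the rule matches the packet."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' is shorthand for 0.0.0.0/0, as in IOS."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)


def parse_rule(line: str) -> Rule:
    """Parse a simplified, Cisco-like entry such as
    'permit tcp any 192.0.2.0/24 eq 443'.  This is a hypothetical grammar
    for the example, not the full IOS ACL syntax."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    dport = None
    if len(parts) >= 6 and parts[4] == "eq":
        dport = int(parts[5])
    return Rule(action, proto, _net(src), _net(dst), dport)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied
    (the implicit deny at the end of every IOS ACL)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample policy: allow HTTPS to a server subnet, allow DNS from
# one internal subnet to one resolver, and deny everything else explicitly.
ACL = [parse_rule(line) for line in (
    "permit tcp any 192.0.2.0/24 eq 443",
    "permit udp 198.51.100.0/24 192.0.2.53/32 eq 53",
    "deny ip any any",
)]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.7", "192.0.2.10", 443),   # HTTPS: permit
        Packet("tcp", "203.0.113.7", "192.0.2.10", 22),    # SSH: deny
        Packet("udp", "198.51.100.9", "192.0.2.53", 53),   # DNS from inside: permit
        Packet("udp", "203.0.113.7", "192.0.2.53", 53),    # DNS from outside: deny
        Packet("icmp", "203.0.113.7", "192.0.2.10"),       # no permit rule: deny
    ]
    for pkt in samples:
        print(f"{pkt.proto:4} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}  {evaluate(ACL, pkt)}")
    # Ordering matters: the same rules with the deny moved to the top block everything.
    print("misordered ACL:", evaluate([ACL[2]] + ACL[:2], samples[0]))
```

Because the evaluator sees only addresses, protocol, and ports, it cannot distinguish a legitimate HTTPS request from an attack carried inside an allowed TCP/443 connection; that is the boundary between an ACL and the application-aware inspection a proxy or IDS provides.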

 

AES

Advanced Encryption Standard. The U.S. government's current standard symmetric block cipher for data confidentiality (FIPS 197), with 128-, 192-, and 256-bit key sizes. It replaces DES in new deployments.

 

APNIC

Asia Pacific Network Information Center. A nonprofit Internet registry organization for the Asia Pacific region.

 

ARIN

American Registry for Internet Numbers. A nonprofit organization that allocates IP address space for North America and parts of the Caribbean. When this glossary was written its region also covered South America and sub-Saharan Africa, which are now served by LACNIC and AfriNIC respectively.

 

BCP

Best common practices (the IETF expands the same acronym as Best Current Practice). Generally accepted guidelines for the implementation of a specific feature or function on the network.

 

BIND

Berkeley Internet Name Domain. The most commonly used Domain Name System (DNS) software.

 

BPDU

Bridge protocol data unit. A Spanning-Tree Protocol (STP) message that carries a switch's view of the spanning tree: its own bridge ID (priority plus Media Access Control (MAC) address), the root bridge it has elected, and its path cost to that root. BPDUs are unauthenticated, so an attacker that can send them can influence the topology.

 

CDP

Cisco Discovery Protocol. Media- and protocol-independent device-discovery protocol that runs on most equipment manufactured by Cisco Systems, including routers and switches. CDP is unauthenticated and advertises the platform, software version, and addresses of the sending device, so it is normally disabled on interfaces facing untrusted networks.

 

CERT

Computer Emergency Response Team. A group of people in a specific organization who coordinate the response to security breaches and other computer emergencies such as outages and disasters. CERT (the CERT Coordination Center, CERT/CC) is also a federally funded organization at Carnegie Mellon University that distributes information about computer security vulnerabilities.

 

CIA

Confidentiality, integrity, and availability. Three core elements used in computer security.

 

Ciphertext

Data that has been encrypted (enciphered) and is unreadable without the corresponding key. Encoding, such as Base64 or hexadecimal, is not encryption and provides no confidentiality.

 

Cleartext

Data that has not been encrypted and is readable by anyone who obtains it, for example with a text editor or a packet sniffer. Also known as plaintext.

 

CLI

Command-line interface. The text-based method of configuring a device.

 

DDoS

Distributed denial of service. A denial-of-service attack launched simultaneously from many compromised hosts, so that the aggregate traffic is far larger than any single source could generate and harder to filter by source address.

See also [DoS]

 

DES

Data Encryption Standard. The original U.S. government standard symmetric cipher for data confidentiality, now replaced by AES. Its 56-bit key is too short to resist a brute-force search with modern hardware.

 

DHCP

Dynamic Host Configuration Protocol. A protocol by which a server automatically assigns IP addresses and related configuration (default gateway, DNS servers) to clients joining a TCP/IP network. The exchange is unauthenticated, so a rogue server on the segment can hand out malicious settings.

 

DMZ

Demilitarized zone. A network segment placed between an organization's trusted internal network and an untrusted external network such as the Internet. It typically hosts servers that must be reachable from outside, so that a compromise of one of them does not grant direct access to the internal network.

 

DNS

Domain Name System. The distributed naming service that lets users locate computers on a TCP/IP network by name by resolving host names to IP addresses (and the reverse).

 

DoS

Denial of service. An attack that makes a network or service unavailable to legitimate users, most commonly by flooding it with so many requests that regular traffic is slowed or completely interrupted.

 

EXEC

A phrase that is commonly used to refer to the interactive command processor of Cisco IOS.

 

Extranet

A separate portion of a network designed to facilitate commerce between a vendor and its customers and suppliers.

 

Firewall

A network device capable of implementing access control or other security techniques to enforce a particular traffic policy at a given point in the network.

 

FTP

File Transfer Protocol. A protocol used to transfer files over a TCP/IP network. Credentials and data are sent in cleartext, and its separate data connections complicate firewalling.

 

HIDS

Host intrusion detection system.

See also [IDS]

 

HTTP

Hypertext Transfer Protocol. The communications protocol used to connect to web servers.

 

HTTPS

Hypertext Transfer Protocol Secure. The protocol for accessing a web server over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connection. Using https:// in a URL instead of http:// directs the browser to the secure port (443 by default rather than HTTP's port 80) and to complete the TLS handshake before any HTTP data is exchanged, so the request, the response, and any credentials are encrypted in transit.

 

ICMP

Internet Control Message Protocol. A TCP/IP protocol used to send error and control messages.

 

IDS

Intrusion detection system. A system that monitors host or network activity for signs of attack and raises alerts. Unlike a firewall, it does not by itself block traffic.

 

IEEE

Institute of Electrical and Electronics Engineers. The standards body behind Ethernet and 802.11, among others.

 

IETF

Internet Engineering Task Force. The standards body responsible for many of the Internet's protocols, including TCP/IP.

 

IKE

Internet Key Exchange. The protocol used to establish IPsec security associations (SAs). It authenticates the two peers, negotiates the algorithms to use, and derives the shared session keys with a Diffie-Hellman exchange, so the keys themselves are never transmitted.

 

IMAP

Internet Message Access Protocol. A standard protocol for retrieving and managing mail on a server, commonly used on the Internet. Without TLS, credentials are sent in cleartext.

 

INFOSEC

Information security.

 

Intranet

An in-house network that serves the employees of an organization.

 

IOS

Internetwork Operating System. An operating system from Cisco Systems that is the primary control program used in Cisco routers and many switches.

 

IP

Internet Protocol. The network layer protocol in the TCP/IP communications protocol suite.

 

IPsec

IP Security. A suite of security protocols from the Internet Engineering Task Force (IETF) that can provide authentication, integrity, and encryption at Layer 3, through the AH and ESP protocols.

 

IPT

IP telephony.

 

ISP

Internet service provider.

 

IT

Information technology.

 

L2

Layer 2.

See also [Layer 2]

 

L3

Layer 3.

See also [Layer 3]

 

LAN

Local area network.

 

Layer 2

The data-link layer of the network model, at which frames are addressed by data-link addresses such as the Media Access Control (MAC) address of a client or server station in Ethernet.

 

Layer 3

The network layer of the network model, at which packets are addressed by network layer addresses such as the IP address of a client or server station in TCP/IP.

 

LDAP

Lightweight Directory Access Protocol. A protocol used to query and modify a directory service, commonly the store of user accounts and group memberships that other systems consult for authentication and authorization.

 

MAC

Media Access Control. The identifier burned into Ethernet and Token Ring adapters that identifies a specific network card. Because the operating system can override it, a MAC address is easily spoofed and is not a trustworthy basis for access control.

 

NAS

Network access server. Hardware and/or software that functions as a junction point between an external and internal network. Typically NAS refers to a dial-up gateway to access an organization.

 

NETOPS

Network operations.

 

NIDS

Network intrusion detection system.

See also [IDS]

 

NTP

Network Time Protocol. A protocol used to synchronize the real-time clock in a computer. Accurate, consistent time across devices is essential for correlating logs during an investigation.

 

OSPF

Open Shortest Path First. A link-state routing protocol that computes the best path for IP traffic over a TCP/IP network from the sum of the interface costs along each route. It supports authentication of routing updates, which should be enabled so that a rogue router cannot inject routes.

 

OTP

One-time password. A password that is valid for a single login, so one captured in transit cannot be replayed.

 

POP3

Post Office Protocol version 3. A standard protocol for retrieving mail from a server, commonly used on the Internet. Without TLS, credentials are sent in cleartext.

 

Proxy server

Also called a "proxy" or "application level gateway," an application that terminates and reestablishes the connection between sender and receiver, often performing security checks at this step.

 

PSTN

Public-Switched Telephone Network. The global voice telephone network.

 

QoS

Quality of service. The ability to define a level of performance in a data communications system.

 

RADIUS

Remote Authentication Dial-In User Service. An AAA protocol, carried over UDP, between a network access device and a central authentication server. It supports password and challenge/response (CHAP) authentication, but protects only the user password attribute; the rest of the exchange travels in cleartext.

 

RFC

Request for Comments. A document that describes the specifications for a recommended technology. RFCs are used by the Internet Engineering Task Force (IETF).

 

RIP

Routing Information Protocol. A simple distance-vector routing protocol that is part of the TCP/IP protocol suite.

 

Router

A device that forwards data packets at Layer 3 from one LAN or WAN to another.

 

RSA

Rivest-Shamir-Adleman. A public-key cryptography algorithm named for its inventors and originally commercialized by RSA Data Security, Inc. It uses a two-part key: the private key is kept secret by its owner, and the public key is made available to anyone who needs to encrypt data for, or verify a signature from, that owner.

 

Script kiddie

An amateur who tries to illegally intrude into a system by taking the path of least resistance, typically running attack tools written by others without understanding how they work.

 

SMTP

Simple Mail Transfer Protocol. The standard e-mail delivery protocol on the Internet.

 

SNMP

Simple Network Management Protocol. A widely used network monitoring and control protocol. Versions 1 and 2c authenticate with a cleartext community string; SNMPv3 adds per-user authentication and encryption.

 

SQL

Structured Query Language. Pronounced "S-Q-L" or "sequel," a language used to query and manipulate data in a relational database.

 

SSH

Secure Shell. Provides secure logon for many popular operating systems and network devices. SSH can replace Telnet, FTP, and other remote logon utilities as a cryptographically protected alternative.

 

SSL

Secure Sockets Layer. The security protocol that first brought encryption to the web. In the original RSA key-exchange handshake, the server sends the browser its certificate (which carries its public key), and the browser encrypts a randomly generated secret under that key and sends it back; both sides then derive the session keys from that secret. Modern TLS versions instead use an ephemeral Diffie-Hellman exchange so that a later compromise of the server's private key does not expose recorded sessions. SSL has been superseded by Transport Layer Security (TLS), though the functionality remains very similar.

 

Syslog

System Log protocol. A framework for sending event messages from a host to a collector, usually over UDP port 514 across an IP network. Traditional syslog is neither authenticated nor encrypted, so messages can be spoofed or read in transit and should be carried over a protected management network.
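As an added example (not from the book), the following Python code parses traditional BSD-style syslog lines as they arrive at a collector: it decodes the PRI value into facility and severity, splits out host, tag, and message, and tolerates malformed input, which matters because anything on the network can send datagrams to the listener. The sample lines, host names, and addresses are constructed for this illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Facility and severity codes of the traditional BSD syslog format (RFC 3164).
# The PRI field in angle brackets at the start of a line is facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST REST   (the day of month may be space padded)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Parse one BSD-style syslog line; return None if it is malformed.
    A collector must cope with garbage because the sender is unauthenticated."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # three digits but not a legal PRI
        return None
    facility, severity = decode_pri(pri)
    tag, sep, msg = m.group("rest").partition(": ")
    if not sep:                        # no "TAG: " prefix; keep the whole remainder
        tag, msg = "", m.group("rest")
    return {"facility": facility, "severity": severity,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": tag, "msg": msg}


def count_by_facility(lines: List[str]) -> Dict[str, int]:
    """Count parsable messages per facility; malformed lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None:
            counts[rec["facility"]] += 1
    return dict(counts)


# Constructed sample lines (not real captures); hosts and addresses are made up.
SAMPLE_LINES = [
    "<38>Oct 11 22:14:15 fw01 sshd[512]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51722 ssh2",
    "<189>Oct 11 22:14:16 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.7(51723) -> 192.0.2.10(23), 1 packet",
    "<86>Oct  1 03:07:02 fw01 sudo:  alice : TTY=pts/0 ; COMMAND=/bin/su",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        if rec is None:
            print("DROPPED malformed line:", line[:40])
            continue
        print(f'{rec["facility"]:>8}.{rec["severity"]:<7} {rec["host"]:<5} '
              f'{rec["tag"]}: {rec["msg"]}')
    print("per facility:", count_by_facility(SAMPLE_LINES))
```

Cisco IOS devices send to facility local7 by default, which is why the router line above decodes to local7 rather than a dedicated "security" facility; mapping facilities to sources is part of configuring the collector.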

 

TACACS+

Terminal Access Controller Access Control System Plus. A Cisco AAA protocol, carried over TCP, used in many Cisco devices. Unlike RADIUS it encrypts the entire packet body and separates authentication, authorization, and accounting, which allows per-command authorization on network devices.

 

TCP

Transmission Control Protocol. The reliable, connection-oriented protocol within TCP/IP.

 

Telnet

A terminal emulation protocol commonly used on TCP/IP-based networks. Everything, including passwords, is sent in cleartext; SSH is its cryptographically protected replacement.

 

TFTP

Trivial File Transfer Protocol. A lightweight file transfer protocol, carried over UDP, used for sending data between two end stations, most commonly software images and configuration files. Directory listing and authentication are not supported, so a TFTP server should be reachable only from trusted management hosts.

 

TLS

Transport Layer Security. A security protocol from the Internet Engineering Task Force (IETF) that is the evolution of Secure Sockets Layer (SSL).

 

UDP

User Datagram Protocol. A protocol within the TCP/IP protocol suite that is used in place of TCP when reliable delivery is not required. Because there is no handshake, the source address of a UDP datagram is trivially spoofed.

 

URL

Uniform Resource Locator. The address that defines the route to a file on the web or any other Internet facility.

 

VLAN

Virtual LAN. A VLAN is a logical subgroup within a local area network that is created by using software rather than physically separate networks.

 

VoIP

Voice over IP.

 

VPN

Virtual private network. A logical private network that is configured within a public network but that maintains the same security and availability characteristics of a physically private network.

 

WAN

Wide area network. A communications network that covers a wide geographic area.

 

WLAN

Wireless LAN.

 

WWW

World Wide Web.

 


Network Security Architectures
ISBN: 158705115X
Year: 2006
Pages: 249
Authors: Sean Convery
