Glossary


AAA

Authentication, authorization, and accounting.



accounting

Tracking and logging what a user does once he is authenticated.



ACE (access control entry)

The permit or deny statement within an access list. ACLs can contain one or more ACEs.



ACK

The final packet in TCP's three-way handshake used to establish a connection between peers.



ACL (access control list)

A list kept by routers to control access to or from the router for a number of services.



administrative access

Character mode access to a router's aux, CTY, TTY, or VTY ports.



atomic signature

Requires only one packet to be inspected to identify an alarm condition.



attack signature

Detects attacks attempted into the protected network, such as denial-of-service (DoS) attempts or the execution of illegal commands during an FTP session.



authentication

In security, the verification of the identity of a person or a process.



authentication methods

The various methods that can authenticate a user such as local methods, Terminal Access Controller Access Control System + (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or token cards.



authentication proxy

A Cisco IOS Firewall feature that allows network administrators to apply specific security policies on a per-user basis.



authorization

Allowing or disallowing access to users for network services.



authorization types

What services require authorization. Some of the keywords can be network, exec, commands, and configuration.



certificate authority (CA)

Entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.



certificate revocation list (CRL)

List that enumerates digital certificates which have been invalidated by their issuers prior to when they were scheduled to expire.



character mode

Access to a router's aux, CTY, TTY, or VTY ports.

See also [administrative access]


CIC (Cisco Integrated Client) Firewall

The stateful firewall built into the VPN Client.



ciphertext

Data that has been transformed by encryption and is no longer intelligible.



CiscoWorks 2000

A family of comprehensive network-management tools.



compound signatures

Signatures that detect complex patterns in packets.



confidentiality

Prevents the viewing of data while traffic is traveling between peers. Encryption is one method used to ensure data confidentiality.



connectionless

Data transfer without the existence of a virtual circuit.



connection-oriented

Data transfer that requires the establishment of a virtual circuit.



console access

Access to a router's console port using a terminal-emulation application such as HyperTerminal.



control channel

Session that is used to pass commands and error information between the client and the server.



crypto access list

Defines which IP traffic will be protected by cryptography and which traffic will not.



data channel

A means for delivering data from one point to another.



default signature action

The default action an intrusion detection system (IDS) takes when it detects a malicious packet. Both the IOS routers and PIX Firewalls have a default signature action of alarm.



denial-of-service (DoS) attack

An explicit attempt by attackers to prevent legitimate users of a service from using that service.



digital certificate

Certificate in the form of a digital data object. A digital signature value is also appended to the digital certificate.



digital signature

Value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity.



distributed denial-of-service (DDoS) attack

Compromises multiple hosts and enslaves them to send vast amounts of traffic to a target host.



DMZ (demilitarized zone)

A computer or small subnetwork that sits between a trusted internal network and an untrusted external network.



dynamic crypto map

Policy template that you use when you do not fully know a remote peer's IP Security (IPSec) parameters.



Easy VPN Remote

Enhancement to the IOS that allows Cisco routers, PIX Firewalls, and VPN Hardware and Software Clients to act as remote VPN devices.



Easy VPN Server

Enhancement to the IOS that allows Cisco routers, PIX Firewalls, and VPN Concentrators to act as headend VPN devices.



embryonic

A connection attempted but not completed that has not yet seen data. When working with Cisco equipment, embryonic concerns TCP's three-way handshake.



encryption

Application of an algorithm to data so that the data is no longer intelligible.



established state

The completion of TCP's three-way handshake.



exploit

An attack against a vulnerability in an application, operating system, or device.



external threat

A threat posed to an organization by an individual who was not given explicit rights to access the organization's resources.



half-open session

For TCP, the state of the session that has not reached the established state. Therefore, the three-way handshake has not been completed. For UDP, "half-open" implies that CBAC has detected traffic from one direction only.



hashing

Reducing data of an arbitrary size into a fixed size. The fixed-size output is no longer intelligible.



HMAC (Hashed Message Authentication Code)

A mechanism for message authentication that can be used with any iterative cryptographic hash function, such as MD5 or SHA-1, in combination with a secret shared key.



identity certificate

The certificates that identify specific systems or hosts.



IDS (intrusion detection system)

Detects malicious packets traversing a network.



IKE (Internet Key Exchange)

Establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys.



IKE dead peer detection (DPD)

Allows the IPSec headend device to send DPD messages to the remote device.



IKE Phase 1

Sets up an authenticated secure connection that can be used for Phase 2 negotiations.



IKE Phase 2

Negotiates the IPSec security associations (SAs).



inbound

Packets that are entering a router's interface.



informational signature

Detects information-gathering activities.



initial contact

A message that tells the receiver to ignore and delete any old connection information that has been maintained for a newly connecting peer. An initial contact message is sent when a client or router is connecting to another Cisco gateway for the first time.



integrity

Ensures that data received by the destination device is identical to the data sent by the source device.



internal threat

A threat posed to an organization by an individual who was given explicit rights to access the organization's resources.



IP spoofing

Occurs when an attacker outside your network pretends to be a trusted user, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust.



IPSec (IP Security)

A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers.



IPSec over TCP

The insertion of a TCP header into an IPSec packet so that IPSec communication can work properly when traversing a network using network address translation (NAT), port address translation (PAT), or a firewall.



IPSec over UDP

The insertion of a User Datagram Protocol (UDP) header into an IPSec packet so that IPSec communication can work properly when traversing a network using NAT or PAT.



IPSec with GRE (Generic Routing Encapsulation)

Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between Cisco routers. When using IPSec with GRE, non-IP packets are encapsulated into IP packets and then protected by IPSec and sent across the IPSec tunnel.



KDC (key distribution center)

A trusted third party that performs secure verification of users and services. Kerberos is based on this concept.



legal SMTP commands

The RFC 821 section 4.5.1 commands that Context-Based Access Control (CBAC) is compliant with.



local authentication

Authentication using passwords or usernames and passwords configured on a router.



man-in-the-middle attack

Form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.



mode configuration

The point at which the Easy VPN Remote requests configuration parameters from the Easy VPN Server, after IPSec extended authentication is finished.



NAS (network access server)

Cisco platform that interfaces between a packet network and a circuit network.



network access

Packet mode access through a router using Basic Rate Interface (BRI), Primary Rate Interface (PRI), async, or group-async ports.



origin authentication

Verifies that data originated from a specific source.



outbound

Packets that are leaving a router's interface.



packet mode

Packet mode access through a router using BRI, PRI, async, or group-async ports.

See also [network access]


packet sniffer

A program that can record all network packets that travel past a given network interface, on a given computer, on a network.



PAM (port-to-application mapping)

Allows you to customize TCP or UDP port numbers for network services or applications.



priv-level

Specifies the current privilege level for command authorization as a number from 0 to 15.



protected network

Usually the corporate LAN. Access to this network is usually given to authorized personnel only.



proxyacl

Entries that define user access privileges.



queue threshold

The maximum number of items (packets or messages) that can be held before being discarded.



RA certificate

A server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.

See also [registration authority (RA)]


RADIUS (Remote Authentication Dial-In User Service)

Database used with AAA for remote access sessions and for tracking connection time.



RADIUS key

Used for encryption and authentication for all communication between the RADIUS client and the server.



registration authority (RA)

Responsible for recording or verifying some or all of the information needed by a CA to issue certificates and CRLs and to perform other certificate-management functions.



Reverse Route Injection (RRI)

Used by the VPN concentrator to automatically add static routes to the routing table and announce these routes to the concentrator's private network or border routers using Open Shortest Path First (OSPF) or Routing Information Protocol (RIP).



RFC 2196

A document that provides guidance to system and network administrators on how to address security issues within the Internet community.



root certificate

The self-signed public-key certificate at the top of a certification hierarchy.



SCEP (Simple Certificate Enrollment Protocol)

Provides a standard way to enroll network devices with a CA.



session information

Parameters related to a data conversation that might include source and destination addresses, port numbers, TCP sequencing information, and flags.



signature

Used with IDS devices to determine whether a packet is malicious.



signature reactions

What an IDS device can do in response to a packet matching a signature. The usual reactions are alarms, TCP resets, drops, and automatic blocking.



split tunneling

Allows a VPN client to continue using its existing Internet connection for non-VPN-related traffic.



state structure allocation

The maximum number of unassembled packets that the router will allocate memory for.



stateful

The creation of state table entries and the updating of those entries based on the traffic being inspected.



stateful inspection

Inspection system that is a sophisticated packet-filtering system and that operates at Layer 3 of the Open Systems Interconnect (OSI) model. It is also a method of access control that analyzes packets in terms of traffic sessions.



state table

The logging of session information, including source and destination addresses, port numbers, TCP sequencing information, and flags, into a table.



strong password

A password of at least eight characters that contains both uppercase and lowercase letters, numbers, and special characters.



structured threat

A hacker who knows applications and operating systems intimately, can write hacking programs, and knows potential vulnerabilities.



symmetrical ACLs

Crypto access lists used by IPSec peers that should be mirror images and that protect the same IP addresses, protocols, and applications.



SYN

The only flag set in a TCP packet that is attempting to initiate a connection.



SYN-ACK

A TCP packet sent in response to a connection request with both the SYN flag and the ACK flag set.



TACACS+ (Terminal Access Controller Access Control System +)

Proprietary Cisco enhancement to TACACS. Provides additional support for AAA.



TACACS+ key

Character string used by the TACACS+ protocol for authentication and encryption.



threat mitigation

Procedures used to lessen the impact of hacking attacks against a network.



three-way handshake

Process whereby two protocol entities synchronize during connection establishment.



token card

A card about the size of a credit card and programmed to a specific user. Each user has a unique PIN that can generate a password keyed strictly to the corresponding card.



transform sets

An acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic.



transform

The list of IPSec methods used for a data flow to provide data authentication, data confidentiality, and data compression.



transparent tunneling

Allows secure transmission between the VPN client and a secure gateway through a router serving as a firewall.



trusted third party

An SA trusted by communicating entities with respect to specific security-related activities.



trust exploitation

An attack where an individual takes advantage of a trust relationship within a network.



unassembled packets

Packets that have been fragmented and not made whole.



unstructured threat

A hacker who does not know applications and operating systems intimately and who can't write hacking programs. This type of hacker can download programs to launch attacks. Sometimes, these individuals are called script kiddies.



VTY access

Access to a router's VTY lines using, for example, Telnet or SSH.



vulnerability

A weakness in an application, operating system, or device. Hackers use exploits to take advantage of vulnerabilities.



XAUTH

Allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication Phase 1 exchange.





CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
