3DES is a symmetric encryption algorithm based on DES that uses three separate 56-bit keys that aggregate to a 168-bit encryption key.


This stands for authentication, authorization, and accounting. Cisco equipment uses AAA services to provide a method of authenticating, authorizing, and accounting services for traffic traveling across or access into the PIX.

AAA Floodguard

An attack guard is used to protect the PIX firewall against excessive AAA requests that can result in a denial-of-service attack.

access attack

An attack that involves exploiting vulnerabilities in the network or systems to gain access to secure information.

access control list ( ACL )

A filter list mechanism used to identify hosts , ports, or networks on a device.

access- group

A command used to attach an access list to an interface.

activation keys

The PIX firewall uses activation keys to enable features in the software.

Adaptive Security Algorithm ( ASA )

It controls all traffic flow through the PIX firewall, performing stateful inspection of packets, and creates remembered entries in connections and translations to allow return traffic to pass through the firewall to the requested host.

Advanced Encryption Standard ( AES )

AES is a new Federal Information Processing Standard encryption method that enables encryption for IPSec with a cipher block chaining mode.


Provides protection against replay attacks with AH and ESP.


A dedicated device used to perform a single function, such as a PIX firewall that is dedicated for firewall capabilities.

asymmetric keys

A pair of keys consisting of a public key and a private key. The public key is given to others and the private key is kept secret. Data encrypted with the public key can be decrypted only by the private key, and data encrypted with the private key can be decrypted only with the corresponding public key.

attack guards

Attack guards allow the PIX firewall to monitor and reject requests or messages sent to commonly used applications or protocols that hackers commonly attack.

authentication headers ( AHs )

A component of IPSec used to provide data integrity, authentication, and antireplay features. AH does not provide any data confidentiality functions; the IPSec ESP component provides this function.

bastion hosts

Bastion hosts are systems that are typically within the demilitarized zone (DMZ). These hosts are typically hardened with lock-down procedures and all possible service packs to help keep them as secure as possible.

cable-based failover

This is the PIX firewall configuration that requires a special serial cable from Cisco to interconnect the firewalls and allow stateful or non-stateful failover. However, the serial cable replicates only configuration information and not stateful information. Cable-based does provide a means of power outage detection of the other device, whereas LAN-based failover does not.


Can also be known as a digital certificate and is used to bind an entity to a public key providing a mechanism to help authenticate and identify a user or device. Certificates typically come from issuing CA systems.

certification authority ( CA )

A system that can issue, distribute, and maintain information about digital certificates. Clients request certificates from a CA, which validates the information given and in return issues a certificate that can be distributed to requesting clients.

Challenge Handshake Authentication Protocol ( CHAP )

A commonly used authentication method that sends a hashed form of a user's password to the access server that uses a three-way handshake. CHAP is an improvement over PAP authentication, which sends passwords as clear text.

Cisco Secure Access Control Server ( CSACS )

Used to manage AAA services with RADIUS and TACACS+ security protocols. CSACS can use its own internal user database or connect to an external database using the RADIUS or TACACS+ security protocol.

Cisco Secure Scanner

A Cisco tool used to test and identify security holes. This tool can be used to support the monitoring component of the Cisco Security Wheel.

Cisco Security Wheel

A graphic representation of the continuously evolving process of updating a security policy. The wheel contains five main parts : the security policy, securing the network, monitoring, testing, and improving.

command-line interface ( CLI )

A text-based interface used to configure and display settings in the PIX firewall. You can use the console port, Telnet, or SSH to connect to the firewall and access the CLI interface.


This command makes an exception in the ASA to permit or deny specific traffic from lower security level interfaces to pass to higher security level interfaces. This command is being replaced by the access-list command.

configuration mode

The mode in the CLI that allows access to configure interfaces, VPNs, DHCP servers, hostnames, settings, and so on.

connection table

A table that contains layer 4 TCP or UDP sessions between internal and external hosts.

crypto maps

A collection of parameters used in phase 2 of an IKE/IPSec connection to establish a command security association with a peer.

cut-through proxy

This enables you to control HTTP, FTP, and Telnet services through the PIX firewall. It requires a username and password before allowing access.

DDoS attack

A distributed denial-of-service attack involves several systems all attacking a single network or host in an effort to slow or disable the service.

demilitarized zone ( DMZ )

A portion of the network containing hosts that need to be accessed from untrusted areas. For example, a Web server in the DMZ, known as a bastion host, can be accessed by people on the Internet.


The Data Encryption Standard (DES) was originally developed by IBM as an encryption algorithm. It requires the sender and receiver to use the same key for encryption and decryption and is commonly used in IPSec. DES provides 56-bit encryption.

Diffie-Hellman ( D-H )

A process that uses asymmetric public and private keys to generate a secret key in IKE Phase 1 process.


A protection mechanism that prevents DoS attacks and UDP session hijacking by closing the UDP port after the first received DNS response. This guard cannot be turned off.

domain name system ( DNS )

A hierarchal naming structure that maps or associates hostnames to IP addresses, or vice versa.

DoS attack

A denial-of-service attack involves sending useless, malformed , or malicious data to a network or computer port in an effort to slow down or disable a system. For example, embryonic half- open connections waste resources on a computer by causing it to wait for a response that never occurs. Flooding a computer with ping requests can slow it down or even disable it, which is another form of DoS.

dynamic mapping

Dynamic mapping is the process that network address translation (NAT) and NAT overloading (PAT) use to dynamically map an internal address to an outside or external address.

embryonic connection

A half-open TCP three-way handshake connection that could be left open intentionally by a hacker to create a DoS attack.

Encapsulating Security Payload ( ESP )

One of two protocols that can be used with IPSec. It provides data authentication, antireplay, and data confidentiality (encryption) functionality.

external threats

Threats originating from individuals who are operating outside an organization's internal network.

File Transfer Protocol ( FTP )

A commonly used protocol for transferring files from one host to another. In addition, it uses TCP to guarantee delivery of the data. FTP can be configured to operate in either active or passive mode.


A set of features that performs what is known as application inspection on a limited number of advanced protocols. Fixups try to make connections as secure as possible by dynamically opening only the ports needed to support protocols such a FTP, SMTP, and multimedia applications.

Fragmentation Guard ( FragGuard )

A monitoring mechanism used to track the number of fragments. Hackers might send hundreds or thousands of fragmented packets in an effort to disguise an attack or just cause a DoS. FragGuard places a limit on the number of fragments the PIX accepts.


A complicated hybrid protocol that can be used for VoIP, video, and data. The protocol is actually a suite of other protocols put together to make the desired connections. Programs such as Cisco Multimedia Conference Manager, Microsoft NetMeeting, CU-SeeMe Meeting Point and Pro, Intel Video Phone, VocalTec Internet Phone, and Gatekeeper use H.323. This protocol requires application inspection using the PIX fixup protocol to operate correctly.

hash value

When data, a key, and an algorithm are combined, a fixed result is generated; this is called a hash value. Hashes are typically used for data integrity checks.


The process of placing data and a key into a mathematical algorithm to produce a fixed-length value called a hash.

internal threats

Threats that typically come from users who have legitimate access to the computers or networks they want to harm.

Internet Control Message Protocol ( ICMP )

A protocol used to send control and error messages between devices. Two utilities that use ICMP are ping and trace route. The PIX firewall has an object group ACL type specifically used for ICMP.

Internet Key Exchange ( IKE )

IKE is a hybrid protocol used to authenticate end points and create a secure connection to exchange security keys and establish a security association for IPSec.

Internet Protocol Security ( IPSec )

An open VPN standard defining a group of security protocols used together to form a secure connection between two peers.

Internet service provider ( ISP )

A company that provides connectivity to the Internet.

intrusion detection system ( IDS )

The process of monitoring networks for traffic patterns or traffic signatures that might be causing harm to a network. They can be integrated with the PIX firewall to shun potential attackers .

ISAKMP policies

The Internet Security Association and Key Management Protocol (ISAKMP) is synonymous with IKE in the Cisco world. ISAKMP policies are those parameters that are used to negotiate security associations.

LAN-based failover

Enables the use of a dedicated Ethernet interface to perform the same functions as the serial cable-based failover without the 6- foot distance limitation. However, LAN-based failover cannot detect power outages of the other device as cable-based configuration can.

Layer Two Tunneling Protocol ( L2TP )

VPN is an enhancement of the Cisco Layer 2 Forwarder (L2F) mechanism that works only at layer 2 to forward IP, IPX, and AppleTalk traffic. L2TP builds on L2F to make it routable across IP networks. IPSec is used with L2TP to make it secure.

MAC address

A physical burned-in address that cannot be changed on a device. This address helps identify the device for layer two protocols in the OSI model.

Mail Guard (also called MailGuard)

A fixup protocol is used to protect Simple Mail Transfer Protocol (SMTP) servers from known, potentially harmful security problems. Mail Guard inspects SMTP traffic and allows only the seven commands defined in RFC 821 section 4.5.1 to pass. These commands are DATA , HELO , MAIL , NOOP , QUIT , RCPT , and RSET . All other commands result in a 500 command unrecognized response to the client, and the packet is discarded before the SMTP server ever receives it.

Message Digest 5 ( MD5 )

A hashing algorithm commonly used to authenticate or validate that data has not been modified in transit. It is known as a one-way hashing alogrithm that produces a fixed-length result called a message digest. MD5 uses 512-bit blocks as inputs to produce a 128-bit message digest.

Microsoft Challenge Handshake Authentication Protocol ( MS-CHAP )

A protocol that is similar to CHAP but does not need the reversible encrypted password requirement that CHAP does. Microsoft has created MS-CHAP version 1 and version 2, which is more secure.

monitor mode

This special mode allows the PIX to perform maintenance features that are sometimes not available during normal operation. When in this mode, images for an operating system and PDM software can be uploaded to flash memory.


The process of using one source to send information to several destinations without sending the data more than once. It is used to send data to subnets of IP networks and not just a single host.

NAT overloading

The process of translating many internal IP addresses to one external (global) IP address by using port numbers to uniquely identify each internal address. NAT overloading is sometimes called port address translation (PAT) and performs a many-to-one mapping.

Network Address Translation ( NAT )

The process of translating one IP address to a different IP address, creating a one-to-one mapping of the two addresses. NAT overloading (PAT) performs many-to-one address mappings by uniquely identifying internal addresses by modifying the port numbers.

Network Time Protocol ( NTP )

NTP works off a hierarchy wherein one master clock server dictates the time settings and sends them down to several NTP servers, which synchronize with the master server. Devices such as the PIX firewall can synchronize their clocks to a common time server.

non-stateful failover

Non-stateful failover is a basic solution that allows for a secondary standby firewall to take over if the primary firewall fails. The non-stateful dictates that only configuration information is maintained and not xlate or connection table information, causing all connections inside the primary to be lost when the secondary takes over.

one-time passwords ( OTP )

A system that helps to protect against passive attacks that capture passwords. OTP systems change passwords on every login, helping prevent captured passwords from being used to log in.

packet filters

A basic filtering mechanism that inspects layer 3 and 4 information. These filters allow traffic to pass through provided that the source and destination information match the configured rule.

Password Authentication Protocol ( PAP )

An authentication protocol that uses a two-way clear-text handshake to pass usernames and passwords.

PIX Device Manager ( PDM )

A Java Web-based interface that enables you to configure the single PIX firewall via a secure HTTPS connection.

Point-to-Point Protocol ( PPP )

A standard method of encapsulating Network layer protocol information over point-to-point links. PPP is capable of supporting multiple layer 3 protocols.

Point-to-Point Protocol over Ethernet ( PPPoE )

A layer 2 protocol based on PPP, it's typically used on digital subscriber lines. PPPoE allows ISPs to authenticate users connecting via Ethernet for Internet service.

port redirection

The process of redirecting incoming traffic on PAT-enabled devices to a specific internal port number to create access via an outside device.

private addresses

Address that have been reserved from use on the Internet. These addresses are intended for use in the private sector to help conserve public addresses. The address ranges are “, “, and “ Private addresses are not routable on the public Internet.

private key

One of two keys used in an asymmetric algorithm that is kept by the host and used to encrypt and decrypt data. The private key has a corresponding public key that is shared with other users.

privileged mode

Also known as EXEC mode or enable mode. Privileged mode gives you the full set of available commands that can be used to view restricted settings and enable you to enter configuration mode to configure the PIX firewall.

proxy filters

Also known as application proxy servers, these sit between the client and the destination working as middlemen between the two communicating parties. They extend beyond the reach of packet filters by examining information from layer 4 to layer 7. However, they can be quite slow.

public key

One of two keys used in an asymmetric algorithm, it is sent by the host to a peer and used to encrypt and decrypt data. The public key has a corresponding private key that is maintained on the owner's system only.

Real Time Streaming Protocol ( RTSP )

A real-time audio and video protocol used by several multimedia applications, such as RealPlayer, Cisco IP/TV, QuickTime 4, Netshow, and VDO Live. The PIX firewall requires application inspection using fixup protocols to enable these protocols to work across the device.

reconnaissance attack

An attack that involves probing a network or system in an effort to discover what exists. Port scanners and network sniffers are tools that could be used to help discover a network or system.

Remote Authentication Dial-in User Services ( RADIUS )

The RADIUS protocol was originally developed by Livingston Enterprises, Inc., as an access protocol. RADIUS provides authentication and accounting services using the connectionless UDP protocol.

Remote Shell ( RSH )

Originally created for Unix systems as an easy-to-use remote console that doesn't need a login, as Telnet does. RSH is inherently insecure and is being phased out; therefore, it should be avoided.


Stands for remote-office- branch-office locations. The PIX 506 has been designed specifically to meet the needs of the ROBO environments.

Routing Information Protocol ( RIP )

A common distance vector protocol used by routers to periodically exchange routing table information. RIP uses a hop count metric to determine the best possible path through the network. Although the PIX does not forward routing updates, it can be configured to forward its default route or update its local routing table with routes received from routers using RIP.


An asymmetric public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adelman, the inventors of the technique, which uses varying key lengths depending on the required encryption levels.

script kiddies

Hackers who don't make their own tools but use prebuilt tools, programs, or scripts readily available on the Internet.

Secure Hash Algorithm 1 ( SHA-1 )

A hashing algorithm that creates a 160-bit hash value output. It's commonly used on IPSec for data integrity.

Secure Shell ( SSH )

A secure virtual terminal similar to Telnet, it provides protected data transfer over a public media. Because Telnet cannot be used to access the PIX from the outside interface, SSH is often used to overcome this and provide a secure channel.

Secure Sockets Layer ( SSL )

A method for protecting Web traffic, it was developed by Netscape. The SSL security protocol provides data encryption, message integrity, and server authentication for application layer protocols such as HTTP.

security association ( SA )

A result of a successful IKE and IPSec negotiation that defines all security parameters used to provide data integrity, confidentiality, and a secure connection.

security policy

A core document or set of procedures used to describe how an organization's information, data, and services will be protected.

Session Initiation Protocol ( SIP )

A VoIP protocol that allows connections between audio devices using IP. The caller contacts a VoIP gateway that locates the destination phone and the caller and helps the two connect. This advanced protocol requires PIX fixup protocols to allow traffic to pass through the firewall device.


The process of blocking addresses from entering the firewall, it's typically done dynamically by an IDS.

Simple Mail Transport Protocol ( SMTP )

A mail messaging system used between devices to deliver mail.

Simple Network Management Protocol ( SNMP )

An Application layer protocol that is used to exchange management information between network devices. Network devices are called agents and can either be polled for information or sent to what is called a network management station. Although the PIX supports SNMP versions 1 and 2, its built-in security feature allows SNMP to read and monitor the PIX.

Skinny Client Control Protocol ( SCCP )

Typically it's just called Skinny, and it was created by Cisco. Cisco uses this simplified protocol for its VoIP phones and CallManager servers. This advanced protocol requires PIX fixup protocols to allow traffic to pass through the firewall device.


Stands for small-office-home-office locations. The PIX 501 model is most suitable for SOHO environments.


A method used to gain unauthorized access to computers, in which the hacker sends packets to a computer with a source IP address, indicating that the message is coming from a trusted host.

SQL*Net Protocol

A protocol used to query SQL databases by Oracle clients and servers. This advanced protocol requires PIX fixup protocols to allow traffic to pass through the firewall device.

stateful failover

Stateful failover behaves in a similar way to non-stateful failover when a failover occurs. However, xlate and connection table information is maintained continually across a second, dedicated Ethernet connection between the firewalls. This helps users by not requiring reestablishment of the connection after a failover.

stateful packet filters

These monitor traffic similar to packet filters, but they record the traffic into a connection and xlate table and allow only requested traffic back into the system. The PIX uses stateful packet filters.

static mapping

Creates a binding or permanent mapping from an internal address to a global address when using NAT.

structured threats

Structured threats are threats done by skilled attackers who have the ability and skills to develop their own new methods of attack against unknown vendor vulnerabilities.

symmetric key

Also known as a shared secret key. This symmetric key is used by two peers for encrypting and decrypting data or to produce a result in a hash.

SYN Floodguard

A PIX guard used to protect hosts from half-open TCP SYN attacks by limiting the number of half-open connections allowed. The PIX also protects against flooding DoS attacks by ensuring that AAA services are still available during times of high traffic.

Syslog server

Typically the primary location to log data. These servers can store and log messages to disk for later review.

TCP intercepts

Work with embryonic connections to intercept TCP three-way handshakes to determine whether they are valid requests before forwarding them to the actual host. The PIX performs the three-way handshake with the external host in an attempt to determine whether the external host's intentions are genuine .


A standard protocol and application used to provide a virtual terminal from a remote device.

Terminal Access Controller Access Control System Plus ( TACACS+ )

The TACACS+ protocol is used to provide a reliable TCP connection between the client and the server for AAA service requests. These requests are more secure than RADIUS because the body of the transaction is always encrypted and more reliable than RADIUS, which employs UDP.

transform sets

The modes or methods the two peers use to protect user data ”for instance, AH, ESP, or both when using IPSec.

translation table

A table used for IP address-to-IP address mapping as IP packets traverse the firewall. This table is commonly known as the xlate table.

Transmission Control Protocol ( TCP )

A layer 4 connection-oriented protocol that guarantees delivery of data by using acknowledgements and windowing.

Trivial File Transfer Protocol ( TFTP )

A protocol that allows transferring of data using the User Datagram Protocol (UDP). However, it does not provide any security features. It is often used by servers to boot diskless workstations or upload and download images and configurations to routers and firewalls. TFTP is typically used on trusted parts of a network.

trojan horse

A destructive program disguised as a normal, safe application. Trojan horses do not usually replicate themselves like viruses do; however, they can be just as destructive.

tunnel mode

Tunnel mode transports packets between two networks by encapsulating that data. Tunnel mode refers to encapsulating data from one point to another. IPSec can use either tunnel mode or transport mode. Tunnel mode is commonly used for site-to-site VPNs, whereas transport mode is typically used for remote access.

Turbo ACLs

Turbo ACLs decrease the time it takes to scan through large access lists by compiling them and creating an index of the list. Turbo ACLs are not supported on the PIX 501 because of their memory requirement.

unprivileged mode

This is the first access mode you come to when entering the CLI, and it allows only a very small subset of the available commands.

unstructured threats

Unstructured threats caused by individuals commonly known as script kiddies . These are people who are not skilled in hacking but who can do damage by using prebuilt tools, programs, or scripts readily available on the Internet to launch attacks.

URL filtering

An integrated feature that allows the PIX firewall to work with content filtering services. These services allow the capturing of World Wide Web requests to support the enforcement of policies or monitoring of user traffic.

User Datagram Protocol ( UDP )

UDP is a connectionless layer 4 transport protocol. This protocol does not use acknowledgments or sessions like TCP does and lacks guaranteed delivery of data. However, UDP is fast and commonly used by multimedia applications.

Virtual HTTP

Allows browser and Web server authentication to work correctly with the PIX when authentication with the cut-through proxy is problematic .

virtual private network ( VPN )

A method of encapsulating traffic to traverse a common media in a secure manner. Several types of VPNs exist, including IPSec, PPTP, and L2TP, to name a few.

virtual Telnet

Allows users to preauthenticate using a virtual Telnet session before executing the application that needs to pass through the PIX. Typically, it's used when nonstandard port access is needed. HTTP, FTP, and Telnet are the standard ports.


A piece of code or program that has been loaded on a computer that runs against your will, possibly causing damage.

Voice of IP ( VoIP )

A method of using hardware and software to enable communication, such as telephone calls, across IP networks.

VPN accelerator card ( VAC )

The Cisco PIX firewall is a hardware-based accelerator designed to provide higher-performance tunneling and encryption for DES and 3DES by offloading the encryption processing to the VPN accelerator card.

well-known ports

A set of ports ranging from 1 to 1,023 that are reserved for specific TCP/IP protocols and services.

wide area network ( WAN )

This connects two sites by using the layer 2 protocol to transmit data.

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218 © 2008-2017.
If you may any questions please contact us: