Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used when the sensor is managing a device.
A
aaa
authentication, authorization, and accounting. A Cisco IOS software and PIX Firewall command for controlling how users can log in to a router or a PIX Firewall.
AAA
authentication, authorization, and accounting. Pronounced "triple a."
ACE
Access Control Entry. An entry in the ACL that describes what action should be taken for a specified address or protocol. The sensor adds and removes ACEs to block hosts.
ACL
Access Control List. A list of ACEs that control the flow of data through a router. There are two ACLs per router interface, one for inbound data and one for outbound data. Only one ACL per direction can be active at a time. ACLs are identified by number or by name. ACLs can be standard, enhanced, or extended. You can configure the sensor to manage ACLs.
action
The sensor's response to an event. An action only happens if it is not filtered. Possible actions include TCP reset, block host, block connection, IP logging, and capturing the alert trigger packet.
active ACL
The ACL created and maintained by NAC and applied to the router block interfaces.
alarm channel
The IPS software module that processes all signature events generated by the inspectors. Its primary function is to generate alerts for each event it is passed.
alert
Specifically, an IPS event type; it is written to the Event Store as an evidsAlert. In general, an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence. Also known as an alarm.
analysis engine
The IPS software module that handles sensor configuration. It maps the interfaces and also the signature and alarm channel policy to the configured interfaces.
application
Any program (process) designed to run in the Cisco IPS environment.
application instance
A specific application running on a specific piece of hardware in the IPS environment. An application instance is addressable by its name and the IP address of its host computer.
application partition image
A full IPS image used to reimage a sensor's application partition.
atomic attack
Represents exploits contained within a single packet. For example, the "ping of death" attack is a single, abnormally large ICMP packet.
attack
An assault on system security that derives from an intelligent threat, that is, an intelligent act that is a deliberate attempt (especially in the sense of method or technique) to evade security services and violate the security policy of a system.
authentication
Process of verifying that a user has permission to use the system, usually by means of a password key or certificate.
AuthenticationApp
A component of the IPS. It verifies that users have the correct permissions to perform CLI, IDM, or RDEP actions.
B
base version
A software release that must be installed before a follow-on release such as a service pack or signature update can be installed. Major and minor version upgrades are base version releases.
BIOS
Basic Input/Output System. The program that starts the sensor and communicates between the devices in the sensor and the system.
block
The ability of the sensor to direct a network device to deny entry to all packets from a specified network host or network.
block interface
The interface on the network device that the sensor manages.
bypass mode
Mode that lets packets continue to flow through the sensor even if the sensor fails. Bypass mode is only applicable to inline-paired interfaces.
C
CA
certification authority. Entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate. Sensors use self-signed certificates.
CA certificate
Certificate for one CA issued by another CA.
cidDump
A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.
CIDMEF
Cisco Intrusion Detection System Message Exchange Format. The published message exchange format for IDS architecture data. The specification of CIDMEF is an XML/1.0 schema document.
cipher key
The secret binary data used to convert between clear text and cipher text. When the same cipher key is used for both encryption and decryption, it is called symmetric. When it is used for either encryption or decryption (but not both), it is called asymmetric.
CLI
Command Line Interface. A shell provided with the sensor for configuration and control of the sensor applications.
command and control interface
The interface on the sensor that communicates with the IPS manager and other network devices. This interface has an assigned IP address.
composite attack
Spans multiple packets in a single session. Examples include most conversation attacks, such as those against FTP and Telnet, and most Regex-based attacks.
connection block
NAC blocks traffic from a given source IP address to a given destination IP address and destination port.
console
A terminal or laptop computer used to monitor and control the sensor.
console port
An RJ45 or DB9 serial port on the sensor that is used to connect to a console device.
control interface
When NAC opens a Telnet or SSH session with a network device, it uses one of the device's routing interfaces as the remote IP address. This is the control interface.
control transaction
An IPS message containing a command addressed to a specific application instance. Example control transactions include start, stop, getConfig.
cookie
A piece of information sent by a web server to a web browser that the browser is expected to save and send back to the web server whenever the browser makes additional requests of the web server.
CTR
Cisco Threat Response. See Threat Response.
D
Database Processor
See DBP.
DBP
Database Processor. Maintains the signature state and flow databases.
Deny Filters Processor
See DFP.
DES
Data Encryption Standard. A strong encryption method where the strength lies in a 56-bit key rather than an algorithm.
DFP
Deny Filters Processor. Handles the deny attacker functions. It maintains a list of denied source IP addresses.
DoS
Denial of Service. An attack whose goal is just to disrupt the operation of a specific system or network.
disk image
A complete image of the IPS appliance hard-disk drive. This includes the OS, additional drivers, third-party software, and the IPS software.
DNS
Domain Name System. An Internet-wide hostname to IP address mapping. DNS enables you to convert human-readable names into the IP addresses needed for network packets.
E
encryption
Application of a specific algorithm to data to alter the appearance of the data making it incomprehensible to those who are not authorized to see the information.
engine
A component of the sensor designed to support many signatures in a certain category. Each engine has parameters that can be used to create signatures or tune existing signatures.
enterprise network
Large and diverse network connecting most major points in a company or other organization. Differs from a WAN in that it is privately owned and maintained.
ESD
Electrostatic discharge. Electrostatic discharge is the rapid movement of a charge from one object to another object, which produces several thousand volts of electrical charge that can cause severe damage to electronic components or entire circuit card assemblies.
event
An IPS message that contains an alert, a block request, a status message, or an error message.
Event Server
One of the components of the IPS.
Event Store
One of the components of the IPS. A fixed-size, indexed store used to store IPS events.
evIdsAlert
The XML entity written to the Event Store that represents an alert.
F
false negative
A signature is not fired when offending traffic is detected.
false positive
Normal traffic or a benign action causes a signature to fire.
fileXferd
Legacy proprietary file transfer mechanism.
firewall
A security device that protects the perimeter of the network.
fragmentation
IP fragmentation involves breaking a single IP packet into multiple segments that are all below the maximum transmission size for the network.
Fragment Reassembly Processor
See FRP.
FRP
Fragment Reassembly Processor. Reassembles fragmented IP datagrams. It is also responsible for normalization of IP fragments when the sensor is in inline mode.
FTP
File Transfer Protocol. Application protocol, part of the TCP/IP protocol stack, used for transferring files between network nodes. FTP is defined in RFC 959.
FTP server
File Transfer Protocol server. A server that uses the FTP protocol for transferring files between network nodes.
FWSM
FireWall Security Module. A module that can be installed in a Catalyst 6500 series switch. It uses the shun command to block. You can configure the FWSM in either single mode or multi-mode.
G
GMT
Greenwich Mean Time. Time zone at zero degrees longitude. Now called Coordinated Universal Time (UTC).
H
handshake
Sequence of messages exchanged between two or more network devices to ensure transmission synchronization.
host block
NAC blocks all traffic from a given IP address.
HTTP
Hypertext Transfer Protocol. The stateless request/response media transfer protocol used in the IPS architecture for remote data exchange.
HTTPS
An extension to the standard HTTP protocol that provides confidentiality by encrypting the traffic from the website. By default this protocol uses TCP port 443.
I
ICMP
Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. Documented in RFC 792.
IDAPI
Intrusion Detection Application Programming Interface. Provides a simple interface between IPS architecture applications. IDAPI reads and writes event data and provides a mechanism for control transactions.
IDIOM
Intrusion Detection Interchange and Operations Messages. A data format standard that defines the event messages that are reported by intrusion detection systems as well as the operational messages that are used to configure and control intrusion detection systems.
IDMEF
Intrusion Detection Message Exchange Format. The IETF Intrusion Detection Working Group draft standard.
IDM
IPS Device Manager. A web-based application that lets you configure and manage your sensor. The web server for IDM resides on the sensor. You can access it through Netscape or Internet Explorer Web browsers.
IPS
Intrusion Prevention System. A system that alerts the user to the presence of an intrusion on the network through network traffic analysis techniques.
IPS data or message
Describes the messages transferred over the command and control interface between IPS applications.
IDSM-2
Intrusion Detection System Module. A switching module that performs intrusion detection in the Catalyst 6500 series switch.
IDS MC
Management Center for IDS Sensors. A web-based IDS manager that can manage configurations for up to 300 sensors.
inline mode
All packets entering or leaving the network must pass through the sensor.
interface group
Refers to the logical grouping of sensing interfaces. Multiple sensing interfaces can be assigned to a logical interface group. Signature parameters are tuned on a per logical interface group basis.
intrusion detection system
A security service that monitors and analyzes system events for the purpose of finding and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.
IP address
32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as 4 octets separated by periods (dotted decimal format). Each address consists of a network number, an optional subnetwork number, and a host number. The network and subnetwork numbers together are used for routing, and the host number is used to address an individual host within the network or subnetwork. A subnet mask is used to extract network and subnetwork information from the IP address.
IP spoofing
IP spoofing attack occurs when an attacker outside your network pretends to be a trusted user either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you want to provide access to specified resources on your network. Should an attacker get access to your IPSec security parameters, that attacker can masquerade as the remote user authorized to connect to the corporate network.
iplog
A log of the binary packets to and from a designated address. Iplogs are created when the log EventAction is selected for a signature. Iplogs are stored in a libpcap format, which can be read by Ethereal and TCPDump.
L
Layer 2 Processor
See L2P.
L2P
Layer 2 Processor. Processes layer 2-related events. It also identifies malformed packets and removes them from the processing path.
Logger
One of the components of the IPS.
logging
Logging of security information is performed on two levels: logging of events (such as IPS commands, errors, and alerts), and logging of individual IP session information.
M
MainApp
The main application in the IPS. The first application to start on the sensor after the operating system has booted.
maintenance partition image
A full IPS image used to reimage the maintenance partition of the IDSM-2.
major update
A base version that contains major new functionality or a major architectural change in the product.
managed
Legacy service that manages and monitors network devices (routers and packet filters).
manufacturing image
Full IPS system image used by manufacturing to image sensors.
MBS
master blocking sensor. A remote sensor that controls one or more devices. Blocking forwarding sensors send blocking requests to the master blocking sensor and the master blocking sensor executes the blocking requests.
minor update
A minor version that contains minor enhancements to the product line. Minor updates are incremental to the major version, and are also base versions for service packs.
monitoring interface
See sensing interface.
MSFC, MSFC2
Multilayer Switch Feature Card. An optional card on a Catalyst 6000 supervisor engine that performs L3 routing for the switch.
N
NAT
Native Address Translation. A network device can present an IP address to the outside networks that is different from the actual IP address of a host.
Network Access Controller
One of the components of the IPS. A software module that provides block/unblock functionality where applicable.
never block address
Hosts and networks you have identified that should never be blocked.
never shun address
See never block address.
network device
A device that controls IP traffic on a network and is capable of blocking an attacking host. An example of a network device is a Cisco router or PIX Firewall.
NM-CIDS
A network module that integrates IPS functionality into the branch office router.
node
A physical communicating element on the command and control network. For example, an appliance, an IDSM-2, or a router.
NSDB
Network Security Database. A database of security information that explains the signatures the IPS uses along with the vulnerabilities on which these signatures are based. The NSDB contains a description for each attack signature that the sensor can detect.
NTP server
Network Timing Protocol server. A server that uses NTP. NTP is a protocol built on top of TCP that ensures accurate local time-keeping with reference to radio and atomic clocks located on the Internet. This protocol is capable of synchronizing distributed clocks within milliseconds over long time periods.
P
packetd
Legacy service that provided intrusion detection; packetd was used when the sensor itself was capturing packets directly from the network.
PAT
Port Address Translation. A more restricted translation scheme than NAT in which a single IP address and different ports are used to represent the hosts of a network.
PFC
Policy Feature Card. An optional card on a Catalyst 6000 supervisor engine that supports VACL packet filtering.
PIX Firewall
Private Internet Exchange Firewall. A Cisco network security device that can be programmed to block/enable addresses and ports between networks.
PKI
Public Key Infrastructure. Authentication of HTTP clients using the clients' X.509 certificates.
Post-ACL
Designates an ACL from which NAC should read the ACL entries, and where it places entries after all deny entries for the addresses being blocked.
Pre-ACL
Designates an ACL from which NAC should read the ACL entries, and where it places entries before any deny entries for the addresses being blocked.
promiscuous mode
A passive interface for monitoring packets of the network segment. The monitoring interface does not have an IP address assigned to it and is therefore invisible to attackers.
R
rack mounting
Refers to mounting a sensor in an equipment rack.
recovery partition image
An IPS image file that includes the full application image and installer used for recovery on appliances.
RDEP
Remote Data Exchange Protocol. The published specification for remote data exchange over the command and control network using HTTP and TLS.
regex
See regular expression.
regular expression
A mechanism by which you can define how to search for a specified sequence of characters in a data stream or file. Regular expressions are a powerful and flexible notation almost like a mini-programming language that allow you to describe text. In the context of pattern matching, regular expressions allow a succinct description of any arbitrary pattern.
ROMMON
Read-Only-Memory Monitor. It lets you TFTP system images onto the sensor for recovery purposes.
RR
Risk Rating.
RSM
Router Switch Module. A router on a module that is installed in a Catalyst 5000 switch. It functions exactly like a standalone router.
S
SAP
Signature Analysis Processor. Dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.
SCEP
Simple Certificate Enrollment Protocol. The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS#7 and PKCS#10. SCEP is the evolution of the enrollment protocol.
SDP
Slave Dispatch Processor.
SEAP
Signature Event Action Processor. Processes event actions. Event actions can be associated with an event risk rating (RR) threshold that must be surpassed for the actions to take place.
Security Monitor
Monitoring Center for Security. Provides event collection, viewing, and reporting capability for network devices. Used with the IDS MC.
sensing interface
The interface on the sensor that monitors the desired network segment. The sensing interface is in promiscuous mode; it has no IP address and is not visible on the monitored segment.
sensor
The sensor is the intrusion detection engine. It analyzes network traffic searching for signs of unauthorized activity.
sensorApp
One of the components of the IPS. Performs packet capture and analysis. SensorApp analyzes network traffic for malicious content. Packets flow through a pipeline of processors fed by a producer designed to collect packets from the network interfaces on the sensor.
service pack
Used for the release of bug fixes with no new enhancements. Service packs are cumulative following a base version release (minor or major).
session command
Command used on routers and switches to provide either Telnet or console access to a module in the router or switch.
shun command
Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. It is used by NAC when blocking with a PIX.
Signature Analysis Processor
See SAP.
signature engine
A component of the sensor that supports many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values.
Signature Event Action Processor
See SEAP.
signature update
Executable image that updates the IPS signature analysis engine (SensorApp) and the NSDB. Applying an IPS signature update is like updating virus definitions on a virus scanning program. Signature updates are released independently and have their own versioning scheme.
Slave Dispatch Processor
See SDP.
sniffing interface
See sensing interface.
source
An application that produces IPS messages, such as AGM.
SP
Statistics Processor. Keeps track of the system statistics such as packet counts and packet arrival rates.
SPAN
Switched Port Analyzer. Feature of the Catalyst 5000 switch that extends the monitoring abilities of existing network analyzers into a switched Ethernet environment. SPAN mirrors the traffic at one switched segment onto a predefined SPAN port. A network analyzer attached to the SPAN port can monitor traffic from any other Catalyst switched port.
SRP
Stream Reassembly Processor. Reorders TCP streams to ensure the arrival order of the packets at the various stream-based inspectors. It is also responsible for normalization of the TCP stream. The normalizer engine lets you enable or disable alert and deny actions.
SSH
Secure Shell. A utility that uses strong authentication and secure communications to log in to another computer over a network.
SSL
Secure Socket Layer. Encryption technology for the Internet used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.
Statistics Processor
See SP.
Stream Reassembly Processor
See SRP.
STRING engine
A signature engine that provides regular expression-based pattern inspection and alert functionality for multiple transport protocols, including TCP, UDP, and ICMP.
subsignature
A more granular representation of a general signature. It typically further defines a broad scope signature.
surface mounting
Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.
SYN flood
Denial of Service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle.
system image
The full IPS application and recovery image used for reimaging an entire sensor.
T
TACACS+
Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal Access Controller Access Control System (TACACS). Provides additional support for authentication, authorization, and accounting.
TCP
Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
tcpdump
The tcpdump utility is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can use different options for viewing summary and detail information for each packet. See http://www.tcpdump.org/ for more information.
TCP Normalizer engine
Responsible for normalization of the TCP stream. The normalizer engine lets you enable or disable alert and deny actions.
TCP reset interface
The interface on the IDS-4250-XL and IDSM-2 that can send TCP resets. On most sensors the TCP resets are sent out on the same sensing interface on which the packets are monitored, but on the IDS-4250-XL and IDSM-2 the sensing interfaces cannot be used for sending TCP resets. On the IDS-4250-XL the TCP reset interface is the onboard 10/100/100 TX interface, which is normally used on the IDS-4250-TX appliance when the XL card is not present. On the IDSM-2 the TCP reset interface is designated as port 1 with Catalyst software, and is not visible to the user in Cisco IOS software. The TCP reset action is only appropriate as an action selection on those signatures that are associated with a TCP-based service.
Telnet
Standard terminal emulation protocol in the TCP/IP protocol stack. Telnet is used for remote terminal connection, enabling users to log in to remote systems and use resources as if they were connected to a local system. Telnet is defined in RFC 854.
terminal server
A router with multiple, low speed, asynchronous ports that are connected to other serial devices. Terminal servers can be used to remotely manage network equipment, including sensors.
TFTP
Trivial File Transfer Protocol. Simplified version of FTP that lets files be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).
Threat Response
Works with Cisco sensors to provide an efficient intrusion protection solution. Threat Response virtually eliminates false alarms, escalates real attacks, and aids in the remediation of costly intrusions.
threshold
A value, either an upper or a lower bound, that defines the maximum or minimum allowable condition before an alarm is sent.
Time Processor
See TP.
TLS
Transport Layer Security. The protocol used over stream transports to negotiate the identity of peers and establish encrypted communications.
TP
Time Processor. Processes events stored in a time-slice calendar. Its primary task is to make stale database entries expire and to calculate time-dependent statistics.
traffic analysis
Inference of information from observable characteristics of data flow(s), even when the data is encrypted or otherwise not directly available. Such characteristics include the identities and locations of the source(s) and destination(s), and the presence, amount, frequency, and duration of occurrence.
Transaction Server
One of the components of the IPS.
Transaction Source
One of the components of the IPS.
tune
Adjusting signature parameters to modify an existing signature.
U
UDP
User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.
unblock
To direct a router to remove a previously applied block.
UTC
Coordinated Universal Time. Time zone at zero degrees longitude. Formerly called Greenwich Mean Time (GMT) and Zulu time.
V
VACL
VLAN ACL. An ACL that filters all packets (both within a VLAN and between VLANs) that pass through a switch. Also known as security ACLs.
virtual sensor
A logical grouping of sensing interfaces and the configuration policy for the signature engines and alarm filters to apply to them. In other words, multiple virtual sensors can run on the same appliance, each configured with different signature behavior and traffic feeds. IPS 5.x supports only one virtual sensor.
virus update
A signature update specifically addressing viruses.
VLAN
Virtual Local Area Network. A logical division of a LAN into different broadcast domains.
VMS
CiscoWorks VPN/Security Management Solution. A suite of network security applications that combines web-based tools for configuring, monitoring, and troubleshooting enterprise VPN, firewalls, network intrusion detection systems and host-based intrusion prevention systems.
vulnerability
One or more attributes of a computer or a network that permit a subject to initiate patterns of misuse on that computer or network.
W
Web Server
One of the components of the IPS.
Wireshark
Wireshark is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. For more information, see http://www.wireshark.org.
X
X.509
Standard that defines information contained in a certificate.
XML
eXtensible Markup Language. Textual file format used for data interchange between heterogeneous hosts.