Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession. An alternative 3DES version uses just two 56-bit DES keys, but uses one of them twice, resulting effectively in a 112-bit key length. Legal for use only in the United States. See DES.
authentication, authorization, and accounting. Pronounced "triple-A."
The information entered into the configuration that specifies what type of traffic to permit or deny into an interface. By default, traffic that is not explicitly permitted is denied. Access control rules are composed of access control entries (ACEs).
access control entry.
access control list. A mechanism on a device that specifies which entities are permitted to access that device or the networks behind that device.
Cisco Secure Access Control Server. Software running on a RADIUS server used to store policy databases used in a NAC implementation to control access to the network.
A mode of establishing ISAKMP SAs that simplifies IKE authentication negotiation (phase 1) between two or more IPSec peers. Aggressive mode is faster than main mode, but is not as secure. See main mode, quick mode.
Authentication Header. This is an older IPSec protocol that is less important in most networks than ESP. AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption.
Authentication Header with the MD5 (HMAC variant) hash algorithm.
Authentication Header with the SHA (HMAC variant) hash algorithm.
Authentication Header Protocol. A protocol that provides source host authentication, and data integrity. AHP does not provide secrecy.
A logical sequence of steps for solving a problem. Security algorithms pertain to either data encryption or authentication.
DES and 3DES are two examples of data encryption algorithms.
Examples of encryption-decryption algorithms include block cipher, CBC, null cipher, and stream cipher.
Authentication algorithms include hashes such as MD5 and SHA.
alternate mark inversion.
Address Resolution Protocol—A low-level TCP/IP protocol that maps a node hardware address (called a MAC address) to its IP address.
Adaptive Security Algorithm. Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application.
Also called public key systems, this approach allows anyone to obtain access to anyone else's public key and therefore send an encrypted message to that person using the public key.
A pair of mathematically related cryptographic keys. The public key encrypts information that only the private key can decrypt, and vice versa. Additionally, the private key signs data that only the public key can authenticate.
Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, and data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, thereby reducing transit delays.
To establish the truth of an identity.
In security, the verification of the identity of a person or process. Authentication establishes the integrity of a data stream, ensuring that it was not tampered with in transit, and providing confirmation of the data stream's origin.
A fixed-length sequence of bits.
An encryption algorithm that uses a 64-bit symmetric cipher to operate on data blocks of a fixed size. See cipher.
Bootstrap Protocol. The protocol used by a network node to determine the IP address of its Ethernet interfaces to effect network booting.
certification authority. A trusted third-party entity that issues and/or revokes digital certificates. Sometimes referred to as a notary or a certifying authority. Within a given CA's domain, each device needs only its own certificate and the CA's public key to authenticate every other device in that domain.
A digital certificate granted to one certification authority (CA) by another certification authority.
A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
Context-based Access Control. Protocol that provides internal users with secure access control for each application and for all traffic across network perimeters. CBAC scrutinizes both source and destination addresses and tracks each application connection status.
Cisco Discovery Protocol. A media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN.
Certificate Enrollment Protocol. A certificate management protocol. CEP is an early implementation of Certificate Request Syntax (CRS), a standard proposed to the Internet Engineering Task Force (IETF). CEP specifies how a device communicates with a CA, including how to retrieve the public key of the CA, how to enroll a device with the CA, and how to retrieve a certificate revocation list (CRL). CEP uses PKCS (Public Key Cryptography Standards) 7 and 10 as key component technologies. The public key infrastructure working group (PKIX) of the IETF is working to standardize a protocol for these functions, either CRS or an equivalent. When an IETF standard is stable, Cisco will add support for it. CEP was jointly developed by Cisco Systems and VeriSign, Inc.
An X.509 certificate contains within it information regarding the identity of whichever device or entity possesses that certificate. The identification information is then examined during each subsequent instance of peer verification and authentication. However, certificate identities can be vulnerable to spoofing attacks.
Cisco Encryption Technology. Proprietary network layer encryption introduced in Cisco IOS Release 11.2. CET provides network data encryption at the IP packet level and implements the following standards: DH, DSS, and 40- and 56-bit DES.
Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access. See also PAP.
Character Generation. Via TCP, a service that sends a continual stream of characters until stopped by the client. Via UDP, the server sends a random number of characters each time the client sends a datagram.
Computational method for checking the integrity of transmitted data, computed from a sequence of octets taken through a series of arithmetic operations. The recipient recomputes the value and compares it for verification.
An encryption-decryption algorithm.
Encrypted, unreadable data, prior to its decryption.
A clear channel is one through which non-encrypted traffic can flow. Clear channels place no security restrictions on transmitted data.
Decrypted text. Also called plaintext.
command-line interface. The primary interface for entering configuration and monitoring commands to the router. Refer to the Configuration Guide for the router you are configuring for information on what commands you can enter from the CLI.
Term used to describe distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also RPC.
Cisco Networking Services. A suite of services that support scalable network deployment, configuration, service-assurance monitoring, and service delivery.
An IP compression algorithm.
Configuration, Config, Config File
The file on the router that holds the settings, preferences, and properties you can administer using SDM.
A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on your local hard drive. The file can be loaded the next time you run a Java applet or visit a website. In this way information unique to you as a user can be saved between sessions. The maximum size of a cookie is approximately 4KB.
customer premises equipment.
certificate revocation list. A list maintained and signed by a certificate authority (CA) of all the unexpired but revoked digital certificates.
Mathematical and scientific techniques for keeping data private, authentic, unmodified, and non-repudiated.
In SDM, crypto maps specify which traffic should be protected by IPSec, where IPSec-protected traffic should be sent, and what IPSec transform sets should be applied to this traffic.
The result of data encryption that prevents the disclosure of information to unauthorized individuals, entities, or processes. This information can be either data at the application level, or communication parameters. See traffic flow confidentiality or traffic analysis.
The presumed accuracy of transmitted data — signifying the sender's authenticity and the absence of data tampering.
data origin authentication
One function of a non-repudiation service.
Reverse application of an encryption algorithm to encrypted data, thereby restoring that data to its original, unencrypted state.
The gateway of last resort. The gateway to which a packet is routed when its destination address does not match any entries in the routing table.
Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST). Uses a secret 56-bit encryption key. The DES algorithm is included in many encryption standards.
Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them.
A public key cryptography protocol that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange.
Diffie-Hellman key exchange
A public key cryptography protocol that allows two parties to establish a shared secret over insecure communication channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange. Cisco IOS software supports 768-bit and 1024-bit Diffie-Hellman groups.
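The exchange the two entries above describe, as an added example that is not part of the glossary or of Cisco IOS: both peers pick a private exponent, publish only g^x mod p, and arrive at the same secret, while the transcript an eavesdropper sees contains no private value. The modulus is the 1024-bit MODP group (Oakley group 2) from RFC 2409; the range check on the peer's public value is the caveat a practitioner adds, since Diffie-Hellman alone does not authenticate the peer (IKE does that separately with preshared keys or certificates).

```python
import secrets

# 1024-bit MODP group (Oakley group 2, generator 2) as published in
# RFC 2409, section 6.2. This is the "1024-bit Diffie-Hellman group"
# the glossary entry refers to.
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def generate_keypair(p=P_1024, g=G):
    """Return (private exponent x, public value y = g^x mod p).

    x is chosen at random and never leaves the peer; y is the only value
    sent over the insecure channel.
    """
    x = secrets.randbelow(p - 3) + 2  # uniform in [2, p-2]
    return x, pow(g, x, p)


def is_valid_public_value(y, p=P_1024):
    """Reject degenerate peer values (0, 1, p-1, or out of range) that would
    force the shared secret to a value an attacker can predict regardless of x."""
    return 1 < y < p - 1


def shared_secret(x, peer_y, p=P_1024):
    """Compute peer_y^x mod p after checking the peer's public value."""
    if not is_valid_public_value(peer_y, p):
        raise ValueError("peer public value out of range")
    return pow(peer_y, x, p)


def run_exchange(p=P_1024, g=G):
    """Simulate both IKE peers: each keeps its x, publishes its y, and derives
    the secret from the other's y. Returns (secret_a, secret_b, transcript)."""
    xa, ya = generate_keypair(p, g)
    xb, yb = generate_keypair(p, g)
    secret_a = shared_secret(xa, yb, p)
    secret_b = shared_secret(xb, ya, p)
    # The transcript is everything an eavesdropper sees: p, g, ya, yb.
    return secret_a, secret_b, (p, g, ya, yb)


if __name__ == "__main__":
    a, b, transcript = run_exchange()
    print("peers agree:", a == b, "secret bits:", a.bit_length())
```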
The output of a hash function.
A cryptographically signed, digital representation of user or device attributes that binds a key to an identity. A unique certificate attached to a public key provides evidence that the key has not been compromised. A certificate is issued and signed by a trusted certification authority, and binds a public key to its owner. Certificates typically include the owner's name, the owner's public key, the certificate's serial number, and the certificate's expiration date. Other information might also be present. See X.509.
An authentication method that permits the easy discovery of data forgery, and prevents repudiation. Additionally, the use of digital signatures allows for verification that a transmission has been received intact. Typically includes a transmission time stamp.
A shared cryptographic key that is divided into pieces, with each piece provided to a different participant.
data-link connection identifier. In Frame Relay connections, the identifier for a particular data link connection between two endpoints.
Dynamic Multipoint Virtual Private Network. A virtual private network in which routers are arranged in a logical hub and spoke topology, and in which the spokes have point-to-point GRE over IPSec connections with the hub. DMVPN uses GRE and NHRP to enable the flow of packets to destinations in the network.
A router with a single DMVPN configuration has a connection to one DMVPN hub, and has one configured GRE tunnel for DMVPN communication. The GRE tunnel addresses for the hub and spokes must be in the same subnet.
demilitarized zone. A DMZ is a buffer zone between the Internet, and your private networks. It can be a public network typically used for Web, FTP and E-Mail servers that are accessed by external clients on the Internet. Placing these public access servers on a separate isolated network provides an extra measure of security for your internal network.
Distinguished Name. A unique identifier for a Certification Authority customer, included in each of that customer's certificates received from that Certification Authority. The DN typically includes the user's common name, the name of that user's company or organization, the user's two-letter country code, an e-mail address used to contact the user, the user's telephone number, the user's department number, and the city in which the user resides.
Domain Name System (or Service). An Internet service that translates domain names, which are composed of letters, into IP addresses, which are composed of numbers.
The familiar, easy-to-remember name of a host on the Internet that corresponds to its IP address.
dynamic random access memory. RAM that stores information in capacitors that must be periodically refreshed.
digital subscriber line access multiplexer.
digital signature standard. Also called digital signature algorithm (DSA), the DSS algorithm is part of many public-key standards for cryptographic signatures.
Routing that adjusts automatically to network topology or traffic changes. Also called adaptive routing.
Extensible Authentication Protocol over User Datagram Protocol. Sometimes shortened to EOU. The protocol used by a client and a NAD to perform posture validation.
A centralized VPN management solution based on the Cisco Unified Client Framework. A Cisco Easy VPN consists of two components: a Cisco Easy VPN Remote client, and a Cisco Easy VPN server.
Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco Systems. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
Wrapping of data in a particular protocol header. For example, Ethernet data is wrapped in a specific Ethernet header before network transit. Also, when bridging dissimilar networks, the entire frame from one network is simply placed in the header used by the data link layer protocol of the other network.
To cryptographically produce ciphertext from plaintext.
Application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information.
enrollment proxy host
The proxy server for a certificate enrollment server.
The enrollment URL is the HTTP path to a certification authority (CA) that your Cisco IOS router should follow when sending certificate requests. The URL includes either a DNS name or an IP address, and may be followed by a full path to the CA scripts.
Encapsulating Security Payload. An IPSec protocol that provides both data integrity and confidentiality. Also known as ESP, it provides confidentiality, data origin authentication, replay detection, connectionless integrity, partial sequence integrity, and limited traffic flow confidentiality.
ESP with the 160-bit key SEAL (Software Encryption Algorithm) encryption algorithm. This feature was introduced in 12.3(7)T. The router must not have hardware IPSec encryption enabled in order to use this feature.
ESP (Encapsulating Security Payload) transform with the 168-bit DES encryption algorithm (3DES or Triple DES).
ESP (Encapsulating Security Payload) transform with the 56-bit DES encryption algorithm.
ESP (Encapsulating Security Payload) transform using the HMAC-variant MD5 authentication algorithm.
ESP (Encapsulating Security Payload) transform that provides no encryption and no confidentiality.
ESP (Encapsulating Security Payload) transform using the HMAC-variant SHA authentication algorithm.
A widely used LAN protocol invented by Xerox Corporation, and developed by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD, and run over a variety of cable types at 10 Mbps, or at 100 Mbps. Ethernet is similar to the IEEE 802.3 series of standards.
The expiration date within a certificate or key indicates the end of its limited lifetime. The certificate or key is not trusted after its expiration date passes.
In a NAC implementation, a list of hosts with static addresses that are allowed to bypass the NAC process. These hosts may be placed on the exception list because they do not have posture agents installed, or because they are hosts such as printers or Cisco IP phones.
A type of access rule. Extended rules can examine a greater variety of packet fields to determine a match. Extended rules can examine both the packet's source and destination IP addresses, the protocol type, the source and destination ports, and other packet fields.
Secure Device Provisioning. SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure ( PKI) between two end devices, such as a Cisco IOS client and a Cisco IOS certificate server.
A software tool for determining whether a person has an account at a particular Internet site. Many sites do not allow incoming finger requests.
The fingerprint of a CA certificate is the string of alphanumeric characters that results from an MD5 hash of the whole CA certificate. Entities receiving a CA certificate can verify its authenticity by comparing it to its known fingerprint. This authentication is intended to ensure the integrity of communication sessions by preventing "man-in-the-middle" attacks.
A router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.
A memory chip which retains data without power. Software images can be stored in, booted from, and written to Flash as necessary.
Industry standard, switched data link layer protocol that handles multiple virtual circuits using HDLC encapsulation between connected devices. Frame Relay is more efficient than X.25, the protocol for which it is generally considered a replacement.
File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts.
global IKE policy
An IKE policy that is global to a device, rather than affecting only a single interface on that device.
generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.
GRE over IPSec
This technology uses IPSec to encrypt GRE packets.
Also known as G.991.2, G.SHDSL is an international standard for symmetric DSL developed by the International Telecommunications Union. G.SHDSL provides for sending and receiving high-speed symmetrical data streams over a single pair of copper wires at rates between 192 kbps and 2.31 Mbps.
A standard that enables video conferencing over local-area networks (LANs) and other packet-switched networks, as well as video over the Internet.
One-way process that converts input of any size into checksum output of a fixed size, called a message digest, or just a digest. This process is not reversible, and it is not feasible to create or modify data to result in a specific digest.
A hash algorithm is used to generate a hash value, also known as a message digest, which ensures that message contents are not changed during transmission. The two most widely used hash algorithms are Secure Hash Algorithm (SHA) and MD5.
High-Level Data Link Control. Bit-oriented synchronous data link layer protocol developed by the International Standards Organization (ISO). HDLC specifies a data encapsulation method on synchronous serial links using frame characters and checksums.
The upstream, transmit end of a tunnel.
Hash-based Message Authentication Code. HMAC is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.
Hashed Message Authentication Codes with MD5 (RFC 2104). A keyed version of MD5 that enables two parties to validate transmitted information using a shared secret.
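The HMAC construction of the two entries above (and the HMAC-MD5 and HMAC-SHA variants used by AH and ESP), written out as an added example from RFC 2104 rather than code from the glossary or from Cisco IOS. The receiver-side check shows that a changed message or a different shared key fails verification; `matches_stdlib` cross-checks the hand-written version against Python's `hmac` module.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """HMAC exactly as RFC 2104 defines it:
        H((K XOR opad) || H((K XOR ipad) || text))
    where K is the secret key padded with zeros to the hash's block size
    (64 bytes for MD5 and SHA-1), ipad is 0x36 repeated, opad is 0x5C repeated.
    """
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        # Keys longer than the block size are first reduced with the hash itself.
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, k_ipad + text).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Receiver-side check. compare_digest runs in constant time so a forger
    cannot learn which byte of a guessed tag was the first mismatch."""
    return hmac.compare_digest(hmac_rfc2104(key, text, hash_name), tag)


def matches_stdlib(key: bytes, text: bytes, hash_name: str) -> bool:
    """True if the hand-written HMAC agrees with Python's hmac module."""
    return hmac_rfc2104(key, text, hash_name) == hmac.new(key, text, hash_name).digest()


def tamper_demo():
    """Constructed example: a shared secret, a message, and the tag the sender
    attaches. Returns (genuine_ok, modified_message_ok, wrong_key_ok)."""
    key = b"constructed-shared-secret"
    msg = b"IPSec peer hello, sequence 41"
    tag = hmac_rfc2104(key, msg, "sha1")
    return (
        verify_tag(key, msg, tag, "sha1"),
        verify_tag(key, b"IPSec peer hello, sequence 42", tag, "sha1"),
        verify_tag(b"some-other-key", msg, tag, "sha1"),
    )


if __name__ == "__main__":
    print(hmac_rfc2104(b"key", b"The quick brown fox jumps over the lazy dog").hex())
    print(tamper_demo())
```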
A computer, such as a PC, or other computing device, such as a server, associated with an individual IP address and optionally a name. The name for any device on a TCP/IP network that has an IP address. Also any network-addressable device on any network. The term node includes devices such as routers and printers which would not normally be called hosts.
Hypertext Transfer Protocol, Hypertext Transfer Protocol, Secure. The protocol used by Web browsers and Web servers to transfer files, such as text and graphic files.
In a DMVPN network, a hub is a router with a point-to-point IPSec connection to all spoke routers in the network. The hub is the logical center of a DMVPN network.
Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing.
Intrusion Detection System. The Cisco IPS performs a real time analysis of network traffic to find anomalies and misuse, using a library of signatures it can compare traffic against. When it finds unauthorized activity or anomalies, it can terminate the condition, block traffic from attacking hosts, and send alerts to the IDM.
An IDS sensor is the hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers.
IDS Device Manager. IDM is software used to manage an IDS sensor.
Internet Engineering Task Force.
Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report IP multicast memberships to neighboring multicast routers.
Internet Key Exchange. IKE is a key management protocol standard used in conjunction with IPSec and other standards. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
Before any IPSec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
A method for the secure exchange of private keys across non-secured networks.
An access rule automatically created by the router based on default rules or as a result of user-defined rules.
The IP address of a host inside a network as it appears to devices outside the network.
The configured IP address assigned to a host inside the network.
A CBAC inspection rule allows the router to inspect specified outgoing traffic so that it can allow return traffic of the same type that is associated with a session started on the LAN. If a firewall is in place, incoming traffic that is associated with a session started inside the firewall might be dropped if an inspection rule has not been configured.
The physical connection between a particular network and the router. The router's LAN interface connects to the local network that the router serves. The router has one or more WAN interfaces that connect to the Internet.
The global network that uses IP and the Internet protocols. Not a LAN. See also intranet.
Intranetwork. A LAN which uses IP, and Internet protocols, such as SNMP, FTP, and UDP. See also network, Internet.
Cisco IOS software. Cisco system software that provides common functionality, scalability, and security for all products under CiscoFusion architecture. Cisco IOS allows centralized, integrated, and automated installation and management of internetworks, while ensuring support for a wide variety of protocols, media, services and platforms.
Cisco IOS Intrusion Prevention System. IOS IPS compares traffic against an extensive database of intrusion signatures, and can drop intruding packets and take other actions based on configuration. Signatures are built in to IOS images supporting this feature, and additional signatures can be stored in local or remote signature files.
Internet Protocol. The Internet protocols are the world's most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications.
IP version 4 addresses are 32 bits, or 4 bytes, in length. This address "space" is used to designate the network number, the optional subnetwork number, and a host number. The 32 bits are grouped into four octets (8 binary bits), represented by 4 decimal numbers separated by periods or "dots." The part of the address used to specify the network number, the subnetwork number, and the host number is specified by the subnet mask.
A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
In SDM, an IPSec policy is a named set of crypto maps associated with a VPN connection.
A rule used to specify which traffic is protected by IPSec.
Integrated Routing and Bridging. IRB allows you to route a given protocol between routed interfaces and bridge groups within a single switch router.
The Internet Security Association and Key Management Protocol is the basis for IKE. ISAKMP authenticates communicating peers, creates and manages security associations, and defines key generation techniques.
A string of bits used to encrypt or decrypt data, or to compute message digests.
The process whereby two or more parties agree to use the same secret symmetric key.
A trusted third party who holds the cryptographic keys.
The method by which two or more parties exchange encryption keys. The IKE protocol provides one such method.
An attribute of a key pair that specifies a time span, during which the certificate containing the public component of that key pair is considered valid.
The creation, distribution, authentication, and storage of encryption keys.
A trusted method by which encrypted information can be decrypted if the decryption key is lost or destroyed.
Layer 2 Forwarding Protocol. Protocol that supports the creation of secure virtual private dial-up networks over the Internet.
Layer 2 Tunneling Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN. L2TP is proposed as an IPSec alternative, but is used sometimes alongside IPSec to provide authentication services.
L2TP access concentrator. Device terminating calls to remote systems and tunneling PPP sessions between remote systems and the LNS.
Local Area Network. A network residing in one location or belonging to one organization, typically, but not necessarily, using IP and other Internet protocols. Not the global Internet. See also intranet, network, Internet.
L2TP network server. Device able to terminate L2TP tunnels from a LAC and able to terminate PPP sessions to remote systems through L2TP data sessions.
Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. The local subnet is the subnet associated with your end of a transmission.
An interface that has been created solely by configuration, and that is not a physical interface on the router. Dialer interfaces and tunnel interfaces are examples of logical interfaces.
In a loopback test, signals are sent and then redirected back toward their source from some point along the communications path. Loopback tests are often used to determine network interface usability.
message authentication code. The cryptographic checksum of the message used to verify message authenticity. See hash.
A 32-bit bit mask which specifies how an Internet address is to be divided into network, subnet, and host parts. The net mask has ones (1's) in the bit positions in the 32-bit address that are to be used for the network and subnet parts, and has zeros (0's) for the host part. The mask should contain at least the standard network portion (as determined by the address class), and the subnet field should be contiguous with the network portion. The mask is configured using the decimal equivalent of the binary value.
Decimal: 255.255.255.0
Binary: 11111111 11111111 11111111 00000000
The first 24 bits provide the network and subnetwork address, and the last 8 provide the host address.
Decimal: 255.255.255.248
Binary: 11111111 11111111 11111111 11111000
The first 29 bits provide the network and subnetwork address, and the last 3 provide the host address.
See also IP Address, TCP/IP, host, host/network.
Message Digest 5. A one-way hashing function that produces a 128-bit hash. Both MD5 and Secure Hashing Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. MD5 verifies the integrity and authenticates the origin of a communication.
A string of bits that represents a larger data block. This string defines a data block, based on the processing of its precise content through a 128-bit hash function. Message digests are used in the generation of digital signatures. See hash.
Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
maximum transmission unit. The maximum packet size, in bytes that an interface can transmit or receive.
Network Admission Control. A method of controlling access to a network in order to prevent the introduction of computer viruses. Using a variety of protocols and software products, NAC assesses the condition of hosts when they attempt to log onto the network, and handles the request based on the host's condition, called its posture. Infected hosts can be placed in quarantine; hosts without up-to-date virus protection software can be directed to obtain updates, and uninfected hosts with up-to-date virus protection can be allowed onto the network. See also ACL, posture, and EAPoUDP.
Network Access Device. In a NAC implementation, the device that receives a host's request to log on to the network. A NAD, usually a router, works with posture agent software running on the host, virus protection software, and ACS and posture/remediation servers on the network to control access to the network in order to prevent infection by computer viruses.
Network Access Server. Platform that interfaces between the Internet and the public switched telephone network (PSTN).
Gateway that connects asynchronous devices to a LAN or WAN through network and terminal emulation software. Performs both synchronous and asynchronous routing of supported protocols.
Network Address Translation
Network Address Translation. Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space.
A feature of some routers that allows them to categorize incoming packets into flows. Because packets in a flow often can be treated in the same way, this classification can be used to bypass some of the work of the router and accelerate its switching operation.
A network is a group of computing devices that share part of an IP address space, as opposed to a single host. A network consists of multiple "nodes" or devices with IP addresses, any of which may be referred to as hosts. See also Internet, Intranet, IP, LAN.
In a subnet mask, the number of bits set to binary 1. A subnet mask of 255.255.255.0 has 24 network bits, because 24 bits in the mask are set to 1. A subnet mask of 255.255.248 has 17 network bits.
A network interface card that is installed in the router chassis to add functionality to the router. Examples are Ethernet network modules, and IDS network modules.
Next Hop Resolution Protocol. A client and server protocol used in DMVPN networks, in which the hub router is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots and queries the NHRP database for the real addresses of destination spokes in order to build direct tunnels to them.
A third-party security service that stores evidence for later, possible retrieval, regarding the origin and destination of all data included in a communication — without storing the actual data. This evidence can be used to safeguard all participants in that communication against false denials by any participant of having sent information, as well as false denials by any participant of having received information.
Network Time Protocol. A protocol to synchronize the system clocks on network devices. NTP is a UDP protocol.
A protocol for establishing secret keys for use by authenticated parties, based on Diffie-Hellman and designed to be a compatible component of ISAKMP.
output feedback. An IPSec function that feeds encrypted output (generally, but not necessarily, DES-encrypted) back into the original input. Plaintext is encrypted directly with the symmetric key. This produces a pseudo-random number stream.
The IP address assigned to a host on the outside network by the host's owner. The address was allocated from globally routable address or network space.
The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it was allocated from an address space routable on the inside.
Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing.
packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices.
In cryptosystems, padding refers to random characters, blanks, zeros, and nulls added to the beginning and ending of messages, to conceal their actual length or to satisfy the data block size requirements of some ciphers. Padding also obscures the location at which cryptographic coding actually starts.
Port to Application Mapping. PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.
Password Authentication Protocol. An authentication protocol that allows peers to authenticate one another. PAP passes the password and hostname or username in unencrypted form. See also CHAP.
A protected and secret character string (or other data source) associated with the identity of a specific user or entity.
Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the router chooses a unique port number from the PAT IP address for each outbound translation slot (xlate). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always come first, before a PAT address is used.
In IKE, peers are routers acting as proxies for the participants in an IKE tunnel. In IPSec, peers are devices or entities that communicate securely either through the exchange of keys or the exchange of digital certificates.
perfect forward secrecy. A property of some asymmetric key agreement protocols that allows for the use of different keys at different times during a session, to ensure that the compromising of any single key will not compromise the session as a whole.
A router interface supported by a network module that is installed in the router chassis, or that is part of the router's basic hardware.
An ICMP request sent between hosts to determine whether a host is accessible on the network.
Public Key Cryptography Standard No. 7.
public-key infrastructure. A system of certification authorities (CAs) and registration authorities (RAs) that provides support for the use of asymmetric key cryptography in data communication through such functions as certificate management, archive management, key management, and token management.
Alternatively, any standard for the exchange of asymmetric keys.
This type of exchange allows the recipient of a message to trust the signature in that message, and allows the sender of a message to encrypt it appropriately for the intended recipient. See key management.
Ordinary, unencrypted data.
In a NAC implementation, the condition of a host attempting access to the network. Posture agent software running on the host communicates with the NAD to report on the host's compliance with the network security policy.
Point-to-Point Protocol. A protocol that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP has built-in security mechanisms, such as CHAP and PAP.
Point-to-Point Protocol over Asynchronous Transfer Mode (ATM). Primarily implemented as part of ADSL, PPPoA relies on RFC1483, operating in either Logical Link Control-Subnetwork Access Protocol (LLC-SNAP) or VC-Mux mode.
Point-to-Point Protocol over Ethernet. PPP encapsulated in Ethernet frames. PPPoE enables hosts on an Ethernet network to connect to remote hosts through a broadband modem.
Point-to-Point Tunneling Protocol. Creates client-initiated tunnels by encapsulating packets into IP datagrams for transmission over TCP/IP-based networks. Can be used as an alternative to the L2F and L2TP tunneling protocols. Proprietary Microsoft protocol.
One of three authentication methods offered in IPSec, with the other two methods being RSA encrypted nonces, and RSA signatures. Pre-shared keys allow for one or more clients to use individual shared secrets to authenticate encrypted tunnels to a gateway using IKE. Pre-shared keys are commonly used in small networks of up to 10 clients. With pre-shared keys, there is no need to involve a CA for security.
The Diffie-Hellman key exchange combines public and private keys to create a shared secret to be used for authentication between IPSec peers. The shared secret can be shared between two or more peers. At each participating peer, you would specify a shared secret as part of an IKE policy. Distribution of this pre-shared key usually takes place through a secure out-of-band channel. When using a pre-shared key, if one of the participating peers is not configured with the same pre-shared key, the IKE SA cannot be established. An IKE SA is a prerequisite to an IPSec SA. You must configure the pre-shared key at all peers.
Digital certification and wildcard pre-shared keys (which allow for one or more clients to use a shared secret to authenticate encrypted tunnels to a gateway) are alternatives to pre-shared keys. Both digital certification and wildcard pre-shared keys are more scalable than pre-shared keys.
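The pre-shared-key entry above describes a Diffie-Hellman exchange whose result is authenticated with a secret both peers must already hold. The following is an added illustration of that idea, not Cisco code and not the IKE wire format: the toy prime and generator, the HMAC-SHA-256 authenticator over the exchanged values, and all helper names are our simplifications. It shows that the two peers derive the same secret, that degenerate public values are rejected, and that a peer configured with a different pre-shared key fails authentication, which is why the glossary says the IKE SA cannot be established in that case.

```python
"""Toy Diffie-Hellman exchange authenticated with a pre-shared key.
Added example, not part of the glossary and not the IKE protocol itself;
parameters and helper names are ours."""
import hashlib
import hmac
import secrets

# Toy parameters: a 127-bit Mersenne prime and a small generator, chosen so
# the arithmetic is readable.  A real IKE policy uses a standardised MODP
# group (RFC 2409 / RFC 3526) of 1024 bits or more.
TOY_PRIME = 2**127 - 1
TOY_GENERATOR = 5


def dh_keypair(p=TOY_PRIME, g=TOY_GENERATOR):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(private, peer_public, p=TOY_PRIME):
    """Both peers compute g^(xy) mod p.  Public values 0, 1 and p-1 are
    rejected: they would force the secret into a tiny set."""
    if not 1 < peer_public < p - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_public, private, p)


def _int_to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def auth_tag(psk, my_public, peer_public, shared):
    """Simplified authenticator: HMAC keyed with the pre-shared key over the
    two public values and the DH result.  Without the same PSK a peer cannot
    produce it, so a mismatched key is detected here."""
    msg = _int_to_bytes(my_public) + _int_to_bytes(peer_public) + _int_to_bytes(shared)
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk_initiator, psk_responder):
    """Simulate both peers.  Returns True only when each side accepts the
    other's authenticator, i.e. when both hold the same pre-shared key."""
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    k_i = dh_shared_secret(x_i, pub_r)
    k_r = dh_shared_secret(x_r, pub_i)
    assert k_i == k_r  # Diffie-Hellman correctness: same secret on both sides
    tag_from_i = auth_tag(psk_initiator, pub_i, pub_r, k_i)
    tag_from_r = auth_tag(psk_responder, pub_r, pub_i, k_r)
    # Each side recomputes what the other should have sent and compares in
    # constant time.
    i_accepts = hmac.compare_digest(tag_from_r, auth_tag(psk_initiator, pub_r, pub_i, k_i))
    r_accepts = hmac.compare_digest(tag_from_i, auth_tag(psk_responder, pub_i, pub_r, k_r))
    return i_accepts and r_accepts


if __name__ == "__main__":
    print("same PSK:", run_exchange(b"s3cret", b"s3cret"))
    print("different PSK:", run_exchange(b"s3cret", b"other"))
```

Note that the exchange itself succeeds regardless of the keys; it is only the authenticator that binds the result to the shared secret, which is the role the pre-shared key plays in IKE phase 1.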
An ordered sequence of bits that appears superficially similar to a truly random sequence of the same bits. A key generated from a pseudo random number is called a nonce.
public key encryption
In public key encryption systems, every user has both a public key and a private key. Each private key is maintained by a single user and shared with no one. The private key is used to generate a unique digital signature and to decrypt information encrypted with the public key. In contrast, a user's public key is available to everyone to encrypt information intended for that user, or to verify that user's digital signature. Sometimes called public key cryptography.
permanent virtual circuit (or connection). Virtual circuit that is permanently established. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time. In ATM terminology, called a permanent virtual connection.
Quality of Service. A method of guaranteeing bandwidth to specified types of traffic.
In Oakley, the name of the mechanism used after a security association has been established to negotiate changes in security services, such as new keys.
registration authority. An entity serving as an optional component in PKI systems to record or verify some of the information that certification authorities (CAs) use when issuing certificates or performing other certificate management functions. The CA itself might perform all RA functions, but they are generally kept separate. RA duties vary considerably, but may include assigning distinguished names, distributing tokens, and performing personal authentication functions.
Remote Authentication Dial-In User Service. An access server authentication and accounting protocol that uses UDP as the transport protocol. See also TACACS+.
remote copy protocol. Protocol that allows users to copy files to and from a file system residing on a remote host or server on the network. The rcp protocol uses TCP to ensure the reliable delivery of data.
Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. A "remote subnet" is the subnet that is not associated with your end of a transmission.
A standard IPSec security feature that combines sequence numbers with authentication, so the receiver of a communication can reject old or duplicate packets in order to prevent replay attacks.
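The anti-replay entry above, and the MD5/SHA entries earlier, describe sequence numbers combined with a keyed hash. The following is an added example, not part of the glossary and not Cisco IOS code: the packet layout (4-byte sequence number, payload, 96-bit HMAC-SHA-1 tag), the 64-packet window and the helper names are ours, chosen to mirror the shape of an AH/ESP packet without reproducing either format. It shows the receiver rejecting a duplicate, a packet older than the window, and a tampered packet, while still accepting packets that arrive out of order inside the window.

```python
"""Sequence numbers plus a keyed hash, with a sliding anti-replay window.
Added example, not part of the glossary or of Cisco IOS; layout and helper
names are ours."""
import hashlib
import hmac
import struct

TAG_LEN = 12       # HMAC-SHA-1 truncated to 96 bits, as AH/ESP do (RFC 2404)
WINDOW_SIZE = 64   # sliding window; RFC 4303 requires at least 32


def protect(key, seq, payload):
    """Sender side: number the packet, then authenticate number + payload."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()[:TAG_LEN]
    return header + payload + tag


class ReplayWindow:
    """Tracks which of the most recent WINDOW_SIZE sequence numbers were seen.
    Bit 0 of `bitmap` stands for `highest`, bit i for `highest - i`."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def is_acceptable(self, seq):
        """Preliminary check only; nothing is recorded until the tag verifies."""
        if seq == 0:
            return False                              # 0 is never a valid sequence number
        if seq > self.highest:
            return True                               # new high-water mark
        offset = self.highest - seq
        if offset >= self.size:
            return False                              # older than the window
        return not (self.bitmap & (1 << offset))      # inside window: reject duplicates

    def record(self, seq):
        """Mark seq as seen, sliding the window forward if needed."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(key, window, packet):
    """Receiver side.  Order follows RFC 4303: replay pre-check, integrity
    check, then window update.  Returns the payload, or None if rejected."""
    if len(packet) < 4 + TAG_LEN:
        return None
    header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    seq = struct.unpack("!I", header)[0]
    if not window.is_acceptable(seq):
        return None
    expected = hmac.new(key, header + payload, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                                   # forged or corrupted: window untouched
    window.record(seq)
    return payload
```

The window is updated only after the tag verifies; otherwise a forged packet carrying a high sequence number could slide the window forward and cause genuine in-flight packets to be discarded as too old.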
In cryptographic systems, repudiation is the denial by one of the entities involved in a communication of having participated in all or part of that communication.
The password that you provide to a CA when you request that it revoke a router's digital certificate. Sometimes called a challenge password.
RFC 1483 routing
RFC1483 describes two different methods for carrying connectionless network interconnect traffic over an ATM network: routed protocol data units (PDUs) and bridged PDUs. SDM supports the configuration of RFC 1483 routing, and enables you to configure two encapsulation types: AAL5MUX, and AAL5SNAP.
AAL5MUX: AAL5 MUX encapsulation supports only a single protocol (IP or IPX) per PVC.
AAL5SNAP: AAL5 Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) encapsulation supports Inverse ARP and incorporates the LLC/SNAP header that precedes the protocol datagram. This allows multiple protocols to traverse the same PVC.
Routing Information Protocol. A routing protocol that uses the number of routers a packet must pass through to reach the destination, as the routing metric.
Ultimate certification authority (CA), which signs the certificates of the subordinate CAs. The root CA has a self-signed certificate that contains its own public key.
A path through an internetwork.
Route maps enable you to control information that is added to the routing table. SDM automatically creates route maps to prevent NAT from translating specific source addresses when doing so would prevent packets from matching criteria in an IPSec rule.
remote procedure call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients. See also client/server computing.
Rivest, Shamir, and Adleman, the inventors of this cryptographic key exchange technique, which is based on factoring large numbers. RSA is also the name of the technique itself. RSA may be used for encryption and authentication, and is included in many security protocols.
An RSA asymmetric key pair is a set of matching public and private keys.
One of three authentication methods offered in IPSec, with the other two methods being RSA encrypted nonces, and pre-shared keys. Also, one of the three Federal Information Processing Standards (FIPS)-approved algorithms for generating and verifying digital signatures. The other approved algorithms are DSA and Elliptic Curve DSA.
Cisco Router and Security Device Manager. Cisco SDM is an Internet browser-based software tool designed to configure LAN, WAN, and security features on a router. See Getting Started for more information.
Information added to the configuration to define your security policy in the form of conditional statements that instruct the router how to react to a particular situation.
security association. A set of security parameters agreed upon by two peers to protect a specific session in a particular tunnel. Both IKE and IPSec use SAs, although SAs are independent of one another.
IPSec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Protocol (ESP) between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
security association ID. Numeric identifier for the SA of a given link.
A string of pseudorandom characters used to enhance cryptographic complexity.
Security Device Event Exchange. A message protocol that can be used to report on security events, such as alarms generated when a packet matches the characteristics of a signature.
Signature Definition File. A file, usually in XML format, containing signature definitions that can be used to load signatures on a security device.
The predetermined length of time in which an SA is in effect.
A key that is used only once.
Some encryption systems use the Secure Hashing Algorithm to generate digital signatures, as an alternative to MD5.
Secure Hashing Algorithm 1. Algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks. SHA-1 [NIS94c] is a revision to SHA that was published in 1994.
The secret key that all users share in a symmetric key-based communication session.
A cryptographic key.
See digital signature.
Used to associate your digital signature with your messages or documents, and to ensure that your messages or files are conveyed without changes.
Session Initiation Protocol. Enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the media stream. Using SIP, the router can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers.
Typically, a site-to-site VPN is one that connects two networks or subnetworks and that meets several other specific criteria, including the use of static IP addresses on both sides of the tunnel, the absence of VPN client software on user end-stations, and the absence of a central VPN hub (as would exist in hub-and-spoke VPN configurations). Site-to-site VPNs are not intended to replace dial-in access by remote or traveling users.
Simple Mail Transfer Protocol. Internet protocol providing e-mail services.
Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
Selective Packet Discard. SPD gives priority to routing protocol packets and other important traffic-control packets, such as Layer 2 keepalives, during periods of queue congestion.
In a DMVPN network, a spoke router is a logical end point in the network, and has a point-to-point IPSec connection with a DMVPN hub router.
The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists.
source-route bridging. Method of bridging originated by IBM and popular in Token Ring networks. In an SRB network, the entire route to a destination is predetermined, in real time, prior to the sending of data to the destination.
Secure Shell. An application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. Up to five SSH clients are allowed simultaneous access to the router console.
Secure Socket Layer. Encryption technology for the Web used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.
In SDM, a type of access rule or NAT rule. Standard rules compare a packet's source IP address against its IP address criteria to determine a match. Standard rules use a wildcard mask to determine which portions of the IP address must match.
state, stateful, stateful Inspection
Network protocols maintain certain data, called state information, at each end of a network connection between two hosts. State information is necessary to implement the features of a protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or session IDs. Some of the protocol state information is sent in each packet while each protocol is being used. For example, a web browser connected to a web server uses HTTP and supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. Routers inspect the state information in each packet to verify that it is current and valid for every protocol it contains. This is called stateful inspection and is designed to create a powerful barrier to certain types of computer security threats.
Static Port Address Translation. A static address maps a local IP address to a global IP address. Static PAT is a static address that also maps a local port to a global port. See also PAT.
Route that is explicitly configured and entered into the routing table. Static routes take precedence over routes chosen by dynamic routing protocols.
In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by the network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. See also IP address, subnet bits, subnet mask.
32-bit address mask used in IP to indicate the bits of an IP address that are being used for the network and optional subnet address. Subnet masks are expressed in decimal. The mask 255.255.255.0 specifies that the first 24 bits of the address Sometimes referred to simply as mask. See also address mask and IP address.
A symmetric key is used to decrypt information that it previously encrypted.
A T1 link is a data link capable of transmitting data at a rate of 1.5 MB per second.
Terminal Access Controller Access Control System plus. An access server authentication and accounting protocol that uses TCP as the transport protocol.
The downstream, receive end of a tunnel.
Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
TCP Syn Flood Attack
A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a website, accessing e-mail, using FTP service, and so on.
A terminal emulation protocol for TCP/IP networks such as the Internet. Telnet is a common way to control web servers remotely.
Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP and is explained in depth in Request For Comments (RFC) 1350.
traffic flow confidentiality or traffic analysis
Security concept that prevents the unauthorized disclosure of communication parameters. The successful implementation of this concept hides source and destination IP addresses, message length, and frequency of communication from unauthorized parties.
Description of a security protocol and its corresponding algorithms.
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
A virtual channel through a shared medium such as the Internet, used for the exchange of encapsulated data packets.
The process of piping the stream of one protocol through another protocol.
User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack; it belongs to the Internet protocol family.
A client of a Unity Easy VPN Server.
Universal Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser, for example, http://www.cisco.com.
Identity confirmation of a person or process.
virtual channel identifier. A virtual path may carry multiple virtual channels corresponding to individual connections. The VCI identifies the channel being used. The combination of VPI and VCI identifies an ATM connection.
Virtual Fragment Reassembly. VFR enables IOS Firewall to dynamically create ACLs to block IP fragments. IP fragments often do not contain enough information for static ACLs to be able to filter them.
virtual path identifier. Identifies the virtual path used by an ATM connection.
virtual private dial-up network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPDNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the home gateway, instead of the network access server (NAS).
Virtual Private Network. Provides the same network connectivity for users over a public infrastructure as they would have over a private network. VPNs enable IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.
A site-to-site VPN. A site-to-site VPN consists of a set of VPN connections between peers, in which the defining attributes of each connection include the following device configuration information:
- A connection name
- Optionally, an IKE policy and pre-shared key
- An IPSec peer
- A list of one or more remote subnets or hosts that will be protected by the connection
- An IPSec rule that defines which traffic is to be encrypted
- A list of transform sets that define how protected traffic is encrypted
- A list of the device network interfaces to which the connection is applied
VPN mirror policy
A VPN policy on a remote system that contains values that are compatible with a local policy and that enable the remote system to establish a VPN connection to the local system. Some values in a mirror policy must match values in a local policy, and some values, such as the IP address of the peer, must be the reverse of the corresponding values in the local policy.
You can create mirror policies for remote administrators to use when you configure site-to-site VPN connections. For information on generating a mirror policy, refer to Generate Mirror....
virtual type terminal. Commonly used as virtual terminal lines.
Wide Area Network. A network that serves users across a broad geographical area, and often uses transmission devices provided by common carriers. See also LAN.
A bit mask used in access rules, IPSec rules, and NAT rules to specify which portions of the packet's IP address must match the IP address in the rule. A wildcard mask contains 32 bits, the same number of bits in an IP address. A wildcard bit value of 0 specifies that the bit in that same position of the packet's IP address must match the bit in the IP address in the rule. A value of 1 specifies that the corresponding bit in the packet's IP address can be either 1 or 0, that is, that the rule "doesn't care" what the value of the bit is. A wildcard mask of 0.0.0.0 specifies that all 32 bits in the packet's IP address must match the IP address in the rule. A wildcard mask of 0.0.255.0 specifies that the first 16 bits, and the last 8 bits must match, but that the third octet can be any value. If the IP address in a rule is 10.28.15.0, and the mask is 0.0.255.0, the IP address 10.28.88.0 would match the IP address in the rule, and the IP address 10.28.15.55 would not match.
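The matching rule described above, worked through in code as an added example that is not part of the glossary or of SDM (helper names are ours, and the ordered-rule evaluator assumes the usual first-match-wins behaviour with an implicit deny when nothing matches). It reproduces the 10.28.15.0 / 0.0.255.0 case from the entry, converts a contiguous wildcard back to the equivalent subnet mask, and evaluates a small constructed rule list.

```python
"""Wildcard-mask matching and first-match rule evaluation.  Added example,
not part of the glossary or of Cisco SDM; helper names are ours."""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(rule_address, wildcard_mask, packet_address):
    """True when every bit whose wildcard bit is 0 is equal in both addresses.

    (rule XOR packet) leaves 1s exactly where the addresses differ; masking
    that with NOT(wildcard) keeps only the differences the rule cares about.
    """
    rule, wc, pkt = (_to_int(a) for a in (rule_address, wildcard_mask, packet_address))
    return ((rule ^ pkt) & (~wc & 0xFFFFFFFF)) == 0


def wildcard_to_subnet_mask(wildcard_mask):
    """For a contiguous wildcard the bitwise inverse is the subnet mask
    (0.0.0.255 -> 255.255.255.0).  A non-contiguous wildcard such as the
    0.0.255.0 in the glossary entry has no subnet-mask equivalent."""
    return str(ipaddress.IPv4Address(~_to_int(wildcard_mask) & 0xFFFFFFFF))


def evaluate_acl(entries, packet_address):
    """entries: ordered list of (action, rule_address, wildcard_mask) tuples.
    The first matching entry wins; no match means "deny" (implicit deny)."""
    for action, rule_address, wildcard_mask in entries:
        if wildcard_match(rule_address, wildcard_mask, packet_address):
            return action
    return "deny"


# Constructed sample rule list: deny one /24, permit the rest of 10.0.0.0/8.
SAMPLE_ACL = [
    ("deny", "10.28.15.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.255.255.255"),
]

if __name__ == "__main__":
    print(wildcard_match("10.28.15.0", "0.0.255.0", "10.28.88.0"))   # True
    print(wildcard_match("10.28.15.0", "0.0.255.0", "10.28.15.55"))  # False
    for addr in ("10.28.15.7", "10.1.2.3", "192.0.2.1"):
        print(addr, evaluate_acl(SAMPLE_ACL, addr))
```

Because rule order decides the outcome, swapping the two entries in the sample list would let 10.28.15.7 through: the broader permit would match first and the deny would never be consulted.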
Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network computer.
A digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature.
A digital certificate that is structured according to the X.509 guidelines.
X.509 certificate revocation list (CRL)
A list of certificate numbers that have been revoked. An X.509 CRL is one that meets either of the two CRL formatting definitions in X.509.
IKE Extended Authentication. Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur.
Xauth is an extension to IKE, and does not replace IKE authentication.