CCNA TERMS

Numerics
 
3DES
See DES.
A
 
AAA
Authentication, authorization, and accounting. See also TACACS+ and RADIUS.
ABR
Area Border Router. In OSPF, a router with interfaces in multiple areas.
ACE
Access Control Entry. Information entered into the configuration that lets you specify what type of traffic to permit or deny on an interface. By default, traffic that is not explicitly permitted is denied.
Access Modes
The security appliance CLI uses several command modes. The commands available in each mode vary. See also user EXEC mode, privileged EXEC mode, global configuration mode, command-specific configuration mode.
ACL
Access Control List. A collection of ACEs. An ACL lets you specify what type of traffic to allow on an interface. By default, traffic that is not explicitly permitted is denied. ACLs are usually applied to the interface which is the source of inbound traffic. See also rule, outbound ACL.
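The two rules in the ACE and ACL entries (first match wins, anything not explicitly permitted is denied) are easy to state and easy to get wrong in practice, most often by placing a specific deny after a broader permit. The following Python model, added here as an illustration and not security appliance code, evaluates an ACL the way the entries describe and also reports ACEs that can never match because an earlier ACE already covers them. The addresses and rules are constructed from RFC 5737 documentation ranges.

```python
"""Model of ACE/ACL evaluation: first match wins, implicit deny at the end.

Added illustration, not security appliance code. Addresses and rules below are
constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" (matches any protocol)
    src: str                     # source network in CIDR form; "0.0.0.0/0" is any
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(acl: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first ACE that matches.

    Falling off the end of the list is the implicit deny: ('deny', None).
    """
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, i
    return "deny", None


def covers(earlier: ACE, later: ACE) -> bool:
    """True when every packet matching `later` would already match `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed(acl: List[ACE]) -> List[int]:
    """Indices of ACEs that can never be reached because an earlier ACE covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed inbound ACL for a web server at 192.0.2.10.
OUTSIDE_IN: List[ACE] = [
    ACE("permit", "tcp", "0.0.0.0/0",        "192.0.2.10/32", 443),  # HTTPS from anywhere
    ACE("permit", "tcp", "198.51.100.0/24",  "192.0.2.10/32", 22),   # SSH from the management net
    ACE("deny",   "tcp", "198.51.100.77/32", "192.0.2.10/32", 22),   # intended block, but ACE 1 matches first
]

if __name__ == "__main__":
    print(evaluate(OUTSIDE_IN, "tcp", "203.0.113.5", "192.0.2.10", 443))   # ('permit', 0)
    print(evaluate(OUTSIDE_IN, "tcp", "198.51.100.77", "192.0.2.10", 22))  # ('permit', 1): the deny is shadowed
    print(evaluate(OUTSIDE_IN, "tcp", "203.0.113.5", "192.0.2.10", 22))    # ('deny', None): implicit deny
    print(shadowed(OUTSIDE_IN))                                             # [2]
```

Moving the deny above the management-net permit fixes the constructed ACL; `shadowed()` is the check to run whenever an ACL is edited, since a shadowed ACE is a policy the device will never enforce.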
ActiveX
A set of object-oriented programming technologies and tools used to create mobile or portable programs. An ActiveX program is roughly equivalent to a Java applet.
Address Resolution Protocol
See ARP.
address translation
The translation of a network address and/or port to another network address/or port. See also IP address, interface PAT, NAT, PAT, Static PAT, xlate.
AES
Advanced Encryption Standard. A symmetric block cipher that can encrypt and decrypt information. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits. See also DES.
AH
Authentication Header. An IP protocol (type 51) that can ensure data integrity, authentication, and replay detection. AH is embedded in the data to be protected (a full IP datagram, for example). AH can be used either by itself or with ESP. This is an older IPSec protocol that is less important in most networks than ESP. AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to the RFC 2402.
A record address
A stands for address, and refers to name-to-address mapped records in DNS.
APCF
Application Profile Customization Framework. Lets the security appliance handle non-standard applications so that they render correctly over a WebVPN connection.
ARP
Address Resolution Protocol. A low-level TCP/IP protocol that maps an IP address to the hardware address, or MAC address, of the interface that owns it, by broadcasting a request on the local segment and caching the reply. An example hardware address is 00:00:a6:00:01:ba. The first three groups of characters (00:00:a6) identify the manufacturer; the rest of the characters (00:01:ba) identify the system card. ARP is defined in RFC 826.
ASA
Adaptive Security Algorithm. Used by the security appliance to perform inspections. ASA allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. See also inspection engine.
ASA
adaptive security appliance.
ASDM
Adaptive Security Device Manager. An application for managing and configuring a single security appliance.
asymmetric encryption
Also called public key systems. In asymmetric encryption each party holds a key pair: a public key that anyone can obtain and a private key that only its owner holds. Anyone who has a recipient's public key can encrypt a message to that recipient, and only the holder of the matching private key can decrypt it. See also encryption, public key.
authentication
Cryptographic protocols and services that verify the identity of users and the integrity of data. One of the functions of the IPSec framework. Authentication establishes the integrity of the data stream, ensuring that it is not tampered with in transit, and confirms the origin of the data stream. See also AAA, encryption, and VPN.
Auto Applet Download
Automatically downloads the WebVPN port-forwarding applet when the user first logs in to WebVPN.
auto-signon
This command provides a single sign-on method for WebVPN users. It passes the WebVPN login credentials (username and password) to internal servers for authentication using NTLM authentication, basic authentication, or both.
B
 
Backup Server
IPSec backup servers let a VPN client connect to the central site when the primary security appliance is unavailable.
BGP
Border Gateway Protocol. BGP performs interdomain routing in TCP/IP networks. BGP is an Exterior Gateway Protocol, which means that it performs routing between multiple autonomous systems or domains and exchanges routing and access information with other BGP systems. The security appliance does not support BGP. See also EGP.
BLT stream
Bandwidth Limited Traffic stream. Stream or flow of packets whose bandwidth is constrained.
BOOTP
Bootstrap Protocol. Lets diskless workstations boot over the network as is described in RFC 951 and RFC 1542.
BPDU
Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network. Protocol data unit is the OSI term for packet.
C
 
CA
Certificate Authority, Certification Authority. A third-party entity that is responsible for issuing and revoking certificates. Each device with the public key of the CA can authenticate a device that has a certificate issued by the CA. The term CA also refers to software that provides CA services. See also certificate, CRL, public key, RA.
cache
A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks. Caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content.
CBC
Cipher Block Chaining. A block cipher mode of operation in which each plaintext block is XORed with the previous ciphertext block before it is encrypted, so that identical plaintext blocks produce different ciphertext and patterns in the data are hidden. CBC requires an initialization vector (IV) to start encryption; the IV must be unpredictable and is carried explicitly in the IPSec packet.
certificate
A signed cryptographic object that binds the identity of a user or device to that user's or device's public key, signed with the private key of the CA that issued it. A peer that holds the CA's public key can verify the signature and thereby trust the binding. Certificates have an expiration date and may also be placed on a CRL if known to be compromised. Certificates also establish non-repudiation for IKE negotiation, which means that you can prove to a third party that IKE negotiation was completed with a specific peer.
CHAP
Challenge Handshake Authentication Protocol.
CIFS
Common Internet File System. It is a platform-independent file sharing system that provides users with network access to files, printers, and other machine resources. Microsoft implemented CIFS for networks of Windows computers, however, open source implementations of CIFS provide file access to servers running other operating systems, such as Linux, UNIX, and Mac OS X.
Citrix
An application that virtualizes client-server applications and optimizes web applications.
CLI
command line interface. The primary interface for entering configuration and monitoring commands to the security appliance.
client/server computing
Distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also RPC.
Client update
Lets you update revisions of clients to which the update applies; provide a URL or IP address from which to get the update; and, in the case of Windows clients, optionally notify users that they should update their VPN client version.
command-specific configuration mode
From global configuration mode, some commands enter a command-specific configuration mode. All user EXEC, privileged EXEC, global configuration, and command-specific configuration commands are available in this mode. See also global configuration mode, privileged EXEC mode, user EXEC mode.
Compression
The process of encoding information using fewer bits or other information-bearing units than an unencoded representation would use. Compression can reduce the size of transferring packets and increase communication performance.
configuration, config, config file
A file on the security appliance that represents the equivalent of settings, preferences, and properties administered by ASDM or the CLI.
Content Rewriting/Transformation
Interprets and modifies applications so that they render correctly over a WebVPN connection.
cookie
A small piece of data that a web server sends to a browser and that the browser stores and returns with later requests to that server. Cookies carry information such as session identifiers or user preferences in persistent storage.
CPU
Central Processing Unit. Main processor.
CRC
Cyclic Redundancy Check. Error-checking technique in which the frame recipient calculates a remainder by dividing the frame contents by a fixed generator polynomial and compares the calculated remainder to a value stored in the frame by the sending node. A CRC detects accidental corruption only; it is not keyed and gives no protection against deliberate modification (see HMAC for that).
CRL
Certificate Revocation List. A digitally signed message that lists all of the current but revoked certificates listed by a given CA. This is analogous to a book of stolen charge card numbers that allow stores to reject bad credit cards. When certificates are revoked, they are added to a CRL. When you implement authentication using certificates, you can choose to use CRLs or not. Using CRLs lets you easily revoke certificates before they expire, but the CRL is generally only maintained by the CA or an RA. If you are using CRLs and the connection to the CA or RA is not available when authentication is requested, the authentication request will fail. See also CA, certificate, public key, RA.
CRV
Call Reference Value. Used by H.225.0 to distinguish call legs signalled between two entities.
cryptography
Encryption, authentication, integrity, keys and other services used for secure communication over networks. See also VPN and IPSec.
crypto map
A data structure with a unique name and sequence number that is used for configuring VPNs on the security appliance. A crypto map selects data flows that need security processing and defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. Crypto maps contain the ACLs, encryption standards, peers, and other parameters necessary to specify security policies for VPNs using IKE and IPSec. See also VPN.
CTIQBE
Computer Telephony Interface Quick Buffer Encoding. A protocol used in IP telephony between the Cisco CallManager and CTI TAPI and JTAPI applications. CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports NAT, PAT, and bi-directional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the security appliance.
cut-through proxy
Enables the security appliance to provide faster traffic flow after user authentication. The cut-through proxy challenges a user initially at the application layer. After the security appliance authenticates the user, it shifts the session flow and all traffic flows directly and quickly between the source and destination while maintaining session state information.
D
 
data confidentiality
Describes any method that manipulates data so that no attacker can read it. This is commonly achieved by data encryption and keys that are only available to the parties involved in the communication.
data integrity
Describes mechanisms that allow the recipient of a piece of protected data to verify that the data has not been modified in transit. Integrity is provided by a keyed hash (see HMAC) computed with a shared secret key, or by a digital signature computed with a public key algorithm. Encryption alone does not provide it: encryption hides data but does not by itself detect changes to it.
data origin authentication
A security service where the receiver can verify that protected data could have originated only from the sender. This service requires a data integrity service plus a key distribution mechanism, where a secret key is shared only between the sender and receiver.
decryption
Application of a specific algorithm or cipher to encrypted data so as to render the data comprehensible to those who are authorized to see the information. See also encryption.
DES
Data Encryption Standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths), IPSec crypto (56-bit key), and 3DES (triple DES), which applies DES three times with three 56-bit keys (168 bits of key material). 3DES is more secure than DES but requires more processing for encryption and decryption. A single 56-bit DES key is within reach of brute-force search and should not be relied on for new deployments. See also AES, ESP.
DHCP
Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them and so that mobile computers, such as laptops, receive an IP address applicable to the LAN to which it is connected.
Diffie-Hellman
A public key cryptography protocol that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within IKE to establish session keys. Diffie-Hellman is a component of Oakley key exchange.
Diffie-Hellman Group 1, Group 2, Group 5, Group 7
Diffie-Hellman refers to a type of public key cryptography using asymmetric encryption based on large prime numbers to establish both Phase 1 and Phase 2 SAs. Group 1 uses a 768-bit prime and Group 2 a 1024-bit prime; Group 1 is weaker but may be the only version supported by some IPSec peers. Diffie-Hellman Group 5 uses a 1536-bit prime number, is the most secure of the modular groups listed here, and is recommended for use with AES. Group 7 has an elliptic curve field size of 163 bits and is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC). See also VPN and encryption.
Note The group 7 command option was deprecated in ASA version 8.0(4).
digital certificate
See certificate.
DMZ
See interface.
DN
Distinguished Name. Global, authoritative name of an entry in the OSI Directory (X.500).
DNS
Domain Name System (or Service). An Internet service that translates domain names into IP addresses.
DoS
Denial of Service. A type of network attack in which the goal is to render a network service unavailable.
DSL
digital subscriber line. Public network technology that delivers high bandwidth over conventional copper wiring at limited distances. DSL is provisioned via modem pairs, with one modem located at a central office and the other at the customer site. Because most DSL technologies do not use the whole bandwidth of the twisted pair, there is room remaining for a voice channel.
DSP
digital signal processor. A DSP segments a voice signal into frames and stores them in voice packets.
DSS
Digital Signature Standard. A digital signature algorithm designed by The US National Institute of Standards and Technology and based on public-key cryptography. DSS does not do user datagram encryption. DSS is a component in classic crypto, as well as the Redcreek IPSec card, but not in IPSec implemented in Cisco IOS software.
Dynamic NAT
See NAT and address translation.
Dynamic PAT
Dynamic Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the security appliance chooses a unique port number from the PAT IP address for each outbound translation slot ( xlate). This feature is valuable when an ISP cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always come first, before a PAT address is used. See also NAT, Static PAT, and xlate.
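The NAT, Dynamic PAT and xlate entries describe a small state machine: global pool addresses are handed out first, one per inside host; once the pool is empty, new connections share the single PAT address and each gets a unique port; return traffic is mapped back through the same table, and traffic with no matching xlate is dropped. The Python below, added here as an illustration and not security appliance code, models that table. Addresses, ports and the pool are constructed; real devices also age xlates out and apply per-protocol rules that this model leaves out.

```python
"""Dynamic NAT pool with PAT fallback: a simplified model of the xlate table.

Added illustration, not security appliance code. Addresses and ports are
constructed; real devices also age xlates out and apply per-protocol rules.
"""
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]      # (proto, ip, port)


class Translator:
    def __init__(self, pool: List[str], pat_ip: str, first_port: int = 1024):
        self._free_pool = list(pool)                       # global pool addresses, handed out first
        self._host_to_global: Dict[str, str] = {}          # inside host -> its pool address
        self.pat_ip = pat_ip
        self._next_port = first_port
        self.xlates: Dict[Flow, Tuple[str, int]] = {}      # inside flow -> global (ip, port)
        self._reverse: Dict[Flow, Tuple[str, int]] = {}    # global flow -> inside (ip, port)

    def translate(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        key = (proto, src_ip, src_port)
        if key in self.xlates:                 # existing slot: translation is stable per flow
            return self.xlates[key]
        gip = self._host_to_global.get(src_ip)
        if gip is None and self._free_pool:    # dynamic NAT: one pool address per inside host
            gip = self._free_pool.pop(0)
            self._host_to_global[src_ip] = gip
        if gip is not None:
            mapped = (gip, src_port)           # NAT keeps the source port
        else:                                  # pool exhausted: PAT on the single PAT address
            mapped = (self.pat_ip, self._allocate_port(proto))
        self.xlates[key] = mapped
        self._reverse[(proto,) + mapped] = (src_ip, src_port)
        return mapped

    def _allocate_port(self, proto: str) -> int:
        """Pick a port on the PAT address that no live xlate for this protocol uses."""
        for _ in range(65535 - 1024 + 1):
            port = self._next_port
            self._next_port = 1024 if port == 65535 else port + 1
            if (proto, self.pat_ip, port) not in self._reverse:
                return port
        raise RuntimeError("PAT port space exhausted")   # new connections fail, existing ones continue

    def untranslate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map return traffic to the inside host; None means no xlate, so the packet is dropped."""
        return self._reverse.get((proto, dst_ip, dst_port))


def demo() -> dict:
    t = Translator(pool=["203.0.113.10"], pat_ip="203.0.113.1")
    first = t.translate("tcp", "10.1.1.5", 40000)     # gets the pool address, port unchanged
    second = t.translate("tcp", "10.1.1.6", 40000)    # pool gone: PAT, first free port 1024
    third = t.translate("tcp", "10.1.1.7", 40000)     # PAT, next free port 1025
    return {
        "pool_used_first": first,
        "pat_second": second,
        "pat_third": third,
        "same_flow_stable": t.translate("tcp", "10.1.1.6", 40000) == second,
        "return_path": t.untranslate("tcp", *third),
        "unsolicited": t.untranslate("tcp", "203.0.113.1", 5000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `unsolicited` case is the security property behind dynamic NAT and PAT: an outside host cannot reach an inside host unless an xlate for that exact global address and port already exists.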
E
 
ECHO
See Ping, ICMP. See also inspection engine.
EGP
Exterior Gateway Protocol. Replaced by BGP. The security appliance does not support EGP. See also BGP.
EIGRP
Enhanced Interior Gateway Routing Protocol. The security appliance does not support EIGRP.
EMBLEM
Enterprise Management BaseLine Embedded Manageability. A syslog format designed to be consistent with the Cisco IOS system log format and therefore more compatible with CiscoWorks management applications.
encryption
Application of a specific algorithm or cipher to data so as to render the data incomprehensible to those unauthorized to see the information. See also decryption.
ESMTP
Extended SMTP. Extended version of SMTP that includes additional functionality, such as delivery notification and session delivery. ESMTP is described in RFC 1869, SMTP Service Extensions.
ESP
Encapsulating Security Payload. An IPSec protocol, ESP provides authentication and encryption services for establishing a secure tunnel over an insecure network. For more information, refer to RFCs 2406 and 1827.
F
 
failover, failover mode
Failover lets you configure two security appliances so that one will take over operation if the other one fails. The security appliance supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover. With Active/Active failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active failover is only available on units running in multiple context mode. With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Fixup
See inspection engine.
Flash, Flash memory
A nonvolatile storage device used to store the configuration file when the security appliance is powered down.
FQDN/IP
Fully qualified domain name/IP address. IPSec parameter that identifies peers that are security gateways.
FragGuard
Provides IP fragment protection and performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the security appliance.
FTP
File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts.
G
 
GGSN
gateway GPRS support node. A wireless gateway that allows mobile cell phone users to access the public data network or specified private IP networks.
global configuration mode
Global configuration mode lets you change the security appliance configuration. All user EXEC, privileged EXEC, and global configuration commands are available in this mode. See also user EXEC mode, privileged EXEC mode, command-specific configuration mode.
GMT
Greenwich Mean Time. Replaced by UTC (Coordinated Universal Time) in 1967 as the world time standard.
GPRS
general packet radio service. A service defined and standardized by the European Telecommunication Standards Institute. GPRS is an IP-packet-based extension of GSM networks and provides mobile, wireless, data communications.
GRE
Generic Routing Encapsulation described in RFCs 1701 and 1702. GRE is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single protocol backbone environment.
GSM
Global System for Mobile Communication. A digital, mobile, radio standard developed for mobile, wireless, voice communications.
GTP
GPRS tunneling protocol. GTP handles the flow of user packet data and signaling information between the SGSN and GGSN in a GPRS network. GTP is defined on both the Gn and Gp interfaces of a GPRS network.
H
 
H.225
A protocol used for TCP signalling in applications such as video conferencing. See also H.323 and inspection engine.
H.225.0
An ITU standard that governs H.225.0 session establishment and packetization. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.
H.245
An ITU standard that governs H.245 endpoint control.
H.320
Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable video conferencing over LANs and other packet-switched networks, as well as video over the Internet.
H.323
Allows dissimilar communication devices to communicate with each other by using a standardized communication protocol. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.
H.323 RAS
Registration, admission, and status signaling protocol. Enables devices to perform registration, admissions, bandwidth changes, and status and disengage procedures between VoIP gateway and the gatekeeper.
H.450.2
Call transfer supplementary service for H.323.
H.450.3
Call diversion supplementary service for H.323.
Hash, Hash Algorithm
A hash algorithm is a one-way function that operates on a message of arbitrary length to create a fixed-length message digest used by cryptographic services to ensure data integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco uses both SHA-1 and MD5 hashes within its implementation of the IPSec framework. See also encryption, HMAC, and VPN.
headend
A firewall, concentrator, or other host that serves as the entry point into a private network for VPN client connections over the public network. See also ISP and VPN.
HMAC
Keyed-Hash Message Authentication Code (RFC 2104). A mechanism for message authentication that combines a secret key with a cryptographic hash such as SHA-1 or MD5, so that only a holder of the key can produce or verify the resulting tag. IPSec uses HMAC-MD5 and HMAC-SHA-1 with the output truncated to 96 bits. See also Hash, MD5, data integrity.
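The data integrity, Hash and HMAC entries above make one point between them: a bare hash proves that data is unchanged only if the attacker cannot recompute it, which is exactly what a shared key adds. The Python below, an added illustration using the standard library and not security appliance code, computes the 96-bit truncated HMAC that IPSec attaches to packets, verifies it in constant time, and shows a tampered message being rejected while the same tampering passes an unkeyed-hash check. The key and message are constructed; in IPSec the key material would come from the IKE exchange.

```python
"""HMAC-based data integrity and origin authentication.

Added illustration using Python's standard library; the key and message are
constructed. Not security appliance code.
"""
import hashlib
import hmac

TRUNC = 12  # IPSec's HMAC-MD5-96 / HMAC-SHA-1-96 keep the first 96 bits (12 bytes) of the output


def authenticate(key: bytes, payload: bytes, algo: str = "sha1") -> bytes:
    """Return the truncated HMAC tag a sender attaches to the payload."""
    return hmac.new(key, payload, algo).digest()[:TRUNC]


def verify(key: bytes, payload: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time (compare_digest avoids timing leaks)."""
    return hmac.compare_digest(authenticate(key, payload, algo), tag)


def bare_digest(payload: bytes, algo: str = "sha1") -> bytes:
    """An unkeyed hash: anyone can compute it, so it proves nothing about origin."""
    return hashlib.new(algo, payload).digest()


def digest_sizes() -> dict:
    """Full digest lengths in bytes, before IPSec truncation."""
    return {"md5": hashlib.md5().digest_size, "sha1": hashlib.sha1().digest_size}


def demo() -> dict:
    key = b"constructed-shared-secret"      # in IPSec this material comes from IKE, not a literal
    msg = b"transfer 100 to account 1234"
    tag = authenticate(key, msg)

    tampered = msg.replace(b"1234", b"9999")

    # Attacker without the key: the best it can do is a tag under some other key.
    forged_tag = authenticate(b"attacker-guess", tampered)

    # A receiver that only checks an unkeyed hash accepts the forgery, because the
    # attacker recomputes the digest over the modified message and ships both.
    forged_digest = bare_digest(tampered)
    bare_receiver_accepts = bare_digest(tampered) == forged_digest

    return {
        "tag_bytes": len(tag),
        "genuine_accepted": verify(key, msg, tag),
        "tampered_rejected": not verify(key, tampered, tag),
        "forgery_rejected": not verify(key, tampered, forged_tag),
        "bare_hash_accepts_forgery": bare_receiver_accepts,
    }


if __name__ == "__main__":
    print(digest_sizes())   # {'md5': 16, 'sha1': 20}
    print(demo())
```

The `compare_digest` call matters in practice: comparing tags with `==` returns as soon as a byte differs, which can leak how many leading bytes of a guessed tag were right.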
host
The name for any device on a TCP/IP network that has an IP address. See also network and node.
host/network
An IP address and netmask used with other information to identify a single host or network subnet for security appliance configuration, such as an address translation ( xlate) or ACE.
HTTP
Hypertext Transfer Protocol. A protocol used by browsers and web servers to transfer files. When a user views a web page, the browser can use HTTP to request and receive the files used by the web page. HTTP transmissions are not encrypted.
HTTPS
Hypertext Transfer Protocol Secure. An SSL-encrypted version of HTTP.
I
 
IANA
Internet Assigned Number Authority. Assigns all port and protocol numbers for use on the Internet.
ICMP
Internet Control Message Protocol. Network-layer Internet protocol that reports errors and provides other information relevant to IP packet processing.
IDS
Intrusion Detection System. A method of detecting malicious network activity by signatures and then implementing a policy for that signature.
IETF
The Internet Engineering Task Force. A technical standards organization that develops RFC documents defining protocols for the Internet.
IGMP
Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report IP multicast memberships to neighboring multicast routers.
IKE
Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each security appliance must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service. IKE is a hybrid protocol that uses part Oakley and part of another protocol suite called SKEME inside ISAKMP framework. This is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409.
IKE Extended Authentication
IKE Extended Authenticate (Xauth) is implemented per the IETF draft-ietf-ipsec-isakmp-xauth-04.txt ("extended authentication" draft). This protocol provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.
IKE Mode Configuration
IKE Mode Configuration is implemented per the IETF draft-ietf-ipsec-isakmp-mode-cfg-04.txt. IKE Mode Configuration provides a method for a security gateway to download an IP address (and other network level configuration) to the VPN client as part of an IKE negotiation.
ILS
Internet Locator Service. ILS is based on LDAP and is ILSv2 compliant. ILS was developed by Microsoft for use with its NetMeeting, SiteServer, and Active Directory products.
IMAP
Internet Message Access Protocol. Method of accessing e-mail or bulletin board messages kept on a mail server that can be shared. IMAP permits client e-mail applications to access remote message stores as if they were local without actually transferring the message.
implicit rule
An access rule automatically created by the security appliance based on default rules or as a result of user-defined rules.
IMSI
International Mobile Subscriber Identity. One of two components of a GTP tunnel ID, the other being the NSAPI. See also NSAPI.
inside
The first interface, usually port 1, that connects your internal, "trusted" network protected by the security appliance. See also interface, interface names.
inspection engine
The security appliance inspects certain application-level protocols to identify the location of embedded addressing information in traffic. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation. Because many protocols open secondary TCP or UDP ports, each application inspection engine also monitors sessions to determine the port numbers for secondary channels. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Some of the protocols that the security appliance can inspect are CTIQBE, FTP, H.323, HTTP, MGCP, SMTP, and SNMP.
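FTP is the classic case of the embedded addressing this entry describes: the client's PORT command tells the server, in ASCII, which inside address and port to connect back to. The inspection engine has to parse that text, rewrite the address to its global translation, fix up the TCP sequence numbers when the command changes length, and open a pinhole for the secondary data connection for this session only. The Python below, an added illustration and not security appliance code, performs those steps on a constructed PORT command. The xlate lookup and the addresses are constructed, and the check that the embedded address matches the connection's own source is this example's sanity test, not a description of a specific product behaviour.

```python
"""Application inspection of the FTP PORT command: embedded address extraction,
NAT rewrite, and the pinhole for the secondary data channel.

Added illustration, not security appliance code. The xlate lookup and the
addresses are constructed.
"""
import re
from typing import Callable, Tuple

# PORT h1,h2,h3,h4,p1,p2 terminated by CRLF
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


def parse_port(line: bytes) -> Tuple[str, int]:
    """Extract the embedded ('h1.h2.h3.h4', p1*256 + p2) from a PORT command, rejecting junk."""
    m = PORT_RE.fullmatch(line)
    if m is None:
        raise ValueError("malformed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT port 0 is invalid")
    return ".".join(str(n) for n in nums[:4]), port


def format_port(ip: str, port: int) -> bytes:
    """Inverse of parse_port: build the command text for a given address and port."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


def inspect_port(line: bytes, conn_src_ip: str,
                 xlate: Callable[[str, int], Tuple[str, int]]) -> Tuple[bytes, Tuple[str, int], int]:
    """Rewrite the embedded inside address to its global translation.

    Returns (rewritten command, pinhole, length delta). The pinhole is the global
    (ip, port) the server will connect to from port 20, which the firewall must
    permit for this session only. The delta is the amount by which the TCP
    sequence numbers of the control connection must be adjusted after the rewrite.
    """
    ip, port = parse_port(line)
    if ip != conn_src_ip:
        # The client may only ask the server to connect back to itself. Anything
        # else would turn the server into a proxy for reaching third parties.
        raise ValueError("embedded address does not match connection source")
    gip, gport = xlate(ip, port)
    rewritten = format_port(gip, gport)
    return rewritten, (gip, gport), len(rewritten) - len(line)


# Constructed xlate: the PAT translation the firewall already holds for this client.
def sample_xlate(ip: str, port: int) -> Tuple[str, int]:
    table = {("10.1.1.5", 50000): ("203.0.113.10", 1030)}
    return table[(ip, port)]


if __name__ == "__main__":
    cmd = b"PORT 10,1,1,5,195,80\r\n"          # 195*256 + 80 = 50000
    print(inspect_port(cmd, "10.1.1.5", sample_xlate))
    # (b'PORT 203,0,113,10,4,6\r\n', ('203.0.113.10', 1030), 1)
```

The non-zero length delta in the sample is why inspection engines must track TCP state for the control channel: after the rewrite every later sequence and acknowledgement number on that connection is off by one byte unless the firewall corrects it.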
interface
The physical connection between a particular network and a security appliance.
interface ip_address
The IP address of a security appliance network interface. Each interface IP address must be unique. Two or more interfaces must not be given the same IP address or IP addresses that are on the same IP network.
interface names
Human-readable name assigned to a security appliance network interface. The inside interface default name is "inside" and the outside interface default name is "outside." Any perimeter interface default names are "intf n", such as intf2 for the first perimeter interface, intf3 for the second perimeter interface, and so on to the last interface. The numbers in the intf string correspond to the position of the interface card in the security appliance. You can use the default names or, if you are an experienced user, give each interface a more meaningful name. See also inside, intfn, outside.
intf n
Any interface, usually beginning with port 2, that connects to a subset network of your design that you can custom name and configure.
interface PAT
The use of PAT where the PAT IP address is also the IP address of the outside interface. See Dynamic PAT, Static PAT.
Internet
The global network that uses IP. Not a LAN. See also intranet.
intranet
Intranetwork. A LAN that uses IP. See also network and Internet.
IP
Internet Protocol. IP protocols are the most popular nonproprietary protocols because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications.
IPS
Intrusion Prevention Service. An in-line, deep-packet inspection-based solution that helps mitigate a wide range of network attacks.
IP address
An IP protocol address. A security appliance interface ip_address. IP version 4 addresses are 32 bits in length. This address space is used to designate the network number, optional subnetwork number, and a host number. The 32 bits are grouped into four octets (8 binary bits), represented by 4 decimal numbers separated by periods, or dots. The meaning of each of the four octets is determined by their use in a particular network.
IP pool
A range of local IP addresses specified by a name, and a range with a starting IP address and an ending address. IP Pools are used by DHCP and VPNs to assign local IP addresses to clients on the inside interface.
IPSec
IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IPSec Phase 1
The first phase of negotiating IPSec; it includes the key exchange and the ISAKMP portions of IPSec.
IPSec Phase 2
The second phase of negotiating IPSec. Phase two determines the type of encryption rules used for payload, the source and destination that will be used for encryption, the definition of interesting traffic according to access lists, and the IPSec peer. IPSec is applied to the interface in Phase 2.
IPSec transform set
A transform set specifies the IPSec protocol, encryption algorithm, and hash algorithm to use on traffic matching the IPSec policy. A transform describes a security protocol ( AH or ESP) with its corresponding algorithms. The IPSec protocol used in almost all transform sets is ESP, historically with the DES algorithm and HMAC-SHA for authentication. DES is no longer considered adequate; where peers support it, prefer AES (see AES, DES).
ISAKMP
Internet Security Association and Key Management Protocol. A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association. See IKE.
ISP
Internet Service Provider. An organization that provides connection to the Internet via their services, such as modem dial in over telephone voice lines or DSL.
J
 
JTAPI
Java Telephony Application Programming Interface. A Java-based API supporting telephony functions. See also TAPI.
K
 
key
A data object used for encryption, decryption, or authentication.
L
 
LAN
Local area network. A network residing in one location, such as a single building or campus. See also Internet, intranet, and network.
layer, layers
Networking models implement layers with which different protocols are associated. The most common networking model is the OSI model, which consists of the following 7 layers, in order: physical, data link, network, transport, session, presentation, and application.
LCN
Logical channel number.
LDAP
Lightweight Directory Access Protocol. LDAP provides management and browser applications with access to X.500 directories.
M
 
mask
A 32-bit mask that shows how an Internet address is divided into network, subnet, and host parts. The mask has ones in the bit positions used for the network and subnet parts, and zeros for the host part. The mask should contain at least the standard network portion, and the subnet field must be contiguous with the network portion, so a valid mask is an unbroken run of ones followed by an unbroken run of zeros.
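The mask entry and the interface ip_address entry state two rules that are worth checking mechanically: a mask must be a contiguous run of ones, and no two interfaces may share an address or sit on the same IP network. The Python below, an added illustration and not security appliance code, checks contiguity with a bit trick, splits an address into its network and host parts, and flags interface pairs that violate the uniqueness rule. The interface addresses are constructed, including one deliberate misconfiguration.

```python
"""Netmask checks and the interface address uniqueness rule.

Added illustration, not security appliance code. Interface addresses below are
constructed.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple


def mask_is_contiguous(mask: str) -> bool:
    """A valid mask is a run of ones followed by a run of zeros.

    Inverting the mask leaves the host bits set; that value ANDed with itself
    plus one is zero exactly when the host bits are contiguous at the low end.
    """
    host_bits = ~int(IPv4Address(mask)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def split(addr: str, mask: str) -> Tuple[str, int, int]:
    """Return (network address, host number, prefix length) for addr/mask."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    a, m = int(IPv4Address(addr)), int(IPv4Address(mask))
    prefixlen = bin(m).count("1")
    return str(IPv4Address(a & m)), a & ~m & 0xFFFFFFFF, prefixlen


def interface_conflicts(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interfaces that share an address or whose networks overlap."""
    items = list(interfaces.items())
    bad = []
    for i, (n1, s1) in enumerate(items):
        for n2, s2 in items[i + 1:]:
            a, b = IPv4Interface(s1), IPv4Interface(s2)
            if a.ip == b.ip or a.network.overlaps(b.network):
                bad.append((n1, n2))
    return bad


# Constructed interface table; "dmz" is deliberately wrong.
INTERFACES = {
    "inside":  "192.168.1.1/255.255.255.0",
    "outside": "203.0.113.2/255.255.255.248",
    "dmz":     "192.168.1.129/255.255.255.128",   # lies inside the "inside" network
}

if __name__ == "__main__":
    print(split("192.168.1.77", "255.255.255.0"))   # ('192.168.1.0', 77, 24)
    print(mask_is_contiguous("255.0.255.0"))       # False
    print(interface_conflicts(INTERFACES))         # [('inside', 'dmz')]
```

An overlapping pair like `inside` and `dmz` here means the appliance cannot decide which interface a destination in 192.168.1.128/25 belongs to, so the ACLs and translations written per interface stop meaning what the administrator thinks they mean.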
MCR
See multicast.
MC router
Multicast (MC) routers route multicast data transmissions to the hosts on each LAN in an internetwork that are registered to receive specific multimedia or other broadcasts. See also multicast.
MD5
Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and SHA-1 are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. SHA-1 is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPSec framework. MD5 is also used for message authentication in SNMPv2, where it verifies the integrity of the communication, authenticates the origin, and checks for timeliness. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. MD5 is no longer collision resistant and should not be used for digital signatures or any other purpose that depends on collision resistance.
MDI
Media dependent interface.
MDIX
Media dependent interface crossover.
Message Digest
A message digest is created by a hash algorithm, such as MD5 or SHA-1, that is used for ensuring message integrity.
MGCP
Media Gateway Control Protocol. Media Gateway Control Protocol is a protocol for the control of VoIP calls by external call-control elements known as media gateway controllers or call agents. MGCP merges the IPDC and SGCP protocols.
Mode
See Access Modes.
Mode Config
See IKE Mode Configuration.
Modular Policy Framework
Modular Policy Framework. A means of configuring security appliance features in a manner similar to the Cisco IOS software Modular QoS CLI.
MS
mobile station. Refers generically to any mobile device, such as a mobile handset or computer, that is used to access network services. GPRS networks support three classes of MS, which describe the type of operation supported within the GPRS and the GSM mobile wireless networks. For example, a Class A MS supports simultaneous operation of GPRS and GSM services.
MS-CHAP
Microsoft CHAP.
MTU
Maximum transmission unit, the maximum number of bytes in a packet that can flow efficiently across the network with best response time. For Ethernet, the default MTU is 1500 bytes, but each network can have different values, with serial connections having the smallest values. The MTU is described in RFC 1191.
multicast
Multicast refers to a network addressing method in which the source transmits a packet to multiple destinations, a multicast group, simultaneously. See also PIM, SMR.
N
 
N2H2
A third-party, policy-oriented filtering application that works with the security appliance to control user web access. N2H2 can filter HTTP requests based on destination host name, destination IP address, and username and password. The N2H2 corporation was acquired by Secure Computing in October, 2003.
NAT
Network Address Translation. Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into a globally routable address space.
NEM
Network Extension Mode. Lets VPN hardware clients present a single, routable network to the remote private network over the VPN tunnel.
NetBIOS
Network Basic Input/Output System. A Microsoft protocol that supports Windows host name registration, session management, and data transfer. The security appliance supports NetBIOS by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
netmask
See mask.
network
In the context of security appliance configuration, a network is a group of computing devices that share part of an IP address space and not a single host. A network consists of multiple nodes or hosts. See also host, Internet, intranet, IP, LAN, and node.
NMS
network management system. System responsible for managing at least part of a network. An NMS is generally a reasonably powerful and well-equipped computer, such as an engineering workstation. NMSs communicate with agents to help keep track of network statistics and resources.
node
Devices such as routers and printers that would not normally be called hosts. See also host, network.
nonvolatile storage, memory
Storage or memory that, unlike RAM, retains its contents without power. Data in a nonvolatile storage device survives a power-off, power-on cycle or reboot.
NSAPI
Network service access point identifier. One of two components of a GTP tunnel ID, the other component being the IMSI. See also IMSI.
NSSA
Not-so-stubby-area. An OSPF feature described by RFC 1587. NSSA was first introduced in Cisco IOS software release 11.2. It is a non-proprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
NTLM
NT LAN Manager. A Microsoft Windows challenge-response authentication method.
NTP
Network time protocol.
O
 
Oakley
A key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for Oakley is the Diffie-Hellman key exchange algorithm. Oakley is defined in RFC 2412.
object grouping
Simplifies access control by letting you apply access control statements to groups of network objects, such as protocol, services, hosts, and networks.
OSPF
Open Shortest Path First. OSPF is a routing protocol for IP networks. OSPF is a routing protocol widely deployed in large networks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. The security appliance supports OSPF.
OU
Organizational Unit. An X.500 directory attribute.
outbound
Refers to traffic whose destination is on an interface with lower security than the source interface.
outbound ACL
An ACL applied to outbound traffic.
outside
The first interface, usually port 0, that connects to other "untrusted" networks outside the security appliance; the Internet. See also interface, interface names, outbound.
P
 
PAC
PPTP Access Concentrator. A device attached to one or more PSTN or ISDN lines capable of PPP operation and of handling the PPTP protocol. The PAC need only implement TCP/IP to pass traffic to one or more PNSs. It may also tunnel non-IP protocols.
PAT
See Dynamic PAT, interface PAT, and Static PAT.
PDP
Packet Data Protocol.
Perfmon
The security appliance feature that gathers and reports a wide variety of feature statistics, such as connections/second, xlates/second, etc.
PFS
Perfect Forward Secrecy. PFS enhances security by using a different security key for the IPSec Phase 1 and Phase 2 SAs. Without PFS, the same security key is used to establish SAs in both phases. PFS ensures that a given IPSec SA key was not derived from any other secret (such as some other key). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPSec-protected data, and then use knowledge of the IKE SA secret to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPSec. The attacker would have to break each IPSec SA individually.
Phase 1
See IPSec Phase 1.
Phase 2
See IPSec Phase 2.
PIM
Protocol Independent Multicast. PIM provides a scalable method for determining the best paths for distributing a specific multicast transmission to a group of hosts. Each host has registered using IGMP to receive the transmission. See also PIM-SM.
PIM-SM
Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next, until the packets reach every registered host. See also PIM.
Ping
An ICMP request sent by a host to determine if a second host is accessible.
PIX
Private Internet eXchange. The Cisco PIX 500-series security appliances range from compact, plug-and-play desktop models for small/home offices to carrier-class gigabit models for the most demanding enterprise and service provider environments. Cisco PIX security appliances provide robust, enterprise-class integrated network security services to create a strong multilayered defense for fast changing network environments.
PKCS12
A standard for the transfer of PKI-related data, such as private keys, certificates, and other data. Devices supporting this standard let administrators maintain a single set of personal identity information.
PNS
PPTP Network Server. A PNS is envisioned to operate on general-purpose computing/server platforms. The PNS handles the server side of PPTP. Because PPTP relies completely on TCP/IP and is independent of the interface hardware, the PNS may use any combination of IP interface hardware including LAN and WAN devices.
Policy NAT
Lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list.
POP
Post Office Protocol. Protocol that client e-mail applications use to retrieve mail from a mail server.
Pool
See IP pool.
Port
A field in the packet headers of TCP and UDP protocols that identifies the higher level service which is the source or destination of the packet.
PPP
Point-to-Point Protocol. Developed for dial-up ISP access using analog phone lines and modems.
PPTP
Point-to-Point Tunneling Protocol. PPTP was introduced by Microsoft to provide secure remote access to Windows networks; however, because it is vulnerable to attack, PPTP is commonly used only when stronger security methods are not available or are not required. PPTP ports are pptp, 1723/tcp, and 1723/udp. For more information about PPTP, see RFC 2637. See also PAC, PPTP GRE, PPTP GRE tunnel, PNS, PPTP session, and PPTP TCP.
PPTP GRE
Version 1 of GRE for encapsulating PPP traffic.
PPTP GRE tunnel
A tunnel defined by a PNS-PAC pair. The tunnel protocol is defined by a modified version of GRE. The tunnel carries PPP datagrams between the PAC and the PNS. Many sessions are multiplexed on a single tunnel. A control connection operating over TCP controls the establishment, release, and maintenance of sessions and of the tunnel itself.
PPTP session
PPTP is connection-oriented. The PNS and PAC maintain state for each user that is attached to a PAC. A session is created when an end-to-end PPP connection is attempted between a dial user and the PNS. The datagrams related to a session are sent over the tunnel between the PAC and PNS.
PPTP TCP
Standard TCP session over which PPTP call control and management information is passed. The control session is logically associated with, but separate from, the sessions being tunneled through a PPTP tunnel.
preshared key
A preshared key provides a method of IKE authentication that is suitable for networks with a limited, static number of IPSec peers. This method is limited in scalability because the key must be configured for each pair of IPSec peers. When a new IPSec peer is added to the network, the preshared key must be configured for every IPSec peer with which it communicates. Using certificates and CAs provides a more scalable method of IKE authentication.
primary, primary unit
The security appliance normally operating when two units, a primary and secondary, are operating in failover mode.
privileged EXEC mode
Privileged EXEC mode lets you change current settings. Any user EXEC mode command will work in privileged EXEC mode. See also command-specific configuration mode, global configuration mode, user EXEC mode.
protocol, protocol literals
A standard that defines the exchange of packets between network nodes for communication. Protocols work together in layers. Protocols are specified in a security appliance configuration as part of defining a security policy by their literal values or port numbers. Possible security appliance protocol literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, snp, tcp, and udp.
Proxy-ARP
Enables the security appliance to reply to an ARP request for IP addresses in the global pool. See also ARP.
public key
A public key is one of a pair of keys that are generated by devices involved in public key infrastructure. Data encrypted with a public key can only be decrypted using the associated private key. When a private key is used to produce a digital signature, the receiver can use the public key of the sender to verify that the message was signed by the sender. These characteristics of key pairs provide a scalable and secure method of authentication over an insecure media, such as the Internet.
Q
 
QoS
quality of service. Measure of performance for a transmission system that reflects its transmission quality and service availability.
R
 
RA
Registration Authority. An authorized proxy for a CA. RAs can perform certificate enrollment and can issue CRLs. See also CA, certificate, public key.
RADIUS
Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. RFC 2058 and RFC 2059 define the RADIUS protocol standard. See also AAA and TACACS+.
Refresh
Retrieve the running configuration from the security appliance and update the screen. The icon and the button perform the same function.
registration authority
See RA.
replay-detection
A security service where the receiver can reject old or duplicate packets to defeat replay attacks. Replay attacks rely on the attacker sending out older or duplicate packets to the receiver and the receiver thinking that the bogus traffic is legitimate. Replay-detection is done by using sequence numbers combined with authentication, and is a standard feature of IPSec.
RFC
Request for Comments. RFC documents define protocols and standards for communications over the Internet. RFCs are developed and published by IETF.
RIP
Routing Information Protocol. Interior gateway protocol (IGP) supplied with UNIX BSD systems. The most common IGP in the Internet. RIP uses hop count as a routing metric.
RLLA
Reserved Link Local Address. Multicast addresses range from 224.0.0.0 to 239.255.255.255; however, only the range 224.0.1.0 to 239.255.255.255 is available for use. The first part of the multicast address range, 224.0.0.0 to 224.0.0.255, is reserved and referred to as the RLLA. These addresses are unavailable. Specifying 224.0.0.0 to 239.255.255.255 excluding 224.0.0.0 to 224.0.0.255 is the same as specifying 224.0.1.0 to 239.255.255.255, which excludes the RLLA range.
route, routing
The path through a network.
routed firewall mode
In routed firewall mode, the security appliance is counted as a router hop in the network. It performs NAT between connected networks and can use OSPF or RIP. See also transparent firewall mode.
RPC
Remote Procedure Call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients.
RSA
A public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. The main weakness of RSA is that it is significantly slower to compute than popular secret-key algorithms, such as DES. The Cisco implementation of IKE uses a Diffie-Hellman exchange to get the secret keys. This exchange can be authenticated with RSA (or preshared keys). With the Diffie-Hellman exchange, the DES key never crosses the network (not even in encrypted form), which is not the case with the RSA encrypt-and-sign technique. RSA is not public domain, and must be licensed from RSA Data Security.
RSH
Remote Shell. A protocol that allows a user to execute commands on a remote system without having to log in to the system. For example, RSH can be used to remotely examine the status of a number of access servers without connecting to each communication server, executing the command, and then disconnecting from the communication server.
RTCP
RTP Control Protocol. Protocol that monitors the QoS of an IPv6 RTP connection and conveys information about the on-going session. See also RTP.
RTP
Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide end-to-end network transport functions for applications transmitting real-time data, such as audio, video, or simulation data, over multicast or unicast network services. RTP provides such services as payload type identification, sequence numbering, timestamping, and delivery monitoring to real-time applications.
RTSP
Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio and video. RTSP is designed to work with established protocols, such as RTP and HTTP.
rule
Conditional statements added to the security appliance configuration to define security policy for a particular situation. See also ACE, ACL, NAT.
running configuration
The configuration currently running in RAM on the security appliance. The configuration that determines the operational characteristics of the security appliance.
S
 
SA
security association. An instance of security policy and keying material applied to a data flow. SAs are established in pairs by IPSec peers during both phases of IPSec. SAs specify the encryption algorithms and other security parameters used to create a secure tunnel. Phase 1 SAs (IKE SAs) establish a secure tunnel for negotiating Phase 2 SAs. Phase 2 SAs (IPSec SAs) establish the secure tunnel used for sending user data. Both IKE and IPSec use SAs, although the SAs are independent of one another. IPSec SAs are unidirectional and they are unique in each security protocol. A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and Security Parameter Index. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bidirectional.
SCCP
Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager and Cisco VoIP phones.
SCEP
Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as enrolling) certificates from CAs.
SDP
Session Definition Protocol. An IETF protocol for the definition of Multimedia Services. SDP messages can be part of SGCP and MGCP messages.
secondary unit
The backup security appliance when two are operating in failover mode.
secret key
A secret key is a key shared only between the sender and receiver. See key, public key.
security context
You can partition a single security appliance into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple stand-alone firewalls.
security services
See cryptography.
serial transmission
A method of data transmission in which the bits of a data character are transmitted sequentially over a single channel.
SGCP
Simple Gateway Control Protocol. Controls VoIP gateways by an external call control element (called a call-agent).
SGSN
Serving GPRS Support Node. The SGSN ensures mobility management, session management and packet relaying functions.
SHA-1
Secure Hash Algorithm 1. SHA-1 [NIS94c] is a revision to SHA that was published in 1994. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but it is slower. Secure Hash Algorithm 1 is a joint creation of the National Institute of Standards and Technology and the National Security Agency. This algorithm, like other hash algorithms, is used to generate a hash value, also known as a message digest, that acts like a CRC used in lower-layer protocols to ensure that message contents are not changed during transmission. SHA-1 is generally considered more secure than MD5.
SIP
Session Initiation Protocol. Enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signaling. SDP specifies the ports for the media stream. Using SIP, the security appliance can support any SIP VoIP gateways and VoIP proxy servers.
site-to-site VPN
A site-to-site VPN is established between two IPSec peers that connect remote networks into a single VPN. In this type of VPN, neither IPSec peer is the destination or source of user traffic. Instead, each IPSec peer provides encryption and authentication services for hosts on the LANs connected to each IPSec peer. The hosts on each LAN send and receive data through the secure tunnel established by the pair of IPSec peers.
SKEME
A key exchange protocol that defines how to derive authenticated keying material, with rapid key refreshment.
SMR
Stub Multicast Routing. SMR allows the security appliance to function as a "stub router." A stub router is a device that acts as an IGMP proxy agent. IGMP is used to dynamically register specific hosts in a multicast group on a particular LAN with a multicast router. Multicast routers route multicast data transmissions to hosts that are registered to receive specific multimedia or other broadcasts. A stub router forwards IGMP messages between hosts and MC routers.
SMTP
Simple Mail Transfer Protocol. SMTP is an Internet protocol that supports email services.
SNMP
Simple Network Management Protocol. A standard method for managing network devices using data structures called Management Information Bases.
split tunneling
Allows a remote VPN client simultaneous encrypted access to a private network and clear unencrypted access to the Internet. If you do not enable split tunneling, all traffic between the VPN client and the security appliance is sent through an IPSec tunnel. All traffic originating from the VPN client is sent to the outside interface through a tunnel, and client access to the Internet from its remote site is denied.
spoofing
A type of attack designed to foil network security mechanisms such as filters and access lists. A spoofing attack sends a packet that claims to be from an address from which it was not actually sent.
SQL*Net
Structured Query Language Protocol. An Oracle protocol used to communicate between client and server processes.
SSH
Secure Shell. An application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities.
SSL
Secure Sockets Layer. A protocol that resides between the application layer and TCP/IP to provide transparent encryption of data traffic.
standby unit
See secondary unit.
stateful inspection
Network protocols maintain certain data, called state information, at each end of a network connection between two hosts. State information is necessary to implement the features of a protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or session IDs. Some of the protocol state information is sent in each packet while each protocol is being used. For example, a browser connected to a web server uses HTTP and supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. The security appliance and some other firewalls inspect the state information in each packet to verify that it is current and valid for every protocol it contains. This is called stateful inspection and is designed to create a powerful barrier to certain types of computer security threats.
Static PAT
Static Port Address Translation. Static PAT is a static address that also maps a local port to a global port. See also Dynamic PAT, NAT.
subnetmask
See mask.
T
 
TACACS+
Terminal Access Controller Access Control System Plus. A client-server protocol that supports AAA services, including command authorization. See also AAA, RADIUS.
TAPI
Telephony Application Programming Interface. A programming interface in Microsoft Windows that supports telephony functions.
TCP
Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
TCP Intercept
With the TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, the security appliance responds on behalf of the server with an empty SYN/ACK segment. The security appliance retains pertinent state information, drops the packet, and waits for the client acknowledgment. If the ACK is received, then a copy of the client SYN segment is sent to the server and the TCP three-way handshake is performed between the security appliance and the server. Only if this three-way handshake completes does the connection resume as normal. If the client does not respond during any part of the connection phase, then the security appliance retransmits the necessary segment using exponential back-offs.
TDP
Tag Distribution Protocol. TDP is used by tag switching devices to distribute, request, and release tag binding information for multiple network layer protocols in a tag switching network. TDP does not replace routing protocols. Instead, it uses information learned from routing protocols to create tag bindings. TDP is also used to open, monitor, and close TDP sessions and to indicate errors that occur during those sessions. TDP operates over a connection-oriented transport layer protocol with guaranteed sequential delivery (such as TCP). The use of TDP does not preclude the use of other mechanisms to distribute tag binding information, such as piggybacking information on other protocols.
Telnet
A terminal emulation protocol for TCP/IP networks such as the Internet. Telnet is a common way to control web servers remotely; however, its security vulnerabilities have led to its replacement by SSH.
TFTP
Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP and is explained in depth in RFC 1350.
TID
Tunnel Identifier.
TLS
Transport Layer Security. A future IETF protocol to replace SSL.
traffic policing
The traffic policing feature ensures that no traffic exceeds the maximum rate (bits per second) that you configure, thus ensuring that no one traffic flow can take over the entire resource.
transform set
See IPSec transform set.
translate, translation
See xlate.
transparent firewall mode
A mode in which the security appliance is not a router hop. You can use transparent firewall mode to simplify your network configuration or to make the security appliance invisible to attackers. You can also use transparent firewall mode to allow traffic through that would otherwise be blocked in routed firewall mode. See also routed firewall mode.
transport mode
An IPSec encryption mode that encrypts only the data portion (payload) of each packet, but leaves the header untouched. Transport mode is less secure than tunnel mode.
TSP
TAPI Service Provider. See also TAPI.
tunnel mode
An IPSec encryption mode that encrypts both the header and data portion (payload) of each packet. Tunnel mode is more secure than transport mode.
tunnel
A method of transporting data in one protocol by encapsulating it in another protocol. Tunneling is used for reasons of incompatibility, implementation simplification, or security. For example, a tunnel lets a remote VPN client have encrypted access to a private network.
Turbo ACL
Increases ACL lookup speeds by compiling them into a set of lookup tables. Packet headers are used to access the tables in a small, fixed number of lookups, independent of the existing number of ACL entries.
U
 
UDP
User Datagram Protocol. A connectionless transport layer protocol in the IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, which requires other protocols to handle error processing and retransmission. UDP is defined in RFC 768.
UMTS
Universal Mobile Telecommunication System. An extension of GPRS networks that moves toward an all-IP network by delivering broadband information, including commerce and entertainment services, to mobile users via fixed, wireless, and satellite networks.
Unicast RPF
Unicast Reverse Path Forwarding. Unicast RPF guards against spoofing by ensuring that packets have a source IP address that matches the correct source interface according to the routing table.
URL
Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com.
user EXEC mode
User EXEC mode lets you see the security appliance settings. The user EXEC mode prompt appears as follows when you first access the security appliance. See also command-specific configuration mode, global configuration mode, and privileged EXEC mode.
UTC
Coordinated Universal Time. The time zone at zero degrees longitude, previously called Greenwich Mean Time (GMT) and Zulu time. UTC replaced GMT in 1967 as the world time standard. UTC is based on an atomic time scale rather than an astronomical time scale.
UTRAN
Universal Terrestrial Radio Access Network. Networking protocol used for implementing wireless networks in UMTS. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
UUIE
User-User Information Element. An element of an H.225 packet that identifies the users implicated in the message.
V
 
VLAN
Virtual LAN. A group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same physical network cable, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.
VoIP
Voice over IP. VoIP carries normal voice traffic, such as telephone calls and faxes, over an IP-based network. DSP segments the voice signal into frames, which then are coupled in groups of two and stored in voice packets. These voice packets are transported using IP in compliance with ITU-T specification H.323.
VPN
Virtual Private Network. A network connection between two peers over the public network that is made private by strict authentication of users and the encryption of all data traffic. You can establish VPNs between clients, such as PCs, or a headend, such as the security appliance.
virtual firewall
See security context.
VSA
Vendor-specific attribute. An attribute in a RADIUS packet that is defined by a vendor rather than by the RADIUS RFCs. The RADIUS protocol uses IANA-assigned vendor numbers to help identify VSAs. This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A RADIUS packet carries any VSAs in attribute 26, named Vendor-Specific. VSAs are sometimes referred to as subattributes.
W
 
WAN
wide-area network. Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.
WCCP
Web Cache Communication Protocol. Transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times.
Websense
A content filtering solution that manages employee access to the Internet. Websense uses a policy engine and a URL database to control user access to websites.
WEP
Wired Equivalent Privacy. A security protocol for wireless LANs, defined in the IEEE 802.11b standard.
WINS
Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network device, also known as "name resolution." WINS uses a distributed database that is automatically updated with the NetBIOS names of network devices currently available and the IP address assigned to each one. WINS provides a distributed database for registering and querying dynamic NetBIOS name to IP address mappings in a routed network environment. It is the best choice for NetBIOS name resolution in such a routed network because it is designed to solve the problems that occur with name resolution in complex networks.
X
 
X.509
A widely used standard for defining digital certificates. X.509 is actually an ITU recommendation, which means that it has not yet been officially defined or approved for standardized usage.
xauth
See IKE Extended Authentication.
xlate
An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.
 
Key Terms and Definitions
This appendix lists and defines the key terms used in this document.
AAA
Authentication, authorization, and accounting. Pronounced "triple a."
For more on Authentication Protocols, see: http://www.cisco.com/en/US/tech/tk59/tsd_technology_support_protocol_home.html
ACL
Access Control Lists are used for filtering IP traffic, generally for security reasons.
For more on ACLs, see IP Addressing Services - Access Lists: http://www.cisco.com/en/US/tech/tk648/tk361/tk821/tsd_technology_support_sub-protocol_home.html
Active Directory
Microsoft's application that delivers LDAP and other AAA services.
Cell/Area Zone
A logical section or subset (physical, geographical, or functional) of the production facility. It typically contains Level 0-2 devices (see Automation and Control Reference Model).
CIP Common Industrial Protocol
The Common Industrial Protocol (CIP™) encompasses a comprehensive suite of messages and services for the collection of manufacturing automation applications—control, safety, synchronization, motion, configuration and information. CIP is owned and maintained by the Open Device Vendor Association. The ODVA is an international association comprising members from the world's leading automation companies.
Control Plane
Control plane refers to network protocol traffic (e.g. routing, resiliency) that usually passes between network infrastructure devices to maintain the network's functions. Examples of control plane traffic include Spanning Tree and EIGRP.
CSMA/CD
Carrier sense multiple access collision detect. Media-access mechanism wherein devices ready to transmit data first check the channel for a carrier. If no carrier is sensed for a specific period of time, a device can transmit. If two devices transmit at once, a collision occurs and is detected by all colliding devices. This collision subsequently delays retransmissions from those devices for some random length of time. Ethernet and IEEE 802.3 use CSMA/CD access.
Data Plane
Data plane refers to the application data that the network switches and routes between end devices. CIP is considered data plane traffic.
DHCP
Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
Determinism
A property of an overall automation and control system whose behavior is determined only by its initial state and inputs. Many factors impact the deterministic nature of a system, including network performance. For the purposes of this document, we consider low latency, minimal jitter, and minimal packet loss as the key network criteria that impact the deterministic nature of the overall automation and control system.
DMZ, Demilitarized Zone
Refers to a buffer or network segment between two network zones. A DMZ is commonly found between a corporate network and the Internet, where data and services can be shared and accessed by users in either the Internet or the corporate network. A DMZ is typically established with network firewalls to manage and secure the traffic from either zone.
For an example of a network DMZ, see Scenario: DMZ Configuration: http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/dmz_p.html
DNS
Domain Name System. System used on the Internet for translating names of network nodes into IP addresses.
Ethernet
Baseband LAN specification invented by Xerox Corporation and developed jointly by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD and run over a variety of cable types and speeds. Ethernet is a family of frame-based networking technologies or standards (IEEE 802.3) for local area networks. It defines standards for common addressing format and the physical and data link (or Media Access Control) layers of the OSI Model.
See the IEEE 802.3 working group's site (http://www.ieee802.org/3/) for more details on the set of standards.
For more on Ethernet, see Ethernet - Introduction: http://www.cisco.com/en/US/tech/tk389/tk214/tsd_technology_support_protocol_home.html & Internetworking Technology Handbook-Ethernet: http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Ethernet.html
IKE
Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must verify the identity of its peer. This can be done by manually entering pre-shared keys into both hosts or by a CA service.
Industrial Automation and Control Systems (IACS)
Refers to the set of devices and applications used to automate and control the relevant manufacturing process. Rather than use various terms with a similar meaning (e.g., production systems, factory floor systems), we standardized on this term for use in this paper. That is not to suggest any specific focus or limitations. We intend that the ideas and concepts outlined herein are applicable in various types of manufacturing including but not limited to batch, continuous, discrete, hybrid and process. Other documents and industry references may refer to Industrial Control Systems (ICS). For the purpose of this document, those terms are interchangeable. This document simply chooses to use IACS, as reflected in the ISA 99 standards.
IP
Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly, and security. Defined in RFC 791.
For more on IP, TCP and UDP, see Internetworking Technology Handbook-Internet Protocols: http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Internet-Protocols.html
IP Protocol Suite
A set of networking standards on which the Internet and most enterprise networking is based. It includes the Layer 3 Internet Protocol (IP), the Layer 4 Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
IPS
An Intrusion Prevention System is a network security device that monitors network activity for malicious or unwanted behavior.
See more on Intrusion Prevention Systems at Wikipedia: http://en.wikipedia.org/wiki/Intrusion-prevention_system or Cisco IPS: http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html
IPSec
IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE (See above) to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
For a more in-depth understanding of IPsec, see the following URL: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml.
ISA-99
ISA-99 focuses on security for industrial automation and control systems. For more, see http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
ISA-95
The standard for the integration of enterprise and control systems, see http://www.isa.org/Template.cfm?Section=Find_Standards&Template=/Customsource/ISA/Standards/TaggedStandardsCommittee.cfm&id=2360
Jitter
Refers to the variation in Latency (see definition below). Jitter is important because larger variations in communication delay can negatively impact the 'deterministic' nature of the relevant system.
Latency
Refers to the delay in communications due to processing and transmission media (Switches, Routers and cables) between any two end-devices. Latency could also refer to the processing time in an application to process a message.
Layer
Generally refers to layers of the OSI Model which logically describe the functions that make up networked communications (see Chapter 1, Figure 8).
Level
Refers to levels of the Automation and Control Reference Model (see Chapter 2) that describe functions and domains of control within manufacturing organizations. This Model is based upon the Purdue Control Hierarchy model and is used in a variety of industrial standards (e.g. ISA 95 and 99).
LDAP
Lightweight Directory Access Protocol. Protocol that provides access for management and browser applications that provide read/write interactive access to an X.500 compliant directory service. X.500 specifies a standard for distributed maintenance of files and directories.
Manufacturing Zone
The Manufacturing zone is a network zone in the Automation and Control Reference Model (see Chapter 2). The zone contains the complete set of applications, systems, infrastructure and devices that are critical to the continued operations of the plant.
In other documentation (for example ISA 99), this zone may also be referred to as the Control zone. The terms are interchangeable in this regard.
NAC
Network Access Control is a security approach that allows only compliant and trusted endpoint devices, such as PCs, servers, and PDAs, onto the network, restricting the access of noncompliant devices, and thereby limiting the potential damage from emerging security threats and risks.
For more on Network Admission Control, see: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
NAT Network Address Translation
Network Address Translation is a mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space.
Network Convergence
The period of time the network requires to restore normal network traffic handling after an outage or event. For our testing and test results, convergence time is measured using the following formula:
Convergence in milliseconds = [(Tx - Rx) / packet rate] * 1000 ms/s
Where:
Tx = Packets transmitted
Rx = Packets received
Packet rate tested = 10,000 packets per second
ODVA Open Device Vendors Association
ODVA is an international association comprising members from the world's leading automation companies. Collectively, ODVA and its members support network technologies based on the Common Industrial Protocol (CIP™). These currently include DeviceNet™, EtherNet/IP™, CompoNet™, and ControlNet™, along with the major extensions to CIP — CIP Safety™ and CIP Motion™. ODVA manages the development of these open technologies, and assists manufacturers and users of CIP Networks through its activities in standards development, certification, vendor education and industry awareness. Both Rockwell Automation and Cisco are members of the ODVA.
OSI Model
The Open Systems Interconnection model is a network architectural model consisting of seven layers, each of which specifies particular network functions, such as addressing, flow control, error control, encapsulation, and reliable message transfer. The lowest layer (the physical layer) is closest to the media technology. The lower two layers are implemented in hardware and software, whereas the upper five layers are implemented only in software. The highest layer (the application layer) is closest to the user. The OSI reference model is used universally as a method for teaching and understanding network functionality.
The term layer in this document generally refers to a layer or layers of the OSI Model.
See Chapter 1, Figure 8 for a diagram of the OSI Model.
Plant
Plant, Production Facility, Factory or Factory Floor—This document chose to use the term plant as a keyword to describe the area in which the manufacturing process and control takes place. This is not to exclude similar words such as factory, production facility, or any other term used to refer to the area in which the manufacturing process exists. In fact, they can be used interchangeably, but for the purpose of consistency, we chose to use Plant.
Port
A port can refer to two things in networking.
1. Physical Interface on an internetworking device (such as a router).
2. In IP terminology, an upper-layer process that receives information from lower layers. A port is an application-specific or process-specific software construct serving as a communications endpoint used by Transport Layer protocols of the Internet Protocol Suite such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Ports are numbered (a port number), and each numbered port is associated with a specific process. For example, SMTP is associated with port 25. A port number is also called a well-known address. For a list of official port numbers see The Internet Assigned Numbers Authority (IANA) at the following URL: http://www.iana.org/assignments/port-numbers.
For the purpose of this document, port refers to the second meaning.
RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service. When a person or device connects to a network, RADIUS authentication is often required.
Remote Terminal Session
Remote Terminal Session or Remote Desktop refers to a set of protocols and software that enable one computer or user to remotely access and control another computer through graphical terminal emulation, that is, software that makes the remote host appear to be a directly attached terminal. Examples include Microsoft's RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing).
SSL
Secure Sockets Layer. Encryption technology for the Web used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.
Subnet or Subnetwork
In IP networks, a subnet is a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks.
TCP
Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
For more on IP, TCP and UDP, see Internetworking Technology Handbook-Internet Protocols: http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Internet-Protocols.html
UDP
User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by the application or other protocols. UDP is defined in RFC 768.
For more on IP, TCP and UDP, see http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Internet-Protocols.htm
VLAN
virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.
For more on VLANs, see Internetworking Technology Handbook-Lan Switching http://www.cisco.com/en/US/docs/internetworking/technology/handbook/LAN-Switching.html
VPN
Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
For more on VPNs, see "How VPNs work": http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml or "IPSec VPN WAN Design Overview" http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/IPSec_Over.html#wp1006588
WINS
Windows Internet Naming Service. Microsoft's NetBIOS name translation service, analogous to DNS.
Table 9-1 Cisco Nexus 1000V Terminology
Control VLAN
One of two VLANs for the communication between VSM and VEM. The control VLAN is used to exchange control messages. The network administrator configures the control VLAN. See packet VLAN.
Distributed Resource Scheduler (DRS)
Balances the workload across your defined resources (hosts, shared storage, network presence, and resource pools) in a cluster.
Distributed Virtual Switch (DVS)
This is a logical switch that spans one or more VMware ESX 4.0 servers. It is controlled by one VSM instance.
ESX/ESXi
A virtualization platform used to create the virtual machines as a set of configuration and disk files that together perform all the functions of a physical machine.
Each ESX/ESXi host has a VI Client available for management use. If your ESX/ESXi host is registered with the vCenter Server, a VI Client that accommodates the vCenter Server features is available.
Managed Object Browser (MOB)
A tool that enables you to browse managed objects on VirtualCenter Server and ESX Server systems.
Network Interface Card (NIC)
Network Interface Card.
PNIC: physical network interface card
vNIC:
Open Virtual Appliance or Application (OVA) file
The package that contains the following files used to describe a virtual machine and saved in a single archive using .TAR packaging.
•Descriptor file (.OVF)
•Manifest (.MF) and certificate files (optional)
Open Virtual Machine Format (OVF)
A platform-independent method of packaging and distributing virtual machines.
Packet VLAN
One of two VLANs for the communication between VSM and VEM. The packet VLAN forwards relevant data packets, such as CDP, from the VEM to the VSM. The network administrator configures the packet VLAN. See control VLAN.
Port Profile
A collection of interface configuration commands that can be dynamically applied at either physical or virtual interfaces. A port profile can define a collection of attributes such as VLAN ID, private VLAN (PVLAN), access control list (ACL), and port security. Port profiles are integrated with the management layer for the virtual machines and allow virtual machine administrators to choose from profiles as they create virtual machines. When a virtual machine is powered on or off, its corresponding profiles are used to dynamically configure the vEth interface.
vCenter Server
A service that acts as a central administrator for VMware ESX/ESXi hosts that are connected on a network. vCenter Server directs actions on the virtual machines and the virtual machine hosts (the ESX/ESXi hosts).
Virtual Ethernet Interface (vEth)
Virtual equivalent of physical network access ports. vEths are dynamically provisioned based on network policies stored in the switch as the result of virtual machine provisioning operations at the hypervisor management layer.
Virtual Ethernet Module (VEM)
This is the part of Cisco Nexus 1000V that actually switches data traffic. It runs on a VMware ESX 4.0 host. Up to 64 VEMs are controlled by one VSM. All the VEMs that form a switch domain should be in the same virtual Data Center as defined by VMware vCenter Server.
This software replaces the vSwitch in each hypervisor. It performs switching between directly attached virtual machines, and provides uplink capabilities to the rest of the network.
Virtual Machine (VM)
A virtualized x86 PC environment in which a guest operating system and associated application software can run. Multiple virtual machines can operate on the same host system concurrently.
VMotion
The practice of migrating virtual machines live from server to server.
Virtual NIC (vNIC)
Logically connects a virtual machine to the vSwitch and allows the virtual machine to send and receive traffic through that interface. If two vNICs attached to the same vSwitch need to communicate with each other, the vSwitch performs the Layer 2 switching function directly, without any need to send traffic to the physical network.
Virtual Supervisor Module (VSM)
This is the control software of the Cisco Nexus 1000V distributed virtual switch. It runs on a virtual machine (VM) and is based on Cisco NX-OS.
VMware Infrastructure Bundle (VIB)
The package format used by VMware ESX 4.0 release.
VMware update manager (VUM)
The software application that manages Cisco Nexus 1000V software installation and VEM upgrades.
Note: VUM is not a requirement. Software can be installed manually without using VUM.
vSphere Client
The user interface that lets users connect remotely to the vCenter Server or ESX/ESXi from any Windows PC. The primary interface for creating, managing, and monitoring virtual machines, their resources, and their hosts. It also provides console access to virtual machines.
 
Numerals
 
3DES
Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used when the sensor is managing a device.
802.x
A set of IEEE standards for the definition of LAN protocols.
A
 
AAA
authentication, authorization, and accounting. Pronounced "triple a." The primary and recommended method for access control in Cisco devices.
ACE
Access Control Entry. An entry in the ACL that describes what action should be taken for a specified address or protocol. The sensor adds or removes ACEs to block hosts.
ACK
acknowledgement. Notification sent from one network device to another to acknowledge that some event occurred (for example, the receipt of a message).
ACL
Access Control List. A list of ACEs that control the flow of data through a router. There are two ACLs per router interface for inbound data and outbound data. Only one ACL per direction can be active at a time. ACLs are identified by number or by name. ACLs can be standard, enhanced, or extended. You can configure the sensor to manage ACLs.
action
The response of the sensor to an event. An action only happens if the event is not filtered. Examples include TCP reset, block host, block connection, IP logging, and capturing the alert trigger packet.
active ACL
The ACL created and maintained by ARC and applied to the router block interfaces.
adaptive security appliance
ASA. Combines firewall, VPN concentrator, and intrusion prevention software functionality into one software image. You can configure the adaptive security appliance in single mode or multi-mode.
AIC engine
Application Inspection and Control engine. Provides deep analysis of web traffic. It provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications that try to tunnel over specified ports, such as instant messaging, and tunneling applications, such as gotomypc. It can also inspect FTP traffic and control the commands being issued.
AIM IPS
Advanced Integration Module. A type of IPS network module installed in Cisco routers.
AIP SSM
Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. AIP-SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When AIP-SSM detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. See also adaptive security appliance.
Alarm Channel
The IPS software module that processes all signature events generated by the inspectors. Its primary function is to generate alerts for each event it receives.
alert
Specifically, an IPS event type; it is written to the Event Store as an evidsAlert. In general, an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence. Also known as an alarm.
Analysis Engine
The IPS software module that handles sensor configuration. It maps the interfaces and also the signature and alarm channel policy to the configured interfaces. It performs packet analysis and alert detection. The Analysis Engine functionality is provided by the SensorApp process.
anomaly detection
AD. The sensor component that creates a baseline of normal network traffic and then uses this baseline to detect worm-infected hosts.
API
Application Programming Interface. The means by which an application program talks to communications software. Standardized APIs allow application programs to be developed independently of the underlying method of communication. Computer application programs run a set of standard software interrupts, calls, and data formats to initiate contact with other devices (for example, network services, mainframe communications programs, or other program-to-program communications). Typically, APIs make it easier for software developers to create links that an application needs to communicate with the operating system or with the network.
application
Any program (process) designed to run in the Cisco IPS environment.
application image
Full IPS image stored on a permanent storage device used for operating the sensor.
application instance
A specific application running on a specific piece of hardware in the IPS environment. An application instance is addressable by its name and the IP address of its host computer.
application partition
The bootable disk or compact-flash partition that contains the IPS software image.
ARC
Attack Response Controller. Formerly known as Network Access Controller (NAC). A component of the IPS. A software module that provides block and unblock functionality where applicable.
architecture
The overall structure of a computer or communication system. The architecture influences the capabilities and limitations of the system.
ARP
Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined in RFC 826.
ASDM
Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device.
ASN.1
Abstract Syntax Notation 1. Standard for data presentation.
aspect version
Version information associated with a group of IDIOM default configuration settings. For example, Cisco Systems publishes the standard set of attack signatures as a collection of default settings with the S aspect. The S-aspect version number is displayed after the S in the signature update package file name. Other aspects include the Virus signature definitions in the V-aspect and IDIOM signing keys in the key-aspect.
atomic attack
Represents exploits contained within a single packet. For example, the "ping of death" attack is a single, abnormally large ICMP packet.
Atomic engine
There are two Atomic engines: Atomic IP inspects IP protocol packets and associated Layer-4 transport protocols, and Atomic ARP inspects Layer-2 ARP protocol.
attack
An assault on system security that derives from an intelligent threat, that is, an intelligent act that is a deliberate attempt (especially in the sense of method or technique) to evade security services and violate the security policy of a system.
attack relevance rating
ARR. A weight associated with the relevancy of the targeted OS. The attack relevance rating is a derived value (relevant, unknown, or not relevant), which is determined at alert time. The relevant OSes are configured per signature.
attack severity rating
ASR. A weight associated with the severity of a successful exploit of the vulnerability. The attack severity rating is derived from the alert severity parameter (informational, low, medium, or high) of the signature. The attack severity rating is configured per signature and indicates how dangerous the event detected is.
authentication
Process of verifying that a user has permission to use the system, usually by means of a password key or certificate.
AuthenticationApp
A component of the IPS. Authorizes and authenticates users based on IP address, password, and digital certificates.
autostate
In normal autostate mode, the Layer 3 interfaces remain up if at least one port in the VLAN remains up. If you have appliances, such as load balancers or firewall servers that are connected to the ports in the VLAN, you can configure these ports to be excluded from the autostate feature to make sure that the forwarding SVI does not go down if these ports become inactive.
AV
Anti-Virus.
B
 
backplane
The physical connection between an interface processor or card and the data buses and the power distribution buses inside a chassis.
base version
A software release that must be installed before a follow-up release, such as a service pack or signature update, can be installed. Major and minor updates are base version releases.
benign trigger
A situation in which a signature is fired correctly, but the source of the traffic is nonmalicious.
BIOS
Basic Input/Output System. The program that starts the sensor and communicates between the devices in the sensor and the system.
blackhole
Routing term for an area of the internetwork where packets enter, but do not emerge, due to adverse conditions or poor system configuration within a portion of the network.
block
The ability of the sensor to direct a network device to deny entry to all packets from a specified network host or network.
block interface
The interface on the network device that the sensor manages.
BO
BackOrifice. The original Windows back door Trojan that ran over UDP only.
BO2K
BackOrifice 2000. A Windows back door Trojan that runs over TCP and UDP.
bootloader
A small set of system software that runs when the system first powers up. It loads the operating system (from the disk, network, external compact flash, or external USB flash), which loads and runs the IPS application. For the AIM IPS, it boots the module from the network and assists in software installation and upgrades, disaster recovery, and other operations when the module cannot access its software.
Botnets
A collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. The term Botnet is used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed through worms, Trojan horses, or back doors, under a common command-and-control infrastructure.
BPDU
Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network.
bypass mode
Mode that lets packets continue to flow through the sensor even if the sensor fails. Bypass mode is only applicable to inline-paired interfaces.
C
 
CA
certification authority. Entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate. Sensors use self-signed certificates.
CA certificate
Certificate for one CA issued by another CA.
CEF
Cisco Express Forwarding. CEF is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.
certificate
Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.
cidDump
A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.
CIDEE
Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems.
CIDS header
The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.
cipher key
The secret binary data used to convert between clear text and cipher text. When the same cipher key is used for both encryption and decryption, it is called symmetric. When it is used for either encryption or decryption (but not both), it is called asymmetric.
Cisco IOS
Cisco system software that provides common functionality, scalability, and security for all products under the CiscoFusion architecture. Cisco IOS allows centralized, integrated, and automated installation and management of internetworks while supporting a wide variety of protocols, media, services, and platforms.
CLI
command-line interface. A shell provided with the sensor used for configuring and controlling the sensor applications.
CollaborationApp
A component of the IPS. Shares information with other devices through a global correlation database to improve the combined efficacy of all the devices.
command and control interface
The interface on the sensor that communicates with the IPS manager and other network devices. This interface has an assigned IP address.
community
In SNMP, a logical group of managed devices and NMSs in the same administrative domain.
composite attack
An attack whose evidence spans multiple packets in a single session, so it can be detected only after the stream has been reassembled rather than by inspecting packets individually. Examples include most attacks carried in an application conversation (FTP, Telnet) and most Regex-based signatures.
connection block
ARC blocks traffic from a given source IP address to a given destination IP address and destination port.
console
A terminal or laptop computer used to monitor and control the sensor.
console port
An RJ45 or DB9 serial port on the sensor that is used to connect to a console device.
control interface
When ARC opens a Telnet or SSH session with a network device, it uses one of the routing interfaces of the device as the remote IP address. This is the control interface.
control transaction
CT. An IPS message containing a command addressed to a specific application instance. Example control transactions include start, stop, getConfig.
Control Transaction Server
A component of the IPS. Accepts control transactions from a remote client, initiates a local control transaction, and returns the response to the remote client.
Control Transaction Source
A component of the IPS. Waits for control transactions directed to remote applications, forwards the control transactions to the remote node, and returns the response to the initiator.
cookie
A piece of information sent by a web server to a web browser that the browser is expected to save and send back to the web server whenever the browser makes additional requests of the web server.
CSA MC
Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
CSM
Cisco Security Manager, the provisioning component of the Cisco Self-Defending Networks solution. CS-Manager is fully integrated with CS-MARS.
CS-MARS
Cisco Security Monitoring, Analysis and Reporting System. The monitoring component of the Cisco Self-Defending Networks solution. CS-MARS is fully integrated with CS-Manager
CVE
Common Vulnerabilities and Exposures. A list of standardized names for vulnerabilities and other information security exposures maintained at http://cve.mitre.org/.
D
 
darknets
A virtual private network where users connect only to people they trust. In its most general meaning, a darknet can be any type of closed, private group of people communicating, but the name is most often used specifically for file-sharing networks. Darknet can be used to refer collectively to all covert communication networks.
Database Processor
A processor in the IPS. Maintains the signature state and flow databases.
datagram
Logical grouping of information sent as a network layer unit over a transmission medium without prior establishment of a virtual circuit. IP datagrams are the primary information units in the Internet. The terms cell, frame, message, packet, and segment also are used to describe logical information groupings at various layers of the OSI reference model and in various technology circles.
DCE
data circuit-terminating equipment (ITU-T expansion). Devices and connections of a communications network that comprise the network end of the user-to-network interface. The DCE provides a physical connection to the network, forwards traffic, and provides a clocking signal used to synchronize data transmission between DCE and DTE devices. Modems and interface cards are examples of DCE.
DCOM
Distributed Component Object Model. Protocol that enables software components to communicate directly over a network. Developed by Microsoft and previously called Network OLE, DCOM is designed for use across multiple network transports, including such Internet protocols as HTTP.
DDoS
Distributed Denial of Service. An attack in which a multitude of compromised systems (typically a botnet) attack a single target at the same time. The flood of incoming traffic exhausts the target's bandwidth, connection tables, or processing capacity, so that legitimate users are denied service.
Deny Filters Processor
A processor in the IPS. Handles the deny attacker functions. It maintains a list of denied source IP addresses.
DES
Data Encryption Standard. A symmetric block cipher operating on 64-bit blocks with a 56-bit key. Its security rests on the secrecy of the key rather than of the algorithm, and a 56-bit key is small enough to be recovered by exhaustive search with modern hardware, so single DES is considered obsolete. 3DES (Triple DES) applies DES three times with two or three independent keys to extend its useful life; AES is the preferred replacement for both. See also AES.
destination address
Address of a network device that is receiving data.
DIMM
Dual In-line Memory Modules.
DMZ
demilitarized zone. A separate network located in the neutral zone between a private (inside) network and a public (outside) network.
DNS
Domain Name System. The Internet-wide distributed database that maps hostnames to IP addresses (and other record types). DNS converts human-readable names into the IP addresses needed to address network packets.
DoS
Denial of Service. An attack whose goal is just to disrupt the operation of a specific system or network.
DRAM
dynamic random-access memory. RAM that stores information in capacitors that must be refreshed periodically. Delays can occur because DRAMs are inaccessible to the processor when refreshing their contents. However, DRAMs are less complex and have greater capacity than SRAMs.
DTE
Data Terminal Equipment. Refers to the role of a device on an RS-232C connection. A DTE writes data to the transmit line and reads data from the receive line.
DTP
Dynamic Trunking Protocol. A Cisco proprietary protocol in the VLAN group used for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (ISL or 802.1q) to be used.
E
 
ECLB
Ether Channel Load Balancing. Lets a Catalyst switch split traffic flows over different physical paths.
egress
Traffic leaving the network.
encryption
Application of a specific algorithm to data to alter the appearance of the data making it incomprehensible to those who are not authorized to see the information.
engine
A component of the sensor designed to support many signatures in a certain category. Each engine has parameters that can be used to create signatures or tune existing signatures.
enterprise network
Large and diverse network connecting most major points in a company or other organization. Differs from a WAN in that it is privately owned and maintained.
escaped expression
Used in regular expressions. A character can be represented by its hexadecimal value; for example, \x61 equals 'a', so \x61 is an escaped expression representing the character 'a'.
ESD
electrostatic discharge. The rapid movement of electric charge from one object to another. The potential involved can reach several thousand volts, enough to cause severe damage to electronic components or entire circuit card assemblies.
event
An IPS message that contains an alert, a block request, a status message, or an error message.
Event Store
One of the components of the IPS. A fixed-size, indexed store (30 MB) used to store IPS events.
evIdsAlert
The XML entity written to the Event Store that represents an alert.
F
 
fail closed
Blocks traffic on the device after a hardware failure.
fail open
Lets traffic pass through the device after a hardware failure.
false negative
A signature does not fire even though offending traffic is present.
false positive
Normal traffic or a benign action causes a signature to fire.
Fast Ethernet
Any of a number of 100-Mbps Ethernet specifications. Fast Ethernet offers a speed increase 10 times that of the 10BaseT Ethernet specification while preserving such qualities as frame format, MAC mechanisms, and MTU. Such similarities allow the use of existing 10BaseT applications and network management tools on Fast Ethernet networks. Based on an extension to the IEEE 802.3 specification.
firewall
Router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.
Flood engine
Detects ICMP and UDP floods directed at hosts and networks.
flooding
Traffic passing technique used by switches and bridges in which traffic received on an interface is sent out all the interfaces of that device except the interface on which the information was received originally.
forwarding
Process of sending a frame toward its ultimate destination by way of an internetworking device.
fragment
Piece of a larger packet that has been broken down to smaller units.
fragmentation
Process of breaking a packet into smaller units when transmitting over a network medium that cannot support the original size of the packet.
Fragment Reassembly Processor
A processor in the IPS. Reassembles fragmented IP datagrams. It is also responsible for normalization of IP fragments when the sensor is in inline mode.
FTP
File Transfer Protocol. Application protocol, part of the TCP/IP protocol stack, used for transferring files between network nodes. FTP is defined in RFC 959.
FTP server
File Transfer Protocol server. A server that uses the FTP protocol for transferring files between network nodes.
full duplex
Capability for simultaneous data transmission between a sending station and a receiving station.
FWSM
Firewall Security Module. A module that can be installed in a Catalyst 6500 series switch. It uses the shun command to block. You can configure the FWSM in either single mode or multi-mode.
G
 
GBIC
GigaBit Interface Converter. Often refers to a fiber optic transceiver that adapts optical cabling to fiber interfaces. Fiber-ready switches and NICs generally provide GBIC and/or SFP slots. For more information, refer to the Catalyst Switch Cable, Connector, and AC Power Cord Guide.
Gigabit Ethernet
Standard for 1000-Mbps Ethernet, developed by the IEEE (Institute of Electrical and Electronics Engineers) 802.3z task force and approved in 1998.
global correlation
The IPS sensor shares information with other devices through a global correlation database to improve the combined efficacy of all devices.
global correlation client
The software component of CollaborationApp that obtains and installs updates to the local global correlation databases.
global correlation database
The collective information obtained from and shared with collaborative devices such as IPS sensors.
GMT
Greenwich Mean Time. Time at the prime meridian (zero degrees longitude). For network timekeeping it is treated as equivalent to Coordinated Universal Time (UTC), which has replaced it as the reference time scale.
GRUB
Grand Unified Bootloader. A boot loader is the first program that the system firmware loads and runs when a computer starts. It is responsible for loading the operating system kernel and transferring control to it. The kernel, in turn, initializes the rest of the operating system.
H
 
H.225.0
An ITU standard that governs H.225.0 session establishment and packetization. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.
H.245
An ITU standard that governs H.245 endpoint control.
H.323
Allows dissimilar communication devices to communicate with each other by using a standardized communication protocol. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.
half duplex
Capability for data transmission in only one direction at a time between a sending station and a receiving station. BSC is an example of a half-duplex protocol.
handshake
Sequence of messages exchanged between two or more network devices to ensure transmission synchronization.
hardware bypass
A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through the pair. Hardware bypass passes traffic at the network interface, does not pass it to the IPS system.
host block
ARC blocks all traffic from a given IP address.
HTTP
Hypertext Transfer Protocol. The stateless request/response media transfer protocol used in the IPS architecture for remote data exchange.
HTTPS
HTTP carried over a TLS (formerly SSL) connection. TLS encrypts the traffic in both directions, protects it against modification in transit, and authenticates the server to the browser with an X.509 certificate (and optionally the client to the server). By default HTTPS uses TCP port 443.
I
 
ICMP
Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. Documented in RFC 792.
ICMP flood
Denial of Service attack that sends a host more ICMP echo request ("ping") packets than the protocol implementation can handle.
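The following is an added example, not Cisco Flood engine code: a sliding-window rate detector of the kind the Flood engine applies, run over a constructed packet list in which one host is hit with far more echo requests per second than a normal ping would produce. The threshold, the window length, the addresses, and the traffic are all constructed for illustration.

```python
"""Sliding-window ICMP echo-request flood detector (added example)."""
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8


def detect_icmp_flood(packets, threshold, window=1.0):
    """Return a list of (timestamp, dst) at which a destination first exceeded
    *threshold* echo requests within the last *window* seconds.

    packets: iterable of (timestamp, src, dst, icmp_type) in arrival order.
    Only one alert is raised per destination per window, so a flood does not
    produce one alert per packet.
    """
    recent = defaultdict(deque)   # dst -> timestamps of echo requests still inside the window
    last_alert = {}               # dst -> timestamp of the most recent alert for it
    alerts = []
    for ts, _src, dst, icmp_type in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and ts - last_alert.get(dst, float("-inf")) > window:
            alerts.append((ts, dst))
            last_alert[dst] = ts
    return alerts


def sample_traffic():
    """Constructed traffic: a background ping plus a 200-packet burst from spoofed sources."""
    pkts = []
    for i in range(5):                     # one echo request per second to 10.0.0.6 (normal)
        pkts.append((float(i), "10.0.0.1", "10.0.0.6", ICMP_ECHO_REQUEST))
    for i in range(200):                   # 200 echo requests to 10.0.0.5 within half a second
        pkts.append((2.0 + i * 0.0025, f"198.51.100.{i + 1}", "10.0.0.5", ICMP_ECHO_REQUEST))
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    for ts, dst in detect_icmp_flood(sample_traffic(), threshold=100):
        print(f"ICMP flood against {dst} detected at t={ts:.3f}s")
```

The background ping never accumulates more than two requests inside a one-second window, so only the burst fires, and it fires once, when the 101st request arrives, rather than 100 more times.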
IDAPI
Intrusion Detection Application Programming Interface. Provides a simple interface between IPS architecture applications. IDAPI reads and writes event data and provides a mechanism for control transactions.
IDCONF
Intrusion Detection Configuration. A data format standard that defines operational messages that are used to configure intrusion detection and prevention systems.
IDENT
Ident protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection.
IDIOM
Intrusion Detection Interchange and Operations Messages. A data format standard that defines the event messages that are reported by intrusion detection systems and the operational messages that are used to configure and control intrusion detection systems.
IDM
IPS Device Manager. A web-based application that lets you configure and manage your sensor. The web server for IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.
IDMEF
Intrusion Detection Message Exchange Format. The IETF Intrusion Detection Working Group draft standard.
IDSM2
Intrusion Detection System Module. A switching module that performs intrusion detection in the Catalyst 6500 series switch.
IDS MC
Management Center for IDS Sensors. A web-based IDS manager that can manage configurations for up to 300 sensors.
IME
IPS Manager Express. A network management application that provides system health monitoring, events monitoring, reporting, and configuration for up to ten sensors.
inline mode
All packets entering or leaving the network must pass through the sensor.
inline interface
A pair of physical interfaces configured so that the sensor forwards all traffic received on one interface out to the other interface in the pair.
InterfaceApp
A component of the IPS. Handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.
intrusion detection system
IDS. A security service that monitors and analyzes system events to find and provide real-time or near real-time warning of attempts to access system resources in an unauthorized manner.
IP address
32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as 4 octets separated by periods (dotted decimal format). Each address consists of a network number, an optional subnetwork number, and a host number. The network and subnetwork numbers together are used for routing, and the host number is used to address an individual host within the network or subnetwork. A subnet mask is used to extract network and subnetwork information from the IP address.
IPS
Intrusion Prevention System. A system that analyzes network traffic for signs of an intrusion and, unlike an IDS, sits inline in the traffic path so that it can drop or block the offending traffic in addition to alerting the user. See also inline mode and intrusion detection system.
IPS data or message
Describes the messages transferred over the command and control interface between IPS applications.
iplog
A log of the binary packets to and from a designated address. Iplogs are created when the log Event Action is selected for a signature. Iplogs are stored in libpcap format, which can be read by Wireshark and tcpdump.
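As an added example (not part of the Cisco IPS glossary or software), the block below writes and parses the libpcap layout that an iplog uses: a 24-byte global header (magic number, version 2.4, snaplen, link type) followed by one 16-byte record header per packet. The sample frame is constructed; the parser checks the magic number for either byte order and refuses truncated records instead of silently returning partial data.

```python
"""Minimal in-memory writer and reader for the libpcap file format (added example)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond timestamps, written in native byte order
LINKTYPE_ETHERNET = 1         # DLT_EN10MB

# Constructed sample: Ethernet / IPv4 / ICMP echo request, 42 bytes (IP checksum left zero).
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"      # dst MAC, src MAC, EtherType IPv4
    "4500001c" "00010000" "4001" "0000"        # IPv4: ver/IHL, len 28, id, flags, TTL, proto ICMP
    "c0a80001" "c0a80002"                       # 192.168.0.1 -> 192.168.0.2
    "0800" "0000" "0001" "0001"                 # ICMP echo request, id 1, seq 1
)


def build_pcap(packets, snaplen=65535):
    """Serialise (timestamp_seconds, frame_bytes) pairs into a little-endian pcap blob."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, data in packets:
        secs = int(ts)
        usecs = int(round((ts - secs) * 1_000_000))
        captured = data[:snaplen]                     # honour snaplen like a real capture
        out += struct.pack("<IIII", secs, usecs, len(captured), len(data))
        out += captured
    return bytes(out)


def parse_pcap(blob):
    """Parse a pcap blob into (linktype, [(timestamp, frame_bytes), ...]).

    Raises ValueError on an unknown magic, an unsupported version, or a record
    that claims more bytes than the file holds.
    """
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError(f"unknown pcap magic {magic:#x}")
    _, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin}")
    records = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        secs, usecs, incl, orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig or off + incl > len(blob):
            raise ValueError("corrupt or truncated record")
        records.append((secs + usecs / 1_000_000, blob[off:off + incl]))
        off += incl
    return linktype, records


if __name__ == "__main__":
    blob = build_pcap([(1_700_000_000.5, SAMPLE_FRAME)])
    linktype, recs = parse_pcap(blob)
    print(f"linktype={linktype}, {len(recs)} record(s), first frame {len(recs[0][1])} bytes")
```

Writing the blob to a file with a .pcap extension produces something tcpdump and Wireshark open directly; the record-length checks matter because a malformed capture handed to a decoder is itself a classic attack surface.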
IP spoofing
An attack in which a host outside your network pretends to be a trusted one, either by using a source IP address from within your own address range or by using an authorized external IP address that you trust and to which you grant access to specified resources. Filtering based on the source address alone cannot distinguish the impostor from the trusted host. Should an attacker obtain your IPsec security parameters (keys), that attacker can masquerade as a remote user authorized to connect to the corporate network.
IPv6
IP version 6. Replacement for the current version of IP (version 4). IPv6 includes support for flow ID in the packet header, which can be used to identify flows. Formerly called IPng (next generation).
ISL
Inter-Switch Link. Cisco-proprietary protocol that maintains VLAN information as traffic flows between switches and routers.
J
 
Java Web Start
Java Web Start provides a platform-independent, secure, and robust deployment technology. It enables developers to deploy full-featured applications to you by making the applications available on a standard web server. With any web browser, you can launch the applications and be confident you always have the most-recent version.
JNLP
Java Network Launching Protocol. Defined in an XML file format specifying how Java Web Start applications are launched. JNLP consists of a set of rules defining how exactly the launching mechanism should be implemented.
K
 
KB
Knowledge Base. The sets of thresholds learned by Anomaly Detection and used for worm detection.
Knowledge Base
See KB.
L
 
LACP
Link Aggregation Control Protocol. LACP aids in the automatic creation of EtherChannel links by exchanging LACP packets between LAN ports. This protocol is defined in IEEE 802.3ad.
LAN
Local Area Network. Refers to the Layer 2 network domain local to a given host. Packets exchanged between two hosts on the same LAN do not require Layer 3 routing.
Layer 2 Processor
A processor in the IPS. Processes layer 2-related events. It also identifies malformed packets and removes them from the processing path.
Logger
A component of the IPS. Writes all the log messages of the application to the log file and the error messages of the application to the Event Store.
logging
Gathers actions that have occurred in a log file. Logging of security information is performed on two levels: logging of events (such as IPS commands, errors, and alerts), and logging of individual IP session information.
LOKI
Remote-access back door Trojan that tunnels its command channel inside ICMP. Once a computer is infected, the malicious code exchanges small payloads inside ICMP echo requests and replies, traffic that filters and monitoring tools often pass without inspection.
M
 
MainApp
The main application in the IPS. The first application to start on the sensor after the operating system has booted. Reads the configuration and starts applications, handles starting and stopping of applications and node reboots, handles software upgrades.
maintenance partition
The bootable disk partition on the IDSM2, from which an IPS image can be installed on the application partition. No IPS capability is available while the IDSM2 is booted into the maintenance partition.
maintenance partition image
The bootable software image installed on the maintenance partition on an IDSM2. You can install the maintenance partition image only while booted into the application partition.
major update
A base version that contains major new functionality or a major architectural change in the product.
Malware
Malicious software installed on a host without the knowledge or consent of its owner.
manufacturing image
Full IPS system image used by manufacturing to image sensors.
master blocking sensor
A remote sensor that controls one or more devices. Blocking forwarding sensors send blocking requests to the master blocking sensor and the master blocking sensor executes the blocking requests.
MD5
Message Digest 5. A one-way hash algorithm that produces a 128-bit digest. Both MD5 and the Secure Hash Algorithm (SHA) derive from the MD4 design and were intended to strengthen it. Cisco uses hashes in keyed (HMAC) form for authentication within the IPsec framework; MD5 is also used for message authentication in SNMP. A keyed hash verifies the integrity of a message and authenticates its origin; an unkeyed hash alone does neither, and replay or timeliness protection comes from sequence numbers or timestamps in the surrounding protocol rather than from the hash. MD5's collision resistance is broken, so it must not be used for new digital signatures or certificates; HMAC-MD5 is not broken by those attacks, but SHA-2 is preferred for new designs.
Meta engine
Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.
MIB
Management Information Base. Database of network management information that is used and maintained by a network management protocol, such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a GUI network management system. MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.
MIME
Multipurpose Internet Mail Extension. Standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in Internet mail, such as binary, foreign language text (such as Russian or Chinese), audio, or video data. MIME is defined in RFC 2045.
minor update
A minor version that contains minor enhancements to the product line. Minor updates are incremental to the major version, and are also base versions for service packs.
module
A removable card in a switch, router, or security appliance chassis. The AIM IPS, AIP SSM, IDSM2, and NME IPS are IPS modules.
monitoring interface
See sensing interface.
MPF
Modular Policy Framework. A means of configuring security appliance features in a manner similar to Cisco IOS software Modular QoS CLI.
MSFC, MSFC2
Multilayer Switch Feature Card. An optional card on a Catalyst 6000 supervisor engine that performs L3 routing for the switch.
MSRPC
Microsoft Remote Procedure Call. MSRPC is the Microsoft implementation of the DCE RPC mechanism. Microsoft added support for Unicode strings, implicit handles, inheritance of interfaces (which are extensively used in DCOM), and complex calculations in the variable-length string and structure paradigms already present in DCE/RPC.
MySDN
My Self-Defending Network. A part of the signature definition section of IDM and IME. It provides detailed information about signatures.
N
 
NAC
Network Access Controller. See ARC.
NAT
Network Address Translation. A network device can present an IP address to the outside networks that is different from the actual IP address of a host. See also PAT.
NBD
Next Business Day. The arrival of replacement hardware according to Cisco service contracts.
Neighbor Discovery
Protocol for IPv6 that replaces ARP and ICMP Router Discovery. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.
network device
A device that controls IP traffic on a network and can block an attacking host. An example of a network device is a Cisco router or PIX Firewall.
network participation
Networks contributing learned information to the global correlation database.
network participation client
The software component of CollaborationApp that sends data to the SensorBase Network.
never block address
Hosts and networks you have identified that should never be blocked.
never shun address
See never block address.
NIC
Network Interface Card. Board that provides network communication capabilities to and from a computer system.
NME IPS
Network Module Enhanced. An IPS module that you can install in any network module slot in the Cisco 2800 and 3800 series integrated services routers.
NMS
network management system. System responsible for managing at least part of a network. An NMS is generally a reasonably powerful and well-equipped computer, such as an engineering workstation. NMSs communicate with agents to help keep track of network statistics and resources.
node
A physical communicating element on the command and control network. For example, an appliance, an IDSM2, or a router.
Normalizer engine
Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer.
NOS
network operating system. Generic term used to refer to distributed file systems. Examples include LAN Manager, NetWare, NFS, and VINES.
NotificationApp
A component of the IPS. Sends SNMP traps when triggered by alert, status, and error events. NotificationApp uses the public domain SNMP agent. SNMP GETs provide information about the general health of the sensor.
NTP
Network Time Protocol. Protocol carried over UDP (port 123) that ensures accurate local timekeeping with reference to radio and atomic clocks located on the Internet. This protocol is capable of synchronizing distributed clocks to within milliseconds over long periods, which is what makes timestamps in events and logs from different devices comparable.
NTP server
Network Time Protocol server. A server that provides time to NTP clients. See NTP.
NVRAM
nonvolatile random-access memory. RAM that retains its contents when a unit is powered off.
O
 
OIR
online insertion and removal. Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shutdown.
OPS
Outbreak Prevention Service.
P
 
P2P
Peer-to-Peer. P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing.
packet
Logical grouping of information that includes a header containing control information and (usually) user data. Packets most often are used to refer to network layer units of data. The terms datagram, frame, message, and segment also are used to describe logical information groupings at various layers of the OSI reference model and in various technology circles.
PAgP
Port Aggregation Protocol. PAgP aids in the automatic creation of EtherChannel links by exchanging PAgP packets between LAN ports. It is a Cisco-proprietary protocol; LACP is the standards-based equivalent.
passive fingerprinting
Act of determining the OS or services available on a system from passive observation of network interactions.
Passive OS Fingerprinting
The sensor determines host operating systems by inspecting characteristics of the packets exchanged on the network.
PASV Port Spoof
An attempt to open a connection through a firewall to a non-FTP port on a protected FTP server. It succeeds when the firewall trusts the host and port named in a 227 (Entering Passive Mode) reply without checking that they match the FTP server on the control connection and a legitimate data port, and so opens an unauthorized connection.
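The check that defeats this, as an added example (not Cisco firewall code): parse the 227 reply as RFC 959 defines it, "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", and refuse to open the data connection unless the host is the FTP server already seen on the control connection and the port is an ordinary data port. The addresses, port floor, and reply strings below are constructed.

```python
"""Validate an FTP 227 reply before a firewall opens the data connection (added example)."""
import ipaddress
import re

# RFC 959: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvSpoof(ValueError):
    """The 227 reply would open a connection the FTP session does not justify."""


def parse_pasv_reply(line):
    """Return (IPv4Address, port) from a 227 reply, or raise ValueError if malformed."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def allowed_data_connection(reply, control_server_ip, min_port=1024):
    """Decide whether the data connection named in *reply* may be opened.

    control_server_ip: the server address on the existing control connection.
    Rejects a reply that names a different host (a pivot to another internal
    machine) or a privileged port such as 22 or 25 (a non-FTP service).
    Returns (ip, port) when the connection is acceptable.
    """
    ip, port = parse_pasv_reply(reply)
    if ip != ipaddress.IPv4Address(control_server_ip):
        raise PasvSpoof(f"227 reply names {ip} but control connection is to {control_server_ip}")
    if port < min_port:
        raise PasvSpoof(f"227 reply names privileged port {port}")
    return ip, port


if __name__ == "__main__":
    server = "10.0.0.5"
    for reply in (
        "227 Entering Passive Mode (10,0,0,5,195,80)",   # legitimate data port 50000
        "227 Entering Passive Mode (10,0,0,9,195,80)",   # points at another internal host
        "227 Entering Passive Mode (10,0,0,5,0,22)",     # points at SSH on the server
    ):
        try:
            print("allow", allowed_data_connection(reply, server))
        except PasvSpoof as exc:
            print("deny ", exc)
```

Requiring the host to equal the control-connection peer is what blocks the pivot; a firewall that also rewrites the address for NAT must compare against the pre-translation address it is already tracking.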
PAT
Port Address Translation. A more restricted translation scheme than NAT in which a single IP address and different ports are used to represent the hosts of a network.
patch release
Release that addresses defects identified in the update (minor, major, or service pack) binaries after a software release (service pack, minor, or major update) has been released.
PAWS
Protection Against Wrapped Sequence. Protection against wrapped sequence numbers in high performance TCP networks. See RFC 1323.
PCI
Peripheral Component Interconnect. The most common peripheral expansion bus used on Intel-based computers.
PDU
protocol data unit. OSI term for packet. See also BPDU and packet.
PEP
Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.
PER
packed encoding rules. Instead of using a generic style of encoding that encodes all ASN.1 types in a uniform way, PER specializes the encoding based on the data type to generate much more compact representations.
PFC
Policy Feature Card. An optional card on a Catalyst 6000 supervisor engine that supports VACL packet filtering.
PID
Product Identifier. The orderable product identifier that is one of the three parts of the UDI. The UDI is part of the PEP policy.
ping
packet internet groper. Often used in IP networks to test the reachability of a network device. It works by sending ICMP echo request packets to the target host and listening for ICMP echo reply packets.
PIX Firewall
Private Internet Exchange Firewall. A Cisco network security device that can be programmed to block/enable addresses and ports between networks.
PKI
Public Key Infrastructure. The certificate authorities, certificates, revocation information, and procedures that bind public keys to identities so that a peer's key can be trusted. In the IPS, PKI refers to authenticating HTTP clients by their X.509 certificates.
POST
Power-On Self Test. Set of hardware diagnostics that runs on a hardware device when that device is powered up.
Post-ACL
Designates an ACL from which ARC should read the ACL entries, and where it places entries after all deny entries for the addresses being blocked.
Pre-ACL
Designates an ACL from which ARC should read the ACL entries, and where it places entries before any deny entries for the addresses being blocked.
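The following is an added example, not Cisco ARC code: it models how the blocking ACL pushed to a network device is assembled from a Pre-ACL, the deny entries for the current host blocks and connection blocks, and a Post-ACL, while honouring never block addresses. The ACL name, the addresses, and the use of TCP for connection blocks and a closing "permit ip any any" are constructed assumptions for illustration.

```python
"""Assemble an IOS extended ACL from Pre-ACL, block entries and Post-ACL (added example)."""
import ipaddress


def build_blocking_acl(name, pre_acl, host_blocks, conn_blocks, post_acl, never_block, proto="tcp"):
    """Return (acl_lines, skipped_sources).

    pre_acl, post_acl: lists of ACE strings copied verbatim.
    host_blocks: source IPs whose traffic is denied entirely (host block).
    conn_blocks: (src_ip, dst_ip, dst_port) tuples (connection block); proto is an
                 assumption, the glossary does not name the protocol.
    never_block: IPs or networks that must never be denied, whatever the sensor saw.
    """
    protected = [ipaddress.ip_network(n, strict=False) for n in never_block]

    def is_protected(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in protected)

    lines = [f"ip access-list extended {name}"]
    lines += [f" {ace}" for ace in pre_acl]            # Pre-ACL: before any deny entries
    skipped = []
    for src, dst, port in conn_blocks:
        if is_protected(src):
            skipped.append(src)
            continue
        lines.append(f" deny {proto} host {src} host {dst} eq {port}")
    for src in host_blocks:
        if is_protected(src):
            skipped.append(src)
            continue
        lines.append(f" deny ip host {src} any")
    lines += [f" {ace}" for ace in post_acl]           # Post-ACL: after the deny entries
    # Assumed closing permit: without it the ACL's implicit deny would drop all other traffic.
    lines.append(" permit ip any any")
    return lines, skipped


if __name__ == "__main__":
    acl, skipped = build_blocking_acl(
        "IPS_Block",
        pre_acl=["permit udp any any eq 123"],                 # keep NTP flowing regardless
        host_blocks=["203.0.113.7", "10.1.1.1"],                # 10.1.1.1 is inside never_block
        conn_blocks=[("198.51.100.4", "10.1.2.3", 80)],
        post_acl=["deny ip any 10.1.9.0 0.0.0.255"],
        never_block=["10.1.0.0/16"],
    )
    print("\n".join(acl))
    print("not blocked (never block address):", skipped)
```

The never block list is the safety valve: a spoofed source address inside your own management range would otherwise let an attacker use the sensor to cut off your own hosts.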
promiscuous delta
PD. A weight in the range of 0 to 30 configured per signature. This weight can be subtracted from the overall risk rating in promiscuous mode.
promiscuous mode
A passive mode in which the sensing interface receives a copy of the packets on the network segment without forwarding them. The sensing interface has no IP address assigned, so it cannot be addressed from the monitored segment and is not readily discoverable by an attacker; it also cannot drop traffic, only alert on it. Contrast inline mode.
Q
 
Q.931
ITU-T specification for signaling to establish, maintain, and clear ISDN network connections.
QoS
quality of service. Measure of performance for a transmission system that reflects its transmission quality and service availability.
R
 
rack mounting
Refers to mounting a sensor in an equipment rack.
RAM
random-access memory. Volatile memory that can be read and written by a microprocessor.
RAS
Registration, Admission, and Status Protocol. Protocol that is used between endpoints and the gatekeeper to perform management functions. RAS signalling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.
RBCP
Router Blade Control Protocol. RBCP is based on SCP, but modified specifically for the router application. It is designed to run over Ethernet interfaces and uses 802.2 SNAP encapsulation for messages.
reassembly
The putting back together of an IP datagram at the destination after it has been fragmented either at the source or at an intermediate node.
recovery package
An IPS package file that includes the full application image and installer used for recovery on sensors.
regex
See regular expression.
regular expression
A mechanism by which you can define how to search for a specified sequence of characters in a data stream or file. Regular expressions are a powerful and flexible notation almost like a mini-programming language that allow you to describe text. In the context of pattern matching, regular expressions allow a succinct description of any arbitrary pattern.
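An added example (not Cisco IPS code) that ties together the composite attack, escaped expression, and regular expression entries: a constructed FTP conversation is delivered as out-of-order TCP segments, and a regex signature that uses escaped hex bytes is run both per packet and over the reassembled stream. The signature, the segments, and the sequence numbers are constructed for illustration.

```python
"""Regex signature matching per packet versus over a reassembled TCP stream (added example)."""
import re


def reassemble(segments):
    """Order TCP segments by sequence number and concatenate their payloads.

    segments: iterable of (seq, payload_bytes). A retransmitted overlap keeps the
    first-seen bytes; a gap raises instead of being skipped, because a pattern
    could otherwise be split around a deliberately withheld segment.
    """
    stream = bytearray()
    expected = None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        stream += data[expected - seq:]          # skip bytes already seen
        expected = max(expected, seq + len(data))
    return bytes(stream)


# Constructed signature: "USER " followed by an argument of 64 or more bytes with no
# line break. \x55\x53\x45\x52 is the escaped-expression form of the literal "USER".
SIGNATURE = re.compile(rb"\x55\x53\x45\x52 [^\r\n]{64,}")

# Constructed conversation: the long USER line is split across two segments and the
# second segment arrives first.
SEGMENTS = [
    (1045, b"A" * 40 + b"\r\n"),
    (1000, b"USER " + b"A" * 40),
]


def match_per_packet(segments):
    """Sequence numbers of segments that match on their own (atomic inspection)."""
    return [seq for seq, data in segments if SIGNATURE.search(data)]


def match_stream(segments):
    """True when the signature matches the reassembled conversation."""
    return SIGNATURE.search(reassemble(segments)) is not None


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS))        # []
    print("stream hit:     ", match_stream(SEGMENTS))            # True
    print("escaped \\x61 matches 'a':", bool(re.fullmatch(rb"\x61", b"a")))
```

Neither segment contains 64 consecutive argument bytes, so packet-by-packet inspection misses the pattern; only the reassembled stream shows it, which is why such signatures are composite and why the IPS includes a TCP normalizer and reassembly processors.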
repackage release
A release that addresses defects in the packaging or the installer.
reputation
By analogy with human social interaction, reputation is a score expressing an opinion of a device on the Internet, built from the observations of the installed base of IPS sensors collaborating over the existing network infrastructure. A device with a negative reputation is most probably malicious or infected.
risk rating
RR. A risk rating is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. The risk of the attack accounts for the severity, fidelity, relevance, and asset value of the attack, but not any response or mitigation actions. This risk is higher when more damage could be inflicted on your network.
RMA
Return Materials Authorization. The Cisco program for returning faulty hardware and obtaining a replacement.
ROMMON
ROM monitor. Firmware-resident monitor that runs before the system image; from ROMMON you can TFTP a system image onto the sensor for recovery purposes.
round-trip time
See RTT.
RPC
remote-procedure call. Technological foundation of client/server computing. RPCs are procedure calls that are built or specified by clients and are executed on servers, with the results returned over the network to the clients.
RSM
Router Switch Module. A router module that is installed in a Catalyst 5000 switch. It functions exactly like a standalone router.
RTP
Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide end-to-end network transport functions for applications transmitting real-time data, such as audio, video, or simulation data, over multicast or unicast network services. RTP provides such services as payload type identification, sequence numbering, timestamping, and delivery monitoring to real-time applications.
RTT
round-trip time. A measure of the time delay imposed by a network on a host from the sending of a packet until acknowledgement of the receipt.
RU
rack unit. A rack is measured in rack units. An RU is equal to 44 mm or 1.75 inches.
S
 
SCP
Switch Configuration Protocol. Cisco control protocol that runs directly over the Ethernet.
SCEP
Simple Certificate Enrollment Protocol. The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS#7 and PKCS#10. SCEP is the evolution of the enrollment protocol.
SDEE
Security Device Event Exchange. A product-independent standard for communicating security device events. It adds extensibility features that are needed for communicating events generated by various types of security devices.
SDEE Server
Accepts requests for events from remote clients.
Secure Shell Protocol
Protocol that provides a secure remote connection to a router through a Transmission Control Protocol (TCP) application.
security context
You can partition a single adaptive security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management.
Security Monitor
Monitoring Center for Security. Provides event collection, viewing, and reporting capability for network devices. Used with the IDS MC.
sensing interface
The interface on the sensor that monitors the desired network segment. The sensing interface is in promiscuous mode; it has no IP address and is not visible on the monitored segment.
sensor
The sensor is the intrusion detection engine. It analyzes network traffic searching for signs of unauthorized activity.
SensorApp
A component of the IPS. Performs packet capture and analysis. SensorApp analyzes network traffic for malicious content. Packets flow through a pipeline of processors fed by a producer designed to collect packets from the network interfaces on the sensor. SensorApp is the standalone executable that runs Analysis Engine.
Service engine
Deals with specific protocols, such as DNS, FTP, H225, HTTP, IDENT, MS RPC, MS SQL, NTP, P2P, RPC, SMB, SNMP, SSH, and TNS.
service pack
Used for the release of defect fixes and for the support of new signature engines. Service packs contain all of the defect fixes since the last base version (minor or major) and any new defect fixes.
session command
Command used on routers and switches to provide either Telnet or console access to a module in the router or switch.
SFP
Small Form-factor Pluggable. Often refers to a fiber optic transceiver that adapts optical cabling to fiber interfaces. See GBIC for more information.
shun command
Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. It is used by ARC when blocking with a PIX Firewall.
Signature Analysis Processor
A processor in the IPS. Dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.
signature
A signature distills network information and compares it against a rule set that indicates typical intrusion activity.
signature engine
A component of the sensor that supports many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values.
signature engine update
Executable file with its own versioning scheme that contains binary code to support new signature updates.
Signature Event Action Filter
Subtracts actions based on the signature event signature ID, addresses, and risk rating. The input to the Signature Event Action Filter is the signature event with actions possibly added by the Signature Event Action Override.
Signature Event Action Handler
Performs the requested actions. The output from Signature Event Action Handler is the actions being performed and possibly an evIdsAlert written to the Event Store.
Signature Event Action Override
Adds actions based on the risk rating value. Signature Event Action Override applies to all signatures that fall into the range of the configured risk rating threshold. Each Signature Event Action Override is independent and has a separate configuration value for each action type.
Signature Event Action Processor
Processes event actions. Event actions can be associated with an event risk rating threshold that must be surpassed for the actions to take place.
signature fidelity rating
SFR. A weight associated with how well a signature might perform in the absence of specific knowledge of the target. The signature fidelity rating is configured per signature and indicates how accurately the signature detects the event or condition it describes.
signature update
Executable file that contains a set of rules designed to recognize malicious network activities, such as worms, DDOS, viruses, and so forth. Signature updates are released independently, are dependent on a required signature engine version, and have their own versioning scheme.
Slave Dispatch Processor
A processor in the IPS. Process found on dual CPU systems.
SMB
Server Message Block. File-system protocol used in LAN Manager and similar NOSs to package data and exchange information with other systems.
SMTP
Simple Mail Transfer Protocol. Internet protocol providing e-mail services.
SN
Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.
SNAP
Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks. The SNAP entity in the end system makes use of the services of the subnetwork and performs three key functions: data transfer, connection management, and QoS selection.
sniffing interface
See sensing interface.
SNMP
Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
SNMP2
SNMP Version 2. Version 2 of the network management protocol. SNMP2 supports centralized and distributed network management strategies, and includes improvements in the SMI, protocol operations, management architecture, and security.
software bypass
Passes traffic through the IPS system without inspection.
source address
Address of a network device that is sending data.
SPAN
Switched Port Analyzer. Feature of the Catalyst 5000 switch that extends the monitoring abilities of existing network analyzers into a switched Ethernet environment. SPAN mirrors the traffic at one switched segment onto a predefined SPAN port. A network analyzer attached to the SPAN port can monitor traffic from any other Catalyst switched port.
spanning tree
Loop-free subset of a network topology.
SQL
Structured Query Language. International standard language for defining and accessing relational databases.
SRAM
Type of RAM that retains its contents for as long as power is supplied. SRAM does not require constant refreshing, like DRAM.
SSH
Secure Shell. A utility that uses strong authentication and secure communications to log in to another computer over a network.
SSL
Secure Sockets Layer. Encryption technology for the Internet used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.
Stacheldraht
A DDoS tool that relies on the ICMP protocol.
State engine
Stateful searches of HTTP strings.
Statistics Processor
A processor in the IPS. Keeps track of system statistics such as packet counts and packet arrival rates.
Stream Reassembly Processor
A processor in the IPS. Reorders TCP streams to ensure the arrival order of the packets at the various stream-based inspectors. It is also responsible for normalization of the TCP stream. The normalizer engine lets you enable or disable alert and deny actions.
String engine
A signature engine that provides regular expression-based pattern inspection and alert functionality for multiple transport protocols, including TCP, UDP, and ICMP.
subsignature
A more granular representation of a general signature. It typically further defines a broad scope signature.
surface mounting
Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.
switch
Network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.
SYN flood
Denial of Service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle.
system image
The full IPS application and recovery image used for reimaging an entire sensor.
T
 
TAC
A Cisco Technical Assistance Center. There are four TACs worldwide.
TACACS+
Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal Access Controller Access Control System (TACACS). Provides additional support for authentication, authorization, and accounting.
target value rating
TVR. A weight associated with the perceived value of the target. Target value rating is a user-configurable value (zero, low, medium, high, or mission critical) that identifies the importance of a network asset (through its IP address).
TCP
Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
TCPDUMP
The TCPDUMP utility is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can use different options for viewing summary and detail information for each packet. For more information, see http://www.tcpdump.org/.
TCP reset interface
The interface on the IDSM2 that can send TCP resets. On most sensors the TCP resets are sent out on the same sensing interface on which the packets are monitored, but on the IDSM2 the sensing interfaces cannot be used for sending TCP resets. On the IDSM2 the TCP reset interface is designated as port 1 with Catalyst software, and is not visible to the user in Cisco IOS software. The TCP reset action is only appropriate as an action selection on those signatures that are associated with a TCP-based service.
Telnet
Standard terminal emulation protocol in the TCP/IP protocol stack. Telnet is used for remote terminal connection, enabling users to log in to remote systems and use resources as if they were connected to a local system. Telnet is defined in RFC 854.
terminal server
A router with multiple, low speed, asynchronous ports that are connected to other serial devices. Terminal servers can be used to remotely manage network equipment, including sensors.
TFN
Tribe Flood Network. A common type of DoS attack that can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks.
TFN2K
Tribe Flood Network 2000. A common type of DoS attack that can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks.
TFTP
Trivial File Transfer Protocol. Simplified version of FTP that lets files be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).
threat rating
TR. A threat rating is a value between 0 and 100 that represents a numerical decrease of the risk rating of an attack based on the response action that depicts the threat of an alert on the monitored network.
three-way handshake
Process whereby two protocol entities synchronize during connection establishment.
threshold
A value, either an upper or a lower bound, that defines the maximum or minimum allowable condition before an alarm is sent.
Time Processor
A processor in the IPS. Processes events stored in a time-slice calendar. Its primary task is to make stale database entries expire and to calculate time-dependent statistics.
TLS
Transport Layer Security. The protocol used over stream transports to negotiate the identity of peers and establish encrypted communications.
TNS
Transparent Network Substrate. Provides database applications with a single common interface to all industry-standard network protocols. With TNS, database applications can connect to other database applications across networks with different protocols.
topology
Physical arrangement of network nodes and media within an enterprise networking structure.
TPKT
Transport Packet. RFC 1006-defined method of demarking messages in a packet. The protocol uses ISO transport services on top of TCP.
traceroute
Program available on many systems that traces the path a packet takes to a destination. It is used mostly to debug routing problems between hosts. A traceroute protocol is also defined in RFC 1393.
traffic analysis
Inference of information from observable characteristics of data flow(s), even when the data is encrypted or otherwise not directly available. Such characteristics include the identities and locations of the source(s) and destination(s), and the presence, amount, frequency, and duration of occurrence.
Traffic ICMP engine
Analyzes traffic from nonstandard protocols, such as TFN2K, LOKI, and DDOS.
trap
Message sent by an SNMP agent to an NMS, a console, or a terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.
Trojan engine
Analyzes traffic from nonstandard protocols, such as BO2K and TFN2K.
trunk
Physical and logical connection between two switches across which network traffic travels. A backbone is composed of a number of trunks.
trusted certificate
Certificate upon which a certificate user relies as being valid without the need for validation testing; especially a public-key certificate that is used to provide the first public key in a certification path.
trusted key
Public key upon which a user relies; especially a public key that can be used as the first public key in a certification path.
tune
Adjusting signature parameters to modify an existing signature.
U
 
UDI
Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.
UDLD
UniDirectional Link Detection. Cisco proprietary protocol that allows devices connected through fiber-optic or copper Ethernet cables connected to LAN ports to monitor the physical configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected LAN port and sends an alert, since unidirectional links can cause a variety of problems, such as spanning tree topology loops.
UDP
User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.
unblock
To direct a router to remove a previously applied block.
UniDirectional Link Detection
See UDLD.
unvirtualized sensing interface
An unvirtualized sensing interface has not been divided into subinterfaces, and the entire interface can be associated with at most one virtual sensor.
UPS
Uninterruptible Power Source.
UTC
Coordinated Universal Time. Time zone at zero degrees longitude. Formerly called Greenwich Mean Time (GMT) and Zulu time.
V
 
VACL
VLAN ACL. An ACL that filters all packets (both within a VLAN and between VLANs) that pass through a switch. Also known as security ACLs.
VID
Version identifier. Part of the UDI.
VIP
Versatile Interface Processor. Interface card used in Cisco 7000 and Cisco 7500 series routers. The VIP provides multilayer switching and runs Cisco IOS. The most recent version of the VIP is VIP2.
virtual sensor
A logical grouping of sensing interfaces and the configuration policy for the signature engines and alarm filters to apply to them. In other words, multiple virtual sensors running on the same appliance, each configured with different signature behavior and traffic feeds.
virtualized sensing interface
A virtualized interface has been divided into subinterfaces each of which consists of a group of VLANs. You can associate a virtual sensor with one or more subinterfaces so that different intrusion prevention policies can be assigned to those subinterfaces. You can virtualize both physical and inline interfaces.
virus
Hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting—that is, inserting a copy of itself into and becoming part of—another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
virus update
A signature update specifically addressing viruses.
VLAN
Virtual Local Area Network. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.
VMS
CiscoWorks VPN/Security Management Solution. A suite of network security applications that combines web-based tools for configuring, monitoring, and troubleshooting enterprise VPN, firewalls, network intrusion detection systems and host-based intrusion prevention systems.
VoIP
Voice over IP. The capability to carry normal telephony-style voice over an IP-based internet with POTS-like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (for example, telephone calls and faxes) over an IP network. In VoIP, the DSP segments the voice signal into frames, which then are coupled in groups of two and stored in voice packets. These voice packets are transported using IP in compliance with ITU-T specification H.323.
VPN
Virtual Private Network(ing). Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VTP
VLAN Trunking Protocol. A Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis.
vulnerability
One or more attributes of a computer or a network that permit a subject to initiate patterns of misuse on that computer or network.
W
 
WAN
wide-area network. Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers. Frame Relay, SMDS, and X.25 are examples of WANs.
watch list rating
WLR. A weight associated with the CSA MC watch list in the range of 0 to 100 (CSA MC only uses the range 0 to 35).
Web Server
A component of the IPS. Waits for remote HTTP client requests and calls the appropriate servlet application.
WHOIS
A TCP-based query/response protocol used for querying an official database to determine the owner of a domain name or an IP address.
Wireshark
Wireshark is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. For more information, see http://www.wireshark.org.
worm
A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and can consume computer resources destructively.
X
 
X.509
Standard that defines information contained in a certificate.
XML
eXtensible Markup Language. Textual file format used for data interchange between heterogeneous hosts.
Z
 
zone
A set of destination IP addresses sorted into an internal, illegal, or external zone used by Anomaly Detection.
 
 
Bandwidth – is a data transfer capacity or data rate measured in bits
BIOS – means basic input output system
Binary Number System – is a system that represents numeric values using two symbols: 0 and 1
Bit – is a binary digit of value either 0 or 1
Bridge – is an internetworking device used to help conserve the bandwidth on the network
Broadcast – is where you simultaneously transmit a message to all computers on a network
Byte – organizational unit for data consisting of eight bits
Client – is a device or system that requires services from another device or system (known as a server)
Computer Network – is an interconnection of a group of computers
CPU – Central Processing Unit, also called a processor, is a class of logic machines that execute computer programs
Data – is a digital representation of anything in any form
Default Gateway – is a router that serves as an access point to another network
DNS – Domain Name System translates names into an IP addresses
Fault Tolerance – is the ability of a system to continue performing its functions when one or more of its components have failed
Frame – is a data packet of fixed or variable length. It consists of a header (including frame synchronization), a payload, and a trailer
FTP – File Transfer Protocol is a network protocol used to transfer data from one computer to another through a network
Full Duplex – is a system that allows communication in both directions at the same time. Example, land-line phone
Half Duplex – is a system that allows communication in both directions, but only in one direction at a time. Example, a "walkie-talkie" style two-way radio
HTML – Hyper Text Markup Language for web pages
HTTP – Hypertext Transfer Protocol – is a communication protocol that transfers information on the World Wide Web
Hub – a device for connecting multiple twisted pair or fiber optic Ethernet devices together, making them act as a single network segment
Internet – is a worldwide, public series of interconnected computer networks that transmit data using Internet Protocol
Intranet – is a private computer network that uses Internet Protocol to securely share part of an organization’s information or operations with its employees
IP Address – is a unique address that certain electronic devices such as computers use in order to communicate with each other on a computer network
IP Telephony – Voice over Internet Protocol optimized for the transmission of Voice through the Internet
LAN – Local Area Network – is a computer network covering a small geographic area (home, office, building)
MAC – Media Access Control address, also known as hardware address is a unique identifier attached to Network Interface Cards
RAM – Random Access Memory is a type of computer data storage where the information is lost after the power is switched off
Multicast – is where you simultaneously transmit a message to a group of computers on a network
OS – Operating System is the software that manages the resources of a computer
OSI Model – Open System Interconnection Basic Reference Model is a layered, abstract description for communications and computer network protocol design; its 7 layers are: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, and Application Layer
Protocol – is a set of rules that controls connection, communication, and data transfer between two computing endpoints
Repeater – is a device that retransmits a signal at a higher level or power
RJ-45 – Registered Jack – is a standardized physical interface for connecting computer networking equipment
Router – a device that controls data packet forwarding between different networks
Routing – is a process of moving data packets from source to destination
Server – is an application or a device that performs services for connected clients
Switch – is a device that connects network segments
TCP/IP – Transmission Control Protocol and Internet Protocol is a set of communications protocols that implement the protocol stack on which the Internet runs
Telnet – stands for Telecommunication Network; it is a network protocol used in Internet and LAN connections
Unicast – is where you transmit a message to a single computer on a network
VPN – Virtual Private Network is a communications network tunneled through another network and dedicated to a specific network
WAN – Wide Area Network is a computer network that covers a broad area
 
Networking Terms, Definitions and Usage
In the networking and IP communications markets and solutions space, certain terms, labels and
designators can mean different things depending on usage and context.
We felt it might be helpful for visitors to our site for us to include definitions of some of these
terms, particularly as the terms relate to Systechís solutions and market view.
 Network Environments
Throughout the industry, vendors and providers refer to office, business, industrial,
transportation, enterprise, and so on. In each case, the understanding of the term or label is not
always clear. With Systech solutions, we view networking environments in the context of the
facility environment where the network and systems/devices connected to it are located.
Administrative Facilities Environments primarily for general office, clerical and
administrative process functions; conditions of temperature,
humidity, and cleanliness, are reasonably controlled.
Operating Facilities Environments primarily for producing, treating, collecting,
handling and physically distributing materials and products;
conditions of temperature, humidity and cleanliness vary
widely from controlled to uncontrolled to harsh. Can be
referred to as industrial facilities.
Business Transaction Environments primarily for transacting and exchange with
Facilities customers, consumers and buyers; conditions of
temperature, humidity and cleanliness vary from reasonably
controlled to somewhat uncontrolled. Can be referred to as
commercial facilities.
 Networks
Wide Area Networks (WAN) Provide communications between facilities. Examples are
the everyday telephone network and virtual private networks
(VPNs).
Local Area Networks (LAN) Provide communications within facilities. Examples are
Ethernet, Token Ring and Arcnet.
Serial Data Transfer Form of communications within facilities in which (with
limitations) computers, peripherals and special function
devices are connected together.
Broadband Ethernet LANís and WAN networks that employ high
bandwidth, high speed communications technologies (xxx
mbs and greater), such as satellite, DSL, T-1, and T-3.
Protocol A special set of rules that devices use when communicating
with each other. 
Internet Protocol (IP) A protocol by which data is sent from one network-enabled
device to another on the Internet. Each network-enabled
device has at least one IP address that identifies it from all
other devices on the network. An address may be either a
ìpublicî address or a ìprivateî address. Public Addresses
are generally unique. Private Addresses are only unique
within the context of the local network.
IPv4 Internet Protocol Version 4. Most widely used version of
IP.
IPv6 Internet Protocol Version 6. The latest level of the
Internet Protocol. IPv6 is also referred to as IPng (IP Next
generation). IPv6 provides an evolutionary set of
improvements to IPv4. The most obvious improvement is
that IP addresses are lengthened from 32 bits to 128 bits.
This extension anticipates considerable future growth of the
Internet, and provides relief for what was perceived as an
impending shortage of network addresses.
TCP/IP A specification for computer network protocols. TCP/IP is
sometimes called the Internet Reference Model. TCP/IP
defines a set of rules by which network-enabled devices
communicate over a network.
SNMP (Simple Network A protocol governing network management and the
Management Protocol) monitoring of network-enabled devices and their functions.
Network-Enabled Devices A computer, server, router, printer, firewall, switch, input/
output device, sensor or hub that is connected to an
Ethernet network or the Internet.
Dial-to-IP Networks, in which the devices that communicate over a
telephone WAN using dial-up modems, are provided with a
common connection point to higher speed, IP-based local
(LAN) or wide area networks (WAN).
Serial-to-IP Serial data transfer connections of devices are provided with
a common connection to higher speed, IP-based local area
networks (LAN) or wide area networks (WAN).
 Network Devices
Client-server Model An architecture (system design) that divides processing
between clients and servers such that processing tasks can
run on the same machine or on different machines on the
same network.
Client A network-enabled device that accesses a remote service on
a server by way of a network.
 
Server A network-enabled device that provides a specific kind of
service to client software running on other computers on a
network.
Communication Server A hardware device that provides computers, printers,
terminals or other devices with a common connection point
to a local or wide area network. Hubs, Switches, Terminal
Servers, Device Servers, and Transaction Servers are all
types of communication servers.
Device Server
A Communication Server that converts serial transmission to Ethernet IP packets, enabling serial-based devices to communicate over an Ethernet LAN instead of a dedicated cable. The devices connect to the device server from their RS-232, RS-422 or RS-485 serial port. The other side of the device server can connect through a network interface port to an Ethernet local area network or wide-area network, or through a modem to a telephone-based wide-area network. The use of a device server means that each device does not need its own network interface port or modem. The terminology "terminal server" has been replaced with "device server" to reflect that serial-to-IP communication now encompasses far more than the connection of dumb terminals to a host computer.
Terminal Server
A Communication Server that converts serial transmission to Ethernet IP packets, enabling serial-based terminals to communicate over an Ethernet LAN instead of a dedicated cable. The terminals connect to the terminal server from their RS-232, RS-422 or RS-485 serial port. The other side of the terminal server connects through a network interface port to an Ethernet local area network or wide-area network, or through a modem to a telephone-based wide-area network. The use of a terminal server means that each terminal does not need its own network interface port or modem. The name "terminal server" originated during a period when users logged onto and accessed computers from dumb terminals. At that time, terminal servers provided the connections from the dumb terminal to the host computer.
Hub
A hardware device that serves as a central point for connecting devices over a local area network. Hubs broadcast frames to all network-enabled devices on the Ethernet network and therefore create more collisions than a switch. Hubs are rarely used today due to preferences for switches.
Switch
A hardware device that serves as an efficient central point for connecting network-enabled devices over a local area network. A switch has several advantages over hubs. For example, switches allow the division of a network into multiple segments to reduce the number of data collisions. Further, a switch only forwards frames to the network-enabled device that connects to the intended destination of the data.
Managed Switch
Provides more control over the network than an unmanaged switch. A managed switch also collects and reports information about the performance of the switch. Additional functionality can include the ability to set up broadcast domains, set up VLANs, limit the bandwidth rate of a segment, and provide QoS, SNMP, port mirroring and/or trunk redundancy.
Transaction Server
A server designed to work in a financial transaction environment. A card scanner, ATM or modem connects to one side of the transaction server. The other side of the transaction server can connect through a network interface port to a local area network, WAN or modem.
Print Server
Software or hardware that manages one or more printers.
Commercial Server
A server designed to work in a standard administrative or business transaction facility environment.
Industrial Server
A server designed to work in an operating facility environment.
Gateway
A network point that acts as an entry point to another network, or a connecting point between two dissimilar networks.
Router
A network device that forwards packets from one network to another. Based on internal routing tables, routers read each incoming packet and determine how to forward it. The destination address in the packet governs the line (interface) to which the router directs an outgoing packet.
Serial-based Device
A device that has an RS-232, RS-485 or RS-422 serial port interface. Examples of serial-based devices include, but are not limited to, printers, terminals, credit card readers, scales, modems, scanners and sensors.
