Understanding Worm Compliance

The document provides definitions for many technical security and networking terms. It includes explanations of encryption algorithms, VPN technologies, firewall capabilities, and other cybersecurity concepts.

Uploaded by deserki20

GLOSSARY

3DES Triple DES is a 168-bit (3 × 56-bit) encryption process. DES, or Data Encryption Standard, is a symmetric key encryption algorithm using a block-cipher method.

AAA Authentication, authorization, and accounting.

AAA server The server/host responsible for running RADIUS or TACACS services.

ACS Access Control Server, the RADIUS and TACACS system sold by Cisco.

Advanced malware protection (AMP) Cisco advanced malware protection (AMP) is designed for Cisco FirePOWER network security appliances. It provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

AES Advanced Encryption Standard is a symmetric key encryption algorithm using a block-cipher method developed by Joan Daemen and Vincent Rijmen. Available in key sizes of 128-bit, 192-bit, or 256-bit.

amplification DDoS attacks A form of reflected attacks in which the response traffic (sent by the unwitting participants) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).

antispam filters Multilayer filters based on Cisco’s e-mail reputation and threat intelligence.

AnyConnect Cisco’s secure mobility client solution, supporting full-tunnel VPN. Requires a small client on the workstation, but then tunnels all traffic through the SSL or IPsec tunnel, allowing other nonsecure protocols to be transported and secured.

ASA Adaptive Security Appliance firewall, such as the ASA 5510 Firewall.

asset Property (tangible or intangible) that has value to a company, something worth protecting.

asymmetrical Meaning both sides are not the same (not symmetrical). An asymmetrical encryption algorithm uses one key to encrypt data and a second (and different) key to decrypt the data.

attack severity rating The amount of damage an attack can cause. It is used as one property of a signature inside an IPS/IDS.

audit A detailed review of a network, system or collection of processes. Accounting is another word that has a similar function: collecting information about the network.

authentication method list The list of methods to be used for authentication (RADIUS, TACACS, enable password, Kerberos, vty line, or local database).

authorization method list The list of methods to be used for authorization (RADIUS, TACACS, Kerberos, local database, or to pass if already authenticated). Used to specify what the authenticated user is authorized to do.

back doors A piece of malware or configuration change that allows attackers to control the victim’s system remotely.

brute-force (password-guessing) attacks A type of attack that takes place when a miscreant bombards a system with frequent guesses of a password hoping to eventually get the correct password that enables the miscreant to access the system.

BYOD (Bring Your Own Device) BYOD refers to policies in place that enable users to connect to the corporate network using personal devices such as smartphones, tablets, and laptops.

BYOD devices These are the corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location.

C3PL Cisco Common Classification Policy Language. This promotes the concept of using class maps and policy maps to identify and provide specific treatment for traffic.

CA Certificate authority. A system that generates and issues digital certificates. This is usually a device that is trusted by both parties using certificates.

CCP Cisco Configuration Professional. A web-based router administration tool with a GUI.

CCP communities Groups of routers presented together in CCP as a community of devices. A way to organize the devices being managed within CCP.

CCP templates Sections of configurations that can be reapplied to multiple devices in CCP, substituting variables (such as a hostname) that are unique to each router.

CCP user profiles Method to restrict what CCP displays to the administrator, thus limiting what the administrator can see and change through CCP.

CDP Cisco Discovery Protocol enables network devices to send information about the device itself to any device or application on the network that wants to listen to and collect the device information.

CERT The CERT Division, part of the Software Engineering Institute and based at Carnegie Mellon University (Pittsburgh, Pennsylvania) is a worldwide respected authority in the field of network security and cyber security.

Cisco AnyConnect Secure Mobility Client The Cisco AnyConnect Client provides connectivity for end users who need access to the corporate network.

Cisco AnyConnect Secure Mobility Client full-tunnel VPN The client is designed to protect users on computer-based or mobile platforms, providing a solution to encrypt IP traffic, including TCP and UDP. Clientless SSL VPNs only provide a way to encrypt TCP-based applications, whereas the Cisco AnyConnect Secure Mobility Client provides a full-tunnel VPN capability to encrypt TCP, UDP, and other protocols.

Cisco public key The Cisco public key is needed for the IOS-based IPS to verify Cisco’s digital signature of the IPS signature package provided by Cisco.

Cisco SIO Security Intelligence Operations. Early warning intelligence, threat and vulnerability analysis, and proven Cisco mitigation solutions to help protect networks.

ClamAV An open source antivirus engine sponsored and maintained by Cisco and non-Cisco engineers.

class map The portion of Modular Policy Framework (MPF) in the ASA, or C3PL on routers and switches, that defines what types of traffic belong to a certain class. Policy maps rely on class maps for the classification of traffic.

class map type inspect This special type of class map defines specific classes and types of traffic to be used for further inspection in zone-based firewalls on IOS routers.

clientless SSL VPN Allows for limited VPN resource access within some protocols that can natively support TLS, such as HTTPS and CIFS shared over HTTPS.

cloud-based MDM deployment In a cloud-based MDM deployment, MDM application software is hosted by a managed service provider who is solely responsible for the deployment, management, and maintenance of the MDM solution.

computer viruses A malicious software that infects a host file or system area to perform undesirable outcomes such as erasing data, stealing information, or corrupting the integrity of the system.

context-aware security Security enforcement that involves the observation of users and roles in addition to things like interface-based controls. An example is an ACS providing full access to an administrator who is logged in from his local computer, but restricted access when that same user is logged in through a remote device or through a smartphone.

control plane The control plane of a device handles packets that are generated by the device itself or that are used for the creation and operation of the network itself. Control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor.

control plane policing (CoPP) A Cisco IOS-wide feature designed to enable users to restrict the amount of traffic handled by the route processor of their network devices.

control plane protection (CPPr) A Cisco feature, similar to control plane policing, that can help to mitigate the effects on the CPU of traffic that requires processing by the CPU. CPPr has the capability to restrict traffic with finer granularity by dividing the aggregate control plane into three separate control plane categories known as subinterfaces.

CRL Certificate revocation list. Used in a PKI environment to inform clients about certificates that have been revoked by the CA.

custom privilege level Level 0 (user) and level 15 (enable) are predefined; anything in between (1–14) is custom privilege level.

data plane The logic systems in a device that are responsible for the actual movement (post-decision) of information. End users sending traffic to their servers is one example of traffic on the data plane.

DH group The Diffie-Hellman exchange refers to the security algorithm used to exchange keys securely, even over an unsecured network connection. Groups refer to the lengths of the keys involved in the exchange. Group 1 is a 768-bit key exchange, Group 2 is a 1024-bit key exchange, and Group 5 is a 1536-bit key exchange. The purpose of this algorithm is to establish shared symmetrical secret keys on both peers. The symmetric keys are used by symmetric algorithms such as AES. DH itself is an asymmetrical algorithm.

DHCP snooping DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.

digital signature An encrypted hash that uniquely identifies the sender of a message and authenticates the validity and integrity of the data received. Signing is done with the private key of the sender, and validation of that signature (done by the receiver) is done using the public key of the sender.

direct DDoS attacks Direct DDoS attacks occur when the source of the attack generates the packets, regardless of protocol, application, and so on that are sent directly to the victim of the attack.

disabled signature A signature that is disabled. A signature needs to be both enabled and nonretired to be used by an IPS/IDS.

downloaders A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.

dynamic ARP inspection (DAI) DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

eavesdropping Any method of listening in on other conversations, whether voice or data (sniffer).

enabled signature A signature that is enabled. A signature needs to be both enabled and nonretired to be used by an IPS/IDS.

EUI-64 Extended Unique Identifier-64 is an IEEE standard for converting a 48-bit MAC address into a 64-bit host address in IPv6 networks. Used for stateless autoconfiguration.
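
The MAC-to-interface-identifier conversion described in the EUI-64 entry, as an added Python example that is not part of the original glossary: it inserts FF:FE between the two halves of the MAC, flips the universal/local bit, forms the address under a /64 prefix, and also reverses the process, which is why an EUI-64 address exposes the host's hardware MAC to anyone who sees the address. All MAC addresses and prefixes used here are constructed values.

```python
import re
from ipaddress import IPv6Address, IPv6Network


def parse_mac(mac: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or Cisco-style 001a.2b3c.4d5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in half, insert FF:FE, flip the U/L bit."""
    m = parse_mac(mac)
    eui = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    # Bit 0x02 of the first octet is the universal/local bit; modified EUI-64
    # inverts it so that a globally unique (burned-in) MAC yields a 1 here.
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier (SLAAC style)."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr: str) -> str:
    """Recover the MAC from an EUI-64-derived address.

    This is the tracking concern with EUI-64 identifiers: the hardware address
    follows the host across every prefix it attaches to, which is why
    temporary (privacy) addresses exist as an alternative.
    """
    low64 = int(IPv6Address(addr)) & ((1 << 64) - 1)
    iid = bytearray(low64.to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    # Constructed values for the demonstration.
    mac = "001a.2b3c.4d5e"
    addr = eui64_address("2001:db8:1:2::/64", mac)
    print(mac, "->", addr)  # 2001:db8:1:2:21a:2bff:fe3c:4d5e
    print(addr, "->", mac_from_eui64_address(str(addr)))  # 00:1a:2b:3c:4d:5e
```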

exploit A malicious program designed to “exploit” or take advantage of a single vulnerability or set of vulnerabilities.

file retrospection After a malicious attempt or malware is detected, Cisco next-generation products (such as the Cisco ASA, Cisco WSA, and Cisco Next-Generation IPS) with AMP capabilities continue to cross-examine files over an extended period of time.

file sandboxing If malware is detected, the Cisco AMP capabilities can put files in a sandbox to inspect its behavior, combining the inspection with machine-learning analysis to determine the threat level. Cisco Cognitive Threat Analytics (CTA) uses machine-learning algorithms to adapt over time.

hash A unidirectional process rather than a reversible algorithm, it takes a variable-sized input and creates a fixed-size output. Common examples include MD5 and SHA.

HMAC Hash Message Authentication Code, used to verify data integrity and authenticity of a message.

identity certificate A digital certificate assigned to a device, host, person, or e-mail in a PKI infrastructure offering a concept of validated identity.

Identity Services Engine (ISE) The Cisco ISE is a critical piece to the Cisco BYOD solution. It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization.

IDS (intrusion detection system) Intrusion detection systems, primarily using signature matching, can alert administrators about an attack on the network, but cannot prevent the initial packet from entering the network.

IKE Phase 1 Internet Key Exchange Phase 1 negotiates the parameters for the IKE Phase 1 tunnel, including hash, DH group, encryption, and lifetime.

IKE phase 2 Internet Key Exchange Phase 2 builds the actual IPsec tunnel. This includes negotiating the transform set for the IPsec SA.

Immunet A free community-based antivirus software maintained by Cisco Sourcefire.

IPS (intrusion prevention system) Intrusion prevention systems, primarily using signature matching, can alert administrators about an attack on the network and can prevent the initial packet from entering the network.

IPsec IPsec is the suite of protocols used to protect the contents of Layer 3 IP packets. ESP is the primary protocol used to encapsulate the Layer 3 packets.

key A password or set of information used to seed other mathematical algorithms.

key loggers A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device. It collects sensitive information such as passwords, PINs, personally identifiable information (PII), credit card numbers, and more.

LDAP Lightweight Directory Access Protocol. This protocol can be used for gathering/managing information from an LDAP-accessible directory/database. An example of its use is having a AAA server use an LDAP request to Active Directory to verify the credentials of a user.

lifetime The amount of time, in seconds or amount of data that has gone by, that a key or security association is considered valid.

LLDP (Link Layer Discovery Protocol) LLDP was developed by Cisco and others within the Internet and IEEE community as a new, standardized discovery protocol, 802.1AB. Similar to CDP, LLDP defines basic discovery capabilities and was enhanced to specifically address the voice application.

logic bombs A type of malicious code that is injected to a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system.

mailers and mass-mailer worms A type of worm that sends itself in an e-mail message.

malvertising This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

man-in-the-middle attack A form of eavesdropping where the attacker inserts himself in the middle of a conversation, masquerading as a wireless access point, router, proxy server, and so on.

management plane The management plane refers to traffic and technologies involved in being able to manage the network and its devices. This could include management sessions with SSH, HTTPS, and so on, and could also include information-gathering tools such as SNMP or NetFlow.

MD5 Message digest algorithm 5 is a cryptographic function with a 128-bit hash. Hashing algorithms are unidirectional. The enable secret on an IOS router is stored using an MD5 hash.

MD5 route authentication MD5 hashing is applied to the authentication of routing updates between routers to ensure the integrity of routing protocol updates. MD5 route authentication is available for OSPF, EIGRP, RIPv2, and BGP.

method list List of available methods for AAA to use in order (local, RADIUS, TACACS, and so on).

mobile device management (MDM) The function of mobile device managers, also known as mobile device management (MDM), is to deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.

MPF Modular Policy Framework. A newer technique using the class map and policy map framework to bring about all sorts of manipulations or additional functions to a router. This is what the ASA refers to when using class maps, policy maps, and the service policy commands. On an IOS router, these are referred to as C3PL components.

NA IPv6 neighbor advertisement. Used to communicate information from an IPv6 host to another on the same locally connected network.

named access control list (ACL) Configured with ip access-list rather than just access-list commands, and can be defined as either standard or extended, but by name. Named ACLs are easier to edit than numbered ACLs because of the access-list configuration mode provided by the named ACL.

NAT Network Address Translation. The process of swapping out an IP address of a packet in transit with an alternative address. An example of its use is workstations on the inside of a network using private IP addresses and having those source addresses modified by the NAT router before packets from those workstations are sent out to the Internet.

network antivirus Antivirus capabilities in network infrastructure devices.

Next-Generation IPS (NGIPS) The new suite of IPS solutions based on the technologies that were part of the Cisco acquisition of Sourcefire. The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high inspection throughput rates.

NFP Network foundation protection. The concept of breaking down the network into functional components, such as control plane, management plane, and data plane, and then providing protection for each of those components.

NS IPv6 neighbor solicitation. Used by an IPv6 speaker to make a request of one or more local IPv6 devices on the same network.

NTP Network Time Protocol. Used to synchronize time on the network, which is important for log messages and for IPS/IDS event time stamps to correlate messages across multiple devices.

on-premises MDM deployment In an on-premises deployment, MDM application software is installed on servers that are located within the corporate data center and are completely supported and maintained by the network staff of the corporation.

packet filtering Packet filtering is a static check on known information such as source/destination address and source/destination port information.

parser view Commands are available only within particular contexts (views). This is a way to implement role-based management, by creating views and associating specific administrators with those views.

PAT Port Address Translation. This is a subset of NAT, with multiple devices being mapped to a single address. It is also referred to as a many-to-one translation.

personally identifiable information (PII) This is the type of information that has, unfortunately, been talked about in the press all too often lately when we hear about data breaches. This information includes names, dates of birth, addresses, and Social Security numbers.

PFS Perfect Forward Secrecy. New keys within DH are not based on seeds from previous keys when PFS is enabled, further increasing security. PFS is associated only with IKE Phase 2.

phishing Elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider, fellow employee, or financial institution. The e-mail message might ask the user to reply with the sensitive data or to access a website to update information such as a bank account number.

PKCS#10 Public Key Cryptography Standards #10 is a file format used when sending certificate requests to a CA.

PKCS#12 Public Key Cryptography Standards #12 is a file format used to store private keys with accompanying public key certificates.

PKCS#7 Public Key Cryptography Standards #7 is used by a CA to distribute digital certificates.

PKI Public key infrastructure. A scalable architecture that includes software, hardware, people, and procedures to facilitate the management of digital certificates.

policy map The portion of MPF or C3PL that defines what actions occur to traffic belonging to each class.

policy map type inspect The policy map type is associated with Zone-Based Firewalls on the IOS. The ASA also has specific purpose policy maps for deep packet inspection.

public key The part of a key pair that is shared with other people in a PKI exchange.

qualitative A method of risk assessment that uses a scenario model, including expert opinion.

quantitative A method of risk assessment that uses a mathematical model based on data.

RA IPv6 router announcement. Used by a router to inform other IPv6 devices about the local network address to which they are connected.

RADIUS Remote Authentication Dial-In User Service. This is one method for a router or switch to communicate with a AAA server, such as ACS.

ransomware A type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker for the malicious activity to cease or for the malware to be removed from the affected system.

reflected DDoS (RDDoS) attacks Occur when the sources of the attack are sent spoofed packets that appear to be from the victim; the sources then become unwitting participants in the DDoS attacks by sending the response traffic back to the intended victim.

regulatory compliance Security policy created because of local/national laws or regulations (SOX, HIPAA, and so on).

retired signature If a particular signature is deemed old and no longer a common threat, it can be retired, which reduces memory used by the IOS IPS.

risk A measurement of the likelihood of a successful attack by measuring the level of threat against a particular vulnerability.

risk rating A quantitative rating of your network before security measures are put in place. The IOS IPS also uses a risk rating to calculate the potential danger of an attack.

root certificate The certificate at the top of a certificate hierarchy in PKI.

rootkits A set of tools that an attacker uses to elevate their privilege to obtain root-level access and completely take control of the affected system.

RS IPv6 router solicitation request. Used by an IPv6 device to obtain information from an IPv6 router on the local network.

RSA In 1977, Rivest, Shamir, and Adleman developed a public key algorithm still used by most browsers today. This is an asymmetrical algorithm used for authentication.

SCEP Simple Certificate Enrollment Protocol. SCEP was created to facilitate large-scale deployments of PKI, by automating the process of authenticating and enrolling with a CA that supports SCEP. This is a Cisco-sponsored protocol and is supported by some, but not all, other vendors.

secure bootset Part of the Cisco IOS Resilient Configuration feature, preventing the erasure of IOS files from a storage device, such as flash or NVRAM.

Secure Copy (SCP) A feature that provides a secure and authenticated method for copying device configurations or device image files.

SecureX Cisco’s security framework to establish and enforce security policies across a distributed network.

security levels Numeric levels used in the ASA to define a relationship of more secure or less secure.

service policy Just like in MQC for quality of service (QoS), this is the device that ties a policy to an interface (QoS) or to a zone pair (ZBF). On an ASA, this is the command element that links a policy to one or more interfaces.

SFR Signature fidelity rating. An IPS measurement of the degree of attack certainty related to that signature correctly indicating the attack on which it is supposed to match.

SHA1 Secure Hash Algorithm 1. A successor to MD5, developed by the National Security Agency (NSA).

show ip cef command The output of this command displays the IP prefixes of the packets that will be received and handled by the control plane (CPU) of the device.

show policy-map control-plane command The output of this command provides the status of the policy that has been applied to the control plane.

signature files Package of signatures that update an IDS/IPS against new attack methods. IOS IPS signature packages are similar to the signatures used on the IPS/IDS appliances.

signature micro-engines Part of IDS/IPS that supports a group of signatures in a common category.

SNMP Simple Network Management Protocol is used for device management, including requesting information and receiving updates from network devices.

Snort An open source intrusion detection and prevention technology developed by the founder of Sourcefire (now a part of Cisco).

spammers A type of malware whose sole purpose is to send unsolicited messages with the primary goal of fooling users into clicking malicious links, replying to e-mails or other such messages with sensitive information, or performing different types of scams.

spoofed address The source address of an IP packet that has been changed to something not actually assigned or belonging to the location from which it came. Like identity theft for an IP address.

spoofing An attack where the source pretends to be another host or user (MAC, IP, e-mail).

SSH Secure Shell. An encrypted alternative to Telnet, for remote CLI management access to a network device.

SSL Secure Sockets Layer is the original security method for HTTPS. Although succeeded by TLS, this term is still widely used and assumed. This is a secure alternative to HTTP.

standard/extended ACL Access control list for packet filtering, set up by number. ACLs 1–99 are standard (source IP only), and 100–199 are extended (source and destination IP as well as port information). ACLs 1300–1999 are also standard ACLs, and 2000–2699 are also extended ACLs.

stateful filtering More than just a simple packet-filter check, stateful inspection can determine whether a network flow exists and can look at information up to the application layer. A stateful filtering firewall dynamically allows the return traffic to the user, from the server they were accessing on the other side of the firewall. This is implemented in the ASA firewall and in the zone-based firewall feature on an IOS router.

subordinate CA A certificate authority at a level below the root CA. Large PKIs use multiple subordinate CAs to offload the work from a single root CA.

SVI Switched virtual interface, or “interface VLAN,” on a switch.

symmetrical Literally meaning both sides are the same, such as with pre-shared keys, where both ends have the exact same information used to encode/decode data. DH produces symmetrical keys. Symmetrical keys are used by symmetrical algorithms, such as AES, where one key encrypts the data and the same key is used to decrypt the data.

SYN flood attack An exploit against TCP’s three-way handshake opening lots of sessions via the initial SYN packet with no intent of replying to the SYN-ACK and completing the session. This leaves half-open, or embryonic, connections and can overflow a server’s session table.

syslog Logging messages can be sent to a syslog server that gathers all incoming messages into text files. Syslog server programs can sort by incoming device IP address and by severity/facility levels to make security monitoring simpler.

TACACS+ Terminal Access Controller Access Control System. This is one of the protocols that can be used to communicate between an AAA server and its client (such as between an ACS server and a router).

threat The potential for a vulnerability to be exploited.

TLS Transport Layer Security. Based on SSL, but more widely adopted as an IETF standard in RFC 5246.

Traffic Light Protocol (TLP) A set of designations developed by the US CERT to ensure that sensitive information is shared with the correct audience.

transform set A set of secure protocol parameters to be used by IPsec in IKE Phase 2. To properly peer, both sides must agree on a common set.

transparent firewall Firewall implemented at Layer 2 of the OSI model, but still including the ability to analyze traffic at Layer 3 and higher.

Trojan horses A type of malware that executes instructions determined by the nature of the Trojan to delete files, steal data, and compromise the integrity of the underlying operating system.

TVR Target value rating. User-defined variable in IPS/IDS of the criticality of a particular target if attacked.

unretired In IPS, if a new variant would cause old signatures to become valid again, the signature can be assigned as “unretired,” which will make the signature available for use, and will consume memory on the IOS router.

uRPF Unicast Reverse Path Forwarding. Comparing the entry point of a packet’s source address against the routing table and making sure the ingress interface matches what the egress interface would be to reach the source of the packet. If the interface does not match, the router assumes the source address is bogus (spoofed) and can drop the packet.
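
The strict-mode check described in the uRPF entry, as an added Python example (not code from the glossary or from Cisco IOS): a longest-prefix lookup over a forwarding table decides whether the packet's source would be reached through the interface it arrived on, and the sample packets include an internal source address arriving from the outside. The forwarding table, the interface names, the packets and the allow_default switch are all constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table for the example: prefix -> egress interface.
FIB = {
    "0.0.0.0/0": "Gi0/0",      # default route toward the Internet
    "192.0.2.0/24": "Gi0/0",   # an external block with an explicit route
    "10.1.0.0/16": "Gi0/1",    # internal campus
    "10.1.5.0/24": "Gi0/2",    # a more specific internal subnet
}


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match, the same lookup the router uses to forward toward addr.

    The default route is ignored unless allow_default is set; this is an
    assumption of the model, chosen because a default route would otherwise
    supply a "valid" reverse path for every source address on that interface.
    """
    ip = ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress, allow_default=False):
    """Strict-mode uRPF: pass only when the interface the router would use to
    reach src is the interface the packet arrived on. Returns (passed, reason)."""
    match = lookup(fib, src, allow_default)
    if match is None:
        return False, f"drop: no reverse path for {src}"
    net, egress = match
    if egress != ingress:
        return False, f"drop: {src} ({net}) reachable via {egress}, arrived on {ingress}"
    return True, f"pass: {src} ({net}) via {egress}"


# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("10.1.5.7", "Gi0/2"),      # internal host on its own subnet
    ("10.1.5.7", "Gi0/0"),      # same source arriving from the Internet side: spoofed
    ("10.1.7.7", "Gi0/1"),      # covered by the /16
    ("192.0.2.9", "Gi0/0"),     # external block with an explicit route
    ("203.0.113.4", "Gi0/0"),   # only the default route covers this source
    ("203.0.113.4", "Gi0/1"),   # external address appearing on an internal port
]


def filter_packets(fib, packets, allow_default=False):
    """Return the decision for each packet as (src, ingress, passed)."""
    return [(src, iface, urpf_strict(fib, src, iface, allow_default)[0])
            for src, iface in packets]


if __name__ == "__main__":
    for src, iface in PACKETS:
        print(urpf_strict(FIB, src, iface)[1])
```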

VPN Virtual private network. Used to provide encryption, authentication, data integrity, and antireplay for network traffic.

vulnerability A flaw or weakness in a system’s design or implementation that could be exploited.

worms Viruses that replicate themselves over the network, infecting numerous vulnerable systems. In most occasions, a worm will execute malicious instructions on a remote system without user interaction.

X.509v3 The ITU standard for PKI. Version 3 typically refers more to the IETF standard (RFC 3280), which includes CRL usage.

zone pairs The traffic flow, for initial traffic, unidirectionally between two zones. An example is a zone pair that begins in the inside zone and goes to the outside zone. Policies can then be applied to initial traffic that is moving in the direction of the zone pair (in this case, from inside to outside).

zones The grouping of multiple interfaces under a similar security policy together, such as inside or outside.
