Glossary

Symbols and Numerics
3DES / Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession. An alternative 3DES version uses just two 56-bit DES keys, but uses one of them twice, resulting effectively in a 112-bit key length. Legal for use only in the United States. See DES.
802.1x / 802.1x is an IEEE standard for media-level access control, offering the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity.
A
AAA / authentication, authorization, and accounting. Pronounced "triple-A."
AAL5-SNAP / ATM Adaptation Layer 5 Subnetwork Access Protocol.
AAL5-MUX / ATM Adaptation Layer 5 Multiplexing.
access control, access control rule / information entered into the configuration which allows you to specify what type of traffic to permit or deny into an interface. By default, traffic that is not explicitly permitted is denied. Access control rules are composed of access control entries (ACEs).
ACE / access control entry. An entry in an ACL that specifies a source host or network and whether or not traffic from that host is permitted or denied. An ACE can also specify a destination host or network, and the type of traffic.
ACL / access control list. Information on a device that specifies which entities are permitted to access that device or the networks behind that device. Access control lists consist of one or more access control entries (ACE).
ACS / Cisco Secure Access Control Server. Cisco software that can implement a RADIUS server or a TACACS+ server. The ACS is used to store policy databases used by Easy VPN, NAC and other features to control access to the network.
address translation / The translation of a network address and/or port to another network address and/or port. See also IP address, NAT, PAT, Static PAT.
ADSL / asymmetric digital subscriber line.
aggressive mode / A mode of establishing ISAKMP SAs that simplifies IKE authentication negotiation (phase 1) between two or more IPSec peers. Aggressive mode is faster than main mode, but is not as secure. See main mode, quick mode.
AH / Authentication Header. This is an older IPSec protocol that is less important in most networks than ESP. AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption.
AH-MD5-HMAC / Authentication Header with the MD5 (HMAC variant) hash algorithm.
AH-SHA-HMAC / Authentication Header with the SHA (HMAC variant) hash algorithm.
AHP / Authentication Header Protocol. A protocol that provides source host authentication, and data integrity. AHP does not provide secrecy.
algorithm / A logical sequence of steps for solving a problem. Security algorithms pertain to either data encryption or authentication.
DES and 3DES are two examples of data encryption algorithms.
Examples of encryption-decryption algorithms include block cipher, CBC, null cipher, and stream cipher.
Authentication algorithms include hashes such as MD5 and SHA.
AMI / alternate mark inversion.
ARP / Address Resolution Protocol. A low-level TCP/IP protocol that maps a node's hardware address (called a MAC address) to its IP address.
ASA / Adaptive Security Algorithm. Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application.
asymmetric encryption / Also called public key systems, this approach allows anyone to obtain access to anyone else's public key and therefore send an encrypted message to that person using the public key.
asymmetric keys / A pair of mathematically related cryptographic keys. The public key encrypts information that only the private key can decrypt, and vice versa. Additionally, the private key signs data that only the public key can authenticate.
ATM / Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, and data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, thereby reducing transit delays.
authenticate / To establish the truth of an identity.
authentication / In security, the verification of the identity of a person or process. Authentication establishes the integrity of a data stream, ensuring that it was not tampered with in transit, and providing confirmation of the data stream's origin.
B
block / A fixed-length sequence of bits.
block cipher / An encryption algorithm that uses a 64-bit symmetric cipher to operate on data blocks of a fixed size. See cipher.
BOOTP / Bootstrap Protocol. The protocol used by a network node to determine the IP address of its Ethernet interfaces to effect network booting.
burst rate / The number of bytes that a traffic burst must not exceed.
C
C3PL / Cisco Common Classification Policy Language. C3PL is a structured replacement for feature-specific configuration commands and allows configurable functionality to be expressed in terms of an event, a condition, and an action.
CA / Certification Authority. A trusted third-party entity that issues and/or revokes digital certificates. Sometimes referred to as a notary or a certifying authority. Within a given CA's domain, each device needs only its own certificate and the CA's public key to authenticate every other device in that domain.
CA certificate / A digital certificate granted to one certification authority (CA) by another certification authority.
CA server / Certification Authority server. A network host that is used to issue and/or revoke digital certificates.
cache / A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
CBAC / Context-based Access Control. Protocol that provides internal users with secure access control for each application and for all traffic across network perimeters. CBAC scrutinizes both source and destination addresses and tracks each application connection status.
CDP / Cisco Discovery Protocol. A media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN.
CDP / Certificate Revocation List Distribution Point. A location from which a Certificate Revocation List can be retrieved. A CDP is usually an HTTP or LDAP URL.
CEP / Certificate Enrollment Protocol. A certificate management protocol. CEP is an early implementation of Certificate Request Syntax (CRS), a standard proposed to the Internet Engineering Task Force (IETF). CEP specifies how a device communicates with a CA, including how to retrieve the public key of the CA, how to enroll a device with the CA, and how to retrieve a certificate revocation list (CRL). CEP uses PKCS (Public Key Cryptography Standards) 7 and 10 as key component technologies. The public key infrastructure working group (PKIX) of the IETF is working to standardize a protocol for these functions, either CRS or an equivalent. When an IETF standard is stable, Cisco will add support for it. CEP was jointly developed by Cisco Systems and VeriSign, Inc.
certificate / See digital certificate.
certificate identity / An X.509 certificate contains within it information regarding the identity of whichever device or entity possesses that certificate. The identification information is then examined during each subsequent instance of peer verification and authentication. However, certificate identities can be vulnerable to spoofing attacks.
CET / Cisco Encryption Technology. Proprietary network layer encryption introduced in Cisco IOS Release 11.2. CET provides network data encryption at the IP packet level and implements the following standards: DH, DSS, and 40- and 56-bit DES.
CHAP / Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access, it merely identifies the remote end. The router or access server then determines whether that user is allowed access. See also PAP.
chargen / Character Generation. Via TCP, a service that sends a continual stream of characters until stopped by the client. Via UDP, the server sends a random number of characters each time the client sends a datagram.
checksum / Computational method for checking the integrity of transmitted data, computed from a sequence of octets taken through a series of arithmetic operations. The recipient recomputes the value and compares it for verification.
Cisco SDM / Cisco Router and Security Device Manager. Cisco SDM is an Internet browser-based software tool designed to configure LAN, WAN, and security features on a router. See Getting Started for more information.
cipher / An encryption-decryption algorithm.
ciphertext / Encrypted, unreadable data, prior to its decryption.
class map
clear channel / A clear channel is one through which non-encrypted traffic can flow. Clear channels place no security restrictions on transmitted data.
cleartext / Decrypted text. Also called plaintext.
CLI / command-line interface. The primary interface for entering configuration and monitoring commands to the router. Refer to the Configuration Guide for the router you are configuring for information on what commands you can enter from the CLI.
client/server computing / Term used to describe distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also RPC.
CNS / Cisco Networking Services. A suite of services that support scalable network deployment, configuration, service-assurance monitoring, and service delivery.
comp-lzs / An IP compression algorithm.
Configuration, Config, Config File / The file on the router that holds the settings, preferences, and properties you can administer using Cisco SDM.
cookie / A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on your local hard drive. The file can be loaded the next time you run a Java applet or visit a website. In this way information unique to you as a user can be saved between sessions. The maximum size of a cookie is approximately 4KB.
CPE / customer premises equipment.
CRL / certificate revocation list. A list maintained and signed by a certificate authority (CA) of all the unexpired but revoked digital certificates.
cryptography / Mathematical and scientific techniques for keeping data private, authentic, unmodified, and non-repudiated.
crypto map / In Cisco SDM, crypto maps specify which traffic should be protected by IPSec, where IPSec-protected traffic should be sent, and what IPSec transform sets should be applied to this traffic.
D
data confidentiality / The result of data encryption that prevents the disclosure of information to unauthorized individuals, entities, or processes. This information can be either data at the application level, or communication parameters. See traffic flow confidentiality or traffic analysis.
data integrity / The presumed accuracy of transmitted data — signifying the sender's authenticity and the absence of data tampering.
data origin authentication / One function of a non-repudiation service.
decryption / Reverse application of an encryption algorithm to encrypted data, thereby restoring that data to its original, unencrypted state.
default gateway / The gateway of last resort. The gateway to which a packet is routed when its destination address does not match any entries in the routing table.
delta file / A file that Cisco IOS IPS creates to store changes made to signatures.
DES / Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST). Uses a secret 56-bit encryption key. The DES algorithm is included in many encryption standards.
DHCP / Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them.
DH, Diffie-Hellman / A public key cryptography protocol that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange.
Diffie-Hellman key exchange / A public key cryptography protocol that allows two parties to establish a shared secret over insecure communication channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange. Cisco IOS software supports 768-bit and 1024-bit Diffie-Hellman groups.
digest / The output of a hash function.
digital certificate / A cryptographically signed, digital representation of user or device attributes that binds a key to an identity. A unique certificate attached to a public key provides evidence that the key has not been compromised. A certificate is issued and signed by a trusted certification authority, and binds a public key to its owner. Certificates typically include the owner's name, the owner's public key, the certificate's serial number, and the certificate's expiration date. Other information might also be present. See X.509.
digital signature / An authentication method that permits the easy discovery of data forgery, and prevents repudiation. Additionally, the use of digital signatures allows for verification that a transmission has been received intact. Typically includes a transmission time stamp.
distributed key / A shared cryptographic key that is divided into pieces, with each piece provided to a different participant.
DLCI / data-link connection identifier. In Frame Relay connections, the identifier for a particular data link connection between two endpoints.
DMVPN / Dynamic multipoint virtual private network. A virtual private network in which routers are arranged in a logical hub and spoke topology, and in which the spokes have point-to-point GRE over IPSec connections with the hub. DMVPN uses GRE and NHRP to enable the flow of packets to destinations in the network.
single DMVPN / A router with a single DMVPN configuration has a connection to one DMVPN hub, and has one configured GRE tunnel for DMVPN communication. The GRE tunnel addresses for the hub and spokes must be in the same subnet.
DMZ / demilitarized zone. A DMZ is a buffer zone between the Internet, and your private networks. It can be a public network typically used for Web, FTP and E-Mail servers that are accessed by external clients on the Internet. Placing these public access servers on a separate isolated network provides an extra measure of security for your internal network.
DN / Distinguished Name. A unique identifier for a Certification Authority customer, included in each of that customer's certificates received from that Certification Authority. The DN typically includes the user's common name, the name of that user's company or organization, the user's two-letter country code, an e-mail address used to contact the user, the user's telephone number, the user's department number, and the city in which the user resides.
DNS / Domain Name System (or Service). An Internet service that translates domain names, which are composed of letters, into IP addresses, which are composed of numbers.
domain name / The familiar, easy-to-remember name of a host on the Internet that corresponds to its IP address.
DPD / dead peer detection. DPD determines if a peer is still active by sending periodic keepalive messages to which the peer is supposed to respond. If the peer does not respond within a specified amount of time, the connection is terminated.
DRAM / dynamic random access memory. RAM that stores information in capacitors that must be periodically refreshed.
DSCP / Differentiated Services Code Point. DSCP markings can be used to classify traffic for QoS. See also NBAR.
DSLAM / digital subscriber line access multiplexer.
DSS / digital signature standard. Also called digital signature algorithm (DSA), the DSS algorithm is part of many public-key standards for cryptographic signatures.
dynamic routing / Routing that adjusts automatically to network topology or traffic changes. Also called adaptive routing.
E
EAPoUDP / Extensible Authentication Protocol over User Datagram Protocol. Sometimes shortened to EOU. The protocol used by a client and a NAD to perform posture validation.
Easy VPN / A centralized VPN management solution based on the Cisco Unified Client Framework. A Cisco Easy VPN consists of two components: a Cisco Easy VPN Remote client, and a Cisco Easy VPN server.
ECHO / See ping, ICMP.
eDonkey / Also known as eDonkey 2000 or ED2K, an extremely large peer-to-peer file sharing network. eDonkey implements the Multisource File Transmission Protocol (MFTP).
EIGRP / Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco Systems. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
encapsulation / Wrapping of data in a particular protocol header. For example, Ethernet data is wrapped in a specific Ethernet header before network transit. Also, when bridging dissimilar networks, the entire frame from one network is simply placed in the header used by the data link layer protocol of the other network.