CCNA Security Glossary 1
Sunday, August 31st, 2008 | Study Guide
access control list (ACL) ACLs provide basic traffic-filtering capabilities on Cisco routers. ACLs can be configured for all routed network protocols to filter packets as they pass through a router or security appliance. An ACL may be used for packet filtering (a basic, stateless form of firewall), as well as for selecting the traffic to be analyzed, forwarded, or otherwise acted on by another feature (for example, NAT, QoS, or route maps).
accounting Tracking users’ consumption of network resources. This information may be used for management purposes, planning, billing, or other purposes. Typical information that is gathered includes the user’s name, the nature of the service delivered, when the service began, and when it concluded.
Advanced Encryption Standard (AES) The AES initiative was announced in 1997, when the U.S. National Institute of Standards and Technology (NIST) invited the public to propose candidate encryption schemes to be evaluated as the encryption standard to replace DES. NIST selected the Rijndael cipher as the AES algorithm in October 2000. AES was published as FIPS 197 in November 2001 and took effect as an official U.S. government standard in 2002.
application layer firewall This third-generation firewall technology evaluates network packets for valid data at the application layer before allowing a connection. The data in every packet is examined at the application layer, and the firewall maintains complete connection state and sequencing information. Application layer firewalls can also validate security items that appear only within the application layer data, such as user passwords and service requests.
asymmetric algorithm Employs two mathematically related keys: a public key and a private key. Often this is simply called public key encryption. In this key pair, the public key may be distributed freely, whereas the private key must be closely guarded. If the private key is compromised, the security of the system as a whole fails. Data encrypted with the public key can be decrypted only with the private key. The reverse also holds: a value transformed with the private key can be checked by anyone holding the public key, which is the basis of digital signatures.
asymmetric encryption See asymmetric algorithm.
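As an added example (not code from the glossary), the two directions of a public/private key pair described under asymmetric algorithm and asymmetric encryption, shown with textbook RSA. The primes, exponents and message values are constructed toy parameters; real deployments use 2048-bit or larger moduli and padding (OAEP for encryption, PSS for signatures), never bare modular exponentiation as here.

```python
# Added example, not from the glossary: textbook RSA with tiny constructed
# parameters, to show that what the public key does the private key undoes,
# and vice versa. NOT secure: no padding, toy key size.


def modinv(a: int, m: int) -> int:
    """Modular inverse via the extended Euclidean algorithm (a*x = 1 mod m)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


# Constructed toy primes (assumption for the demo).
P, Q = 61, 53
N = P * Q                 # modulus 3233, part of both keys
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent, coprime to PHI
D = modinv(E, PHI)        # private exponent, 2753

PUBLIC_KEY = (E, N)       # may be handed out freely
PRIVATE_KEY = (D, N)      # must be closely guarded


def rsa_apply(key, value: int) -> int:
    """Raise an integer smaller than the modulus to the key's exponent, mod N."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must lie in [0, modulus)")
    return pow(value, exponent, modulus)


def encrypt(public_key, message: int) -> int:
    """Anyone with the public key can encrypt."""
    return rsa_apply(public_key, message)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the private key holder can recover the message."""
    return rsa_apply(private_key, ciphertext)


def sign(private_key, message: int) -> int:
    """The opposite direction: transform with the private key."""
    return rsa_apply(private_key, message)


def verify(public_key, message: int, signature: int) -> bool:
    """Anyone with the public key can check that the signature reverses to the message."""
    return rsa_apply(public_key, signature) == message


if __name__ == "__main__":
    c = encrypt(PUBLIC_KEY, 65)
    print("ciphertext:", c, "decrypted:", decrypt(PRIVATE_KEY, c))
    s = sign(PRIVATE_KEY, 65)
    print("signature valid:", verify(PUBLIC_KEY, 65, s), "tampered:", verify(PUBLIC_KEY, 66, s))
```

With these parameters encrypting 65 yields 2790, and decrypting 2790 gives 65 back; the signature check succeeds for the signed value and fails for any other.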
auditing The process of recording the actions of an authenticated user. An example is tracking how long a user is authenticated on the network, the resources he or she works with while on the network, and the length of usage. Auditing can produce a history of network usage on the part of a given user or users.
authentication The confirmation that a user who is requesting a service is a valid user of the network services requested. Authentication is accomplished by presenting an identity and credentials. These might be such things as passwords, one-time tokens, or digital certificates.
authentication, authorization, and accounting (AAA) These three primary services provide a network with access security as well as a record of user activity. AAA identifies who the user is, what the user can access, and what services and resources the user consumes when he or she connects to a server or device.
authentication server A RADIUS server (such as Cisco Secure ACS) that validates a client’s credentials against its user database.
authenticator A device (such as a Cisco Catalyst switch) that provides access to a network. The authenticator typically does not authenticate the supplicant. Rather, the authenticator acts as a gateway, relaying authentication messages between the supplicant and an external authentication server.
authorization The granting of specific types of service to a user, based on his or her authentication, the services he or she is requesting, and the current system state.
AutoSecure An automated approach to applying security best practices to a router that is invoked from the CLI.
auxiliary VLAN The VLAN used by a Cisco IP Phone to carry voice traffic, separate from the data VLAN of a PC connected behind the phone. In current Cisco terminology this is usually called the voice VLAN.
availability The availability of data is a measure of its accessibility. For example, if a server were down only about 5 minutes per year, it would have an availability of 99.999 percent (that is, "five nines" of availability).
awareness Awareness makes the end-user community conscious of security issues, without necessarily any in-depth procedural training. For example, distributing an e-mail or pamphlet describing the issue of viruses and the importance of virus protection creates awareness of the issue.
block cipher Derives its name from the fact that it transforms a fixed-length "block" of plain text into a "block" of ciphertext. These two blocks are the same length. When the reverse transformation is applied to the ciphertext block, using the same secret key, it is decrypted. Block ciphers use a fixed block size. This is generally 128 bits (the AES block size), but block sizes vary; for instance, DES has a block size of 64 bits.
bootset The collection of a router's image and configuration files that can be protected using the Cisco IOS Resilient Configuration feature, which keeps a secure copy of the bootset.
brute-force attack Attempts to match password credentials by guessing a sequence of patterns (for example, the letter a through the letter z, followed by the letters aa through zz, followed by aaa through zzz, and so on). In such an attack, all possible combinations are tried until the password is discovered. Given enough time the attack is guaranteed to succeed, because every candidate in the search space is eventually tried; the defense is to make that space (password length and character set, or key length) large enough that the time required is impractical, and to limit how many guesses an attacker can make.
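The enumeration described above, carried out against a constructed target, as an added example that is not from the glossary. The stored credential is modelled as an unsalted SHA-256 of a short lowercase password (an assumption made purely so the search has something to match; real systems should use a slow, salted password hash). The `search_space` helper shows why the time "may require a great deal" grows exponentially with password length.

```python
# Added example, not from the glossary: exhaustive search in the order
# a..z, aa..zz, aaa..zzz, ... against a constructed SHA-256 target.
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase


def credential_hash(password: str) -> str:
    """Stand-in for a stored verifier (unsalted SHA-256; demo assumption only)."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str = ALPHABET, max_length: int = 4):
    """Try every string of length 1..max_length in order.

    Returns (password, attempts) on success, or (None, attempts) when the
    bounded search space is exhausted without a match.
    """
    attempts = 0
    for length in range(1, max_length + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(candidate)
            if credential_hash(guess) == target_hash:
                return guess, attempts
    return None, attempts


def search_space(alphabet_size: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length: sum of n**L."""
    return sum(alphabet_size ** length for length in range(1, max_length + 1))


if __name__ == "__main__":
    found, tries = brute_force(credential_hash("dog"))
    print(found, tries)                 # dog 3101
    print(search_space(26, 3))          # 18278
    print(search_space(26, 8))          # 217180147158: why length matters
```

The search tries all 26 one-letter and 676 two-letter strings before reaching "dog" as the 2399th three-letter candidate, 3101 guesses in total; raising the limit to eight lowercase letters multiplies the space to over 2 x 10^11 candidates.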
buffer overflow A programming error in which a program writes more data into a buffer than the buffer was allocated to hold, overwriting adjacent memory. The result may be erratic program behavior, a memory access exception and program termination, or, when the overwritten data is attacker-controlled, a breach of system security such as execution of arbitrary code.
call agent Replaces many of the features previously provided by Private Branch Exchanges (PBX). For example, a call agent can be configured with rules that determine how calls are forwarded. Cisco Unified Communications Manager (UCM) is an example of a call agent.
catastrophe A disruption category in which all resources at a site are destroyed, and normal business operations must be moved to an alternative site.
certificate A document issued and signed by the certificate authority (CA) that binds the name of the entity to its public key.
certificate authority (CA) A trusted third party responsible for signing the public keys of entities in a PKI-based system.
Challenge Handshake Authentication Protocol (CHAP) An authentication scheme used by Point-to-Point Protocol (PPP) to validate the identity of remote clients. CHAP is based on a shared secret and verifies the client's identity, at link establishment and periodically afterward, with a three-way handshake: the authenticator sends a random challenge, the client answers with an MD5 hash of the packet identifier, the shared secret, and the challenge, and the authenticator computes the same value and replies with Success or Failure. The secret itself never crosses the wire, only the hash, and because each challenge is fresh a captured response cannot simply be replayed. The Internet Engineering Task Force (IETF) also made CHAP the mandatory authentication method for iSCSI.
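The three-way exchange above, with both peers modelled in one process, as an added example that is not from the glossary. The response value follows RFC 1994 (MD5 over identifier, secret and challenge). The peer names, the shared secret and the use of `os.urandom` for the challenge are constructed for the demo; the authenticator forgets each challenge once it has been answered, so a replayed response is rejected.

```python
# Added example, not from the glossary: CHAP (RFC 1994) handshake with both
# sides modelled locally. Names, secrets and challenge source are assumptions.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (e.g. a router terminating PPP)."""

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets        # peer name -> shared secret, never transmitted
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int, value: bytes = None) -> dict:
        value = os.urandom(16) if value is None else value
        self.outstanding[identifier] = value
        return {"code": "Challenge", "id": identifier, "value": value, "name": self.name}

    def check(self, response: dict) -> dict:
        # pop(): a challenge can be answered once, so a replayed response fails.
        challenge = self.outstanding.pop(response["id"], None)
        secret = self.secrets.get(response["name"])
        if challenge is None or secret is None:
            return {"code": "Failure", "id": response["id"]}
        expected = chap_response(response["id"], secret, challenge)
        ok = hmac.compare_digest(expected, response["value"])   # constant-time compare
        return {"code": "Success" if ok else "Failure", "id": response["id"]}


class Peer:
    """The remote client proving knowledge of the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, challenge: dict) -> dict:
        value = chap_response(challenge["id"], self.secret, challenge["value"])
        return {"code": "Response", "id": challenge["id"], "value": value, "name": self.name}


def run_handshake(secret_on_peer: bytes, identifier: int = 1) -> list:
    """Return the three packets as they would cross the wire."""
    authenticator = Authenticator("router1", {"remote": b"s3cr3t"})   # constructed
    peer = Peer("remote", secret_on_peer)
    challenge = authenticator.challenge(identifier)
    response = peer.respond(challenge)
    result = authenticator.check(response)
    return [challenge, response, result]


if __name__ == "__main__":
    for packet in run_handshake(b"s3cr3t"):
        print(packet["code"], packet.get("value", b"").hex())
    print(run_handshake(b"wr0ng")[-1]["code"])   # Failure
```

Nothing in the three packets contains the secret; an eavesdropper sees only the random challenge and a 16-byte digest that is useless once the authenticator has discarded that challenge.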
checksum A mathematical computation used to verify that the contents of a message have not been altered. A simple checksum (such as a sum of the bytes or a CRC) reliably detects accidental corruption, but an attacker who can modify the message can adjust it to keep the checksum unchanged; detecting deliberate tampering requires a cryptographic hash and, when the attacker can also replace the hash, a keyed construction such as an HMAC or a digital signature.
ciphertext The representation of plain text in an unreadable form.
Cisco Discovery Protocol (CDP) A Layer 2 protocol that permits adjacent Cisco devices to learn information about one another (for example, protocol and platform information). Because CDP is enabled by default and advertises details such as the IOS version and IP addresses in clear text, it is normally disabled on interfaces facing untrusted networks.
Cisco Security Agent (CSA) A host-based IPS (HIPS) solution. The CSA software can be installed on selected host systems and optionally report suspicious activity to a centralized management server.
Cisco Security Device Manager (SDM) Provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router.
Cisco Security Manager An application that can be used to configure security features on a wide variety of Cisco security products.
Cisco Security MARS The Cisco Security Monitoring, Analysis and Response System. The MARS product offers security monitoring for security devices and applications. In addition to Cisco devices and applications, Cisco Security MARS can monitor many third-party devices and applications.
Cisco Self-Defending Network The Cisco vision for using a network to recognize threats and then prevent and adapt to them.
class map A way of identifying a set of packets based on their contents using “match” conditions. Classes generally are defined so that you can apply an action to the identified traffic that reflects a policy. The class itself is designated via the class map. Class maps are created using the class-map command. After it is created, the class map is used to match packets to a specified class.
cold site A cold site, like a hot or warm site, offers an alternative location where business operations can be conducted. However, a cold site typically does not contain redundant computing equipment such as servers and routers, so the data network would need to be rebuilt from scratch, which might take weeks. Therefore, although a cold site is less expensive initially than a hot or warm site, the long-term consequences of an extended outage can far outweigh the initial cost savings.
collision When two distinct messages have the same message digest. A hash "collision" or hash "clash" happens when two different inputs to a hash function produce identical outputs. Because a hash function maps inputs of any length to a fixed-length output, every hash function has collisions; a well-designed function makes them rare for ordinary inputs and, for a cryptographic hash, computationally infeasible to find on purpose. In a hash table a collision is only a performance cost, since the colliding records must be told apart some other way; in a security context a collision lets one message be substituted for another that carries the same digest.
community VLAN Ports belonging to a community VLAN can communicate with one another, but not with ports in other community VLANs.
confidentiality The assurance that only authorized parties can read data. Data confidentiality is provided by encrypting data: if a third party intercepts the encrypted data, he or she cannot interpret it without the key.
Context-Based Access Control (CBAC) Represents a significant advance over ACLs in that it provides stateful packet filtering. CBAC monitors several attributes of TCP connections, UDP sessions, and Internet Control Message Protocol (ICMP) exchanges, so that the only traffic allowed back through a firewall ACL is the return traffic for a dialogue that was originated on the private side of the firewall.
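A minimal model of that stateful behaviour, as an added example that is not from the glossary or from Cisco's implementation. The inbound rule on the outside interface is "deny everything"; an outbound TCP or UDP packet from the inside creates a temporary session entry, and an inbound packet is forwarded only if it is the exact reverse of a recorded session. Addresses, ports and the packet model are constructed for the demo; real CBAC also ages entries out, follows the TCP state machine and inspects application protocols, none of which is modelled here.

```python
# Added example, not from the glossary: the core of stateful filtering,
# i.e. "let return traffic in only for sessions that started inside".
from dataclasses import dataclass

INSIDE = "inside"     # packet is leaving the private network
OUTSIDE = "outside"   # packet is arriving from the untrusted side


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # INSIDE or OUTSIDE


class StatefulFilter:
    def __init__(self, inspected_protocols=("tcp", "udp")):
        self.inspected = set(inspected_protocols)
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.direction == INSIDE:
            # Outbound traffic is permitted; inspected protocols open a session.
            if pkt.proto in self.inspected:
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the static ACL is "deny any". Only a packet that mirrors a
        # recorded session (addresses and ports swapped) is let through.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.sessions


def demo() -> list:
    """Constructed traffic: unsolicited inbound SSH, an outbound HTTPS request, its reply."""
    fw = StatefulFilter()
    unsolicited = Packet("tcp", "203.0.113.9", 40000, "10.0.0.5", 22, OUTSIDE)
    request = Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443, INSIDE)
    reply = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, OUTSIDE)
    return [fw.process(unsolicited), fw.process(request), fw.process(reply)]


if __name__ == "__main__":
    print(demo())   # [False, True, True]
```

Contrast this with a plain ACL, which would have to permit every inbound packet to port 51000 (or every packet with the ACK bit set) to let the reply through, and would therefore also admit the unsolicited traffic.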
cryptographic hash A function that takes an input of any length and returns a fixed-length string, called the hash value or digest. Cryptographic hash functions are designed on the assumption that an adversary will deliberately try to find inputs with the same hash value. A well-designed cryptographic hash is therefore one-way (given a hash value, there is no practical way to calculate an input that produces it), second-preimage resistant (given one input, there is no practical way to find a different input with the same hash), and collision resistant (there is no practical way to find any two inputs that hash to the same value). These properties make the hash very difficult to forge.
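The difference between the checksum, collision and cryptographic hash entries, shown on constructed data as an added example that is not from the glossary. Swapping two adjacent bytes of a message leaves a byte-sum checksum unchanged (a collision that is trivial to produce on purpose) but changes the SHA-256 digest completely. The message text and the additive checksum are constructed for the demo.

```python
# Added example, not from the glossary: a deliberate collision against a
# simple checksum, and the same edit seen by a cryptographic hash.
import hashlib


def additive_checksum(data: bytes) -> int:
    """Sum of all bytes modulo 2**16: catches random corruption, not deliberate edits."""
    return sum(data) % 65536


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any change to the input changes about half the output bits."""
    return hashlib.sha256(data).hexdigest()


def swap_adjacent(message: bytes, i: int) -> bytes:
    """Return message with bytes i and i+1 exchanged (the byte sum is unchanged)."""
    if not 0 <= i < len(message) - 1:
        raise ValueError("i must index a byte that has a successor")
    out = bytearray(message)
    out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def differing_bits(a: str, b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


ORIGINAL = b"PAY 100 TO ALICE"            # constructed message
FORGED = swap_adjacent(ORIGINAL, 4)       # b"PAY 010 TO ALICE": a different amount


def compare() -> dict:
    """Does each integrity check notice the forgery?"""
    return {
        "checksum_detects_change": additive_checksum(ORIGINAL) != additive_checksum(FORGED),
        "sha256_detects_change": sha256_hex(ORIGINAL) != sha256_hex(FORGED),
        "sha256_bits_changed": differing_bits(sha256_hex(ORIGINAL), sha256_hex(FORGED)),
    }


if __name__ == "__main__":
    print(FORGED)
    print(compare())
```

The checksum reports the forged payment as intact; SHA-256 flips roughly 128 of its 256 output bits. Note that a cryptographic hash alone still does not help if the attacker can replace the stored digest along with the message, which is why integrity on an untrusted channel uses a keyed hash (HMAC) or a signature.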
cryptography The practice and study of encoding information to protect the original contents. In modern terms it sits at the intersection of mathematics and computer science, the two combining to provide a means of securing information both in computer systems and on networks.
data diddling The process of changing data before it is stored in a computing system.
Data Encryption Standard (DES) A symmetric block cipher, standardized in 1977, that encrypts data in 64-bit blocks under a 56-bit key. Like other symmetric algorithms, DES uses the same key for both encryption and decryption. The algorithm has weathered more than 30 years of cryptographic scrutiny without a practical structural break, but its 56-bit key is far too short for modern attackers: the full keyspace was searched in public demonstrations in 1998 and 1999, and NIST withdrew DES as a standard in 2005. DES remains easy to implement and accelerate in hardware, but new designs should use AES (or, where legacy compatibility requires it, Triple DES) instead.
Defense in Depth A design philosophy that uses a layered security approach to eliminate a single point of failure and to provide overlapping protection.
demilitarized zone (DMZ) Sometimes called a screened subnet. A segment of the overall network that is cordoned off through the use of two firewalls: one sits between the DMZ and the Internet, and the other sits between the DMZ and the internal network (the same separation is often achieved with a single firewall that has a dedicated DMZ interface). Publicly reachable servers are placed in the DMZ so that a compromise there does not give direct access to the internal network. This configuration may also be referred to as creating a "perimeter" network.