CCNA Security Glossary 2

Sunday, August 31st, 2008 | Study Guide

denial of service (DoS)

denial of service (DoS) A class of attack in which the attacker seeks to make a given resource unavailable to legitimate users by overwhelming the resource with requests for service that appear legitimate. The resource, such as a server, seeks to handle all requests but ultimately fails. It either becomes unavailable for legitimate purposes or struggles to such an extent that it cannot respond to legitimate requests in a timely manner.

detective control Can detect when access to data or a system occurs.

deterrent control Attempts to prevent a security incident by influencing a potential attacker not to launch an attack.

DHCP snooping The Dynamic Host Configuration Protocol snooping feature on Cisco Catalyst switches can be used to combat a DHCP server spoofing attack. With this solution, Cisco Catalyst switch ports are configured in either a trusted or untrusted state. If a port is trusted, it is allowed to receive DHCP responses. If a port is untrusted, it is not allowed to receive DHCP responses. If a DHCP response attempts to enter an untrusted port, the port is disabled.

dictionary attack Attempts to match password credentials by guessing passwords from a “dictionary” of common words.

Diffie-Hellman (DH) algorithm A key exchange algorithm that was invented by Whitfield Diffie and Martin Hellman in 1976. The Diffie-Hellman algorithm derives its strength from the difficulty of calculating the discrete logarithms of very large numbers. The functional usage of this algorithm is to provide secure key exchange over insecure channels such as the Internet. DH is also often used to provide keying material for other symmetric algorithms, such as DES, 3DES, and AES.
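The exchange described in the DH entry, worked through in code as an added example (this is not code from the glossary or from Cisco). It uses the classic textbook group p = 23, g = 5, a constructed toy chosen so every value can be checked by hand; a real deployment uses a standardized group of 2048 bits or more. The final step hashes the shared secret into fixed-length keying material, which is the "keying material for symmetric algorithms" use the entry mentions.

```python
"""Diffie-Hellman key exchange, worked with the textbook group (p=23, g=5).

Added example; not code from the glossary page. The group parameters are a
constructed toy and offer no security.
"""
import hashlib
import secrets

# Constructed toy parameters: prime modulus p and generator g. NOT secure.
P = 23
G = 5


def dh_private(p=P):
    """Pick a random private exponent in [1, p-2]; it is never transmitted."""
    return secrets.randbelow(p - 2) + 1


def dh_public(priv, p=P, g=G):
    """Public value g^priv mod p; this is what crosses the insecure channel."""
    return pow(g, priv, p)


def is_valid_public(peer_pub, p=P):
    """A peer value of 0, 1 or p-1 forces a trivial shared secret, so a
    receiver must reject it before using it."""
    return 2 <= peer_pub <= p - 2


def dh_shared(peer_pub, priv, p=P):
    """Shared secret peer_pub^priv mod p, computed identically by both sides."""
    if not is_valid_public(peer_pub, p):
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def derive_key(shared, length=16):
    """Hash the shared secret into fixed-length keying material (e.g. an
    AES-128 key), which is how DH output is normally consumed."""
    nbytes = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()[:length]


def exchange(p=P, g=G):
    """Run both sides of one exchange and return the two derived keys."""
    a, b = dh_private(p), dh_private(p)               # private exponents
    pub_a, pub_b = dh_public(a, p, g), dh_public(b, p, g)  # sent in the clear
    key_a = derive_key(dh_shared(pub_b, a, p))        # Alice's computation
    key_b = derive_key(dh_shared(pub_a, b, p))        # Bob's computation
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = exchange()
    print("keys match:", ka == kb, ka.hex())
```

An eavesdropper who records g, p and both public values still has to solve the discrete logarithm to recover either private exponent; with p = 23 that is trivial by brute force, which is exactly why real groups are thousands of bits long.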

Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) A variation of CHAP that may be used to authenticate devices connecting to a Fibre Channel switch so that only trusted devices may be added to a fabric. DHCHAP adds a DH exchange that both strengthens CHAP and provides an agreed-upon secret key.

digital signature Also called a digital signature scheme. A form of asymmetric cryptography that is used to simulate the security characteristics of a written signature in digital form. Digital signature schemes typically use two algorithms that employ a pair of public and private keys. One of these is used for signing, which involves the user’s secret or private key. The other is used to verify these signatures. This typically involves the use of the user’s public key.

Digital Signature Algorithm (DSA) The Digital Signature Standard (DSS) outlines the use of the DSA by a signer to generate a digital signature to be applied to data and by a recipient of the data to verify the signature’s authenticity. To create the digital signature, you need both a public key and a private key. The private key is used to generate the signature, and the public key is used to verify it. For both signature generation and verification, the data, which is called a message, is reduced through the use of the Secure Hash Algorithm (SHA).

disaster A disruption category in which normal business operations are interrupted for one or more days. However, not all critical resources at a site are destroyed.

disaster recovery plan Sometimes called a business continuity plan. Addresses actions taken during and immediately following a disaster.

Dynamic ARP Inspection (DAI) Uses trusted and untrusted ports. ARP replies are allowed into the switch on trusted ports. However, if an ARP reply enters the switch on an untrusted port, the contents of the ARP reply are compared to the DHCP binding table to verify its accuracy. If the ARP reply is inconsistent with the DHCP binding table, the ARP reply is dropped, and the port is disabled.
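The DHCP snooping and DAI entries describe one mechanism with two consumers: DHCP snooping builds a binding table from server replies seen on trusted ports, and DAI checks ARP replies on untrusted ports against that table. The simulation below is an added example, not Cisco code or the page's own; port names, MAC addresses and IP addresses are constructed. It follows the glossary's description literally (a server message or an inconsistent ARP reply on an untrusted port disables that port).

```python
"""Simulation of DHCP snooping and Dynamic ARP Inspection port logic.

Added example; not Cisco code. Models the behaviour the glossary describes:
DHCP server messages are accepted only on trusted ports, client leases seen
on trusted ports populate a binding table, and ARP replies on untrusted ports
must agree with that table or the port is disabled.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server sends


@dataclass
class Switch:
    trusted: set = field(default_factory=set)       # ports facing DHCP servers/uplinks
    pending: dict = field(default_factory=dict)     # client MAC -> port it asked from
    bindings: dict = field(default_factory=dict)    # client MAC -> (IP, port)
    disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def dhcp(self, port, msg_type, client_mac, client_ip=None):
        """Process a DHCP message arriving on `port`; return 'forward' or 'drop'."""
        if port in self.disabled:
            return "drop"
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                # A DHCP response on an untrusted port is a rogue server: disable the port.
                self.disabled.add(port)
                self.log.append(f"{port}: DHCP {msg_type} on untrusted port, port disabled")
                return "drop"
            if msg_type == "ACK" and client_mac in self.pending:
                # Lease confirmed by a trusted server: record MAC -> (IP, client port).
                self.bindings[client_mac] = (client_ip, self.pending.pop(client_mac))
            return "forward"
        # DISCOVER/REQUEST from a client: remember which port it came from.
        self.pending[client_mac] = port
        return "forward"

    def arp_reply(self, port, sender_mac, sender_ip):
        """Apply DAI to an ARP reply; return 'forward' or 'drop'."""
        if port in self.disabled:
            return "drop"
        if port in self.trusted:
            return "forward"                       # trusted ports are not inspected
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return "forward"                       # matches the snooped lease
        self.disabled.add(port)
        self.log.append(f"{port}: ARP reply {sender_mac}/{sender_ip} not in binding table, port disabled")
        return "drop"


def demo():
    """Constructed scenario: one legitimate client, one ARP spoofer, one rogue DHCP server."""
    sw = Switch(trusted={"Gi0/1"})
    sw.dhcp("Gi0/5", "DISCOVER", "00:11:22:33:44:55")
    sw.dhcp("Gi0/1", "ACK", "00:11:22:33:44:55", "10.0.0.50")
    results = {
        "legit_arp": sw.arp_reply("Gi0/5", "00:11:22:33:44:55", "10.0.0.50"),
        "spoofed_gateway": sw.arp_reply("Gi0/6", "de:ad:be:ef:00:01", "10.0.0.1"),
        "rogue_offer": sw.dhcp("Gi0/7", "OFFER", "00:11:22:33:44:66", "10.0.0.99"),
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    print(outcome)
    print("\n".join(switch.log))
```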

dynamic firewall This fourth-generation firewall technology, sometimes called a stateful firewall, keeps track of the communication process through the use of a state table. This firewall operates at Layers 3, 4, and 5.

EAP Extensible Authentication Protocol. Dictates the specific authentication messages transported by 802.1x and RADIUS protocols used in an IEEE 802.1x solution.

education More comprehensive than training because it covers a larger body of knowledge. Obtaining a college degree focusing on IT security is an example of a comprehensive security education.

elevation of privileges The act of exploiting a bug in a software application to gain access to resources that normally would be protected from an application or user. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.

Encapsulating Security Payload (ESP) An Internet standard that allows for the authentication and encryption of IP packets. ESP over Fibre Channel provides a means of protecting data in transit throughout the Fibre Channel network. However, it does not address the need to secure data while it is stored on the Fibre Channel network.

endpoint The final point of connection in a communication channel.

exploit A malicious program designed to take advantage of a vulnerability.


extended access control list (ACL) Made up of a series of statements created in global configuration mode. With extended ACLs, IP packets may be filtered based on a number of attributes. Extended ACLs can filter packets according to protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information if finer granularity of control is required.
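To show how the attributes listed in this entry combine into a filtering decision, the following added example (not Cisco IOS code, and not from the page) parses a few IOS-style extended ACL statements and evaluates constructed packets against them. It reproduces the three rules a practitioner has to keep in mind: statements are checked top-down, the first match wins, and a packet matching nothing hits the implicit deny at the end. Addresses use IOS wildcard masks, where a 0 bit in the mask means "must match".

```python
"""Extended ACL matching: protocol, source, destination, ports, implicit deny.

Added example; not Cisco IOS code. The ACL statements and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" | "host A.B.C.D" | "A.B.C.D W.X.Y.Z" (wildcard)
    sport: Optional[str]          # None | "eq N" | "range N M"
    dst: str
    dport: Optional[str]


def addr_matches(spec, addr):
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def port_matches(spec, port):
    if spec is None:
        return True                # no port qualifier: any port (or no port at all)
    if port is None:
        return False               # qualifier present but packet has no ports (e.g. ICMP)
    op, *vals = spec.split()
    vals = [int(v) for v in vals]
    if op == "eq":
        return port == vals[0]
    if op == "range":
        return vals[0] <= port <= vals[1]
    raise ValueError(f"unsupported port operator {op!r}")


def _take_addr(tokens):
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return f"host {tokens.pop(0)}"
    return f"{t} {tokens.pop(0)}"          # network followed by wildcard mask


def _take_port(tokens):
    if tokens and tokens[0] in ("eq", "range"):
        op = tokens.pop(0)
        vals = [tokens.pop(0) for _ in range(1 if op == "eq" else 2)]
        return f"{op} {' '.join(vals)}"
    return None


def parse_ace(line):
    """Parse one statement such as 'permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 443'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _take_addr(tokens), _take_port(tokens)
    dst, dport = _take_addr(tokens), _take_port(tokens)
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl, pkt):
    """Return (action, 1-based statement number); None marks the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if (ace.proto in ("ip", pkt.proto)
                and addr_matches(ace.src, pkt.src) and port_matches(ace.sport, pkt.sport)
                and addr_matches(ace.dst, pkt.dst) and port_matches(ace.dport, pkt.dport)):
            return ace.action, n
    return "deny", None


# Constructed sample ACL: only the 10.1.1.0/24 LAN may reach the web server over HTTPS,
# nobody may Telnet to it, DNS and ICMP are open, everything else is implicitly denied.
SAMPLE_ACL = [parse_ace(l) for l in (
    "permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 443",
    "deny tcp any host 192.168.1.10 eq 23",
    "permit udp any any eq 53",
    "permit icmp any any",
)]
```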

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Protects authentication messages within a secure Transport Layer Security (TLS) tunnel using shared secret keys. Security is provided by an SSL (Secure Sockets Layer)/TLS certificate on the “server side”/ACS and by a username and password on the client side.

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) A standards-based EAP type that uses an MD5-Challenge message. This is much like the challenge message used in PPP CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), which also uses MD5 as its hashing algorithm.

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) Developed by Microsoft Corporation to address weaknesses found in other EAP types (such as the one-way authentication used by EAP-MD5). EAP-TLS uses certificate-based (X.509 certificate-based) authentication. It requires both a supplicant and an authentication server to possess a digital certification to perform mutual authentication.

Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)
Uses a secured Transport Layer Security (TLS) tunnel to send other EAP authentication messages.

Fibre Channel In terms of SAN networking, this is the primary SAN transport used for host-to-SAN connectivity.

Fibre Channel Authentication Protocol (FCAP) Born from Switch Link Authentication Protocol (SLAP), the first authentication protocol proposed for Fibre Channel. This optional authentication mechanism may be employed between any two devices or entities on a Fibre Channel network. It uses certificates or optional keys to provide security.

Fibre Channel over IP (FCIP) The implementation of Fibre Channel over an IP network, relying on TCP/IP as the network protocol.

Fibre Channel Password Authentication Protocol (FCPAP) An optional password-based authentication key-exchange protocol. It may be used in Fibre Channel networks to provide mutual authentication between Fibre Channel ports. As compared to FCAP, FCPAP does not require a PKI to operate.


Fibre Channel Security Protocol (FC-SP) Designed to overcome the security challenges for enterprise-wide fabrics by providing switch-to-switch and host-to-switch authentication. The focus of FC-SP is protecting data in transit throughout the Fibre Channel network.

Fibre Channel zoning The partitioning of a Fibre Channel fabric into smaller subsets for security purposes.

firewall Allows for the segmentation of networks into different physical subnetworks, thereby helping limit the potential damage that could spread from one subnet to another. This term comes from firewalls in buildings, which limit the spread of a fire. A firewall may be a piece of software or hardware that acts as a barrier between the internal (trusted) network and the external (untrusted) network, such as the Internet.

gatekeeper Can be thought of as the “traffic cop” of the WAN. For example, because bandwidth on a WAN typically is somewhat limited, a gatekeeper can monitor the available bandwidth. Then, when there is not enough bandwidth to support another voice call, the gatekeeper can deny future call attempts.

gateway Can forward calls between different types of networks. For example, you could place a call from an IP phone in your office, through a gateway to the PSTN, to call your home.

hashing Used to provide data integrity. Hashes are based on one-way mathematical functions that can be easy to compute but extremely challenging to reverse. The way that hashing works in practice is that data of an arbitrary length is input into the hash function and is processed through the function, resulting in a fixed-length hash. The resultant fixed-length hash is called either the digest or fingerprint.

heap overflow A type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated by the application at runtime and typically contains program data. A heap overflow is not as likely to result in a condition permitting remote code execution as a stack-based buffer overflow.

HMAC Keyed Hash Message Authentication Code. An HMAC in cryptographic terms is a type of message authentication code calculated by using a cryptographic hash function along with a secret key. This may be used to simultaneously verify both the data’s integrity and the message’s authenticity. An iterative cryptographic hash function such as MD5 or SHA-1 may be used to calculate the HMAC. When these are used, the resulting MAC algorithm is called HMAC-MD5 or HMAC-SHA-1, for instance. The cryptographic strength of the underlying hash function, along with the key’s size and quality and the hash output length in bits, define the cryptographic strength of the HMAC.
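The hashing and HMAC entries together make a point worth seeing run: a plain hash gives a fixed-length fingerprint (integrity), but since anyone can recompute it, only the keyed construction also gives authenticity. The code below is an added example using Python's standard `hashlib` and `hmac` modules; it is not from the page, and the message and key are constructed. `compare_digest` is used for the tag check so the comparison time does not leak how many leading bytes matched.

```python
"""Hash fingerprints versus HMAC tags: integrity alone versus integrity plus authenticity.

Added example; not code from the glossary. Message and key are constructed.
"""
import hashlib
import hmac


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length digest ("fingerprint") of arbitrary-length input."""
    return hashlib.new(algo, data).hexdigest()


def compute_mac(key: bytes, msg: bytes, algo: str = "sha256") -> bytes:
    """HMAC tag; the algorithm name gives HMAC-MD5, HMAC-SHA1, HMAC-SHA256, ..."""
    return hmac.new(key, msg, algo).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes, algo: str = "sha256") -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(compute_mac(key, msg, algo), tag)


def unkeyed_check(msg: bytes, digest: str) -> bool:
    """Integrity check with a bare hash: passes for any message whose digest matches."""
    return fingerprint(msg) == digest


def tamper_and_rehash(msg: bytes, old: bytes, new: bytes):
    """What a man-in-the-middle can do to a hash-protected message: alter it and
    recompute the digest. Returns the altered message and its fresh digest."""
    altered = msg.replace(old, new)
    return altered, fingerprint(altered)


def demo():
    key = b"shared-secret-between-the-two-routers"   # constructed
    msg = b"transfer 100 to account 42"               # constructed
    digest = fingerprint(msg)
    tag = compute_mac(key, msg)

    altered, new_digest = tamper_and_rehash(msg, b"100", b"900")
    return {
        "digest_len_equal": len(fingerprint(b"a")) == len(fingerprint(b"x" * 100_000)),
        # The unkeyed check is fooled because the attacker also replaced the digest.
        "hash_detects_tamper": unkeyed_check(altered, new_digest) is False,
        # The HMAC check is not: a valid tag for the altered message needs the key.
        "hmac_accepts_original": verify_mac(key, msg, tag),
        "hmac_detects_tamper": verify_mac(key, altered, tag) is False,
        "hmac_rejects_wrong_key": verify_mac(b"other-key", msg, tag) is False,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows `hash_detects_tamper` as False and every HMAC check as True, which is the whole argument for the keyed construction. The output length (here 256 bits for SHA-256, 128 bits for MD5) is one of the three strength factors the entry lists; the others, hash strength and key quality, are not visible in a toy run but decide whether the tag can be forged.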


host-based intrusion prevention system (HIPS) An IPS in which the intrusion-prevention application resides on that specific host, typically a single computer. The IPS monitors system activities for malicious or unwanted behaviors. It can react in real time to block or prevent those activities. The key benefit is that HIPS is behavior-based as opposed to signature-based.

Host Bus Adapter (HBA) Connects a host system to other network and storage devices. This term primarily refers to devices for connecting SCSI, Fibre Channel, and eSATA devices, but devices for connecting to IDE, Ethernet, FireWire, USB, and other systems may also be called host adapters.

hot site A completely redundant site that has equipment very similar to that at the original site. Data is routinely copied from a primary site to a hot site. As a result, a hot site can be up and functioning within a few minutes (or even seconds) after a catastrophe at the primary site.

IEEE 802.1x A standards-based approach for providing port-based network access. Specifically, 802.1x is a Layer 2 protocol that defines how Extensible Authentication Protocol (EAP) frames are encapsulated, typically between a user’s network device (such as a PC) and a switch or wireless access point.

IKE proposal Internet Key Exchange proposal. A collection of security protocols and algorithms that can be used to establish an IKE Phase 1 (ISAKMP) tunnel.

in-band management An approach that allows management traffic to be transmitted across a production network.

inline mode Inline mode operation requires at least two monitoring interfaces on an IPS sensor, because the sensor resides inline with the traffic. (In other words, traffic enters the sensor on one monitoring interface and exits the sensor on another monitoring interface.) Therefore, a sensor running in inline mode supports IPS operation and can drop malicious traffic before it reaches its intended target.


Integrated Services Router (ISR) As its name suggests, this kind of Cisco router integrates various services (such as voice and security services) into a router’s architecture.

integrity Data integrity ensures that data is not modified in transit. For example, routers at each end of a tunnel could calculate checksum values or hash values for the data. If both routers calculate the same values, the data most likely was not modified in transit.

intrusion detection system (IDS) Can recognize network attacks by analyzing a copy of network traffic. Can deliver a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-business application attacks.


intrusion prevention system (IPS) Provides end-to-end protection for the network via a network-based defense that can identify, classify, and stop known and unknown threats, including worms, network viruses, application threats, system intrusion attempts, and application misuse.

IP spoofing An attack in which an attacker falsifies packets’ source IP address (for example, causing the source IP address to be a trusted IP address).

IP telephony Similar to VoIP, sends voice traffic over an IP network. However, the primary distinction from a VoIP network is that an IP telephony environment contains endpoints that natively communicate using IP.

isolated VLAN Ports belonging to an isolated VLAN lack Layer 2 connectivity between one another. However, they can communicate with a promiscuous port.

key pair In terms of a PKI, the key pair is composed of one public key and one private key. These two keys work together to provide a means to both encrypt and decrypt data. The public key may be widely distributed publicly, but the private key should be closely held by its owner. Data encrypted with the public key can be decrypted only by the matching private key.

keyspace The keyspace of an algorithm represents a defined set of all possible key values. For each key of n bits, a keyspace is produced that has 2^n possible key values. This means that if 1 bit were added to the key, this would effectively double the size of the keyspace.

Lightweight Extensible Authentication Protocol (LEAP) Uses a username/password combination to perform authentication. Typically is found in a Cisco wireless LAN (WLAN) implementation.

LUN masking A Logical Unit Number is an address used by the SCSI protocol to differentiate an individual disk drive that makes up a common SCSI target device. LUN masking represents a defense against attacks. In this authorization process, a LUN is made available to some hosts and unavailable to other hosts.

Management Information Base (MIB) Information about a managed device’s resources and activity is defined by a series of objects. The structure of these management objects is defined by a managed device’s MIB.

Media Gateway Control Protocol (MGCP) Originally developed by Cisco and considered to be a client/server protocol. The client (such as an analog port in a voice-enabled router) can communicate with a server (such as a Cisco Unified Communications Manager server) via a series of events and signals. For example, the server could tell the client that if an attached phone goes off-hook, play the signal of dial tone to that phone.


message In cryptographic terms, a collection of plain text. Messages may be anything from an e-mail, to a username-and-password combination, to a string of data.

Message Digest 5 (MD5) An iterative hash function that breaks a message into blocks of a fixed size and then iterates over them with a compression function. Defined in RFC 1321, MD5 with its 128-bit hash value has been employed in a wide variety of security applications. It is also commonly used to check the integrity of files. An MD5 hash typically is expressed as a 32-character hexadecimal number.

method list A sequential list that defines the authentication methods used to authenticate a user. Method lists enable the designation of one or more security protocols to be used for authentication, ensuring a backup system for authentication in case the initial method fails. Cisco IOS software uses the first method listed to authenticate users. If that method does not respond, Cisco IOS software selects the next authentication method in the method list. This process continues until either successful communication with a listed authentication method occurs or the authentication method list is exhausted, in which case authentication fails.
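The fall-through rule in this entry is easy to get wrong in practice, so here it is modelled in code as an added example (not Cisco IOS code and not from the page). Each method returns pass, fail, or error; only an error (the method "does not respond") moves IOS to the next method, a fail from a method that did respond is final, and exhausting the list also fails. The method names and the local user database are constructed.

```python
"""AAA method-list evaluation: fall through only on no-response, fail is final.

Added example; not Cisco IOS code. Method names and credentials are constructed.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"      # method reached and accepted the credentials
    FAIL = "fail"      # method reached and rejected the credentials
    ERROR = "error"    # method did not respond (server down, timeout)


def authenticate(method_list, methods, username, password):
    """Walk `method_list` in order using the callables in `methods`.

    Returns (authenticated, trail) where trail records each method consulted
    and what it returned, so an engineer can see why the decision was made."""
    trail = []
    for name in method_list:
        result = methods[name](username, password)
        trail.append((name, result))
        if result is Result.ERROR:
            continue                       # no response: try the next method
        return result is Result.PASS, trail   # a responding method is final
    return False, trail                    # list exhausted: authentication fails


# --- constructed backends ---------------------------------------------------
LOCAL_USERS = {"admin": "c0rrect-horse"}   # constructed local database


def local(username, password):
    if LOCAL_USERS.get(username) == password:
        return Result.PASS
    return Result.FAIL


def radius_unreachable(username, password):
    """Simulates 'group radius' when every RADIUS server times out."""
    return Result.ERROR


def radius_rejecting(username, password):
    """Simulates a reachable RADIUS server that rejects everyone."""
    return Result.FAIL


def none_method(username, password):
    """The IOS 'none' method: always succeeds, used only as a last resort."""
    return Result.PASS


METHODS = {
    "group radius": radius_unreachable,
    "group radius-up": radius_rejecting,
    "local": local,
    "none": none_method,
}


if __name__ == "__main__":
    ok, trail = authenticate(["group radius", "local"], METHODS, "admin", "c0rrect-horse")
    print(ok, [(n, r.value) for n, r in trail])
```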

microengine Handles a group of similar signatures. A sensor contains multiple microengines and decides which one(s) it will use to analyze traffic. It uses criteria such as the network protocol being used by the traffic, the signature’s associated operating system, the port number being used by the session, and the type of attack the sensor is looking for.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Microsoft’s version of CHAP. This protocol exists in two versions: MS-CHAPv1 (RFC 2433) and MS-CHAPv2 (RFC 2759).

Multipoint Control Unit (MCU) Useful for conference calling. During a conference call, several people might be speaking at the same time, and everyone on that conference call can hear them. It takes processing power to mix together these audio streams. MCUs provide that processing power. MCUs might contain digital signal processors (DSP), which are dedicated pieces of computer circuitry that can mix together these audio streams.

National Institute of Standards and Technology (NIST) The U.S. government body that is responsible for defining and publishing U.S. Federal Information Processing Standards (FIPS).

network access device (NAD) The system that provides network access in an enterprise network environment.

network access server (NAS) Provides enterprise access services and implements security mechanisms for those connecting with a corporate network. A NAS is the intermediate device between an end user and authentication server. It could be a router, VPN endpoint (perhaps ASA), WiFi access point, or Catalyst switch running 802.1x. Any device that handles user credentials via Telnet, SSH, HTTP, IKE, EAP, PPP, and so on and then passes these credentials to a RADIUS/TACACS server on the back end would qualify as a NAS.

Network Address Translation (NAT) Employed by networks that use private IP addresses. In terms of security uses, it is used by the application inspection function of firewalls to help identify the location of embedded addressing information. NAT is used to translate embedded addresses and to update any checksum or other fields that are affected by the translation.

Network Admission Control (NAC) Refers to the Cisco NAC appliance, which provides network access features to enterprise environments to help ensure a secure and clean environment.

Network Time Protocol (NTP) Allows a router to act as a time source, helping to ensure that the time is consistent across multiple network devices. Synchronizing clocks in this manner makes event correlation much easier.

nondisaster A disruption category in which normal business operations are briefly interrupted.

nonrepudiation Blocks the false denial of a particular action.

out-of-band (OOB) management Keeps management traffic isolated from production data traffic.

parameter map Specifies parameters to be applied to classified traffic. Using the parameter-map type command, you may specify parameters that control the behavior of actions and match criteria specified under a policy map and a class map.

phreaker A hacker of a telephony system.

Point-to-Point Protocol (PPP) A data link protocol commonly used to establish a direct connection between two nodes over serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber-optic links. Most Internet service providers use PPP for customers’ dialup access to the Internet.

policy map Actions are associated with traffic classified by class maps using policy maps. An action is defined as a specific functionality and typically is associated with a traffic class. Some common actions are inspect, drop, and pass.

preventive control Attempts to prevent access to data or a system. This could be any number of things that attempt to block this access.


private key One half of a public key/private key key pair. This key must remain privately held and should be guarded by its owner. As soon as data has been encrypted by the associated public key, only the private key may be used to decrypt the data. With regard to digital signatures, its function is to sign a message. The message signature may then be verified through the use of the associated public key.

privilege level An IOS EXEC mode that allows an administrator logged into that privilege level to access all commands available to that privilege level and all lower privilege levels. Cisco IOS routers support privilege levels in the range 0 to 15. By default, when you attach to a router, you are in unprivileged mode, which has a privilege level of 1. Privilege level 0 may be assigned to a user account. Those who have this level may then be assigned a subset of the commands available at level 1. After entering the enable command and providing appropriate credentials, you are moved to privileged mode, which has a privilege level of 15.

promiscuous mode Uses a single monitoring interface on an IDS/IPS sensor. When running in promiscuous mode, a sensor receives a copy of selected network traffic. If the sensor detects malicious traffic, it can take a variety of actions. For example, it can trigger an alarm or instruct a security appliance to drop traffic coming from a specific source. Because a sensor running in promiscuous mode is not inline with the traffic, IDS operation is supported, but not IPS operation.

Protected Extensible Authentication Protocol (PEAP) Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) An EAP type that increases protection of authentication messages by creating a protected Transport Layer Security (TLS) tunnel. Then, within the protection of the TLS tunnel, an authentication protocol such as MS-CHAPv2 can be used.

proxy server Acts as an intermediary between networks, often your internal network and the Internet at large. In such configurations there is no direct connection between an outside user and internal network resources. The proxy provides the only visible IP address on the Internet. Clients connect to the proxy server to submit their application layer request. These requests include the actual destination as well as the data request itself. Based on the proxy server settings, the proxy analyzes the request and may even filter or change the packet contents before proceeding. The proxy server also makes a copy of all the incoming packets and then changes the source address. It does this to hide the internal address from the outside world before it sends the packet to the destination address.

public key One half of a public key/private key key pair. This key may be made available publicly. It can be used to encrypt data that may then be decrypted only by the matching private key. With regard to digital signatures, its function is to verify a message signature. In this case, the message would be signed with the sender’s private key, and then the recipient would verify the signature’s authenticity using the sender’s public key.
