07 May 2010

Glossary of Router Security-Related Terms

AAA
Authentication, Authorization, and Accounting –
The advanced user access control and auditing facility in Cisco IOS
11 and 12. (See also RADIUS and TACACS+)

ACL
Access Control List - See Access List

Access List
A set of rules that identify, permit, or restrict network traffic,
usually based on addresses and other information from the packet
headers. Cisco IOS depends heavily on access lists for traffic
filtering, access to router services, IPSec configuration, and more.

AH
Authentication Header – a part of IPSec, the packet format and
protocol for IP integrity assurance services. (see IPSec, IKE, ESP)

ARP
Address Resolution Protocol – link-layer protocol used for mapping
from IP addresses to MAC addresses. ARP is standardized in RFC
826. (See also MAC Address, LAN, Proxy-ARP)

ATM
Asynchronous Transfer Mode – virtual-circuit oriented link layer
protocol, used for network backbones, LANs, and
telecommunications facilities. (See also LANE)

BGP
Border Gateway Protocol – an advanced exterior gateway routing
protocol mostly used on backbone routers. BGP version 4 is
standardized in RFC 1771.

CAR
Committed Access Rate – a traffic bandwidth control facility usable
for simple quality-of-service and traffic shaping tasks.

CBAC
Content-Based Access Control – packet inspection system used for
application firewall functionality in Cisco routers.

CDP
Cisco Discovery Protocol – a proprietary link layer protocol that
Cisco routers use to identify each other on a network. Not
commonly used today.

CEF
Cisco Express Forwarding – a proprietary packet transfer
technology used inside most Cisco router models.

CIDR
Classless Inter-Domain Routing - the present standard for network
address allocation and network route aggregation on the Internet.
CIDR replaced the old class-based IP addressing scheme. CIDR is
standardized by RFC 1518.

CPP
Control Plane Policing – a security mechanism that applies rate
limiting to traffic into and out of the router’s central processor.

DHCP
Dynamic Host Configuration Protocol – UDP-based protocol for
assigning host network attributes, like IP addresses and gateways,
on the fly. DHCP is standardized in RFC 2131.

DNS
Domain Name System – hierarchical naming scheme used for host
and network names on most IP networks, including the Internet.
DNS is also the name for the protocol used to transmit and relay
name information. DNS is standardized in RFCs 1034 and 1035.

DoS
Denial of Service – this abbreviation is often used for network
attacks that prevent a network component from providing its
operational functions, or that crash it.

DDoS
Distributed Denial of Service – This abbreviation is used for DoS
attacks that use multiple (usually hundreds or more) coordinated
network data sources to attack a single victim.

EGP
Exterior Gateway Protocol – routing protocol designed for
managing route updates between different autonomous systems.
The main EGP in use today is BGP version 4.

EIGRP
Extended Interior Gateway Routing Protocol – A Cisco proprietary
routing protocol that includes peer authentication features. (see
also OSPF).

Enable mode
A slang expression for a privileged EXEC session on a Cisco IOS
router, derived from the command used to request privileged EXEC
mode: enable.

ESP
Encapsulated Security Payload – a part of IPSec, the packet format
and protocol for IP confidentiality services. (see also IPSec, IKE,
AH)

FTP
File Transfer Protocol – widely-used TCP-based file transfer and
file management protocol. Typically, FTP control messages are
passed on TCP port 21. FTP is standardized in RFC 959.

GTSM
Generalized TTL Security Mechanism – a simple spoof rejection
mechanism that uses the TTL field of the IP header to detect illicit
packets. GTSM is standardized in RFC 3682.

ICMP
Internet Control Message Protocol – a support protocol used along
with IP for control and status messages. ICMP is a network layer
protocol that provides error messages and management capabilities
in IP networks. ICMP is standardized in RFC 792.

IETF
Internet Engineering Task Force – the technical and consultative
body that defines standards for the Internet. IETF standards are
published by RFC number, the list of current standards (STD 1) is
RFC 3700.

IGP
Interior Gateway Protocol – a routing protocol used among the
routers in an autonomous system. Currently popular IGPs include
OSPF, RIP, EIGRP, and IS-IS.

IKE
Internet Key Exchange – the standard security negotiation and key
management protocol used with IPSec. IKE is standardized in RFC
2409.

IOS
Internet Operating System – Cisco’s name for the modular software
system that runs on their routers and many other network devices.

IP
Internet Protocol version 4 – The network-layer protocol on which
the Internet is built. There are two extant versions of IP: IPv4 and
IPv6. IPv4 is standardized in RFCs 791 and 1883. [Note: this
guide covers security only for IPv4.]

IPv6
Internet Protocol version 6 – The new network-layer protocol for
the future of the Internet. It is standardized in RFC 2460.


IPSec
Internet Protocol Security – a set of standards that define
confidentiality and integrity protection for IP traffic. IPSec is
standardized by a set of RFCs including RFC 2401.

IS-IS
Intermediate System to Intermediate System – an OSI standard
interior gateway protocol based on a link state model. IS-IS is
standardized in ISO-10589 and RFC 1195.


ISAKMP
Internet Security Association Key Management Protocol – one of
the precursors of IKE (see also IKE, IPSec).


Kerberos
Kerberos was developed by the Massachusetts Institute of
Technology as a network authentication system, and it provides
strong authentication for client/server applications by using secret-
key cryptography. Kerberos is standardized in RFC 1510 (see also
RADIUS and TACACS+).

LAN
Local Area Network – general term for a single-segment or
switched network of limited physical/organizational extent.


LANE
LAN Emulation – A standard mechanism for routing IP packets
over ATM.


L2TP
Layer 2 Tunnel Protocol – A standard protocol for forwarding low-
level protocols over IP networks. L2TP is standardized in RFC
2661.


MAC Address
Media Access Control address – the link layer address of a network
interface, especially Ethernet interfaces. An Ethernet MAC address
is 48 bits long.

MD5
Message Digest algorithm 5 – a widely-used cryptographic
checksum algorithm, standardized in RFC 1321.

MIB
Management Information Base – the hierarchical data organization
used by SNMP. (See also SNMP)

MPLS
Multi-Protocol Label Switching – a standard mechanism for
transferring packets over backbone networks by tagging them with
labels, standardized in RFC 3031.

MPOA
Multi-Protocol Over ATM – A proposed standard mechanism for
hosting network protocols (such as IP) over ATM.

Multicast
An operational feature of IP, in which packets can be broadcast to
particular recipients based on address. In IPv4, addresses from
224.0.0.0 to 225.255.255.255 are usually multicast group addresses.

NNTP
Network News Transfer Protocol – a TCP-based application
protocol that usually runs on port 119.

NTP
Network Time Protocol – the standard network time
synchronization protocol; it can use UDP or TCP, but usually uses
UDP port 123. NTP is standardized in RFC 1305.

NVRAM
Non-volatile RAM – device memory that can hold data even when
unpowered; Cisco routers use NVRAM to hold their startup
configuration.

OSPF
Open Shortest Path First – an IP routing protocol that uses a link-
state distance metric. OSPF is standardized in RFC 2328. (See
also RIP, IGP, EIGRP)

PKI
Public Key Infrastructure – mechanisms and components for
management of keys, certificates, and enrollment.

Proxy
An application that acts as an intermediary in the network
exchanges between applications or services. Proxy servers are
often employed to moderate exchanges through a firewall.

Proxy-ARP
A facility offered by some routers where a router responds to ARP
queries from a connected LAN on behalf of hosts on other LANs.
Proxy ARP is rarely used.

RADIUS
The Remote Authentication Dial-In User Service (RADIUS) is
specified by the IETF RFC 2058. RADIUS supports centralized
authentication and accounting. RADIUS normally uses UDP ports
1645, 1646, and/or 1812.

RFC
Request For Comments – a document describing an Internet
standard, proposed standard, or information related to or supporting a
standard. (See IETF)

RIP
Router Information Protocol – a simple inter-gateway routing
protocol that uses hop count as its distance metric. RIP is
standardized by RFCs 1088, 1388, and 1723. (See also OSPF)

RMON
Remote MONitoring – facilities for remote performance and traffic
monitoring of network devices, based on SNMP.

Routing
Direction and management of paths through a multi-segment
network. (See also RIP, OSPF, BGP)

RSVP
Resource reSerVation Protocol – standard protocol for requesting
quality-of-service guarantees in IP networks. RSVP is standardized
in RFC 2205.

SCP
Secure Copy Protocol – a file transfer protocol based on SSH.
(see SSH)

SMTP
Simple Mail Transfer Protocol – a TCP-based protocol for sending
and relaying e-mail messages. SMTP is standardized in RFC 2821.

SNMP
Simple Network Management Protocol – datagram protocol used
for monitoring and configuring network devices. SNMP uses UDP
ports 161 and 162. SNMP is standardized in RFC 1157 and other
RFCs. (See also RMON)

SSH
Secure Shell – a remote access protocol that provides end-to-end
confidentiality and integrity services. Use SSH instead of Telnet
whenever possible.

Syslog
A simple UDP protocol used for logging by Unix systems and
Cisco routers. Syslog usually uses UDP port 514.


TACACS+
Terminal Access Controller Access Control System Plus – a
security protocol to provide centralized authentication,
authorization, and accounting of users accessing a router or access
server. TACACS+ is defined by Cisco.

TCP
Transmission Control Protocol – connection-oriented data protocol
used with IP. TCP supports a large number of application layer
network services, including Telnet, web, FTP, and e-mail.

Telnet
A simple TCP-based protocol for remote login, usually on port 23.
Also used to refer to client applications that support the protocol.

TFTP
Trivial File Transfer Protocol – simple UDP file transfer protocol,
with no authentication features. TFTP normally uses UDP port 69; it
is standardized in RFC 1350.

UDP
User Datagram Protocol – message-oriented data protocol used
with IP. UDP is the basis for many core network services,
including DNS, RIP, and NTP. UDP is standardized in RFC 768.

VLAN
Virtual LAN – a link layer communication domain that spans
several link layer switches; commonly used with Ethernet switches.

VPDN
Virtual Private Dialup Network – an application of VPN
technology to secure remote-dialup connections, giving a
remote user secure connectivity to their ‘home base’ network.

VPN
Virtual Private Network – a closed network of computers or LANs,
using the public network as the transport. Usually, traffic between
members of the VPN is protected by IPSec during transit over the
public network.

VTY
Virtual TeletYpe – an interface on a host or router that provides the
interactive services of a terminal. Cisco routers use VTY lines to
host Telnet sessions (see Telnet).
