8. Appendices
8.4. Glossary of Router Security-related Terms
AAA Authentication, Authorization, and Accounting – the advanced user access control and auditing facility in Cisco IOS 11 and 12. (See also RADIUS and TACACS+)
ACL Access Control List – see “Access List”.
Access List A set of rules that identify, permit, or restrict network traffic, usually based on addresses and other information from the packet headers. Cisco IOS depends heavily on access lists for traffic filtering, access to router services, IPSec configuration, and more.
AH Authentication Header – a part of IPSec, the packet format and protocol for IP integrity assurance services. (see also IPSec, IKE, ESP)
ARP Address Resolution Protocol – link-layer protocol used for mapping from IP addresses to MAC addresses in LAN environments. ARP is standardized in RFC 826. (See also MAC Address, LAN, Proxy-ARP)
ATM Asynchronous Transfer Mode – virtual-circuit oriented link layer protocol, used for network backbones, LANs, and telecommunications facilities. (See also LANE)
BGP Border Gateway Protocol – an advanced routing protocol mostly used on backbone routers. BGP is standardized in RFC 1267.
CBAC Content-Based Access Control – packet inspection system used for application firewall functionality in Cisco routers.
CDP Cisco Discovery Protocol – a proprietary link layer protocol that Cisco routers use to identify each other on a network. Not commonly used today.
CEF Cisco Express Forwarding – a proprietary packet transfer technology used inside most Cisco router models.
DHCP Dynamic Host Configuration Protocol – UDP-based protocol for assigning host network attributes, like IP addresses and gateways, on the fly. DHCP is standardized in RFC 2131.
DNS Domain Name System – hierarchical naming scheme used for host and network names on most IP networks, including the Internet. DNS is also the name for the protocol used to transmit and relay domain name information. DNS is standardized in RFCs 1034 and 1035.
DoS Denial of Service – this abbreviation is often used for network attacks that prevent a network component from providing its operational functions, or that crash it.
DDoS Distributed Denial of Service – this abbreviation is used for DoS attacks that use multiple (usually hundreds or more) coordinated network data sources to attack a single victim.
EIGRP Extended Interior Gateway Routing Protocol – A Cisco proprietary routing protocol, not commonly used (see also OSPF).
Enable mode A slang expression for a privileged EXEC session on a Cisco router, derived from the command used to request privileged EXEC mode: enable.
ESP Encapsulated Security Payload – a part of IPSec, the packet format and protocol for IP confidentiality services. (See also IPSec, IKE, AH)
FTP File Transfer Protocol – widely-used TCP-based file transfer and file management protocol. Typically, FTP control messages are passed on TCP port 21. FTP is standardized in RFC 959.
ICMP Internet Control Message Protocol – a support protocol used along with IP for control and status messages. ICMP is a network layer protocol that provides error messages and management capabilities in IP networks. ICMP is standardized in RFC 792.
IETF Internet Engineering Task Force – the technical and consultative body that defines standards for the Internet. IETF standards are published by RFC number; the list of current standards is RFC 2400.
IKE Internet Key Exchange – the standard security negotiation and key management protocol used with IPSec. IKE is standardized in RFC 2409.
IOS Internet Operating System – Cisco’s name for the modular software system that runs on their routers and some other network devices.
IP Internet Protocol – the network-layer protocol on which the Internet is built. There are two extant versions of IP: IPv4 and IPv6. IPv4 is standardized in RFC 791. IPv6 is standardized in RFC 1883.
[Note: all the discussion in this guide concerns IPv4.]
IPSec Internet Protocol Security – a set of standards that define confidentiality and integrity protection for IP traffic. IPSec is standardized by a set of RFCs including RFC 2401.
ISAKMP Internet Security Association Key Management Protocol – one of the precursors of IKE (see also IKE, IPSec).
Kerberos Kerberos was developed by the Massachusetts Institute of Technology as a network authentication system, and it provides strong authentication for client/server applications by using secret-key cryptography. Kerberos is standardized in RFC 1510 (see also RADIUS).
LAN Local Area Network – general term for a single-segment or switched network of limited physical and organizational extent.
LANE LAN Emulation – A standard mechanism for routing IP packets over ATM.
MAC Address Media Access Control address – the link layer address of a network interface, especially Ethernet interfaces. An Ethernet MAC address is 48 bits long.
MD5 Message Digest algorithm 5 – a widely-used cryptographic checksum algorithm, standardized in RFC 1321.
MIB Management Information Base – the hierarchical data organization used by SNMP. (See also SNMP)
MPOA Multi-Protocol Over ATM – a proposed standard mechanism for hosting network protocols (such as IP) over ATM. (See also LANE)
Multicast An operational feature of IP, in which packets can be broadcast to particular recipients based on address. In IPv4, addresses from 224.0.0.0 to 225.255.255.255 are usually multicast group addresses.
NNTP Network News Transfer Protocol – a TCP-based application protocol that usually runs on port 119.
NTP Network Time Protocol – the standard network time synchronization protocol; it can use UDP or TCP, but usually uses UDP port 123. NTP is standardized in RFC 1305.
OSPF Open Shortest Path First – an IP routing protocol that uses a link-state distance metric. OSPF is standardized in RFC 2328. (See also RIP)
Proxy Any application that acts as an intermediary in the network exchanges between two applications or services. Proxy applications are often employed to moderate exchanges through a firewall.
Proxy-ARP A facility offered by some routers where a router responds to ARP queries from a connected LAN on behalf of hosts on other LANs. Rarely used.
RADIUS The Remote Authentication Dial-In User Service (RADIUS) is specified by the IETF in RFC 2058. Using RADIUS, access servers can communicate with a central server to authenticate, authorize, and audit user activities.
RFC Request For Comments – a document describing an Internet standard, a proposed standard, or information that relates to or supports a standard. (See IETF)
RIP Router Information Protocol – a simple inter-gateway routing protocol that uses hop count as its distance metric. RIP is standardized by RFCs 1088, 1388, and 1723. (See also OSPF)
RMON Remote MONitoring – facilities for remote performance and traffic monitoring of network devices, based on SNMP.
Routing Direction and management of paths through a multi-segment network. (See also RIP, OSPF)
RSVP Resource reSerVation Protocol – fairly new standard protocol for requesting quality-of-service guarantees in IP networks. RSVP is standardized in RFC 2205.
SMTP Simple Mail Transfer Protocol – a TCP-based protocol for sending and relaying e-mail messages. SMTP is standardized in RFC 821.
SNMP Simple Network Management Protocol – datagram protocol used for monitoring and configuring network devices. SNMP uses UDP ports 161 and 162. SNMP is standardized in RFC 1157 and other RFCs. (See also RMON)
Syslog A very simple UDP-based protocol used for logging by Unix systems and Cisco routers. Syslog usually employs UDP port 514.
TACACS+ Terminal Access Controller Access Control System Plus – a security protocol to provide centralized authentication, authorization, and accounting of users accessing a router or access server. TACACS+ is defined by Cisco.
TCP Transmission Control Protocol – connection-oriented data protocol used with IP. TCP supports a large number of application layer network services, including Telnet, web, FTP, and e-mail.
Telnet A simple TCP-based protocol for remote login, usually on port 23. Also used to refer to client applications that support the protocol.
TFTP Trivial File Transfer Protocol – simple UDP-based file transfer protocol, distinguished by its lack of any support for authentication. TFTP normally uses UDP port 69. TFTP is standardized in RFC 1350.
UDP User Datagram Protocol – message-oriented data protocol used with IP. UDP is the basis for many core network services, including DNS, RIP, and NTP. UDP is standardized in RFC 768.
VPDN Virtual Private Dialup Network – an application of VPN technology to secure remote-dialup connections, giving a remote user secure connectivity to their ‘home base’ network. (See also VPN)
VPN Virtual Private Network – a closed network of communicating computers or LANs, using the public network as the transport. Usually the traffic between members of the VPN is protected by IPSec during transit over the public network.
VTY Virtual TeletYpe – an interface on a host or router that provides the interactive services of a terminal interface. Cisco routers use VTY lines to host Telnet sessions. (See Telnet)
Cisco offers a large glossary of Internetwork technology terms and acronyms at their web site: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/. Explanations and documentation about a very wide variety of protocols may be found at http://www.protocols.com.