AAA
--authentication, authorization, and accounting. Framework of security services that provide the method for identifying users
(authentication); for remote access control (authorization); and for collecting and sending security server information used
for billing, auditing, and reporting (accounting).
aggressive mode
--Mode that eliminates several steps during Internet Key Exchange (IKE) authentication negotiation between two or more IPsec
peers. Aggressive mode is faster than main mode but is not as secure.
authorization
--Method for remote access control, including one-time authorization or authorization for each service; per-user account list
and profile; user group support; and support of IP, IPX, ARA, and Telnet. AAA authorization works by assembling a set of attributes
that describe what the user is authorized to perform. These attributes are compared to the information contained in a database
for a given user and the result is returned to AAA to determine the actual capabilities and restrictions of the user. The
database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security
server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value
(AV) pairs, which define those rights, with the appropriate user. All authorization methods must be defined through AAA.
CA
--certificate authority. An entity in a network that issues and manages security credentials and public keys (in the form
of X.509v3 certificates) for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration
authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the information
of the requestor, the CA can then issue a certificate. Certificates generally include the public key of the owner, the expiration
date of the certificate, the name of the owner, and other information about the public key owner.
CRWS
--Cisco Router Web Setup Tool. Tool that provides web interface capabilities.
cTCP
--Cisco Tunneling Control Protocol. When cTCP is enabled on a remote device (client) and headend device, IKE and ESP (Protocol
50) traffic is encapsulated in a TCP header so that the firewalls between the client and the headend device permit this
traffic, treating it as ordinary TCP traffic.
DPD
--dead peer detection. Queries the liveness of the Internet Key Exchange (IKE) peer of a router at regular intervals.
DSLAM
--digital subscriber line access multiplexer. A device that connects many digital subscriber lines to a network by multiplexing
the DSL traffic onto one or more network trunk lines.
IKE
--Internet Key Exchange. Key management protocol standard that is used in conjunction with the IP Security (IPsec) standard.
IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IPsec can be configured
without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec
standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security
Association and Key Management Protocol (ISAKMP) framework. ISAKMP, Oakley, and Skeme are security protocols implemented by
IKE.
IPsec
--IP Security Protocol. Framework of open standards that provides data confidentiality, data integrity, and data authentication
between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle negotiation
of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec.
IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between
a security gateway and a host.
main mode
--Mode that ensures the highest level of security when two or more IPsec peers are negotiating IKE authentication. It requires
more processing time than aggressive mode.
MIB
--Management Information Base. Database of network management information that is used and maintained by a network management
protocol, such as Simple Network Management Protocol (SNMP) or Common Management Information Protocol (CMIP). The value of
a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a graphical user interface (GUI) network
management system (NMS). MIB objects are organized in a tree structure that includes public (standard) and private (proprietary)
branches.
peer
--Router or device that participates as an endpoint in IPsec and IKE.
preshared key
--Shared secret key, configured on both peers in advance, that IKE uses to authenticate the peers.
QoS
--quality of service. Capability of a network to provide better service to selected network traffic over various technologies,
including Frame Relay; Asynchronous Transfer Mode (ATM); Ethernet; and 802.1 networks, SONET, and IP-routed networks that
may use any or all of these underlying technologies.
RADIUS
--Remote Authentication Dial-In User Service. Distributed client/server system that secures networks against unauthorized
access. RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all
user authentication and network service access information.
SA
--security association. Instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs,
although SAs are independent of one another. IPsec SAs are unidirectional, and they are unique in each security protocol.
An IKE SA is used by IKE only, and unlike the IPsec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf
of IPsec. A user can also establish IPsec SAs manually.
A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports
encapsulating security payload (ESP) between peers, one ESP SA is required for each direction. SAs are uniquely identified
by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
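The SA entry above describes a data structure: a unidirectional IPsec SA identified by the triple (destination endpoint address, security protocol, SPI), with an ESP-protected pipe needing one SA in each direction, and a separate, bidirectional IKE SA. The following toy security association database is an added illustration of exactly that, not code from this glossary or from any Cisco product; the class and function names, the addresses and SPIs, and the placeholder keying material are all constructed for the example.

```python
"""Toy security association database (SADB) illustrating the glossary's SA entry.

Added example; all names, addresses, SPIs and keys are constructed placeholders.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Proto(IntEnum):
    """IPsec security protocols, by IP protocol number."""
    ESP = 50
    AH = 51


@dataclass(frozen=True)
class IpsecSA:
    """One unidirectional IPsec SA: keying material bound to one data flow.

    As the glossary states, it is uniquely identified by destination (IPsec
    endpoint) address, security protocol (AH or ESP) and SPI.
    """
    dst: str        # destination IPsec endpoint address
    proto: Proto
    spi: int        # security parameter index (32-bit value on the wire)
    key: bytes      # constructed placeholder for the negotiated keying material

    @property
    def selector(self) -> Tuple[str, Proto, int]:
        return (self.dst, self.proto, self.spi)


@dataclass(frozen=True)
class IkeSA:
    """A bidirectional IKE SA between two peers, used by IKE only."""
    initiator: str
    responder: str

    def covers(self, a: str, b: str) -> bool:
        # Bidirectional: the same SA protects IKE traffic in both directions.
        return {a, b} == {self.initiator, self.responder}


class Sadb:
    """Keeps IPsec SAs keyed by their (dst, proto, spi) selector."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, Proto, int], IpsecSA] = {}

    def add(self, sa: IpsecSA) -> None:
        # Two SAs may share an SPI as long as dst or protocol differs.
        if sa.selector in self._sas:
            raise ValueError(f"duplicate SA for {sa.selector}")
        self._sas[sa.selector] = sa

    def lookup(self, dst: str, proto: int, spi: int) -> Optional[IpsecSA]:
        return self._sas.get((dst, Proto(proto), spi))

    def __len__(self) -> int:
        return len(self._sas)


def build_esp_pipe(local: str, remote: str, spi_out: int, spi_in: int,
                   key_out: bytes, key_in: bytes) -> Sadb:
    """Install the SA pair an ESP-protected pipe needs: one SA per direction.

    The outbound SA's destination is the remote peer; the inbound SA's
    destination is our own address, with the SPI the peer assigned to it.
    """
    sadb = Sadb()
    sadb.add(IpsecSA(dst=remote, proto=Proto.ESP, spi=spi_out, key=key_out))
    sadb.add(IpsecSA(dst=local, proto=Proto.ESP, spi=spi_in, key=key_in))
    return sadb


def classify_inbound(sadb: Sadb, local: str, ip_proto: int,
                     spi: int) -> Optional[IpsecSA]:
    """Select the SA for an arriving packet from the identifying triple alone.

    Returns None for non-IPsec protocols or for an unknown (dst, proto, spi),
    which a receiver would treat as a packet to drop.
    """
    try:
        proto = Proto(ip_proto)
    except ValueError:
        return None
    return sadb.lookup(local, proto, spi)


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; keys are placeholders.
    sadb = build_esp_pipe("192.0.2.1", "198.51.100.2", 0x1001, 0x2002,
                          b"outbound-key", b"inbound-key")
    ike = IkeSA("192.0.2.1", "198.51.100.2")
    print(len(sadb), "IPsec SAs for one ESP pipe; IKE SA bidirectional:",
          ike.covers("198.51.100.2", "192.0.2.1"))
```

Run it directly to see the two ESP SAs installed for one pipe. The inbound lookup keys on the receiver's own address, so a packet carrying the outbound SPI toward the wrong endpoint, or carrying an AH protocol number for an ESP-only pipe, selects no SA.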
SDM
--Security Device Manager. Web interface manager that enables you to connect or disconnect a VPN tunnel and that provides
a web interface for extended authentication (Xauth).
SNMP
--Simple Network Management Protocol. Application-layer protocol that provides a message format for communication between
SNMP managers and agents.
trap
--Message sent by an SNMP agent to a network management system, console, or terminal to indicate the occurrence of a significant
event, such as a specifically defined condition or a threshold that was reached.
VPN
--Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from
one network to another. A VPN uses tunnels to encrypt all information at the IP level.