Domain 4: Communication and Network Security Flashcards

1
Q

Acknowledgment (ACK)

A

A signal or message confirming that transmitted data was received. In TCP, the ACK flag and acknowledgment number tell the sender which bytes have arrived, so anything left unacknowledged is retransmitted.

2
Q

Address Resolution Protocol (ARP)

A

Resolves a Layer 3 IP address to the Layer 2 Media Access Control (MAC) address that owns it, so two devices on the same LAN segment can frame traffic directly to each other. ARP replies are not authenticated, which is what ARP cache poisoning abuses.

3
Q

Advanced Persistent Threat (APT)

A

An adversary with sophisticated levels of expertise and significant resources who is able to use multiple different attack vectors (e.g., cyber, physical, and deception) to achieve its objectives. These are typically to establish and extend footholds within the organization’s IT infrastructure to continually exfiltrate information; undermine or impede critical aspects of a mission, program, or organization; or place itself in a position to do so in the future. Moreover, the APT pursues its objectives repeatedly over an extended period, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

4
Q

Application Programming Interface (API)

A
  1. Mobile code mechanisms that provide ways for applications to share data, methods, or functions over a network. Usually implemented either in XML or JavaScript Object Notation (JSON). 2. A reference to a software access point or library function with a well-defined syntax and well-defined functionality.
5
Q

Bandwidth

A

The amount of information transmitted over time. A process consisting of learning or education could necessitate higher bandwidth than a quick status update, which would require a lower bandwidth.

6
Q

Bit

A

Most essential representation of data (zero or one) at Layer 1 of the OSI 7-Layer Model.

7
Q

Bluetooth (Wireless Personal Area Network IEEE 802.15)

A

Bluetooth wireless technology is an open standard for short-range RF communication used primarily to establish wireless personal area networks (WPANs). It has been integrated into many types of business and consumer devices.

8
Q

Bound Network

A

Network in which devices are connected at Layer 1 by means of physical cables, wires, or fiber (i.e., physically bound). Often referred to as wired networks or Ethernet networks, or by the wiring or cable standard used (e.g., fiber network, Cat 5, or Cat 6 network). See also Unbound (Wireless) Network(s).

9
Q

Boundary Routers

A

Primarily advertise routes that external hosts can use to reach internal ones.

10
Q

Bridges

A

A device that creates a single aggregate network from separate network segments. Using the OSI model, this device aggregates networks at Layer 2.

11
Q

Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)

A

A media access (contention) method used on shared media such as 802.11 wireless, where collisions cannot be detected while transmitting. To keep more than one station from transmitting at once, a station listens for an idle channel, waits a random backoff, and may first announce its intent to send (RTS/CTS); other stations defer until the sending station signals completion. Contrast with CSMA/CD on wired Ethernet, which detects collisions after they occur.

12
Q

Cellular Network

A

A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.

13
Q

Circuit-Switched Network

A

A network that establishes a dedicated circuit between endpoints.

14
Q

Code-Division Multiple Access (CDMA)

A

Every call’s data is encoded with a unique key, then the calls are all transmitted at once.

15
Q

Concentrators

A

Multiplex connected devices into one signal to be transmitted on a network.

16
Q

Content Distribution Network (CDN)

A

A large, distributed system of servers deployed in multiple data centers, which moves content to achieve QoS and availability requirements.

17
Q

Control Plane

A

In software-defined networking, the plane that decides how traffic is forwarded and pushes that policy directly to devices through southbound interfaces; OpenFlow was the original framework/protocol specified for this purpose. Contrast with the data plane, which forwards packets, and the application plane, reached over northbound interfaces.

18
Q

Converged Protocols

A

A protocol that combines or converges standard protocols such as TCP/IP with proprietary or other nonstandard protocols. These can sometimes provide greatly enhanced functionality and security to meet the needs of specific situations or industries. Adopting them can also complicate enterprise-wide security engineering efforts by requiring additional specialist knowledge and skills to manage and secure.

19
Q

Domain Name Service (DNS)

A

This acronym can be applied to three interrelated elements: a service, a physical server, and a network protocol.

Translates human-friendly names into IP addresses. The resulting IP address is then routed across networks by IP; on the final LAN segment, ARP resolves it to a MAC address.

20
Q

Driver (Device Driver)

A

Software layer that provides an interface for accessing the functions of hardware devices. Typically used by the OS.

21
Q

Dynamic Host Configuration Protocol (DHCP)

A

An industry standard protocol used to dynamically assign IP addresses to network devices.

22
Q

Dynamic or Private Ports

A

Ports 49152–65535. Assigned on the fly as ephemeral source ports when a client opens a connection to a service on a well-known or registered port; the service's reply is addressed back to that ephemeral port.

23
Q

East-West Data Flow (or Traffic)

A

Network data traffic that flows laterally across a set of internal systems, networks, or subnetworks within an IT architecture. These can flow within a data center or between geographically dispersed locations. Contrast with north-south data flows, in which northbound data is leaving the organization and southbound data is entering it.

24
Q

Fiber Distributed Data Interface (FDDI)

A

A LAN standard, defined by ANSI X3T9.5, specifying a 100 Mbps token-passing network using fiber-optic cable, with transmission distances of up to two kilometers.

25
Fibre Channel over Ethernet (FCoE)
A lightweight encapsulation protocol that carries Fibre Channel frames directly over Ethernet with no IP or TCP layer. Because it lacks the reliable data transport of TCP, it depends on lossless (data center bridging) Ethernet to avoid frame loss.
26
File Transfer Protocol (FTP)
The internet protocol (and program) used to transfer files between hosts.
27
Firewalls
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
28
Firmware
Computer programs and data stored in hardware typically in read-only memory (ROM) or programmable read-only memory (PROM)— such that the programs and data cannot be dynamically written or modified during execution of the programs.
29
Frame
Data represented at Layer 2 of the OSI 7-Layer Model.
30
Gateway Device
A firewall or other device sitting at the edge of a network to regulate traffic and enforce rules.
31
Hypertext Transfer Protocol (HTTP)
A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit HTML pages to the client browser. The protocol used to transport hypertext files across the Internet.
32
Internet Control Message Protocol (ICMP)
An IP-layer protocol standardized by the IETF in RFC 792 for error reporting and diagnostics, for example destination unreachable, time exceeded, and the echo request/reply used by ping to determine whether a host is reachable.
33
Internet Group Management Protocol (IGMP)
Used to manage multicasting groups that are a set of hosts anywhere on a network listening for a transmission.
34
Internet of Things (IoT)
A virtual network made up of small, dedicated-use devices that are typically designed as small form factor, embedded hardware with a limited functionality OS. They may interface with the physical world and tend to be pervasively deployed where they exist.
35
Internet Protocol (IPv4)
The dominant protocol that operates at Layer 3 of the OSI 7-Layer Model. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts.
36
Internet Protocol (IPv6)
A modernization of IPv4 that includes a much larger address field: IPv6 addresses are 128 bits, allowing 2^128 (about 3.4 × 10^38) addresses.
37
Internetworking
Two different sets of servers and communications elements using network protocol stacks to communicate with each other and coordinate their activities with each other.
38
Kill Chain, Cyber Kill Chain
A generalized attack model consisting of actions on the objective and six broad, overlapping sets of operational activities: reconnaissance, weaponization, delivery, exploitation, installation, and command and control. APT actors often combine these operations in complex ways to achieve their goals; such attacks may span many months. For defenders, the kill chain model highlights that hardening systems and the organization at any or all of these stages gives an opportunity to break the chain before the adversary reaches its objective.
39
Lightweight Directory Access Protocol (LDAP)
A protocol for querying and modifying directory services (TCP port 389; LDAP over TLS, LDAPS, uses port 636). Authentication (the bind operation) is specified as simple (basic), simple using SSL/TLS, or Simple Authentication and Security Layer (SASL). A simple bind without TLS sends the credentials in cleartext.
40
Logical Link Control (LLC)
One of two sublayers that together make up the data link layer in the OSI.
41
Man-in-the-Middle (MITM)
A form of active attack in which the attacker inserts themselves into the physical or logical communications flow between two parties and falsifies or alters the exchanged data as the attacker chooses. Man-in-the-browser (MITB) attacks focus on Layer 7 vulnerabilities to masquerade as the client to the server and as the server to the client.
42
Media Access Control (MAC)
The 48-bit address (written as 12 hexadecimal digits) assigned to every network interface card. The first 24 bits are the organizationally unique identifier (OUI) assigned to the card manufacturer; the remaining 24 bits are a value unique to that card. Because a MAC address can be changed in software, it is not a reliable authenticator on its own.
43
Microsegmented Networks, Microsegmentation
Part of a zero trust strategy that breaks LANs into small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
44
Modem
Provides modulation and demodulation of binary data into analog signals for transmission through telephone, cable, fiber, or other signaling systems.
45
Multiprotocol Label Switching (MPLS)
A WAN protocol that operates at both Layer 2 and Layer 3 and does label switching.
46
Network Function Virtualization (NFV)
Alternately referred to as virtual network function. The objective of NFV is to decouple functions, such as firewall management, intrusion detection, NAT, and name service resolution, away from specific hardware implementation and move them into software solutions. NFV’s focus is to optimize distinct network services.
47
Network Management
Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.
48
North-South Network Data Flow (or Traffic)
1. Data flowing either from the organization to external destinations (northbound) or into the organization from external sources (southbound). 2. In SDN terms, data flowing up (northbound) or down (southbound) the stack of data/control/applications planes.
49
Open Shortest Path First (OSPF)
An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.
50
OSI Layer 1
Physical Layer. converts a frame into bits for transmission over the physical connection medium.
51
OSI Layer 2
Data Link Layer. It is the layer where media access control (MAC) addresses reside and frames are transmitted
52
OSI Layer 3
Network Layer. It is responsible for logical addressing (IP addresses) and for routing data from source to destination across networks, including the building and dismantling of packets.
53
OSI Layer 4
Transport Layer. It provides end-to-end delivery between hosts: segmenting data for transmission and reassembling it on receipt and, for connection-oriented protocols, sequencing, acknowledgment, and error recovery. Commonly associated protocols: TCP, UDP, TLS.
54
OSI Layer 5
Session Layer. It determines how two computers establish, use, and end a session. Security authentication and network- naming functions required for applications occur here.
55
OSI Layer 6
Presentation Layer. It is responsible for formatting data for exchange, such as graphic commands, and converting character sets; it presents data in a form the application layer can use.
56
OSI Layer 7
Application Layer. This layer deals with how applications access the network and describes application functionality, such as file transfers, messaging, and so on
57
Packet
Representation of data at Layer 3 of the OSI 7-Layer Model.
58
Packet Loss
Degradation of VoIP or other streaming data caused by lost packets. A technique called packet loss concealment (PLC) is used in VoIP communications to mask the effect of dropped packets.
59
Packet-Switched Networks
Networks that do not use a dedicated connection between endpoints.
60
Peering
A voluntary interconnection of administratively separate networks to exchange traffic.
61
Point-to-Point Protocol (PPP)
Provides a standard method for transporting multiprotocol datagrams over point-to-point links.
62
Port Address Translation (PAT)
An extension to network address translation (NAT) to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value.
63
Quality of Service (QoS)
Refers to the capability of a network to provide better service to selected network traffic over various technologies, including frame relay, ATM, Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all these underlying technologies.
64
Registered Ports
Ports 1024–49151. These ports typically accompany nonsystem applications associated with vendors and developers.
65
Remote Procedure Call (RPC)
A protocol that enables one system to execute instructions on other hosts across a network infrastructure.
66
Root of Trust (RoT)
Hardware-based mechanisms that guarantee the integrity of the hardware prior to loading the OS of a computer.
67
Segment
1. Data representation (or datagram name) at Layer 4 of the OSI 7-Layer Model. 2. A portion of a larger network, usually isolated by firewalls or routers at either end from other portions of the network. See also Microsegmented Networks, Microsegmentation.
68
Simple Network Management Protocol (SNMP)
An IP protocol for collecting and organizing information about managed devices on IP networks. It can be used to determine the “health” of networking devices including routers, switches, servers, workstations, printers, and modem racks.
69
Smurf
A reflected, amplified denial-of-service attack: the attacker sends ICMP echo requests to a network's broadcast address with the source address spoofed to be the victim's, so every node on that network answers the victim with an echo reply. Disabling directed-broadcast forwarding on routers defeats it.
70
Software-Defined Networking (SDN)
Any of a broad range of techniques that enable network management, routing, forwarding, and control functions to be directed by software. This is generally done by abstracting the control and management planes from the data plane and its forwarding functions.
71
Software-Defined Wide Area Network (SD-WAN)
An extension of the SDN practices to connect to entities spread across the internet to support WAN architecture especially related to cloud migration.
72
Terminal Emulation Protocol (Telnet)
A command-line protocol (TCP port 23) designed to give command-line access from one host to another. It transmits everything, including credentials, in cleartext and has been superseded by SSH.
73
Transmission Control Protocol (TCP)
The major transport protocol in the internet suite of protocols that provides reliable, connection- oriented, full-duplex streams.
74
Transmission Control Protocol over Internet Protocol (TCP/IP)
The name of the IETF’s four-layer networking model, and its protocol stack.
75
Transport Control Protocol/Internet Protocol (TCP/ IP) Model
Internetworking protocol model created by the IETF, which specifies four layers of functionality: link layer (physical communications), internet layer (network-to- network communication), transport layer (basic channels for connections and connectionless exchange of data between hosts), and application layer, where other protocols and user applications programs make use of network services.
76
Trusted Platform Module (TPM)
A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.
77
Unbound (Wireless) Network(s)
Network in which physical layer interconnections are done using radio, light, or other means not confined to wires, cables, or fibers. Devices on unbound networks may or may not be mobile. See also Bound Networks.
78
Virtual Local Area Networks (VLANs)
Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location.
79
Voice over Internet Protocol (VoIP)
A set of technologies that enables voice to be sent over a packet network.
80
Web Application Firewall (WAF)
A firewall, delivered as software or an appliance, that inspects and filters the exchanges between clients and a web application at Layer 7. WAFs usually inspect HTTP and HTTPS conversations, blocking patterns such as SQL injection or cross-site scripting before they reach the application.
81
Wi-Fi (Wireless LAN IEEE 802.11x)
Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless LAN either public or private.
82
WiMAX (Broadband Wireless Access IEEE 802.16)
A well-known example of wireless broadband. WiMAX can potentially deliver data rates of more than 30 Mbps.
83
Zero Trust Model/ Architecture
Replaces “trust, but verify” as a security design principle by asserting that all activities attempted, by all users or entities, must be subject to control, authentication, authorization, and management at the most granular level possible. NIST and others have proposed zero trust architectures as guidance frameworks for organizations to use as they combine microsegmentation, access control, behavior modeling, and threat intelligence (among other techniques) in moving toward a zero trust implementation.
84
Open Systems Interconnection (OSI) model
A standardized reference model defined by ISO to categorize the process of communication between computers in terms of seven layers.
85
deencapsulation
The process of stripping a layer’s header and footer from a protocol data unit (PDU) as it travels up the OSI model layers.
86
encapsulation
The act of enclosing or encasing one item inside another. Commonly used to describe tunneling, in which one protocol is enclosed in another or, in the context of the Open Systems Interconnection (OSI) model, each layer’s content is encapsulated as the payload in the next- lower layer and a header is added. The inverse of encapsulation is de- encapsulation.
87
peer layer communication
Within the OSI model, the information removed by each layer contains instructions, checksums, and so on that can be understood only by the peer layer that originally added or created the information.
88
protocol data unit (PDU)
The name of the network container at OSI layers 7, 6, and 5 (Application, Presentation, and Session). At the lower layers the PDU is called a segment (TCP) or datagram (UDP) at Layer 4, a packet at Layer 3, a frame at Layer 2, and bits at Layer 1.
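The encapsulation, de-encapsulation, peer-layer and PDU cards above describe the same walk down and back up the stack. The following added example (not part of the original flashcard deck) builds an Ethernet II frame around an IPv4 packet around a UDP datagram, then strips the headers again, verifying at each layer what the peer layer added (the IPv4 header checksum, the UDP length field). The MAC and IP addresses are constructed sample values.

```python
import struct

# Constructed sample addresses for the example (not from the page).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Walk down the stack: payload -> UDP segment -> IPv4 packet -> Ethernet frame.
    Each layer adds its own header and treats everything above it as opaque payload."""
    # Layer 4: UDP header (checksum 0 = not computed, which IPv4 permits)
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: 20-byte IPv4 header without options; checksum covers the header only
    version_ihl = (4 << 4) | 5
    header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + len(segment),
                         0, 0, 64, PROTO_UDP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Layer 2: Ethernet II header (the FCS trailer would be appended by the NIC)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet


def deencapsulate(frame: bytes) -> dict:
    """Walk up the stack, stripping each header and validating what the peer layer added."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry IPv4")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:  # a valid header sums to 0xFFFF, so its checksum is 0
        raise ValueError("IPv4 header checksum mismatch")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    if proto != PROTO_UDP:
        raise ValueError("packet does not carry UDP")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length field does not match segment")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": bytes_to_ip(src), "dst_ip": bytes_to_ip(dst), "ttl": ttl,
        "src_port": src_port, "dst_port": dst_port, "payload": segment[8:],
    }


if __name__ == "__main__":
    frame = encapsulate(b"hello", "10.0.0.1", "10.0.0.2", 40000, 53)
    print(len(frame), "bytes on the wire:", deencapsulate(frame))
```

Each check in `deencapsulate` is information only the peer layer could have produced: the Ethernet layer reads the EtherType its peer wrote, the IP layer verifies the checksum its peer computed, and the UDP layer compares the length its peer recorded. Flipping a single header byte makes the IP checksum fail, which is the kind of integrity check a peer layer performs before handing the payload upward.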
89
Protocol Analyzer
A device or software utility that listens in on (sniffs) network traffic and decodes the protocols it recognizes. There is a legitimate purpose for these tools: administrators use them to analyze traffic. However, when they are used by anyone other than the administrator, they become a security risk, since any cleartext protocol on the segment is exposed. Aka sniffer, network evaluator, network analyzer, traffic monitor, or packet capturing utility.
90
Telnet
A protocol that functions at the Application layer of the OSI model, providing terminal-emulation capabilities. Telnet has been deprecated in favor of Secure Shell (SSH) because it carries credentials and session data in cleartext.
91
Trivial File Transfer Protocol (TFTP)
A protocol similar to FTP that does not provide the security or error-checking features of FTP. It runs over UDP port 69 and supports an exchange of files without authentication. Commonly used to host network device configuration files and boot images, and it can support multicasting. TFTP should not be used on untrusted networks, since it operates in cleartext and without authentication. See File Transfer Protocol (FTP).
92
File Transfer Protocol (FTP)
A protocol used over TCP/IP that permits the transferring of files between computer systems. Because FTP has been implemented on numerous types of computer systems, files can be transferred between disparate systems (for example, a personal computer and a minicomputer).
93
Simple Mail Transfer Protocol (SMTP)
The primary protocol used to transfer or send email messages from clients to servers and from server to server.
94
Simple Network Management Protocol (SNMP)
The management protocol created for sending information about the health of the network to network management consoles.
95
Internet Message Access Protocol (IMAP)
A protocol used to transfer email messages from an email server to an email client. Allows for messages to be saved or archived on the email server rather than the client (as is the limitation with Post Office Protocol [POP]).
96
Post Office Protocol (POP)
An email access program that can be used to retrieve email from an email server. POP results in archiving messages only on the client; they are fully removed from the server. See Internet Message Access Protocol (IMAP).
97
Dynamic Host Configuration Protocol (DHCP)
A protocol used to assign TCP/IP configuration settings to systems upon bootup, including IP addresses, default gateways, subnet masks, and DNS configuration. DHCP servers listen on UDP port 67 and clients on UDP port 68; the client broadcasts its request from port 68 to port 67, and the server answers to port 68. DHCP supports centralized control and management of network addressing.
98
Hypertext Transfer Protocol (HTTP)
The protocol used to transmit web page elements from a web server to web browsers (over the well-known service TCP port 80).
99
Hypertext Transfer Protocol Secured (HTTPS)
The encrypted form of HTTP that currently uses TLS (previously used SSL) and mostly operates over TCP port 443.
100
Line Printer Daemon (LPD)
This is a network service that is used to spool print jobs and send them to printers. TCP port 515.
101
X Window
A GUI API for command-line operating systems. TCP ports 6000–6063.
102
Network File System (NFS)
A protocol that enables users to access files on remote computers as if the files were local. TCP (or UDP) port 2049.
103
User Datagram Protocol (UDP)
A connectionless protocol located at layer 4 of the OSI model.
104
connection oriented
Describes communications between two hosts that have a previous session established for synchronizing sent data. The receiving system acknowledges the data. This method allows for guaranteed delivery of data between systems. Within the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, TCP is used for connection- oriented communication. A connection- oriented protocol such as TCP provides increased reliability but has more overhead and is therefore slower.
105
connectionless
Describes communications between two hosts that have no previous session established for synchronizing sent data. The data isn’t acknowledged at the receiving end. This method can allow data loss. Within the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, User Datagram Protocol (UDP) is used for connectionless communication. The advantage of a connectionless protocol such as UDP is increased speed; however, this comes with less reliability.
106
fully qualified domain name (FQDN)
The human- friendly name of a system or resource that is associated with an IP address. An FQDN is composed of a hostname or subdomain, a registered domain name, and a top- level domain (TLD) name.
107
DNSSEC (DNS Security)
A set of security extensions to the existing Domain Name System (DNS) infrastructure. The primary function of DNSSEC is to let resolvers verify the origin authenticity and integrity of DNS data: zone operators sign their resource record sets, the signatures (RRSIG records) are validated with public keys published in the zone (DNSKEY records), and each zone's key is vouched for by a DS record in its parent, forming a chain of trust from the root. DNSSEC does not encrypt queries or authenticate servers to each other; it counters spoofing and cache poisoning, not eavesdropping.
108
DNS poisoning
The act of falsifying the Domain Name System (DNS) information used by a client to reach a desired system. Usually employed by planting false information into a zone file, caching DNS system, or a HOSTS file. Often the malicious site looks exactly like the site the user intended to visit and can be difficult to identify.
109
rogue DNS server
A false DNS server that can listen in on network traffic for any DNS query or specific DNS queries related to a target site. Then the rogue DNS server sends a DNS response to the client with false IP information. Once the client receives the response from the rogue DNS server, the client closes the DNS query session, which causes the response from the real DNS server to be dropped and ignored as an out- of- session packet.
110
DNS cache poisoning
An attack against a caching DNS server where false data is injected. This can potentially occur without notice for a significant period of time.
111
pharming, DNS pharming
The malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site.
112
DNS query spoofing
A type of attack that occurs when the hacker is able to eavesdrop on a client’s query to a DNS server. The attacker then sends back a reply with false information. In order for this to be successful, the false reply must include the correct query ID (QID) cloned from the query.
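The rogue DNS server, cache poisoning and query spoofing cards above all turn on one detail: a forged reply is accepted only if it matches the outstanding query's ID (and, in modern resolvers, its randomized source port), and once one reply is accepted the genuine one is dropped as out-of-session. The following added example (not from the original deck) models a stub resolver's acceptance check and compares an on-path attacker who clones the QID from an observed query with an off-path attacker who must guess it. The resolver, attacker functions, answer address, port range and the fixed port 53000 are assumptions made for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    qid: int        # 16-bit query ID
    src_port: int   # UDP source port the stub resolver sent from
    qname: str


@dataclass(frozen=True)
class DnsResponse:
    qid: int
    dst_port: int
    qname: str
    answer: str


class StubResolver:
    """Minimal model of a client-side resolver and the checks it applies to replies."""
    FIXED_PORT = 53000  # assumed source port when port randomization is switched off

    def __init__(self, rng: random.Random, randomize_port: bool = True):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = {}  # (qid, port) -> qname for queries still awaiting an answer

    def send_query(self, qname: str) -> DnsQuery:
        qid = self.rng.getrandbits(16)
        port = self.rng.randint(1024, 65535) if self.randomize_port else self.FIXED_PORT
        self.pending[(qid, port)] = qname
        return DnsQuery(qid, port, qname)

    def accept(self, resp: DnsResponse) -> bool:
        """A reply is accepted only if it matches an outstanding query's ID, port and name.
        The first match closes the session; any later reply, genuine or not, is ignored."""
        key = (resp.qid, resp.dst_port)
        if self.pending.get(key) != resp.qname:
            return False
        del self.pending[key]
        return True


def eavesdropping_spoof(resolver: StubResolver, query: DnsQuery) -> bool:
    """On-path attacker (the query spoofing card): clones QID and port from the observed query."""
    forged = DnsResponse(query.qid, query.src_port, query.qname, "203.0.113.66")
    return resolver.accept(forged)


def blind_spoof(resolver: StubResolver, query: DnsQuery, rng: random.Random, forgeries: int) -> bool:
    """Off-path attacker (cache poisoning): knows the name, e.g. by triggering the lookup,
    but must guess the QID and, if randomized, the port, racing the real answer."""
    for _ in range(forgeries):
        qid_guess = rng.getrandbits(16)
        port_guess = rng.randint(1024, 65535) if resolver.randomize_port else StubResolver.FIXED_PORT
        if resolver.accept(DnsResponse(qid_guess, port_guess, query.qname, "203.0.113.66")):
            return True
    return False


def blind_success_rate(randomize_port: bool, trials: int = 600, forgeries: int = 1500, seed: int = 1) -> float:
    """Fraction of lookups an off-path attacker poisons with a burst of forged replies per lookup."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        resolver = StubResolver(rng, randomize_port)
        query = resolver.send_query("bank.example")
        if blind_spoof(resolver, query, rng, forgeries):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("QID only:     ", blind_success_rate(randomize_port=False))
    print("QID + port:   ", blind_success_rate(randomize_port=True))
```

With only a 16-bit QID to guess, a burst of 1,500 forgeries wins a few percent of the time, which is why repeated attempts eventually poison a cache. Adding source-port randomization multiplies the search space by roughly 2^16 and drives the blind success rate to effectively zero, while the on-path attacker who can read the query still wins on the first forged reply; that case is what DNSSEC validation, not randomization, addresses.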
113
proxy falsification
Attacks that could modify the local system proxy configuration, the configuration script, or the routing table to redirect communications to a false proxy. This method works only against web communications (or other services or protocols that use a proxy). A rogue proxy server can modify traffic packets to reroute requests to whatever site the hacker wants.
114
split DNS, split- DNS
Deploying a DNS server for public use and a separate DNS server for internal use. All data in the zone file on the public DNS server is accessible by the public via queries or probing. Aka split- horizon DNS, split- view DNS, and split- brain DNS.
115
DNS sinkhole
Systems that provide false responses to DNS queries from malware, such as bots. This technique is effectively DNS spoofing. It can be used for both malicious and benign/investigative/defensive purposes. This is a specific example of a false telemetry system. Aka sinkhole server, internet sinkhole, and blackhole DNS.
116
domain hijacking, domain theft
The malicious action of changing the registration of a domain name without the authorization of the valid owner. This may be accomplished by stealing the owner’s logon credentials; using XSRF, session hijacking, or MitM; or exploiting a flaw in the domain registrar’s systems.
117
homograph attack
A DNS attack that leverages the similarities in character sets to register phony international domain names (IDNs) that to the naked eye appear legitimate.
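A homograph check has two parts the card only implies: spotting a label that mixes scripts (a Cyrillic letter dropped into a Latin brand name) and recognizing a label that is entirely in another script yet renders like the target. The following added example (not part of the original deck) does both using Python's `unicodedata` and `idna` codec. The confusables table is a small constructed subset of Unicode's confusables data, and the brand names are made-up test inputs.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic and Greek letters that render like Latin.
# The full list lives in Unicode's confusables.txt, which this example does not load.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",  # Greek omicron and alpha
}


def script_of(ch: str) -> str:
    """Coarse script label taken from the Unicode character name ('LATIN', 'CYRILLIC', ...).
    Digits and hyphens belong to every script and are labelled COMMON."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(label: str) -> str:
    """Fold confusable characters to their Latin look-alikes so similar-looking labels compare equal."""
    normalized = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(c, c) for c in normalized)


def analyze_label(label: str) -> dict:
    """Report the scripts in a domain label, whether they are mixed, and its IDNA (xn--) form."""
    normalized = unicodedata.normalize("NFKC", label).lower()
    scripts = sorted({script_of(c) for c in normalized} - {"COMMON"})
    try:
        ascii_form = normalized.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # label is not a valid IDNA label at all
    return {
        "label": label,
        "ascii": ascii_form,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "is_idn": bool(ascii_form) and ascii_form.startswith("xn--"),
    }


def looks_like(label: str, trusted: str) -> bool:
    """True when a label differs from the trusted one but collapses to it after confusable folding."""
    return label.lower() != trusted.lower() and skeleton(label) == skeleton(trusted)


if __name__ == "__main__":
    for candidate in ["paypal", "p\u0430ypal", "\u0441\u043e\u0440\u0443"]:
        info = analyze_label(candidate)
        print(info, "looks like paypal:", looks_like(candidate, "paypal"),
              "looks like copy:", looks_like(candidate, "copy"))
```

The mixed-script test alone misses the all-Cyrillic label, which is why browsers combine script checks with confusable skeletons; the ASCII `xn--` form is what actually appears in DNS and certificate logs, so it is the value to search for when hunting registered look-alikes.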
118
Class A
1-126 first octet
119
Class B
128-191 First Octet
120
Class C
192-223 First Octet
121
Class D
224-239 first Octet
122
Class E
240-255 First Octet
123
loopback, loopback address
A means to reference the local machine, often used in testing for network faults. Often the IPv4 address 127.0.0.1 is used, but the entire Class A range 127.0.0.0/8 was set aside for this purpose. In IPv6, the loopback address is ::1/128 (the all-zeros address ::/128 is the unspecified address, not loopback). The loopback address is used to create a software interface that connects to itself via TCP/IP. It is handled by software alone, which permits testing of the TCP/IP protocol stack even if network interfaces or their device drivers are missing or damaged.
124
Class A Default subnet Mask
255.0.0.0 /8
125
Class B Default subnet Mask
255.255.0.0 /16
126
Class C Default Subnet Mask
255.255.255.0 /24
127
Classless Inter-Domain Routing (CIDR)
CIDR provides for a subnet masking notation that uses mask bit counts rather than a full dotted-decimal notation subnet mask. Thus, instead of 255.255.0.0, a CIDR notation is added to the IP address after a slash, as in 172.16.1.1/16, for example.
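The class ranges, default masks and CIDR cards above are easiest to connect with a small calculator. The following added example (not part of the original deck) uses Python's standard `ipaddress` module to expand a host address in CIDR notation into its network, broadcast, mask and usable host count, and to state whether the prefix matches, subnets or supernets the address's classful default. The `describe` function and its output keys are this example's own.

```python
import ipaddress

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}  # default masks /8, /16, /24


def address_class(addr: ipaddress.IPv4Address) -> str:
    """Classful designation from the first octet, with 127 called out as loopback."""
    first = int(addr) >> 24
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe(cidr: str) -> dict:
    """Expand host/prefix notation such as 172.16.1.1/16 into the quantities the cards define,
    and relate the CIDR prefix to the classful default for that address."""
    iface = ipaddress.ip_interface(cidr)  # accepts a host address, not only a network address
    if iface.version != 4:
        raise ValueError("IPv4 only")
    net = iface.network
    cls = address_class(iface.ip)
    default = CLASSFUL_PREFIX.get(cls)
    if default is None:
        relation = "n/a"          # multicast, reserved and loopback have no classful default
    elif net.prefixlen == default:
        relation = "classful"
    elif net.prefixlen > default:
        relation = "subnetted"    # more network bits than the class would give
    else:
        relation = "supernetted"  # fewer network bits: several classful blocks aggregated
    # /31 (RFC 3021) and /32 have no separate network and broadcast addresses.
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return {
        "host": str(iface.ip),
        "class": cls,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "classful_prefix": default,
        "relation": relation,
        "usable_hosts": usable,
        "multicast": iface.ip.is_multicast,
        "private": iface.ip.is_private,
    }


if __name__ == "__main__":
    for example in ["172.16.1.1/16", "10.1.2.3/24", "192.168.0.0/23", "224.0.0.1/4"]:
        print(describe(example))
```

The broadcast address is what a Smurf attacker targets, and the private flag is what an egress filter should be checking against spoofed sources, so both are worth having beside the mask when reviewing a rule set.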
128
Internet Control Message Protocol (ICMP)
A message and management protocol for TCP/IP. The ping utility uses ICMP. See also ping and Transmission Control Protocol/Internet Protocol (TCP/IP).
129
Internet Group Management Protocol (IGMP)
A protocol used for multicasting operations across the Internet.
130
ARP cache poisoning, ARP poisoning
An attack where an attacker inserts bogus information into the ARP cache (the local memory store of discovered IP to MAC relationships). Aka ARP spoofing.
131
gratuitous ARP
A gratuitous Address Resolution Protocol (ARP) broadcast may be sent as an announcement of a node’s existence, to update an ARP mapping due to a change in IP address or MAC address, or when redundant devices are in use that share an IP address and may also share the same MAC address (regularly occurring gratuitous ARP announcements help to ensure reliable failover). This occurs when a system announces its MAC-to-IP mapping without being prompted by an ARP query. Aka unsolicited ARP.
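The ARP cache poisoning and gratuitous ARP cards describe the two kinds of unsolicited frames a host will cache. The following added example (not part of the original deck) parses Ethernet/ARP frames and flags two things a defender watches for: a known IP being re-announced with a different MAC, and an ARP sender MAC that does not match the frame's Ethernet source. The frames, addresses and the `ArpWatch` class are constructed for this example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(eth_src: str, eth_dst: str, opcode: int,
              sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet; used here only to construct sample traffic."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet, IPv4, 6-byte MAC, 4-byte IP
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "eth_src": frame[6:12].hex(":"),
        "opcode": opcode,
        "sender_mac": body[0:6].hex(":"), "sender_ip": ".".join(map(str, body[6:10])),
        "target_mac": body[10:16].hex(":"), "target_ip": ".".join(map(str, body[16:20])),
    }


class ArpWatch:
    """Tracks IP-to-MAC claims and alerts when a known IP is suddenly claimed by another MAC."""

    def __init__(self):
        self.table = {}  # ip -> mac learned from earlier traffic

    def observe(self, frame: bytes) -> list:
        alerts = []
        arp = parse_arp(frame)
        if arp is None:
            return alerts
        # Spoofing tools sometimes forge the ARP sender MAC without matching the Ethernet source.
        if arp["eth_src"] != arp["sender_mac"]:
            alerts.append(f"L2 source {arp['eth_src']} != ARP sender {arp['sender_mac']} for {arp['sender_ip']}")
        gratuitous = arp["sender_ip"] == arp["target_ip"]
        # Only replies and gratuitous announcements assert a mapping that hosts will cache.
        if arp["opcode"] == ARP_REPLY or gratuitous:
            ip, mac = arp["sender_ip"], arp["sender_mac"]
            known = self.table.get(ip)
            if known is None:
                self.table[ip] = mac
            elif known != mac:
                kind = "gratuitous ARP" if gratuitous else "ARP reply"
                alerts.append(f"possible ARP poisoning: {kind} moves {ip} from {known} to {mac}")
                self.table[ip] = mac  # mirror what a victim's cache now holds
        return alerts


def run_sample() -> list:
    """Constructed traffic: a genuine gateway reply, a host's gratuitous announcement,
    a repeated (benign) gateway reply, then an attacker's forged reply claiming the gateway IP."""
    gw_mac, host_mac, evil_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "de:ad:be:ef:00:01"
    frames = [
        build_arp(gw_mac, host_mac, ARP_REPLY, gw_mac, "10.0.0.1", host_mac, "10.0.0.5"),
        build_arp(host_mac, BROADCAST, ARP_REQUEST, host_mac, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.5"),
        build_arp(gw_mac, host_mac, ARP_REPLY, gw_mac, "10.0.0.1", host_mac, "10.0.0.5"),
        build_arp(evil_mac, host_mac, ARP_REPLY, evil_mac, "10.0.0.1", host_mac, "10.0.0.5"),
    ]
    watch = ArpWatch()
    alerts = []
    for frame in frames:
        alerts.extend(watch.observe(frame))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A mapping change is evidence, not proof: the card's failover case, where redundant devices share one IP, produces legitimate gratuitous ARPs, but when they also share a virtual MAC the table entry does not change and no alert fires. A change that does fire should be triaged against known DHCP leases and maintenance, and tools such as dynamic ARP inspection on the switch enforce the same check against the DHCP snooping table.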
132
Kerberos
A ticket-based authentication mechanism that employs a trusted third party to provide identification and authentication. Typically used in private LANs as an SSO solution.
133
Internet Protocol Security (IPsec)
The standard of IP security extensions used as an addon for IPv4 and integrated into IPv6. IPsec provides encrypted communication tunnels between individual systems or entire networks. See Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and Internet Security Association and Key Management Protocol (ISAKMP).
134
Secure Remote Procedure Call (S-RPC)
An authentication service. S-RPC is a means to prevent unauthorized execution of code on remote systems.
135
Transport Layer Security (TLS)
Based on SSL technology, TLS incorporated many security enhancements and replaced SSL in nearly all applications. Early TLS deployments could fall back to SSL 3.0 when a peer did not support TLS; RFC 6176 (2011) prohibited negotiating SSL 2.0 and RFC 7568 (2015) deprecated SSL 3.0 outright, so modern stacks should offer only TLS 1.2 and 1.3. TLS itself is not tied to a port; HTTPS, its most common use, runs over TCP port 443.
136
converged protocols
The merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. Some common examples of converged protocols are FCoE, MPLS, iSCSI, and VoIP
137
storage area network (SAN)
A secondary network (distinct from the primary communications network) used to consolidate and manage various storage devices.
138
FCoE (Fibre Channel over Ethernet)
A means to encapsulate Fibre Channel communications over Ethernet networks. FCoE typically requires 10 Gbps Ethernet to support the Fibre Channel protocol.
139
FCIP (Fibre Channel over IP)
An alternate implementation that encapsulates Fibre Channel frames in TCP/IP, so it runs over ordinary IP networks at any link speed rather than requiring lossless 10 Gbps Ethernet. It is the SAN equivalent of VoIP.
140
multiprotocol label switching (MPLS)
A high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses.
141
Real-time Transport Protocol (RTP)
A common protocol of VoIP that supports the transmission of the data packets of the conversation. See Secure Real-time Transport Protocol (SRTP).
142
Secure Real-time Transport Protocol (SRTP, Secure RTP)
A security improvement over the Real-time Transport Protocol (RTP) that is used in many Voice over IP (VoIP) communications. SRTP aims to minimize the risk of VoIP DoS through robust encryption and reliable authentication.
143
software-defined network (SDN), software defined network, software-defined networking, software defined networking
A unique approach to network operation, design, and management. The concept is based on the theory that the complexities of a traditional network with on-device configuration (i.e., routers and switches) often force an organization to stick with a single device vendor and limit the flexibility of the network to changing physical and business conditions. SDN aims at separating the infrastructure layer (i.e., hardware and hardware-based settings) from the control layer (i.e., network services of data transmission management). SDN offers a new network design that is directly programmable from a central location, is flexible, is vendor neutral, and is based on open standards. See Network Functions Virtualization (NFV). Aka virtualized network, virtual network, and network virtualization.
144
software-defined storage (SDS)
Another derivative of SDN. SDS is an SDN version of a SAN or NAS. SDS is a storage management and provisioning solution that is policy driven and is independent of the actual underlying storage hardware. It is effectively virtual storage.
145
ad hoc, ad hoc mode
A peer-to-peer 802.11 wireless network connection between two (or more) individual systems without the need for a wireless base station. Ad hoc does not support encryption. An updated version is known as Wi-Fi Direct. See also peer-to-peer mode and Wi-Fi Direct.
146
Wi-Fi Direct
The name for the wireless topology of ad hoc or peer-to-peer connections. It is a means for wireless devices to connect directly to each other without the need for an intermediary base station.
147
extended service set identifier (ESSID)
The name of a wireless network when a wireless base station or wireless access point (WAP) is used (that is, infrastructure mode).
148
infrastructure mode
A configuration of an 802.11 wireless network in which a wireless access point (WAP) is used to support connections of wireless clients for communication with each other as well as to an attached wired network.
149
stand-alone mode, standalone mode
A wireless network that uses a wireless access point to connect wireless clients together but does not offer any access to a wired network. Aka stand-alone mode infrastructure.
150
wired extension mode
A wireless network configuration where the wireless access point acts as a connection point to link the wireless clients to the wired network. Aka wired extension mode infrastructure.
151
enterprise extended mode infrastructure
An arrangement in which multiple wireless access points (WAPs) are used to support a single wireless network over a larger geographic area than could be supported by a single wireless access point and connect a large physical area to the same wired network.
152
fat access point
A base station that is a fully managed wireless system, which operates as a standalone wireless solution.
153
bridge mode, bridge mode infrastructure
A form of wireless access point deployment that is used to link two wired networks together over a wireless bridged connection.
154
thin access point
A WAP that is little more than a wireless transmitter/receiver, which must be managed from a separate external centralized management console called a wireless controller.
155
wireless controller
A separate external centralized management console used to control thin access points.
156
basic service set identifier (BSSID)
The name of a wireless network when in ad hoc or peer-to-peer mode (that is, when a base station or wireless access point isn’t used).
157
beacon frame
A type of wireless network packet that broadcasts the presence of the wireless network. This management frame contains various information such as the Service Set Identifier (SSID), beacon interval, time stamp, and so on.
158
independent service set identifier (ISSID)
The SSID used by Wi-Fi Direct and ad hoc mode networks.
159
channels
Subdivisions of wireless frequencies. Aka wireless channels.
160
wireless cell
An area within a physical environment where a wireless device can connect to a wireless access point (WAP).
161
heat map
(1) A mapping of wireless signal strength measurements over a building’s blueprint. A site survey often produces a heat map. (2) See risk matrix.
162
site survey
A formal assessment of wireless signal strength, quality, and interference using an RF signal detector. A site survey is performed by placing a wireless base station in a desired location and then collecting signal measurements from throughout the area. A site survey often produces a heat map.
163
open system authentication (OSA)
A connection scheme for wireless networks where no real authentication is required; as long as a radio signal can be transmitted between the client and WAP, communications are allowed. An open Wi-Fi network with no authentication and no encryption.
164
shared key authentication (SKA)
One of the original authentication options of 802.11 in relation to WEP. A fixed value, similar to a password, is used to authenticate as well as encrypt the session.
165
Temporal Key Integrity Protocol (TKIP)
A security solution designed as the replacement for Wired Equivalent Privacy (WEP) without requiring replacement of legacy wireless hardware. TKIP was implemented in 802.11 wireless networking under the name Wi-Fi Protected Access (WPA). TKIP and WPA were officially replaced by WPA2 in 2004.
166
Wi-Fi Protected Access (WPA)
An early alternative to WEP was Wi-Fi Protected Access (WPA), which was based on a secret passphrase and employed the LEAP and TKIP cryptosystems. WPA uses the RC4 algorithm and employs the Temporal Key Integrity Protocol (TKIP) or the Cisco alternative Lightweight Extensible Authentication Protocol (LEAP). However, it is no longer secure enough to use. It is attackable through passphrase guessing and encryption key compromise/discovery. WPA can be deployed using authentication in personal mode with a preshared key authentication or in enterprise mode using 802.1X to use existing network authentication.
167
Wi-Fi Protected Access 2 (WPA2)
A revision of WPA that upgraded the encryption to an Advanced Encryption Standard (AES) variant known as Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 supports two authentication options: preshared key (PSK) or personal (PER) and IEEE 802.1X or enterprise (ENT). Aka IEEE 802.11i.
168
Wi-Fi Protected Access 3 (WPA3)
The replacement or upgrade of wireless authentication and encryption of WPA2. WPA3-ENT uses 192-bit AES CCMP encryption. WPA3-PER replaces the preshared key authentication with Simultaneous Authentication of Equals (SAE). WPA3 also implements IEEE 802.11w-2009 management frame protection so that a majority of network management operations have confidentiality, integrity, authentication of source, and replay protection.
169
Wi-Fi Protected Setup (WPS)
A wireless technology intended to simplify the effort involved in adding new clients to a secured wireless network. It operates by autoconnecting the first new wireless client to seek the network once WPS is triggered. WPS can be initiated by a button on the WAP or a code or PIN that can be sent to the base station remotely. This can allow for a brute-force guessing attack to discover the WPS code in less than six hours.
170
Lightweight Extensible Authentication Protocol (LEAP)
A Cisco proprietary alternative to the Temporal Key Integrity Protocol (TKIP) for Wi-Fi Protected Access (WPA). This was developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard. LEAP is now a legacy solution to be avoided.
171
Simultaneous Authentication of Equals (SAE)
An authentication option of WPA3 that uses a password, but it no longer encrypts and sends that password across the connection. Instead, SAE performs a zero-knowledge proof process known as Dragonfly Key Exchange, which is itself a derivative of Diffie–Hellman. The process uses a preset password and the MAC addresses of the client and AP to perform authentication and session key exchange.
172
Extensible Authentication Protocol (EAP)
An authentication expansion system in which new or custom mechanisms to perform authentication can be added to existing systems.
173
Protected Extensible Authentication Protocol (PEAP)
A protocol tool that encapsulates EAP methods within a Transport Layer Security (TLS) tunnel that provides authentication and potentially encryption.
174
MAC filter, MAC filtering
A list of authorized wireless client interface media access control (MAC) addresses that is used by a wireless access point (WAP) to block access to all nonauthorized devices. See MAC limiting.
175
direct sequence spread spectrum (DSSS)
A wireless or radio wave communication process that employs all the available frequencies simultaneously in parallel.
176
Frequency Hopping Spread Spectrum (FHSS)
An early implementation of the spread spectrum concept. This wireless access technology transmits data in a series while constantly changing the frequency in use.
177
spread spectrum
Communication that occurs over multiple frequencies at the same time.
178
Orthogonal Frequency-Division Multiplexing (OFDM)
A wireless technology that employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. It is a variation on frequency multiplexing.
179
bluejacking
The process of sending messages to Bluetooth-capable devices without the permission of the owner/user.
180
bluesmacking
A denial-of-service (DoS) attack against a Bluetooth device.
181
bluesnarfing
An attack that allows hackers to connect with your Bluetooth devices without your knowledge and extract information from them. This form of attack can offer attackers access to your contact lists, your data, and even your conversations.
182
bluesniffing
Eavesdropping or packet-capturing Bluetooth communications.
183
Bluetooth (IEEE 802.15)
A 2.4 GHz wireless protocol used to pair devices together to support communications and control.
184
Bluetooth Low Energy (Bluetooth LE, BLE), Bluetooth Smart
A low-power consumption derivative of standard Bluetooth. BLE was designed for Internet of Things, edge/fog devices, mobile equipment, medical devices, and fitness trackers. It uses less power while maintaining a similar transmission range to that of standard Bluetooth. Standard Bluetooth and BLE are not compatible, but they can coexist on the same device.
185
bluebugging
An attack that grants hackers remote control over the hardware and software features and functions of a Bluetooth device. This could include the ability to turn on the microphone to use the phone as an audio bug.
186
near-field communication (NFC)
A standard that establishes radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other. NFC is a derivative technology from RFID and is itself a form of field-powered or field-triggered device.
187
radio frequency identification (RFID)
A tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field. RFID can be triggered/powered and read from a considerable distance away (often hundreds of meters). Each RFID tag includes a unique identifier so that when a nearby antenna/transceiver activates the tag, it transmits that identifier back to the antenna, where that value is recorded or used to trigger some kind of action. RFID devices may also be used to track individuals (carrying tags), equipment (bearing tags), and so forth, within the premises of an enterprise for security monitoring.
188
war driving
The act of searching for wireless networks using any of a variety of wireless-detection tools, from handheld scanners to notebook computers. Originally named after the method of driving around office buildings looking for open access points.
189
evil twin
An attack in which a hacker operates a false wireless access point (WAP) that will automatically clone, or twin, the identity of another access point based on a client device’s automatic request to reconnect to a known wireless network from its connection history. See rogue access point.
190
disassociation
One of the many types of wireless management frames. An attack can send repeated disassociation frames to a client to prevent reassociation, thus causing a denial of service (DoS).
191
light fidelity (LiFi)
A technology for wireless communications using light. It is used to transmit both data and position information between devices. It uses visible light, infrared, and the ultraviolet light spectrums to support digital transmissions. It has a theoretical transmission rate of 100 Gbps. LiFi has the potential to be used in areas where interference to electromagnetic radiation would be a problem for radio wave–based solutions. Although direct line of sight between devices provides optimum throughput, signals can be transmitted off reflective surfaces in order to maintain at least some level of data transmission.
192
satellite communication (SATCOM)
A means of audio and data transmission using satellites orbiting in near-earth orbit.
193
geostationary orbit (GEO)
Satellites can be positioned in three primary orbits: low Earth orbit (LEO), 160–2,000 km, medium Earth orbit (MEO), 2,000–35,786 km, and geostationary orbit (GEO), 35,786 km. GEO satellites appear motionless in the sky as they are rotating around the earth at the same angular velocity as the earth rotates. Thus, GEO satellites maintain a fixed position above a terrestrial location. GEO satellites have a larger transmission footprint than MEO satellites but also a higher latency. But GEO satellites do not require that a ground station track the movement of the satellite across the sky as is necessary with LEO and MEO satellites, so GEO ground stations can use fixed antennas. See low Earth orbit (LEO) and medium Earth orbit (MEO).
194
narrow-band, narrow-band wireless
A type of radio wave communication that is widely used by SCADA systems to communicate over a distance or geographic space where cables or traditional wireless are ineffective or inappropriate.
195
Zigbee
An IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption, has a low throughput rate, and requires close proximity of devices.
196
content distribution network (CDN), content delivery network
A collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability of the hosted content. CDNs provide the desired multimedia performance quality demanded by customers through the concept of distributed data hosts. Rather than having media content stored in a single central location to be transmitted to all parts of the internet, the media is distributed to numerous geographically distributed prestaging internet locations that are closer to groups of customers.
197
extranet
A privately controlled network segment or subnet that functions as a screened subnet for business-to-business transactions. It allows an organization to offer specialized services to a limited number of specific outsiders but not the entire public, such as business partners, suppliers, distributors, or high-end customers. Often access into an extranet from the internet requires a virtual private network (VPN) connection. Extranets are often used in business-to-business (B2B) applications, between customers and suppliers. See screened subnet.
198
screened subnet
A method of placing web and other servers that serve the general public outside the firewall and, therefore, isolating them from internal network access. These servers should be hardened and trust relationships limited to prevent transitive trust attacks. Placing virtualized servers inside the screened subnet is considered a bad security practice for similar reasons, even though virtualization security has improved significantly in the last few years. Previously known as DMZ. See extranet.
199
repeater
A network device used to amplify signals on network cabling to allow for longer distances between nodes. Aka a concentrator or amplifier.
200
hub
A network device used to connect multiple systems together in a star topology. Hubs repeat inbound traffic over all outbound ports. Hubs are a legacy networking device that you are unlikely to find in standard networks today.
201
modem
(1) A traditional landline modem (modulator-demodulator) is a communications device that converts or modulates between an analog carrier signal and digital information in order to support computer communications over PSTN (public switched telephone network) lines. (2) With the advancement of digital broadband communication technologies, the term modem is now often used to refer to the intermediary device between business or personal equipment and the broadband network (typically internet) carrier or service (such as DSL, cable, cellular/wireless/mobile, Wi-Fi, ISDN, etc.), even when modulation and demodulation are not actually taking place.
202
bridge
A network device used to connect networks with different speeds, cable types, or topologies that still use the same protocol. A bridge is a layer 2 device.
203
switch
A layer 2 network device that tracks the media access control (MAC) addresses of the systems connected on each port. Instead of repeating traffic on every outbound port, a switch repeats only traffic out of the port on which the destination is known to exist. Switches offer greater efficiency for traffic delivery, create separate broadcast and collision domains, and improve the overall throughput of data.
204
router
A network device used to control traffic flow on networks. A router determines the best path for data packets from source to destination. Routers are often used to connect similar networks together and control traffic flow between them. They can function using statically defined routing tables or employ a dynamic routing system.
205
LAN extender
A remote access, multilayer switch used to connect distant networks over WAN links. This is a strange beast of a device in that it creates WANs, but marketers of this device steer clear of the term WAN and use only the terms LAN and extended LAN. The idea behind this device was to make the terminology easier to understand and thus make the device easier to sell than a more conventional WAN device grounded in complex concepts and terms.
206
jump server, jumpbox
A remote access system deployed to make accessing a specific system or network easier or more secure. A jump server is often deployed in extranets, DMZs, or cloud networks where a standard direct link or private channel is not available or is not considered safe.
207
sensor
A hardware or software tool used to monitor digital or physical activities or events to record information or at least take notice of an occurrence. A sensor may monitor network activity, heat, humidity, wind movement, doors and windows opening, the movement of data, the types of protocols in use on a network, when a user logs in, any activity against sensitive servers, and much more. A sensor collects information and then transmits it back to a central system for storage and analysis. Sensors are common elements of fog computing, ICS, IoT, IDS/IPS, and SIEM/security orchestration, automation, and response (SOAR) solutions. See collector.
208
collector, security collector
Any system that gathers data into a log or record file. A collector is similar to the functions of auditing, logging, and monitoring. A collector watches for a specific activity, event, or traffic, and then records the information into a record file. See sensor.
209
aggregator
A type of multiplexor. Numerous inputs are received and directed or transmitted to a single destination. MPLS is an example of an aggregator.
210
network access control (NAC)
A concept of controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.
211
static packet-filtering firewall
A firewall that filters traffic by examining data from a message header. Usually, the rules are concerned with source, destination, and port addresses. Aka screening router.
212
application-level firewall, application-layer firewall
A firewall that operates at OSI layer 7, the Application layer, where it filters traffic for a specific application or service, such as a web proxy. Aka application-level gateway.
213
circuit-level firewall
A firewall that filters traffic around a circuit (i.e., communication session or connection) rather than around only a specific application or protocol. Typically, a circuit-level gateway functions at layer 4 or 5 of the Open Systems Interconnection (OSI) model. Aka circuit-level gateway, circuit-level gateway firewall, and circuit proxies.
214
stateful inspection firewall
A firewall that evaluates the state or the context of network traffic. By examining source and destination addresses, application usage, source of origin, and relationship between current packets with the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. A type of firewall that is aware that any valid outbound communication (especially related to Transmission Control Protocol [TCP]) will trigger a corresponding response or reply from the external entity. Aka dynamic packet filtering firewall.
215
next-generation firewall (NGFW)
A unified threat management (UTM) device that is based on a traditional firewall with numerous other integrated network and security services, such as application filtering, deep packet inspection, intrusion prevention, TLS offloading and/or inspection, domain name and website filtering, QoS, bandwidth management, antimalware, authentication services, and identity management. See unified threat management (UTM) and multifunction device (MFD).
216
internal segmentation firewall (ISFW)
A firewall deployed between internal network segments or company divisions. Its purpose is to prevent the further spread of malicious code or harmful protocols already within the private network. With an ISFW, network segments can be created without resorting to air gaps, VLANs, or subnet divisions. An ISFW is commonly used in microsegmentation architectures.
217
proxy, proxy server
A mechanism that copies packets from one network into another. The copy process also changes the source and destination address to protect the identity of the internal or private network (i.e., NAT/PAT). Proxies may be transparent or nontransparent. Proxies may cache static content to improve network throughput. Aka forward proxy, forwarding proxy, standard proxy, common proxy, or reverse proxy.
218
forward proxy
A standard or common proxy that acts as an intermediary for queries of external resources. A forward proxy handles queries from internal clients when accessing outside services.
219
reverse proxy
A proxy system that handles inbound requests from external systems to internally located services. A reverse proxy is similar to the functions of port forwarding and static NAT.
220
nontransparent proxy
A proxy that manages client traffic because the client is specifically configured to send communications to the proxy.
221
proxy auto-config (PAC)
The settings for a nontransparent proxy. PAC can be implemented with a script or via DHCP.
222
content inspection (content filtering)
The security filtering function in which the contents of the application protocol payload are inspected.
223
coaxial cable
A form of copper cable that is no longer in widespread use for networking because it has been replaced by unshielded twisted pair (UTP), shielded twisted pair (STP), fiber-optic cables, or wireless. Coaxial cable used for networking is known as 10Base2 and 10Base5. A cable with a center core of copper wire surrounded by a layer of insulation and then by a conductive braided shielding and finally encased in an insulation sheath. Coaxial cable is fairly resistant to electromagnetic interference (EMI), has a low cost, and is easy to install.
224
Twisted pair cable, twisted-pair cabling
A form of cable commonly used in network applications. It’s named after its twisting of pairs of conductors within the cable itself. Standard networking cable has eight wires or four pairs. See also unshielded twisted pair (UTP) or shielded twisted pair (STP) (if shielded). See 10BaseT.
225
shielded twisted-pair (STP)
A twisted-pair wire that includes a metal foil shielding wrapper inside the outer sheath to provide additional protection from electromagnetic interference (EMI).
226
unshielded twisted-pair (UTP)
A twisted-pair wire that does not include additional electromagnetic interference (EMI) protection. Most twisted-pair wiring is UTP.
227
attenuation
Loss of signal strength over a distance of a copper cable or wireless transmission, caused by resistance and noise picked up from the environment. Attenuation is what limits the maximum use length of a copper cable and is one factor that limits the distance of wireless transmissions. Fiber-optic connections also experience attenuation in the form of transmission loss (weaker light over greater distance).
228
logical topology
The logical operation of a network. It defines the arrangement and organization of devices as well as the means used to communicate to and with each other. Aka signal topology.
229
network topology
The physical layout and organization of computers and networking devices. Aka physical topology.
230
ring topology
A network structure that connects each system as points on a circle.
231
bus topology
A network structure that connects each system to a trunk or backbone cable. All systems on the bus can transmit data simultaneously, which can result in collisions.
232
star topology
A network structure that employs a centralized connection device. This device can be a simple hub or switch. Each system is connected to the central hub by a dedicated segment.
233
mesh topology
A network structure that connects systems to other systems using numerous paths or links. A full-mesh topology connects each system to all other systems on the network. A partial-mesh topology connects many systems to many other systems. Mesh topologies provide redundant connections to systems, allowing multiple segment failures without seriously affecting connectivity.
234
analog communications
A continuous signal that varies in frequency, amplitude, phase, voltage, and so on. The variances in the continuous signal produce a wave shape (as opposed to the square shape of a digital signal). The actual communication occurs by variances in the constant signal.
235
digital communications
Network transmissions that occur through the use of a discontinuous electrical signal and a state change (i.e., high and low voltages) or on-off pulses.
236
asynchronous communications
A means of data transfer that relies on a stop and start delimiter bit to manage the transmission of data. Because of the use of delimiter bits and the stop and start nature of its transmission, asynchronous communication is best suited for smaller amounts of data. PSTN (public switched telephone network) modems are good examples of asynchronous communication devices.
237
baseband, baseband technology
A form of communication in which the cable or communication media is able to support only a single transmission at a time.
238
broadband, broadband technology
A form of communication in which the cable or communication medium is able to support multiple transmissions at one time.
239
broadcast
A communications transmission to multiple but unidentified recipients.
240
multicast
A communications transmission to multiple identified recipients. Aka multicasting.
241
unicast
A communications transmission to a single identified recipient.
242
Carrier-Sense Multiple Access (CSMA)
A LAN media access technology that does not directly address collisions. If a collision occurs, the communication would not have been successful, and thus an acknowledgment would not be received. This causes the sending system to retransmit the data and perform the CSMA process again.
243
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
A LAN media access technology that attempts to avoid collisions by granting only a single permission to communicate at any given time. This system requires designation of a primary system, which responds to the requests and grants permission to send data transmissions.
244
Carrier-Sense Multiple Access with Collision Detection (CSMA/CD)
A LAN media access technology that responds to collisions by having each member of the collision domain wait for a short but random period of time before starting the process over. Unfortunately, allowing collisions to occur and then responding or reacting to collisions causes delays in transmissions as well as a required repetition of transmissions. This results in about 40 percent loss in potential throughput.
245
token passing
A LAN media access technology that performs communications using a digital token. Possession of the token allows a host to transmit data. Once its transmission is complete, it releases the token to the next system. Token passing was used by ring topology–based networks.
246
polling
A LAN media access technology that performs communications using a primary-secondary configuration. One system is labeled as the primary system. All other systems are labeled as secondary. The primary system polls or inquires of each secondary system in turn whether they have a need to transmit data. If a secondary system indicates a need, it is granted permission to transmit. Once its transmission is complete, the primary system moves on to poll the next secondary system. Mainframes often supported polling.
247
Point-to-Point Protocol (PPP)
A full-duplex line protocol that supersedes Serial Line Internet Protocol (SLIP), which was used over various non-LAN connections, such as modem dial-up links.
248
Serial Line Internet Protocol (SLIP)
A legacy protocol that was used in early remote access environments. SLIP was originally designed to connect Unix systems together in a dial-up environment, and it only supports serial communications. Was replaced by PPP.
249
Challenge-Handshake Authentication Protocol (CHAP), Challenge Handshake Authentication Protocol
A protocol that challenges a system to verify its identity. CHAP is an improvement over Password Authentication Protocol (PAP), in which one-way hashing is incorporated into a multistep, nonrepeatable challenge-response handshake.
250
Password Authentication Protocol (PAP)
An insecure plaintext password-logon mechanism. A standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear.
252
Port security
(1) The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or devices can attempt to connect into an open port. (2) The management of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports through the use of firewall, intrusion detection system (IDS), and intrusion prevention system (IPS) tools. (3) The need to authenticate to a port before being allowed to communicate through or across the port. This may be implemented on a switch, router, smart patch panel, or even a wireless network. This concept is often referred to as IEEE 802.1X, which is titled Port-Based Network Access Control. (4) Port knocking.
253
quality of service (QoS)
The oversight and management of the efficiency and performance of network communications. Items to measure include throughput rate, bit rate, packet loss, latency, jitter, transmission delay, and availability.
254
split tunnel
A virtual private network (VPN) configuration that allows a VPN-connected system to access both the organizational network over the VPN as well as the internet directly at the same time. The split tunnel thus grants a simultaneously open connection to the internet as well as the organizational network. See full tunnel.
255
full tunnel
A virtual private network (VPN) configuration in which all of the client’s traffic is sent to the organizational network over the VPN link, and then any internet-destined traffic is routed out of the organizational network’s proxy or firewall interface to the internet. A full tunnel ensures that all traffic is filtered and managed by the organizational network’s security infrastructure. See split tunnel.
256
Point-to-Point Tunneling Protocol (PPTP)
An enhancement of PPP that creates encrypted tunnels between communication endpoints (i.e., virtual private networks [VPNs]). PPTP is often replaced by L2TP.
257
Layer 2 Tunneling Protocol (L2TP)
A tunneling protocol that adds functionality to the Point-to-Point Protocol (PPP). This protocol was created by Microsoft and Cisco and is often used with virtual private networks (VPNs). A point-to-point tunneling protocol developed by combining elements from PPTP and L2F. L2TP uses 802.1X for authentication. L2TP lacks a built-in encryption scheme but typically relies on IPsec’s ESP as its encryption mechanism.
258