Glossary of Key Terms - CCNP Security FIREWALL 642-618 Official Cert Guide (2012)

Appendix C. Glossary of Key Terms

A

active-active failover

A high availability mode where both ASAs in a failover pair stay active and inspect traffic. It requires multiple context mode: the contexts are divided into failover groups, and each ASA is active for a different group while standing by for the other.

active-standby failover

A high availability mode where one ASA functions as the active unit, providing all traffic inspection, while the other ASA stays idle and waits to take over the active role.

admin context

A special Security Context used for overall device management in multiple mode.

administrative distance

An arbitrary index from 0 to 255 that reflects the trustworthiness of a routing information source.

AIP-SSM

Cisco Advanced Inspection and Prevention Security Services Module, an IPS/IDS module installed in the ASA chassis and designed to help protect the network from attacks and misuse.

application inspection and control (AIC) filtering

Security policies that are based on information inside the application layer protocols.

application inspection engine

An ASA feature that is used to inspect traffic related to a specific application or protocol.

application layer access control

Security policies based on information found in the Layers 5 through 7 packet headers and packet content.

application layer gateway (ALG)

Also referred to as a proxy, a device that acts as a gateway or intermediary between clients and servers.

application layer signature

Detection of known bad content or payloads in packets used by a specific application.

ARP inspection

A transparent firewall mode feature that prevents ARP spoofing attacks. The ASA inspects ARP packets and compares the sender IP address, sender MAC address, and source interface against the static ARP entries in the configuration; a packet whose MAC or interface conflicts with a static entry is dropped.

asymmetric routing

A condition where packets from a single traffic flow are forwarded through one ASA of an active-active failover pair, but the return traffic arrives on the alternate ASA. Because one ASA is not aware of any connection state that the other ASA has built, the return packets are dropped unless the interfaces involved are placed in the same asymmetric routing group (asr-group), which lets the ASAs redirect such packets to the peer that owns the connection.

auto NAT

Also referred to as object NAT, auto NAT contains translation rules defined as part of the network object definition itself. This allows each object definition to contain a single translation only.

B

Base license

The default feature license of a Cisco ASA platform. Capacity (VLANs, contexts, connections) and some features (for example, failover on the smaller models) are unlocked by optional licenses such as the Security Plus license.

best-effort queue (BEQ)

A buffer that holds packets waiting for transmission, but services them in the order that they were received.

bidirectional NAT

Applying both inside NAT and outside NAT to the same traffic flow (almost always due to overlapping IP addresses on a network requiring communication).

blacklist

A static list of known bad servers that are involved in botnet activity.

botnet attack

Malicious activity that infects individual hosts in a protected network, allowing them to be remotely controlled to align them in a coordinated attack against other resources.

bump-in-the-wire

A transparent mode firewall that is positioned between two network segments but does not break or alter the IP subnet on either side.

C

class map

Defines which traffic will be matched in a security policy.

CSC-SSM

Cisco Content Security and Control Security Services Module, designed to help protect users of the network from encountering malicious content such as viruses and spyware.

cut-through proxy

An ASA feature that authenticates a user once (via HTTP, HTTPS, Telnet, or FTP) against a AAA server and then lets that user's subsequent connections pass through the ASA at normal forwarding speed instead of being proxied per connection. It allows different network access policies to be applied based on the identity of the user communicating through the ASA.

D

dead connection detection (DCD)

A mechanism used to probe for defunct idle connections, indicating that a host is dead or unresponsive.

deep packet inspection (DPI)

Examination beyond simple UDP or TCP header inspection, to look further into the UDP or TCP packet payloads to understand their contents.

default class

The resource class assigned to all Security Contexts on the Cisco ASA by default. Newly created resource classes inherit the limits defined in the default class.

demilitarized zone (DMZ)

An area of the network that is positioned between the trusted, internal network and the untrusted Internet.

DHCP relay

An ASA feature that relays DHCP requests received on one interface to a DHCP server found on another interface.

DHCP server

An ASA feature that provides IP addresses and parameters dynamically to requesting clients.

DNS Rewrite

An ASA feature (the dns keyword on a NAT rule) that resolves issues in a network where internal clients query an external DNS server for an internal server. The ASA rewrites the translated (public) address in the DNS reply back to the server's real (inside) address, so the client connects directly rather than through the translation.

dynamic inside NAT

A translation feature that creates a temporary translation entry (slot) in the translation table when a host on a more secure interface sends traffic through the ASA to a less secure interface.

dynamic NAT

Temporary translation where an original host is assigned an address from an available pool, and that address is returned to the pool after a configurable idle time.

dynamic outside NAT

A translation mechanism that is applied to packets that ingress an interface with a lower security level than that of the interface they egress (inbound traffic).

E

egress interface

Interface where the packet will exit the ASA.

EIGRP

Enhanced Interior Gateway Routing Protocol, a Cisco proprietary dynamic routing protocol that uses a complex routing metric and exchanges routing information to neighboring Layer 3 devices.

embryonic connection

A TCP connection that has been initiated, but not completely opened with a three-way handshake.

EtherChannel

A logical link built up of two or more physical interfaces between an ASA and a switch.

EtherType access list

A special access list that can be used in transparent firewall mode to filter packets based on hexadecimal EtherType values.

F

Fail Closed

The configuration of IPS or IDS that states traffic should be dropped if there is a failure of the inspection device.

Fail Open

The configuration of IPS or IDS that states traffic should be passed through if there is a failure of the inspection device.

failover group

A logical grouping of security contexts that is used by an active-active failover pair of ASAs. Each failover group is active on one ASA and standby on the other ASA.

firewall

A device that enforces an access control policy between two or more security domains.

G–H

global configuration mode

The CLI mode that allows commands to be entered to configure features that affect the ASA as a whole. Global configuration mode is reached only from the privileged-EXEC mode.

hardware name

The interface hardware type, module, and port number that uniquely identifies a physical interface, as in Ethernet0/0 or GigabitEthernet3/0.

HTTP redirection

Method by which the Cisco ASA actively listens for HTTP requests on TCP port 80 and, upon detecting those requests, redirects internal users to a local web page that is a form for users to input their appropriate credentials.

I–K

ingress interface

Interface where the original packet enters the ASA.

inline operation

The configuration of IPS in which traffic is passing through the inspecting device.

inside NAT

The address translation performed if the packets arriving at the ASA from a host subject to translation ingress an interface with a security level higher than that of the interface they egress.

interface name

An arbitrary logical name used to reference an ASA interface from a security perspective, as in “inside” or “outside.”

intrusion detection

The process of inspecting network traffic and alerting an administrator about malicious traffic.

intrusion prevention

The process of identifying malicious traffic attempting to enter the network and dropping that traffic.

L

LACP (Link Aggregation Control Protocol)

A standards-based protocol that is used to negotiate an EtherChannel between an ASA and a switch.

LAN failover interface

A link that is used between two ASAs in a failover pair. Each ASA uses the link to exchange hello messages that check on the health of its failover peer, and the active unit replicates its configuration to the standby unit over it. Because the replicated configuration includes secrets, the link should be dedicated and protected with a failover key.

low-latency queue (LLQ)

A buffer that holds packets that are time sensitive and are to be transmitted ahead of other packets in the BEQ. The LLQ is also called the priority queue.

M

MAC address learning

The default process that an ASA uses to learn the location of source MAC addresses from packets as they are received. When MAC addresses are spoofed by malicious hosts, MAC address learning can be disabled and replaced by static entries.

manual NAT

Allows an administrator to define translation rules that are written outside any network object and are compared to traffic flows before the auto NAT rules (section 1 of the NAT table). These rules are usually very specific; for example, a host that requires different translations depending on the ingress or egress interface or on the destination address must use manual NAT. A manual NAT rule can also be placed after auto NAT (section 3, with the after-auto keyword); such rules are configured the same way but are generally less specific, serving as catch-all translations that apply only when no higher priority rule matched.

maximum transmission unit (MTU)

The maximum size packet that can be transmitted on an interface without fragmentation.

member interface

A physical interface that has been configured to be a member of a redundant interface pair or of an EtherChannel.

Mobility Proxy

Enables the ASA to act as a proxy for the TLS signaling used between Cisco Unified Mobile Communicator (UMC) and the Cisco Unified Mobility Advantage (UMA) server.

Modular Policy Framework (MPF)

A modular, hierarchical scheme used to configure ASA security policies.

MTU

Maximum transmission unit, the largest IP packet (not counting the Layer 2 frame header) that can be sent over an interface without fragmentation. The ASA default on Ethernet interfaces is 1500 bytes.

multiple mode

The mode of operation that permits the creation of virtual firewalls.

N

NAT

Network Address Translation, a mechanism used to translate private (local) IP addresses to public (global), routable addresses when a host on a private network needs to communicate with hosts outside of that private network.

NAT control

A feature of ASA releases before 8.3 that requires every packet crossing from a higher to a lower security interface to match a NAT rule, or be dropped. NAT control was removed in ASA 8.3; later releases translate only traffic that matches a NAT rule.

NAT exemption

A method (nat 0 access-list, on releases before 8.3) to exempt specific traffic from translation in situations where NAT control is enabled. On 8.3 and later the equivalent is an identity NAT rule that translates an address to itself.

NAT Table

The ordered list of translation rules on an ASA 8.3 or later. It contains three sections: manual NAT rules (section 1), auto NAT rules (section 2, ordered automatically with static before dynamic and more specific before less specific), and manual NAT rules configured with the after-auto keyword (section 3). Rules are searched from top to bottom, and the first rule that matches the packet is applied, regardless of whether it is a static or dynamic rule or an identity (exemption) rule, and regardless of whether the source is on a higher or lower security interface than the destination.

network behavior analysis (NBA) system

A system that examines network traffic over time to build statistical models of normal, baseline activity.

network intrusion prevention system (NIPS)

A system that examines and analyzes network traffic inline, compares it to a database of known malicious activity (signatures), and drops traffic it identifies as malicious.

network layer access control

Security functions that use decisions based on information found in the Layers 2 through 4 headers.

network object

A network object defines a single IP address, range of addresses, network, or FQDN. The host, range, or subnet that is defined by a network object is used to identify the real, nontranslated, IP address in a NAT configuration. A network object can also be used to define any available translation addresses.

O

optional licenses

Licenses on the Cisco ASA that allow the devices to scale to more users or add additional features.

OSPF

Open Shortest Path First, a standards-based link-state routing protocol that can partition a network into a hierarchy of distinct numbered areas.

outside NAT

The address translation performed if packets arriving from a host subject to translation ingress an interface with a lower security level than that of the interface they egress.

P-Q

PAT

Port Address Translation, a method of translating IP addresses, translating source port numbers in TCP or UDP packets, thus allowing many-to-one translation of source IP addresses. This allows numerous internal hosts to share a single public IP address when communicating with external networks.

payload minimization

The process of limiting the payload of packets such that they contain only expected content.

permissive access control

Allow all traffic to pass through a firewall unless it is explicitly blocked.

Phone Proxy

Permits the ASA to terminate Cisco SRTP/TLS encrypted IP Phone connections that permit secure remote access.

physical interface

An ASA interface that has physical hardware and connects to a network through physical cabling.

policy map

Defines the actions that are to be taken on matched traffic in a security policy.

Presence Federation Proxy

Permits the ASA to terminate TLS communications between Unified Presence servers and apply the appropriate security policies.

privileged-EXEC mode

The highest-level CLI mode, which offers full access to all ASA commands and information.

promiscuous operation

The configuration of IDS in which traffic is copied to the device that is doing the inspection.

protocol minimization

The process of limiting the protocol features to the absolute minimum needed for an application or service to function.

protocol verification

The process of verifying that packets conform to a protocol standard or definition.

proxy ARP

A technique in which one host, usually a router, answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for routing packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

R

redundant interface

A logical interface that comprises two physical interfaces configured in a redundant pair. Only one of the two interfaces takes on the active role at any given time.

regular expression (regex)

A string of characters and special metacharacters that defines the content that should be matched in a text field.

resource class

An object for setting resource limits on virtual firewalls.

restrictive access control

Allows no traffic to pass through the firewall unless it is explicitly allowed.

RIPv2

Routing Information Protocol Version 2, a dynamic distance vector routing protocol used to exchange routing information with other Layer 3 devices.

ROMMON (ROM monitor) mode

The CLI mode available as an ASA is booting, reached only by escaping the normal booting sequence from the console when a countdown option is presented. Only a limited set of commands is available, but they include changing the configuration register and booting an alternate image, which is how password recovery is performed; console access to the ASA therefore needs to be physically protected.

routed firewall mode

The ASA operating mode by which packets are forwarded based on IP address and routing information.

running configuration

The set of configuration commands the firewall uses while it is running. The running configuration is stored in RAM.

S

security context

A virtual instance of a firewall. One physical firewall hardware platform can run multiple security contexts, each acting as an independent firewall.

security domain

A trusted portion of a network.

security level

An arbitrary number between 0 and 100 that denotes the relative protection or security that will be applied to an interface. A higher number indicates more trust or more security. By default, connections may be initiated from a higher security level interface to a lower one, while connections from a lower to a higher security level are denied unless an access list explicitly permits them.

SensorBase

A dynamic database of known botnet servers, as provided by Cisco.

service policy

An entire set of security policies (a policy map) applied either to a single ASA interface or globally to all interfaces. Only one service policy can be applied per interface, plus one global policy; where both exist, the interface policy takes precedence for traffic on that interface.
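The following is an added example, not configuration from the book, showing the three Modular Policy Framework pieces defined in this glossary (class map, policy map, service policy) together with the embryonic connection limit and dead connection detection entries. Object names, addresses and limits are assumptions; the syntax is the ASA 8.4 form (later releases spell the idle timeout keyword idle instead of tcp).

```text
! Constructed example (not from the book): a global service policy that runs
! the default inspections and protects a DMZ web server from SYN floods.
! Object names, addresses and limits are assumptions.

object network DMZ-WEB
 host 192.0.2.10

! class map: WHICH traffic. This one matches anything sent to the web server.
access-list WEB-TRAFFIC extended permit tcp any object DMZ-WEB eq 80
access-list WEB-TRAFFIC extended permit tcp any object DMZ-WEB eq 443
class-map WEB-CLASS
 match access-list WEB-TRAFFIC

! The built-in class that selects traffic for the default application
! inspection engines (present on a factory configuration; shown for completeness)
class-map inspection_default
 match default-inspection-traffic

! policy map: WHAT to do with each matched class
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
 class WEB-CLASS
  ! Limit half-open (embryonic) connections; above the limit the ASA completes
  ! the three-way handshake on the server's behalf (TCP intercept) so a SYN
  ! flood never reaches the server's backlog
  set connection embryonic-conn-max 1000 per-client-embryonic-max 20
  set connection conn-max 5000
  ! Idle flows are probed (dead connection detection) every 15 minutes, up to
  ! 5 times, before the 30-minute idle timer tears them down
  set connection timeout tcp 0:30:00
  set connection timeout dcd 0:15:00 5

! service policy: WHERE the policy map applies. One global policy plus at most
! one policy per interface; an interface policy wins for that interface.
service-policy global_policy global
```

show service-policy lists each class with its hit counters, which is the quickest way to confirm that WEB-TRAFFIC is actually being matched rather than falling through to the default class.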

shared interface

An interface used by multiple Security Contexts when in multiple mode.

single mode

The default operational mode of a Cisco ASA, in which the device runs as one firewall with a single configuration and does not use security contexts.
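The following is an added example, not configuration from the book, showing how the glossary terms admin context, resource class, default class, security context, shared interface and multiple mode fit together in the system execution space of an ASA in multiple mode. Context names, file paths, interface assignments and limits are assumptions chosen for illustration.

```text
! Constructed example (not from the book): system execution space of an ASA in
! multiple mode. Names, paths and limits are assumptions.

mode multiple      ! EXEC command; converts the running config into the admin
                   ! context and reboots (not stored in the configuration)

! Subinterfaces are created in the system space and handed to contexts below
interface GigabitEthernet0/1.101
 vlan 101
interface GigabitEthernet0/1.102
 vlan 102

! Resource class: cap what one context may consume so a single tenant cannot
! starve the others. Any limit not set here is inherited from the default class.
class GOLD
 limit-resource conns 20000
 limit-resource rate conns 1000
 limit-resource xlates 10000
 limit-resource asdm 2

! A shared interface needs a unique MAC per context so the ASA can classify
! inbound frames to the right context
mac-address auto

! The admin context is the one used to manage the whole device
admin-context ADMIN
context ADMIN
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

context CUST1
 allocate-interface GigabitEthernet0/0 outside      ! shared with CUST2
 allocate-interface GigabitEthernet0/1.101 inside   ! dedicated subinterface
 config-url disk0:/cust1.cfg
 member GOLD

context CUST2
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.102 inside
 config-url disk0:/cust2.cfg
 ! no "member" line: this context is limited by the default class
```

Each context's own configuration (interfaces named inside/outside, NAT, access lists, service policies) lives in its config-url file and is edited from that context with changeto context CUST1. The mapped names given on allocate-interface hide the physical interface names from the tenant administrators.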

SLA monitor

A process that monitors the reachability of a target device to implement a conditional static route.

specific configuration modes

CLI modes where specific ASA features can be configured. These modes are reachable only from global configuration mode.

startup configuration

The set of configuration commands that the firewall applies when it starts up. The startup configuration is permanent and is stored in nonvolatile flash memory.

stateful failover

A failover mode where the active ASA inspects traffic and passes connection state and many other types of information (such as the xlate table, ARP table, and in transparent mode the MAC address table) to the standby ASA over a state link, so that it can take over immediately if the active unit fails.

stateful packet filtering (SPF)

Decisions to forward or block a packet are based on a dynamic state table for each active connection.

stateless failover

A failover mode where the active ASA inspects traffic but never informs the standby ASA of any of its activities. If the active unit fails, the standby unit will have to rebuild all of its connection state information.
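The following is an added example, not configuration from the book, tying together the active-standby failover, LAN failover interface, stateful failover and stateless failover entries. It shows the primary unit of an active/standby pair; interface names, addresses and the failover key are assumptions. The secondary unit is configured with the same failover link commands and failover lan unit secondary, and receives everything else by configuration replication.

```text
! Constructed example (not from the book): primary unit of an active/standby
! stateful failover pair on ASA 8.4. Names, addresses and key are assumptions.

failover lan unit primary
! Dedicated failover link: carries hello messages and configuration replication
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Reusing the same link for state makes the failover STATEFUL; without a
! "failover link" line the pair is stateless and the standby must rebuild
! every connection after a failover
failover link FOLINK
! Encrypt failover traffic: replication carries the whole running configuration,
! including passwords and keys
failover key ReplaceWithAStrongSharedSecret

! Every monitored data interface needs an active and a standby address so each
! unit can test the other's interface health
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

monitor-interface outside
monitor-interface inside
! Faster detection of a dead peer: 1 s hello, declare failed after 3 s
failover polltime unit 1 holdtime 3
! HTTP connection state is not replicated by default; enable it if web
! sessions must survive a failover
failover replication http

failover
```

After both units are up, show failover on either unit reports which unit is active and whether the state link is up; a missing state link is the usual reason a pair that was meant to be stateful behaves as stateless.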

stateless packet filtering

Decisions to forward or block a packet are made on each packet independently, with no concept of a connection state.

static inside NAT

A translation mechanism that creates a permanent, fixed translation between a local address on the inside network and a global address on the outside network.

static NAT

Fixed translation, where an original address is permanently mapped to the translated IP address.

static outside NAT

A translation mechanism that creates a permanent, fixed translation between a global address on the outside network and a local address on the inside network.

static route

A route that is manually configured and does not change.

T

TCP normalizer

An inspection feature that examines information in the TCP header of packets and can normalize or alter the values so that they conform to configured limits.

threat detection

An ASA feature that can discover suspicious activity passing through an ASA by monitoring traffic statistics and detecting abnormal conditions that might indicate an attack in progress.

TLS Proxy

Permits the ASA to intercept and decrypt encrypted information from Unified Communication endpoints en route to the Cisco Unified Communications Manager (CUCM).

traffic policing

A method of measuring the bandwidth of traffic and limiting it to a predefined threshold or limit. Packets above the limit are usually dropped.

traffic shaping

A method of measuring the bandwidth of traffic and buffering it so that it is sent at or below an average rate. Because the limit is seldom exceeded, packets are not normally dropped.

transparent firewall mode

The ASA operating mode by which packets are forwarded based on Layer 2 MAC address information.
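The following is an added example, not configuration from the book, combining the transparent firewall mode, bump-in-the-wire, ARP inspection, MAC address learning and EtherType access list entries into one configuration. It uses the bridge-group syntax introduced in ASA 8.4; interface names, the management address and the router's MAC address are assumptions.

```text
! Constructed example (not from the book): transparent-mode ASA bridging
! one subnet, with the upstream router's MAC pinned and ARP spoofing blocked.
! Addresses and MACs are assumptions.

firewall transparent

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
! The bridge-group virtual interface carries only the ASA's management address;
! hosts on both sides stay in 192.0.2.0/24 and keep the same default gateway
interface BVI1
 ip address 192.0.2.5 255.255.255.0

! Static ARP entry for the default gateway, then enforce it on the outside
! interface. A packet that claims 192.0.2.1 with a different MAC, or arrives on
! the wrong interface, is dropped. "no-flood" also drops ARP packets that match
! no static entry at all; "flood" (the default) would forward those.
arp outside 192.0.2.1 0011.2233.4455
arp-inspection outside enable no-flood

! Stop learning source MACs from frames on the outside and rely on a static
! MAC table entry instead, so a spoofed source MAC cannot move the gateway
mac-address-table static outside 0011.2233.4455
mac-learn outside disable

! EtherType ACL: non-IP frames only cross the bridge if permitted. An applied
! EtherType ACL ends in an implicit deny, so spanning-tree BPDUs are permitted
! explicitly to keep STP working through the firewall.
access-list ETH-IN ethertype permit bpdu
access-group ETH-IN in interface inside
access-group ETH-IN in interface outside
```

show arp-inspection and show mac-address-table confirm that inspection is enabled per interface and that the static entries are the ones in use.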

Trend Micro InterScan GUI

Management software for the CSC-SSM on a Cisco ASA.

twice NAT

Technically, every manual NAT rule is a twice NAT rule, because manual NAT can always specify both the source and the destination. In practice the term is used only for a manual NAT rule that actually translates both the source and the destination address and/or port parameters of a flow, most commonly to let two networks with overlapping address space communicate.

U–V

user EXEC mode

The default CLI mode, which offers a limited set of commands.

unidirectional manual static NAT

A manual NAT rule that applies only to traffic sourced from a defined network object. Traffic destined to the object won’t use the NAT rule. Normally, manual NAT rules apply bidirectionally.
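The following is an added example, not configuration from the book, showing the ASA 8.3 and later NAT forms defined in this glossary (auto/object NAT, manual NAT before and after auto NAT, twice NAT, unidirectional manual static NAT, PAT and DNS rewrite) and which section of the NAT table each one lands in. All addresses and object names are assumptions; the partner network is deliberately given the same 10.1.1.0/24 range as the inside network to motivate the twice NAT rule.

```text
! Constructed example (not from the book): ASA 8.3+ NAT rules annotated with
! the NAT table section each one occupies. Addresses and names are assumptions.

object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network INSIDE-NET-MAPPED
 subnet 172.16.1.0 255.255.255.0    ! how the partner sees us
object network PARTNER-NET
 subnet 10.1.1.0 255.255.255.0      ! overlaps our inside range
object network PARTNER-NET-MAPPED
 subnet 172.16.2.0 255.255.255.0    ! how we address the partner
object network DMZ-WEB
 host 192.0.2.10
object network DMZ-WEB-PUBLIC
 host 203.0.113.10

! Section 1: manual NAT, evaluated first, in the order configured.
! Twice NAT: inside hosts send to 172.16.2.x; the ASA rewrites the source to
! 172.16.1.x and the destination to the partner's real 10.1.1.x. For the
! destination the mapped object is listed first, then the real one.
! "unidirectional" means only flows initiated from inside use this rule.
nat (inside,outside) source static INSIDE-NET INSIDE-NET-MAPPED destination static PARTNER-NET-MAPPED PARTNER-NET unidirectional

! Section 2: auto (object) NAT. One rule per object; the ASA orders them
! static before dynamic, then fewer real addresses before more.
object network DMZ-WEB
 nat (dmz,outside) static DMZ-WEB-PUBLIC dns   ! static inside NAT; "dns" enables DNS rewrite
object network INSIDE-NET
 nat (inside,outside) dynamic interface        ! dynamic PAT to the outside interface address

! Section 3: manual NAT placed after auto NAT. A catch-all that is consulted
! only when nothing in sections 1 or 2 matched.
nat (any,outside) after-auto source dynamic any interface
```

show nat displays the three sections in evaluation order with per-rule hit counts, and packet-tracer input inside tcp 10.1.1.20 12345 172.16.2.7 443 shows which single rule a given flow selects; since the first match always wins, a too-broad rule in section 1 silently shadows everything below it.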

virtual HTTP

Method that enables users to authenticate against a Cisco ASA using an IP address of the virtual HTTP server inside the Cisco ASA.

virtual reassembly

The process by which fragmented packets are buffered and reassembled in memory so that the ASA can inspect them.

VLAN interface

A logical ASA interface that connects to a virtual LAN, either internally or externally through a VLAN trunk link.

VLAN trunk link

A physical interface that is configured as an IEEE 802.1Q trunk. Packets from multiple VLANs can be carried over a trunk by adding a VLAN tag to each. At the far end of the trunk link, the VLAN tags are removed and the packets are sent into the respective VLAN.

W–Z

whitelist

A static list of known good or trusted servers.

xlate table

The translation table maintained by a Cisco ASA. Each xlate entry maps a real address (and, for PAT, port) to its translated address and port. Dynamic entries are created only when matching traffic first passes through the firewall, are referenced by the connections that use them, and are removed after the translation idle timeout; static entries persist as long as the rule is configured. The table can be viewed with show xlate.

zero downtime upgrade

The software image upgrade process on a pair of ASAs operating in stateful failover mode. The operating system images can be upgraded on each ASA individually, without interrupting network connectivity.