Network+ (Chapter 11 Definitions)

  1. Authentication, Authorization, and Accounting (AAA)
    A security philosophy wherein a computer trying to connect to a network must first present some form of credential in order to be authenticated and then must have limitable permissions within the network.  The authenticating server should also record session information about the client.
  2. Encryption
    A method of securing messages by scrambling and encoding each packet as it is sent across an unsecured medium, such as the Internet.  Each encryption level provides multiple standards and options.
  3. Nonrepudiation
    The process that guarantees that data is as originally sent and that it came from the source you think it should have come from.
  4. Authentication
    A process that proves good data traffic truly came from where it says it originated by verifying the sending and receiving users and computers.
  5. Authorization
    A step in the AAA philosophy during which a client's permissions are decided upon.
  6. Complete Algorithm
    A cipher and the methods used to implement that cipher.
  7. Cipher
    A series of complex and hard-to-reverse mathematics run on a string of ones and zeroes in order to make a new set of seemingly meaningless ones and zeroes.
  8. Ciphertext
    The output when cleartext is run through a cipher algorithm using a key.
  9. Symmetric-key algorithm
    Any encryption method that uses the same key for both encryption and decryption.
  10. Asymmetric-key Algorithm
    An encryption method in which the key used to encrypt a message and the key used to decrypt it are different (asymmetrical).
  11. Block Cipher
    An encryption algorithm in which data is encrypted in "chunks" of a certain length at a time.  Popular with wired networks.
  12. Stream Cipher
    An encryption method that encrypts a single bit at a time.  Popular when data comes in long streams (such as with older wireless networks or cell phones).
  13. Data Encryption Standard (DES)
    A symmetric-key algorithm developed by the U.S. government in the 1970s and formerly in use in a variety of TCP/IP applications.  DES used a 64-bit block and a 56-bit key.  Over time, the 56-bit key made DES susceptible to brute-force attacks.
  14. Rivest Cipher 4 (RC4)
    A popular streaming symmetric-key algorithm.
  15. Advanced Encryption Standard (AES)
    A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size.  Practically uncrackable.
  16. Public-Key Cryptography
    A method for exchanging digital keys securely.
  17. Rivest Shamir Adleman (RSA)
    An improved public-key cryptography algorithm that enables secure digital signatures.
  18. Hash
    A mathematical function used in cryptography that is run on a string of binary digits of any length that results in a value of some fixed length (often called a checksum or a digest).
  19. Message-Digest Algorithm Version 5 (MD5)
    Cryptographic hash function most common for files.
  20. Secure Hash Algorithm (SHA)
    A popular cryptographic hash.
  21. Challenge-Response Authentication Mechanism-Message Digest 5 (CRAM-MD5)
    A tool for server authentication.
  22. Digital Signature
    A string of characters, created from a private encryption key, that verifies a sender's identity to those who receive encrypted data or messages.
  23. Certificate
    A public encryption key signed with the digital signature from a trusted third party called a certificate authority (CA).  This key serves to validate the identity of its holder when that person or company sends data to other parties.
  24. Public-Key Infrastructure (PKI)
    The system for creating and distributing digital certificates using sites like VeriSign, Thawte, or GoDaddy.
  25. Network Access Control (NAC)
    Control over information, people, access, machines, and everything in between.
  26. Access Control List (ACL)
    A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.
  27. Mandatory Access Control (MAC)
    A security model in which every resource is assigned a label that defines its security level.  If the user lacks that security level, they do not get access.
  28. Discretionary Access Control (DAC)
    Authorization method based on the idea that there is an owner of a resource who may at his or her discretion assign access to that resource.  DAC is considered much more flexible than MAC.
  29. Role-Based Access Control (RBAC)
    The most popular authentication model used in file sharing; it defines a user's access to a resource based on the roles the user plays in the network environment.  This leads to the idea of creating groups.  A group in most networks is nothing more than a name that has clearly defined accesses to different resources.  User accounts are placed into various groups.
  30. Point-to-Point Protocol (PPP)
    A protocol that enables a computer to connect to the Internet through a dial-in connection and to enjoy most of the benefits of a direct connection.  PPP is considered to be superior to SLIP because of its error detection and data compression features, which SLIP lacks, and the capability to use dynamic IP addresses.
  31. Password Authentication Protocol (PAP)
    The older and most basic form of authentication and also the least safe because it sends all passwords in cleartext.
  32. 802.1X
    A port-authentication network access control mechanism for networks.
  33. Challenge Handshake Authentication Protocol (CHAP)
    A remote access authentication protocol.  It has the serving system challenge the remote client, which must provide an encrypted password.
  34. MS-CHAP
    Microsoft's dominant variation of the CHAP protocol; it uses a slightly more advanced encryption protocol.
  35. Remote Authentication Dial-In User Service (RADIUS)
    An AAA standard created to support ISPs with hundreds if not thousands of modems in hundreds of computers connecting to a single central database.  RADIUS consists of three devices: the RADIUS server that has access to a database of user names and passwords, a number of network access servers (NAS) that control the modems, and a group of systems that dial into the network.
  36. Terminal Access Controller Access Control System Plus (TACACS+)
    A proprietary protocol developed by Cisco to support AAA in a network with many routers and switches.  It is similar to RADIUS in function, but uses TCP port 49 by default and separates authorization, authentication, and accounting into different parts.
  37. Kerberos
    An authentication standard designed to allow different operating systems and applications to authenticate each other.
  38. Domain Controller
    A Microsoft Windows Server system specifically configured to store user and server account information for its domain.  Often abbreviated as "DC."  Windows domain controllers store all account and security information in the Active Directory Service.
  39. Key Distribution Center (KDC)
    System for granting authentication in Kerberos.  It has two processes: the Authentication Server (AS) and the Ticket-Granting Service (TGS).
  40. Authentication Server (AS)
    In Kerberos, a system that hands out Ticket-Granting Tickets to clients after comparing the client hash to its own.
  41. Ticket Granting Ticket
    Sent by an Authentication Server in a Kerberos setup if a client's hash matches its own, signaling that the client is authenticated but not yet authorized.
  42. Extensible Authentication Protocol (EAP)
    Authentication wrapper that EAP-compliant applications can use to accept one of many types of authentication.  While EAP is a general-purpose authentication wrapper, its only substantial use is in wireless networks.
  43. Transport Layer Security (TLS)
    A robust update to SSL that works with almost any TCP application.
  44. Protected Extensible Authentication Protocol (PEAP)
    An authentication protocol that uses a password function on MS-CHAPv2 with the addition of an encrypted TLS tunnel similar to EAP-TLS.
  45. Lightweight Extensible Authentication Protocol (LEAP)
    A proprietary EAP authentication used almost exclusively by Cisco wireless products.  LEAP is an interesting combination of MS-CHAP authentication between a wireless client and a RADIUS server.
  46. Tunnel
    An encrypted link between two programs on two separate computers.
  47. Port Number
    Number used to identify the requested service (such as SMTP or FTP) when connecting to a TCP/IP host.  Some example port numbers include 80 (HTTP), 20 (FTP), 69 (TFTP), 25 (SMTP), and 110 (POP3).
  48. Secure Sockets Layer (SSL)
    A protocol developed by Netscape for transmitting private documents over the Internet.  SSL works using a public key to encrypt sensitive data.  This encrypted data is sent over an SSL connection and then decrypted at the receiving end using a private key.
  49. IP security (IPsec)
    An IP packet encryption protocol.  IPsec is the only IP encryption protocol to work at Layer 3 of the OSI model.  IPsec is most commonly seen on virtual private networks.  Works in two different modes: Transport mode and Tunnel mode.  In Transport mode only the actual payload of the IP packet is encrypted.  In Tunnel mode the entire IP packet is encrypted and then placed into an IPsec endpoint where it is encapsulated inside another IP packet.
  50. Secure Copy Protocol (SCP)
    One of the first SSH-enabled programs to appear after the introduction of SSH.  SCP was one of the first protocols used to transfer data securely between two hosts and thus might have replaced FTP.  SCP works well but lacks features such as directory listing.
  51. Secure FTP (SFTP)
    Designed as a replacement for FTP after many of the inadequacies of SCP (such as the inability to see the files on the other computer) were discovered.
  52. Simple Network Management Protocol (SNMP)
    A set of standards for communication with devices connected to a TCP/IP network.  Examples of these devices include routers, hubs, and switches.
  53. Lightweight Directory Access Protocol (LDAP)
    The tool that programs use to query and change a database used by the network.  LDAP uses TCP port 389 by default.
  54. Network Time Protocol (NTP)
    Protocol that gives the current time.