Cisco Acs 5x User Guide
User Guide for Cisco Secure Access Control System 5.3, OL-24201-01

GLOSSARY

A

AAA
    Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. A system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network.

AAA client IP address
    An IP address of the AAA client, used to configure the AAA client in Access Control Server (ACS) to interact with the network device. To represent multiple network devices, specify multiple IP addresses. Separate each IP address by pressing Enter.

AAA server
    A server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

access
    The capability to get to what you need. Data access is being able to get to (usually having permission to use) particular data on a computer.

Access Control
    Ensures that resources are only granted to those users who are entitled to them.

Access Control List (ACL)
    A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.

Access Control System (ACS)
    A AAA server that performs authentication, authorization, and accounting to manage devices in a network.

Access Control Service
    A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets.

AP
    Access point. The hub of a wireless network. Wireless clients connect to the access point, and traffic between two clients must travel through the access point.

access policies
    The policies that limit access to the ACS web interface by IP address, TCP port range, and Secure Sockets Layer (SSL).

AR
    Access Registrar. A RADIUS-compliant access policy server designed to support the delivery of dial, ISDN, and new services including DSL, cable with telco-return, wireless, and Voice over IP.

ADR
    Accessibility design requirements. Provides detail on how to design accessible products, web sites, and documentation.
accounts
    The capability of ACS to record user sessions in a log file.

ACS System Administrators
    Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and manage ACS deployments in your network.

ARP
    Address Resolution Protocol. A protocol for mapping an Internet Protocol address to a physical machine address that is recognized in the local network. A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

AES
    Advanced Encryption Standard. A Federal Information Processing Standard (FIPS) Publication that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information. This standard specifies Rijndael as a FIPS-approved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information.

anonymous (LDAP)
    An LDAP session is described as anonymous if no user DN or secret is supplied when initiating the session (sending the bind).

anti-virus
    A software program designed to identify and remove a known or potential computer virus.

API
    Application program interface. The specific methodology by which a programmer writing an application program may make requests of the operating system or another application.

applet
    Java programs; an application program that uses the client's web browser to provide a user interface.

ARP
    Address Resolution Protocol. A protocol used to obtain the physical addresses (such as MAC addresses) of hardware units in a network environment. A host obtains such a physical address by broadcasting an ARP request, which contains the IP address of the target hardware unit. If the request finds a unit with that IP address, the unit replies with its physical hardware address.

ARPANET
    Advanced Research Projects Agency Network. A pioneer packet-switched network that was built in the early 1970s under contract to the US Government, led to the development of today's Internet, and was decommissioned in June 1990.

Asymmetrical Key Exchange
    Asymmetric or public key cryptography is based on the concept of a key pair. Each half of the pair (one key) can encrypt information so that only the other half (the other key) can decrypt it. One part of the key pair, the private key, is known only by the designated owner; the other part, the public key, is published widely but is still associated with the owner.

attribute (LDAP)
    The data in an entry is contained in attribute-value pairs. Each attribute has a name (and sometimes a short form of the name) and belongs to an objectClass. The attribute's characteristics are fully described by an ASN.1 definition. One or more objectClasses may be included in a Schema. Depending on the ASN.1 definition of the attribute, there can be more than one attribute-value pair of the same named attribute in an entry. One (or more) attribute(s), the naming attribute or RDN, will always uniquely identify an entry.

auditing
    The information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.

authenticated (LDAP)
    A session is described as authenticated if a user DN and secret are supplied when initiating the session (sending the bind).

authentication
    The process of confirming the correctness of the claimed identity.
authenticity
    The validity and conformance of the original information.

authorization
    The approval, permission, or empowerment for someone or something to do something.

authorization profile
    The basic permissions container for a RADIUS-based network access service. The authorization profile is where you define all permissions to be granted for a network access request. VLANs, ACLs, URL redirects, session timeout or reauthorization timers, or any other RADIUS attributes to be returned in a response are defined in the authorization profile.

B

basic authentication
    The simplest web-based authentication scheme, which works by sending the username and password with each request.

BIND
    Berkeley Internet Name Domain. An implementation of DNS. DNS is used for domain name to IP address resolution.

bind (LDAP)
    When a connection is made to an LDAP server, the first operation of the sequence is called a bind. The bind operation sends the DN of the entry that will be used for authentication and the password to be used. In the case of an anonymous bind, both values will be NULL.

block cipher
    Encrypts one block of data at a time.

bridge
    A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet or token ring).

broadcast
    To simultaneously send the same message to multiple recipients. One host to all hosts on a network.

broadcast address
    An address used to broadcast a datagram to all hosts on a given network using the UDP or ICMP protocol.

browser
    A client computer program that can retrieve and display information from servers on the World Wide Web.

C

CA Signature
    A digital code that vouches for the authenticity of a digital certificate. The CA signature is provided by the certificate authority (CA) that issued the certificate.

cache
    A special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.

CSS
    Cascading style sheet. A Web page derived from multiple sources with a defined order of precedence where the definitions of any style element conflict.

CA
    Certificate authority. An authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.
certificate-based authentication
    The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic.

certificate
    Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.

CGI
    Common gateway interface. This mechanism is used by HTTP servers (web servers) to pass parameters to executable scripts in order to generate responses dynamically.

CHAP
    Challenge-Handshake Authentication Protocol. A protocol that uses a challenge/response authentication mechanism where the response varies with every challenge to prevent replay attacks. CHAP is an authentication technique where, after a link is established, a server sends a challenge to the requestor. The requestor responds with a value obtained by using a one-way hash function. The server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.

challenge-response
    A common authentication technique whereby an individual is prompted (the challenge) to provide some private information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.

checksum
    A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data.

cipher
    A cryptographic algorithm for encryption and decryption. The method used to transform a readable message (called plaintext or cleartext) into an unreadable, scrambled, or hidden message (called ciphertext).

ciphertext
    The encrypted form of the message being sent. Ciphertext is data that has been encrypted. It is the output of the encryption process and can be transformed back into a readable form (plaintext) with the appropriate decryption key.

client
    A system entity that requests and uses a service provided by another system entity, called a server. In some cases, the server may itself be a client of some other server.

client/server
    Describes the relationship between two computer programs in which one program, the client, makes a service request from another program, the server, which fulfills the request. Although the client/server idea can be used by programs within a single computer, it is a more important idea in a network. In a network, the client/server model provides a convenient way to interconnect programs that are distributed efficiently across different locations.

collision
    Occurs when multiple systems transmit simultaneously on the same wire.

command sets
    Contains a set of permitted commands for TACACS+ based, per-command authorization.

community string
    A character string used to identify valid sources for Simple Network Management Protocol (SNMP) requests, and to limit the scope of accessible information. Ravlin units use a community string, such as a password, allowing only a limited set of management stations to access its MIB.

computer network
    A collection of host computers together with the sub-network or inter-network through which they can exchange data.

confidentiality
    The need to ensure that information is disclosed only to those who are authorized to view it.
configuration management
    The process of establishing a known baseline condition and managing it.

cookie
    Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections.

corruption
    A threat action that undesirably alters system operation by adversely modifying system functions or data.

CoS
    Class of Service. A way of managing traffic in a network by grouping similar types of traffic (for example, e-mail, streaming video, voice, large document file transfer) together and treating each type as a class with its own level of service priority.

countermeasure
    Reactive methods used to prevent an exploit from successfully occurring once a threat has been detected. Intrusion Prevention Systems (IPS) commonly employ countermeasures to prevent intruders from gaining further access to a computer network. Other countermeasures are patches, access control lists, and malware filters.

covert channels
    The means by which information can be communicated between two parties in a covert fashion using normal system operations. For example, changing the amount of hard drive space that is available on a file server can be used to communicate information.

CRL
    Certificate revocation list. A list of certificates (more accurately, their serial numbers) which have been revoked, are no longer valid, and should not be relied upon by any system user.

CRUD
    Create, read, update, and delete. The basic management operations that are performed on managed data.

cryptanalysis
    The mathematical science that deals with analysis of a cryptographic system in order to gain knowledge needed to break or circumvent the protection that the system is designed to provide. In other words, converting the ciphertext to plaintext without knowing the key.

cryptographic algorithm or hash
    An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, the Digital Signature Algorithm (DSA), and key agreement algorithms.

cryptography
    Garbles a message in such a way that anyone who intercepts the message cannot understand it.

CSV
    Comma-separated value. This file format is a delimited data format that has fields separated by the comma character and records separated by new lines.

SGA
    Security Group Access.

CUE
    Common User Experience.

cut-through
    A method of switching where only the header of a packet is read before it is forwarded to its destination.

CRC
    Cyclic Redundancy Check. Sometimes called cyclic redundancy code. A type of checksum algorithm that is not a cryptographic hash but is used to implement a data integrity service where accidental changes to data are expected.
D

daemon
    A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a Unix term, though many other operating systems provide support for daemons, though they're sometimes called other names. Windows, for example, refers to daemons as System Agents and services.

DES
    Data Encryption Standard. A widely-used method of data encryption using a private (secret) key. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

datagram
    Request for Comments 1594 says, "a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." The term has been generally replaced by the term packet. Datagrams or packets are the message units that the Internet Protocol deals with and that the Internet transports. A datagram or packet needs to be self-contained without reliance on earlier exchanges because there is no connection of fixed duration between the two communicating points as there is, for example, in most voice telephone conversations. (This kind of protocol is referred to as connectionless.)

decapsulation
    The process of stripping off one layer's headers and passing the rest of the packet up to the next higher layer on the protocol stack.

decryption
    The process of transforming an encrypted message into its original plaintext.

denial of service
    The prevention of authorized access to a system resource or the delaying of system operations and functions.

device administration
    Capability to control and audit the administration operations performed on network devices. The network device administrator role has full access to perform the administrative operations on network devices.

dictionaries
    A store to configure attributes of RADIUS and TACACS+ protocols, internal users, and internal hosts.

dictionary attack
    An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words, compared to a brute force attack that tries all possible combinations.

Diffie-Hellman
    A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.

Digest Authentication
    Allows a web client to compute MD5 hashes of the password to prove it has the password.

digital certificate
    An electronic credit card that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
digital envelope
    An encrypted message with the encrypted session key.

digital signature
    A hash of a message that uniquely identifies the sender of the message and proves the message hasn't changed since transmission.

DSA
    Digital signature algorithm. An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.

DSS
    Digital Signature Standard. The US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.

disassembly
    The process of taking a binary program and deriving the source code from it.

disruption
    A circumstance or event that interrupts or prevents the correct operation of system services and functions.

DIT
    Directory information tree (also known as the naming context). The hierarchy of objects that make up the local directory structure. More than one DIT may be supported by an LDAP server. The Root DSE will provide this information.

DN
    Distinguished Name. A DN is comprised of a series of RDNs that uniquely describe the naming attributes on the path UP the DIT from the required entry to the directory root. A DN is written LEFT to RIGHT and looks something like this:

domain
    A sphere of knowledge, or a collection of facts about some program entities or a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. In the Internet's domain name system, a domain is a name with which name server records are associated that describe sub-domains or hosts. In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

domain name
    Locates an organization or other entity on the Internet. For example, the domain name www.sans.org locates an Internet address for sans.org at Internet point 199.0.0.2 and a particular host server named www. The org part of the domain name reflects the purpose of the organization or entity (in this example, organization) and is called the top-level domain name. The sans part of the domain name defines the organization or entity and together with the top-level is called the second-level domain name.

DNS
    Domain Name System. The way that Internet domain names are located and translated into IP addresses. A domain name is a meaningful and easy-to-remember handle for an Internet address.

DSA (Directory System Agent)
    X.500 term for any DAP or LDAP enabled directory service, e.g. an LDAP server.

DSE (DSA Specific Entry)
    An entry in a local directory server.

due diligence
    The requirement that organizations must develop and deploy a protection plan to prevent fraud and abuse, and additionally deploy a means to detect them if they occur.
dumpsec
    A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.

DLL
    Dynamic Link Library. A collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file).

E

eavesdropping
    Listening to a private conversation which may reveal information which can provide access to a facility or network.

Egress Filtering
    Filtering outbound traffic.

encapsulation
    The inclusion of one data structure within another structure so that the first data structure is hidden for the time being.

encryption
    Cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the data's original meaning to prevent it from being known or used.

entry (LDAP)
    The name given to a stored object in an LDAP enabled directory. Each entry has one parent entry (object) and zero or more child entries (objects). The data content of an entry consists of one or more attributes, one (or more) of which is (are) used as the naming attribute (more correctly the RDN) to uniquely identify this object in the DIT.

equality (LDAP)
    Equality defines the comparison rule of an attribute when used in a search filter that contains no wildcards; both the content and length must be exactly the same. When wildcards are used, this is called a substring and the SUBSTR rule is used.

external identity store
    External databases that ACS accesses to perform credential and authentication validations for internal and external users (as defined by you within a policy).

Ethernet
    The most widely-installed LAN technology. Specified in a standard, IEEE 802.3, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access using a CSMA/CD protocol.

event
    An observable occurrence in a system or network.

Exponential Backoff Algorithm
    Used to adjust TCP timeout values on the fly so that network devices don't continue to time out sending data over saturated links.

exposure
    A threat action whereby sensitive data is directly released to an unauthorized entity.

extended ACLs
    A more powerful form of standard ACLs on Cisco routers. They can make filtering decisions based on IP addresses (source or destination), ports (source or destination), protocols, and whether a session is established.
EAP
    Extensible Authentication Protocol. A protocol for wireless networks that expands on authentication methods used by the PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.

EAP-MD5
    Extensible Authentication Protocol-Message Digest 5. An EAP security algorithm developed by RSA Security that uses a 128-bit generated number string, or hash, to verify the authenticity of a data communication.

EAP-TLS
    Extensible Authentication Protocol-Transport Layer Security. A high-security version of EAP that requires authentication from both the client and the server. If one of them fails to offer the appropriate authenticator, the connection is terminated. Used to create a secured connection for 802.1X by preinstalling a digital certificate on the client computer. EAP-TLS is the protocol that serves for mutual authentication and integrity-protected cipher suite negotiation and key exchange between a client and server. Both the client and the server use X.509 certificates to verify their identities to each other.

F

false rejects
    When an authentication system fails to recognize a valid user.

FTP
    File Transfer Protocol. A TCP/IP protocol specifying the transfer of text or binary files across the network.

filter
    Used to specify which packets will or will not be used. It can be used in sniffers to determine which packets get displayed, or by firewalls to determine which packets get blocked.

filtering router
    An inter-network router that selectively prevents the passage of data packets according to a security policy. A filtering router may be used as a firewall or part of a firewall. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy. The policy is implemented by rules (packet filters) loaded into the router.

firewall
    A TCP/IP Fragmentation Attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains an incorrect offset. When the packet is reconstructed, the port number will be overwritten.

fragmentation
    The process of storing a data file in several chunks or fragments rather than in a single contiguous sequence of bits in one place on the storage medium.

frames
    Data that is transmitted between network points as a unit complete with addressing and necessary protocol control information. A frame is usually transmitted serially, bit by bit, and contains a header field and a trailer field that frame the data. (Some control frames contain no data.)

full duplex
    A type of duplex communications channel which carries data in both directions at once. Refers to the transmission of data in two directions simultaneously. Communications in which both sender and receiver can send at the same time.

fully-qualified domain name
    A server name with a hostname followed by the full domain name.
G

gateway
    A network point that acts as an entrance to another network.

global system options
    Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PAC.

H

hash functions
    Used to generate a one-way checksum for a larger text, which is not trivially reversed. The result of this hash function can be used to validate whether a larger file has been altered, without having to compare the larger files to each other. Frequently used hash functions are MD5, SHA1, and SHA2.

header
    The extra information in a packet that is needed for the protocol stack to process the packet.

host
    Any computer that has full two-way access to other computers on the Internet. Or a computer with a web server that serves the pages for one or more Web sites.

Host-Based ID
    Host-based intrusion detection systems use information from the operating system audit records to watch all operations occurring on the host that the intrusion detection software has been installed upon. These operations are then compared with a pre-defined security policy. This analysis of the audit trail imposes potentially significant overhead requirements on the system because of the increased amount of processing power which must be utilized by the intrusion detection system. Depending on the size of the audit trail and the processing ability of the system, the review of audit data could result in the loss of a real-time analysis capability.

HTTPS
    Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. HTTPS is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL. HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP, and an additional encryption/authentication layer between HTTP and TCP.

hub
    A network device that operates by repeating data that it receives on one port to all the other ports. As a result, data transmitted by one host is retransmitted to all other hosts on the hub. The central device in a star network, whether wired or wireless. Wireless access points act as hubs in wireless networks.

hybrid attack
    Builds on the dictionary attack method by adding numerals and symbols to dictionary words.

hybrid encryption
    An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.

HTML
    Hypertext Markup Language. The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.

HTTP
    Hypertext Transfer Protocol. The protocol in the Internet Protocol (IP) family used to transport hypertext documents across an internet.