AAA – authentication, authorization and accounting – who are you, what are you allowed to do, and we’re watching you do it.
ACE – access control entry – one line of an access control list, generally consisting of a “permit” or “deny” followed by matching criteria
ACS – access control server – a server used in conjunction with AAA clients.
authentication method – how a router can determine whether the user is allowed access to the device. (RADIUS, TACACS+, local, none, etc.)
authentication server – in the context of 802.1X, this is the server that authenticates the client.
authenticator – in the context of 802.1X, this is the device that arbitrates between the supplicant and the authentication server
DAI – dynamic ARP inspection – a switch dropping naughty ARP messages
DHCP snooping – a switch dropping naughty DHCP messages (i.e., server messages showing up on ports where there’s no known DHCP server). Also creates a DHCP snooping binding database.
DHCP snooping binding database – this is what the switch has learned while performing DHCP snooping.
EAP – extensible authentication protocol – 802.1X authentication protocol (RFC3748)
EAPoL – EAP over LAN – encapsulation of EAP inside of a LAN frame, used between the “supplicant” and “authenticator”
enable password – password used to access privileged mode on the router
enable secret – password used to access privileged mode on the router, stored in a secret-squirrel MD5 hash
fraggle attack – a UDP echo attack – like a smurf attack
IEEE 802.1X – a standard for user authentication that must be satisfied before a port will be enabled on a switch
IP source guard – uses the DHCP snooping binding database to make sure that the source IP and MAC of a frame entering a port are what’s expected for that port
man-in-the-middle attack – where an attacker positions himself in the middle of a flow by lying about MAC and/or IP addresses. Once the attacker sees the traffic, he forwards it to the true recipient, hoping no one will be the wiser.
MD5 hash – message digest 5 – a one-way hash computed over the message, with a private key or shared secret mixed in. The digest is included in the message. Both sides perform the same math to make sure that the message wasn’t tampered with.
OTP – one-time password – a shared key and secret key are used by a hash to create a password. The shared key is never used again, so the password is only good for that one cycle.
port security – limiting the number of MAC addresses allowed on a port, and/or actually limiting the MACs themselves
RADIUS – RFC2865 – an authentication scheme for usernames/passwords. Authenticated users can have RADIUS attributes associated with their accounts that grant them certain permissions on the device they are authenticating against.
SAFE blueprint – a Cisco whitepaper on securing a network. Uses a tiered approach and defined mitigation strategy for common network threats.
smurf attack – an ICMP echo is sent via directed broadcast to a subnet. The source of the echo is spoofed to be a host on that LAN. That host gets all of the echo replies from all over the subnet, therefore being attacked.
sticky learning – when a switch running port-security with sticky learning learns a MAC, he applies that entry to his startup-configuration automatically
supplicant – in the context of 802.1X, this is the device the user is sitting in front of, where he enters his username/password. The device will send this information to the switch via EAP.
TACACS+ – Cisco proprietary – like RADIUS in concept. A means of authenticating a user to a device via username/password.
TCP intercept – the router pays close attention to TCP conversations, either monitoring the status of 3-way handshakes, or actually taking on the burden of the 3-way handshake itself, protecting the server.
TCP SYN flood – sending a ton of SYNs, causing the victim to SYN/ACK, but never responding with the final ACK. The victim sits there with tons of half-open TCP connections, potentially running out of resources in his TCP stack.