Glossary of Key Terms – CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Glossary of Key Terms


802.1Q 802.1Q is an IEEE standard protocol used for VLAN tagging of Ethernet frames. 802.1Q defines the procedures to be used by switches, wireless access points, and other network devices when handling such frames. The most critical piece of information in an 802.1Q VLAN tag is the VLAN ID.

802.1X 802.1X is an IEEE standard that is used to implement port-based access control. In simple terms, an 802.1X access device will allow traffic on the port only after the device has been authenticated and authorized.


AAA Authentication, authorization, and accounting.

Access control list (ACL) This is the simplest way to implement a DAC-based system. ACLs can apply to different objects (like files) or they can also be configured statements (policies) in network infrastructure devices (routers, firewalls, and so on). For instance, an ACL, when applied to an object, will include all the subjects that can access the object and their specific permissions. There is also the concept of ACLs in routers and firewalls. In those implementations, the ACL provides packet filtering to protect “internal” networks from the “outside” systems and to filter traffic leaving the inside network. ACL criteria could be the source address of the traffic, the destination address of the traffic, destination port, source port, and the upper-layer protocol (otherwise known as the five-tuple).

Access control matrix (ACM) This is an access control mechanism that is usually associated with a DAC-based system. An ACM includes three elements: the subject, the object, and the set of permissions. Each row of an ACM is assigned to a subject, while each column represents an object. The cell that identifies a subject/object pair includes the permission that subject has on the object. An ACM could be seen as a collection of access control lists or a collection of capability tables, depending on how you want to read it.

Accounting Accounting is the process of auditing and monitoring what a user does once a specific resource is accessed. This process is sometimes overlooked; however, as a security professional, it is important to be aware of accounting and to advocate that it be implemented because of the great help it provides during detection and investigation of cybersecurity breaches.

Apache Mesos A distributed Linux kernel that provides native support for launching containers with Docker and AppC images. You can download Apache Mesos and access its documentation at

Asymmetric algorithm An encryption algorithm that uses two different keys—a public key and a private key. Together they make a key pair.

Attribute-based access control (ABAC) Attribute-based access control (ABAC) is a logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request.

Authentication server An entity that provides an authentication service to an authenticator. The authentication server determines whether the supplicant is authorized to access the service. This is sometimes referred to as the Policy Decision Point (PdP). The Cisco Identity Services Engine (ISE) is an example of an authentication server.

Authenticator An entity that facilitates authentication of other entities attached to the same LAN. This is sometimes referred to as the Policy Enforcement Point (PeP). Cisco switches, wireless routers, and access points are examples of authenticators.

Authorization Authorization is the process of assigning an authenticated subject permission to carry out a specific operation. The authorization model defines how access rights and permissions are granted. The three primary authorization models are object capability, security labels, and ACLs.


BeyondCorp Google’s implementation of zero trust. This model shifts access control from the network perimeter firewalls and other security devices to individual devices and users.

Black hat hackers These individuals perform illegal activities, such as organized crime.

Block cipher A block cipher is a symmetric key (same key to encrypt and decrypt) cipher that operates on a group of bits called a block. A block cipher encryption algorithm may take a 64-bit block of plain text and generate a 64-bit block of cipher text. With this type of encryption, the same key to encrypt is also used to decrypt.

BPDU Guard A Cisco switch feature that allows a switch to protect itself if bridge protocol data units (BPDUs) show up where they should not.


Capability table A collection of objects that a subject can access, together with the granted permissions. The key characteristic of a capability table is that it is subject centric instead of being object centric, like in the case of an access control list.

CDP Cisco Systems introduced the Cisco Discovery Protocol (CDP) in 1994 to provide a mechanism for the management system to automatically learn about devices connected to the network. CDP runs on Cisco devices (routers, switches, phones, and so on) and is also licensed to run on some network devices from other vendors. Using CDP, network devices periodically advertise their own information to a multicast address on the network, making it available to any device or application that wishes to listen and collect it.

Certificate authority A system that generates and issues digital certificates to users and systems.

Cisco FDM The Cisco Firepower Device Manager (FDM) is used to configure small Cisco FTD deployments. To access the Cisco FDM, you just need to point your browser at the firewall in order to configure and manage the device.

Cisco FMC Cisco FTD devices, Cisco Firepower devices, and the Cisco ASA FirePOWER modules can be managed by the Firepower Management Center (FMC), formerly known as the FireSIGHT Management Center.

Cloud access security broker (CASB) CASB provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware such as ransomware.

Continuous Delivery (CD) Continuous Delivery (CD) sits on top of Continuous Integration (CI) and provides a way for automating the entire software release process. When you adopt CI/CD methodologies, each change in code should trigger an automated build-and-test sequence. This automation should also provide feedback to the programmers who made the change.

Continuous Integration (CI) A software development practice where programmers merge code changes in a central repository multiple times a day.

Contiv Contiv is an open source project that allows you to deploy micro-segmentation policy-based services in container environments.

Control plane The control plane includes protocols and traffic that the network devices use on their own without direct interaction from an administrator. An example is a routing protocol. A routing protocol can dynamically learn and share routing information that the router can then use to maintain an updated routing table. If a failure occurs in the control plane, a router might lose the capability to share or correctly learn dynamic routing information, and as a result might not have the routing intelligence to be able to route for the network.

Crypter A crypter functions to encrypt or obscure the code. Some crypters obscure the contents of the Trojan by applying an encryption algorithm. Crypters can use anything from AES, RSA, to even Blowfish, or might use more basic obfuscation techniques such as XOR, Base64 encoding, or even ROT13. Again, these techniques are used to conceal the contents of the executable program, making it undetectable by antivirus and resistant to reverse-engineering efforts.


Data plane The data plane includes traffic that is being forwarded through the network (sometimes called transit traffic). An example is a user sending traffic from one part of the network to access a server in another part of the network; the data plane represents the traffic that is either being switched or forwarded by the network devices between clients and servers. A failure of some component in the data plane results in the customer’s traffic not being able to be forwarded. Other times, based on policy, you might want to deny specific types of traffic that are traversing the data plane.

Designated port The switch port that can send the best bridge protocol data unit (BPDU) for a particular VLAN on a switch is considered the designated port.

DevOps DevOps is the outcome of many trusted principles from software development, manufacturing, and leadership to the information technology value stream. DevOps relies on bodies of knowledge from Lean, Theory of Constraints, resilience engineering, learning organizations, safety culture, human factors, and many others.

DevSecOps DevSecOps is a concept used in recent years to describe how to move security activities to the start of the development lifecycle and have built-in security practices in the CI/CD pipeline. The business environment, culture, law compliance, and external market drive relate to how a secure development life cycle (also referred to as SDLC) and a DevSecOps program are implemented in an organization.

DHCP Snooping A Cisco switch feature that prevents rogue DHCP servers from impacting the network.

Diameter An authentication protocol. RADIUS and TACACS+ were created with the aim of providing AAA services to network access via dial-up protocols or terminal access. Due to their success and flexibility, they have been used in several other scopes. To respond to newer access requirements and protocols, the IETF has proposed a new protocol called Diameter, which is described in RFC 6733.

Diffie-Hellman Diffie-Hellman is a key agreement protocol that enables two users or devices to authenticate each other’s pre-shared keys without actually sending the keys over the unsecured medium. R1 sends the Key Exchange (KE) payload and a randomly generated value called a nonce.

Digital certificate A digital entity used to verify that a user is who he or she claims to be, and to provide the receiver with the means to encode a reply. Digital certificates also apply to systems, not only to individuals.

Discretionary access control (DAC) A discretionary access control (DAC) is defined by the owner of the object. DACs are used in commercial operating systems. The object owner builds an ACL that allows or denies access to the object based on the user’s unique identity. The ACL can reference a user ID or a group (or groups) that the user is a member of. Permissions can be cumulative.

DMVPN DMVPN is a technology created by Cisco that aims to reduce the hub router configuration. In a legacy hub-and-spoke IPsec configuration, each spoke router has a separate block of configuration lines on the hub router that defines the crypto map characteristics, the crypto ACLs, and the GRE tunnel interface. When deploying DMVPN, you configure a single mGRE tunnel interface, a single IPsec profile, and no crypto access lists on the hub router. The main benefit is that the size of the configuration on the hub router remains the same even if spoke routers are added at a later point.

Docker Swarm A container cluster management integrated with the Docker Engine. You can access the Docker Swarm documentation at

Domain Keys Identified Mail (DKIM) DKIM is an industry standard defined in RFC 5585. DKIM provides a means for gateway-based cryptographic signing of outgoing messages. This allows you to embed verification data in an email header and for email recipients to verify the integrity of the email messages. DKIM uses DNS TXT records to publish public keys.

Downloadable ACL (dACL) A downloadable ACL (dACL), also called a per-user ACL, is an ACL that can be applied dynamically to a port. The term downloadable stems from the fact that these ACLs are pushed from the authenticator server (for example, from a Cisco ISE) during the authorization phase. When a client authenticates to the port (for example, by using 802.1X), the authentication server can send a dACL that will be applied to the port and that will limit the resources the client can access over the network.

Dropper A dropper is software designed to install a malware payload on the victim’s system. Droppers try to avoid detection and evade security controls by using several methods to spread and install the malware payload.

DTLS Datagram Transport Layer Security (DTLS), defined in RFC 6347, provides security and privacy for UDP packets. This allows UDP-based applications to send and receive traffic in a secure fashion without concern about packet tampering and message forgery. Thus, applications can avoid the delays associated with TCP but still communicate securely by using DTLS.

Dynamic ARP Inspection A Cisco switch feature that prevents spoofing of Layer 2 information by hosts.


EAP over LAN (EAPoL) An encapsulation defined in 802.1X that’s used to encapsulate EAP packets to be transmitted from the supplicant to the authentication server.

Endpoint group (EPG) Cisco ACI allows organizations to automatically assign endpoints to logical security zones called endpoint groups (EPGs). EPGs are used to group VMs within a tenant and apply filtering and forwarding policies to them. These EPGs are based on various network-based or VM-based attributes.

Ethos Ethos is a “fuzzy fingerprinting” engine that uses static or passive heuristics. The engine creates generic file signatures that can match polymorphic variants of a threat. This is useful because when a threat morphs or a file is changed, the structural properties of that file often remain the same, even though the content has changed. Unlike most other signature tools, Ethos uses distributed data mining to identify suitable files. It uses in-field data for sources, which provides a highly relevant collection from which to generate the signatures.

Exploit An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system. Exploits are dangerous because all software has vulnerabilities; hackers and perpetrators know that there are vulnerabilities and seek to take advantage of them.

Extensible Authentication Protocol (EAP) An authentication protocol used between the supplicant and the authentication server to transmit authentication information.


Federated Identity Management A collection of shared protocols that allows user identities to be managed across organizations.

Federation Provider An identity provider that offers single sign-on, consistency in authorization practices, user management, and attributes-exchange practices between identity providers (issuers) and relying parties (applications).

“Five-tuple” The source and destination IP addresses, source and destination ports, and IP protocol.

FlexVPN FlexVPN is an IKEv2-based VPN technology that provides several benefits beyond traditional site-to-site VPN implementations. FlexVPN is a standards-based solution that can interoperate with non-Cisco IKEv2 implementations. It supports different VPN topologies, including point-to-point, remote-access, hub-spoke, and dynamic mesh (including per-user or per-peer policies). FlexVPN combines all these different VPN technologies using one command-line interface (CLI) set of configurations. FlexVPN supports unified configuration and show commands, underlying interface infrastructure, and features across different VPN topologies.

FlowCollector A physical or virtual appliance that collects NetFlow data from infrastructure devices.

FlowReplicator A physical appliance used to forward NetFlow data as a single data stream to other devices. The FlowReplicator is also known as the UDP Director.

FlowSensor A physical or virtual appliance that can generate NetFlow data when legacy Cisco network infrastructure components are not capable of producing line-rate, unsampled NetFlow data.

Forest A collection of domains managed by a centralized system.


GDOI GDOI is defined as the ISAKMP Domain of Interpretation (DOI) for group key management. The GDOI protocol operates between a group member and a group controller or key server (GCKS), which establishes SAs among authorized group members.

GETVPN Cisco’s Group Encrypted Transport VPN (GETVPN) provides a collection of features and capabilities to protect IP multicast group traffic or unicast traffic over a private WAN. GETVPN combines the keying protocol Group Domain of Interpretation (GDOI) and IPsec. GETVPN enables the router to apply encryption to “native” (non-tunneled) IP multicast and unicast packets and removes the requirement to configure tunnels to protect multicast and unicast traffic. DMVPN allows Multiprotocol Label Switching (MPLS) networks to maintain full-mesh connectivity, natural routing path, and Quality of Service (QoS).

Gray hat hackers These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking. It would be unethical to employ these individuals to perform security duties for your organization because you are never quite clear where they stand.

GRE Generic Routing Encapsulation (GRE) Protocol is defined by RFC 2784 and extended by RFC 2890. GRE provides a simple mechanism to encapsulate packets of any protocol (the payload packets) over any other protocol (the delivery protocol) between two endpoints. In a GRE tunnel implementation, the GRE protocol adds its own header (4 bytes plus options) between the payload (data) and the delivery header.


Hashed Message Authentication Code (HMAC) HMAC uses the mechanism of hashing, but instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type. Thus, only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash. When this mechanism is used, an attacker who is eavesdropping and intercepting packets cannot inject or remove data from those packets without being noticed: without the key or keys used for the calculation, he cannot recalculate the correct hash for the modified packet.

Hashing Hashing is a method used to verify data integrity. An example of using a hash to verify integrity is the sender running a hash algorithm on a packet and attaching that hash to it. The receiver runs the same hash against the packet and compares his results against the results the sender had (which are attached to the packet as well). If the hash generated matches the hash that was sent, they know that the entire packet is intact. If a single bit of the hashed portion of the packet is modified, the hash calculated by the receiver will not match, and the receiver will know that the packet had a problem (specifically with the integrity of the packet). Examples of hashing algorithms are MD5 and SHA.

Hashing algorithms Algorithms used to verify data integrity.


IaaS IaaS describes a cloud solution in which you rent infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model because you pay for what you use.

Identification Identification is the process of providing the identity of a subject or user. This is the first step in the authentication, authorization, and accounting process. Providing a username, a passport, an IP address, or even pronouncing your name is a form of identification.

Identity certificate An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client). An example of a client is a web server that wants to support Secure Sockets Layer (SSL) or a router that wants to use digital signatures for authentication of a VPN tunnel.

Identity Provider (IdP) An application, website, or service responsible for coordinating identities between users and clients. IdPs can provide a user with identifying information and provide that information to services when the user requests access.

Implicit deny If no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction.

Indicator of compromise (IOC) An indicator of compromise (IOC) is any observed artifact on a system or a network that could indicate an intrusion. There may be artifacts left on a system after an intrusion or a breach, and they can be expressed in a language that describes the threat information, known as an IOC. The sets of information describe how and where to detect the signs of the intrusion or breach. IOCs can be host-based and/or network-based artifacts, but the scan actions are carried out on the host only.

Internet Message Access Protocol (IMAP) An email client communication protocol that allows users to keep messages on the server. An IMAP-enabled mail user agent (MUA) displays messages directly from the server. However, you can also download messages using IMAP for archiving purposes.

IP Source Guard A Cisco switch feature that prevents spoofing of Layer 2 information by hosts.

IPFIX The Internet Protocol Flow Information Export (IPFIX) is a network flow standard led by the Internet Engineering Task Force (IETF). IPFIX was created to provide a common, universal standard of export for flow information from routers, switches, firewalls, and other infrastructure devices.


Kerberos A ticket-based protocol for authentication built on symmetric-key cryptography.

Kubernetes (k8s) A container and application orchestration platform. Kubernetes automates the distribution, scheduling, and orchestration of application containers across a cluster.

L2F Layer 2 Forwarding (L2F) Protocol is a legacy VPN protocol created by Cisco for Layer 2 VPN implementations.

LLDP 802.1AB (Station and Media Access Control Connectivity Discovery, or Link Layer Discovery Protocol [LLDP]). LLDP, which defines basic discovery capabilities, was enhanced to specifically address the voice application; this extension to LLDP is called LLDP-MED or LLDP for Media Endpoint Devices.

MAC Authentication Bypass (MAB) MAB is a feature that relies on a MAC address for authentication. For instance, you can “whitelist” a MAC address to bypass 802.1X authentication. This is done for devices that do not have an 802.1X supplicant (such as printers, IP phones, and so on). A MAC address is a globally unique identifier that is assigned to all network-attached devices. Subsequently, it can be used in authentication. However, since you can spoof a MAC address, MAB is not a strong form of authentication and can be abused by attackers.

Mail delivery agent (MDA) A component of a mail transfer agent (MTA) responsible for the final delivery of an email message to a person’s inbox (mailbox).

Mail Exchanger (MX) record DNS MX records are used to route the mail traffic on the Internet. An MX record is a type of verified resource record in DNS that specifies a mail server responsible for accepting email messages on behalf of a recipient’s domain, and a preference value is used to prioritize mail delivery if multiple mail servers are available. The set of MX records of a domain name specifies how email should be routed with Simple Mail Transfer Protocol (SMTP).

Mail transfer agent (MTA) The entity responsible for transferring emails from a sender to the recipient.

Mail user agent (MUA) A component of a mail transfer agent (MTA) that accepts new mail messages from a mail server. The MUA is also known as the “email client”.

Management plane The management plane includes the protocols and traffic that an administrator uses between his workstation and the router or switch itself. An example is using a remote management protocol such as Secure Shell (SSH) to monitor or configure the router or switch.

Mandatory access control (MAC) A mandatory access control (MAC) is defined by policy and cannot be modified by the information owner. MACs are primarily used in secure military and government systems that require a high degree of confidentiality. In a MAC environment, objects are assigned a security label that indicates the classification and category of the resource. Subjects are assigned a security label that indicates a clearance level and assigned categories (based on the need to know).

Mobile device management (MDM) Software that is used for the administration of mobile devices, including smartphones, tablets, and laptops.

Multifactor authentication Multifactor authentication is when two or more factors are presented.

Multilayer authentication Multilayer authentication is when two or more of the same type of factors are presented.

Multitenancy A term in computing architecture referring to the serving of many users (tenants) from a single instance of an application. Software as a Service (SaaS) offerings are examples of multitenancy. They exist as a single instance but have dedicated shares served to many companies and teams.


NAT Traversal (NAT-T) NAT Traversal (NAT-T) is a technology to encapsulate IPsec packets in UDP. Traditionally, the IPsec tunnels fail to pass traffic if there is a PAT device between the peers. By default, IPsec devices use the Encapsulated Security Payload (ESP) protocol, which does not have any Layer 4 information, and therefore the PAT device ends up dropping the IPsec packet. NAT Traversal (NAT-T) is used to encapsulate the ESP packets into a UDP port connection on port 4500 so that any intermediate PAT device would have no trouble translating the encrypted packets. NAT-T is dynamically negotiated if both VPN peers are NAT-T capable or if there is a NAT or PAT device between the peers. If both conditions are met, VPN peers start their communication using ISAKMP (UDP port 500), and as soon as a NAT or PAT device is detected, they switch to UDP port 4500 to complete the rest of their negotiations. NAT-T is globally enabled on the Cisco ASA by default. In many cases, the NAT/PAT devices time out the NAT-T encrypted connection on UDP port 4500 entries if there is no active traffic passing through them.

Need to know A subject should be granted access to an object only if the access is needed to carry out the job of the subject.

NETCONF Defined in RFCs 6241 and 6242, NETCONF is a network management protocol created to overcome the challenges in legacy Simple Network Management Protocol (SNMP) implementations.

NetFlow NetFlow is a technology originally created by Cisco that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.

Network Functions Virtualization (NFV) NFV is a technology that addresses the virtualization of Layer 4 through Layer 7 services. These include things like load balancing and security capabilities such as firewall-related features. In short, with NFV, you convert certain types of network appliances into VMs. NFV was created to address the inefficiencies that were introduced by virtualization.

Neutron Neutron is the networking component in OpenStack. Neutron is designed to provide “networking as a service” in private, public, and hybrid cloud environments. Other OpenStack components, such as Horizon (Web UI) and Nova (compute service), interact with Neutron using a set of APIs to configure the networking services. Neutron uses plug-ins to deliver advanced networking capabilities and allow third-party vendor integration. Neutron has two main components: the neutron server and a database that handles persistent storage and plug-ins to provide additional services.

Nomad A container management and orchestration platform by HashiCorp. You can download and obtain detailed information about Nomad at

Nondesignated port A switch port that does not forward packets so as to prevent the existence of loops within networks.


OAuth An open standard for authorization used by many APIs and modern applications. You can access OAuth and OAuth 2.x specifications and documentation at

One-time passcode (OTP) A one-time passcode (OTP) is a set of characteristics that can be used to prove a subject’s identity one time and one time only. Because the OTP is valid for only one access, if it’s captured, additional access would be automatically denied. The OTP is generally delivered through a hardware or software token device. The token displays the code, which must then be typed in at the authentication screen. Alternatively, the OTP may be delivered via email, text message, or phone call to a predetermined address or phone number.

Open vSwitch An open source implementation of a multilayer virtual switch inside the hypervisor.

OpenDaylight (ODL) OpenDaylight is a popular open source project that is focused on the enhancement of software-defined networking (SDN) controllers to provide network services across multiple vendors. OpenDaylight interacts with Neutron via a northbound interface and manages multiple interfaces southbound, including the Open vSwitch Database Management Protocol (OVSDB) and OpenFlow.

OpenID (or OpenID Connect) An open standard for authentication. OpenID Connect allows third-party services to authenticate users without clients needing to collect, store, and subsequently become liable for a user’s login information. Detailed information about OpenID can be accessed at

Out-of-band authentication Out-of-band authentication requires communication over a channel that is distinct from the first factor. A cellular network is commonly used for out-of-band authentication. For example, a user enters her name and password at an application logon prompt (factor 1). The user then receives a call on her mobile phone; the user answers and provides a predetermined code (factor 2). For the authentication to be compromised, the attacker would have to have access to both the computer and the phone.


PaaS PaaS provides everything except applications. Services provided by this model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (API), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

Packer A packer is similar to a program such as WinZip, Rar, or Tar because it compresses files. However, whereas compression programs compress files to save space, packers do this to obfuscate the activity of the malware. The idea is to prevent anyone from viewing the malware’s code until it is placed in memory.

PFS Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key.

Port security A Cisco switch feature that limits the number of MAC addresses to be learned on an access switch port.

Post Office Protocol (POP) An application-layer protocol used by an email client to retrieve (download) email from a remote server.

Posture assessment Posture assessment includes a set of rules in a security policy that define a series of checks before an endpoint is granted access to the network. Posture assessment checks include the installation of operating system patches, host-based firewalls, antivirus and antimalware software, disk encryption, and more.

PPTP Point-to-Point Tunneling Protocol (PPTP) is a legacy VPN protocol.

Proxy auto-configuration (PAC) files Files used to configure an end-user client’s web proxy settings.

pxGrid Cisco pxGrid provides a cross-platform integration capability between security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform. Cisco ISE supports Cisco pxGrid to provide a unified ecosystem to integrate multivendor tools to exchange information either unidirectionally or bidirectionally.


RADIUS The Remote Authentication Dial-In User Service (RADIUS) is an AAA protocol mainly used to provide network access services. Due to its flexibility, it has been adopted in other scenarios as well. The authentication and authorization parts are specified in RFC 2865, while the accounting part is specified in RFC 2866.

Ransomware A piece of malware that is designed to encrypt personal files on the victim’s system until a ransom is paid to the attacker.

Representational State Transfer (REST) REST is an API standard. REST is easier to use than SOAP. It uses JSON instead of XML, and it uses standards like Swagger and the OpenAPI specification for ease of documentation and to help with adoption.

RESTCONF A REST-based variant of NETCONF used to manage networking devices.

Role-based access control (RBAC) A role-based access control (also called a “nondiscretionary control”) is an access permission based on a specific role or function. Administrators grant access rights and permissions to roles. Users are then associated with a single role. There is no provision for assigning rights to a user or group account.

Root certificate A root certificate contains the public key of the CA server and the other details about the CA server.

Root Guard A Cisco switch feature that controls which ports are not allowed to become root ports to remote root switches.

Root port The switch port that is closest to the root bridge in terms of STP path cost (that is, it receives the best BPDU on a switch) is considered the root port. All switches, other than the root bridge, contain one root port.


SaaS SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a per-use fee.

Scalable Group Tag Exchange Protocol (SXP) The Scalable Group Tag (SGT) Exchange Protocol (SXP) is a control plane protocol used to convey IP-to-SGT mappings to network devices when you cannot perform inline tagging. SXP provides capabilities to identify and classify IP packets to corresponding SGTs tracked in the mapping table within network devices. SXP uses peer-to-peer TCP connections over TCP port 64999.

Security Assertion Markup Language (SAML) SAML is an open standard for exchanging authentication and authorization data between identity providers. SAML is used in many single sign-on (SSO) implementations.

Security group–based ACL (SGACL) An ACL that implements access control based on the security group assigned to a user (for example, based on his role within the organization) and the destination resources. SGACLs are implemented as part of Cisco TrustSec policy enforcement. Cisco TrustSec is described in a bit more detail in the sections that follow. The enforced ACL may include both Layer 3 and Layer 4 access control entries (ACEs).

Security zone A security zone is a collection of one or more inline, passive, switched, or routed interfaces (or ASA interfaces) that you can use to manage and classify traffic in different policies. Interfaces in a single zone could span multiple devices. Furthermore, you can also enable multiple zones on a single device to segment your network and apply different policies.

Sender Policy Framework (SPF) SPF enables recipients to verify the sender’s IP addresses by looking up DNS records that list authorized mail gateways for a particular domain. SPF is an industry standard defined in RFC 4408. SPF uses DNS TXT resource records. The Cisco ESA supports SPF to verify HELO/EHLO and MAIL FROM identity (FQDN).

SenderBase A reputation service that enables you to control the messages that come through the Cisco ESA email gateway based on the senders’ trustworthiness (reputation).

Simple Object Access Protocol (SOAP) SOAP is a standards-based web services access protocol that was originally developed by Microsoft and has been used by numerous legacy applications for many years. SOAP exclusively uses XML to provide API services. XML-based specifications are governed by XML Schema Definition (XSD) documents. SOAP was originally created to replace older solutions such as the Distributed Component Object Model (DCOM) and Common Object Request Broker Architecture (CORBA).

SKEYID The SKEYID is a string derived from secret material that is known only to the active participants in the IKE exchange.

Social Identity Provider (Social IdP) A type of identity provider originating in social services like Google, Facebook, Twitter, and so on.

Spero A machine learning–based technology that proactively identifies threats that were previously unknown. It uses active heuristics to gather execution attributes, and because the underlying algorithms come up with generic models, they can identify malicious software based on its general appearance rather than basing identity on specific patterns or signatures.

Split tunneling After the tunnel is established, typically the default behavior of a VPN client is to encrypt traffic to all the destination IP addresses. This means that if an SSL VPN user wants to browse to a given site over the Internet, the packets are encrypted and sent to the VPN headend. After decrypting them, the VPN headend searches its routing table and forwards the packets to the appropriate next-hop IP address in clear text. These steps are reversed when traffic returns from the web server and is destined to the SSL VPN client. With split tunneling, the VPN headend notifies the client about the secured subnets. The VPN client, using the secured routes, encrypts only those packets that are destined for the networks behind the security appliance. With split tunneling, the remote computer is susceptible to threat actors, who can potentially take control over the computer and direct traffic over the tunnel.

Stealthwatch Management Console (SMC) The main management application in the Cisco Stealthwatch solution that provides detailed dashboards and the ability to correlate network flow and events.

Stream cipher A stream cipher is a symmetric key cipher (meaning the same key is used to encrypt and decrypt), where the plaintext data is encrypted a bit at a time against the bits of the key stream, also called a cipher digit stream. The resulting output is a ciphertext stream. Because a cipher stream does not have to fit in a given block size, there may be slightly less overhead than with a block cipher that requires padding to complete a block size.

Stream Control Transmission Protocol (SCTP) IPFIX uses SCTP, which provides a packet transport service designed to support several features beyond TCP or UDP capabilities. Many describe SCTP as a simpler state machine than TCP, with an “a la carte” selection of features.

Structured Threat Information eXpression (STIX) STIX is a language to represent threat intelligence information. STIX details can contain data such as the IP addresses or domain names of command-and-control servers (often referred to as C2 or CnC), malware hashes, and so on. STIX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at You can review numerous examples of STIX content, objects, and properties at

Supplicant An entity that seeks to be authenticated by an authenticator. For example, this could be a client laptop connected to a switch port. An example of supplicant software is the Cisco AnyConnect Secure Mobility Client.

Symmetric algorithm An encryption algorithm that uses the same key to encrypt the data and decrypt the data.


TACACS+ Terminal Access Controller Access Control System Plus (TACACS+) is a proprietary protocol developed by Cisco. It also uses a client-server model, where the TACACS+ client is the access server and the TACACS+ server is the machine providing TACACS+ services (that is, authentication, authorization, and accounting).

TETRA An AMP for Endpoints engine that provides a full client-side antivirus solution.

Threat A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited—or, more importantly, it is not yet publicly known—the threat is latent and not yet realized. Fire, someone stealing an asset, and a cybersecurity attack are all examples of threats.

Threat intelligence Threat intelligence is the knowledge about an existing or emerging threat to assets, including networks and systems. Threat intelligence includes context, mechanisms, indicators of compromise (IoCs), implications, and actionable advice. It also refers to the information about the observables, the intent of the IoCs, and capabilities of internal and external threat actors and their attacks. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries.

Trusted Automated eXchange of Indicator Information (TAXII) An open transport mechanism that standardizes the automated exchange of cyber-threat information. TAXII was originally developed by MITRE and is now maintained by OASIS. You can also obtain detailed information about TAXII at

TrustSec Security Group Tag (SGT) Cisco TrustSec is a solution for identity and policy enforcement. ISE can use Security Group Tags for authentication and authorization. SGTs are values that are inserted into the client’s data frames by a network device (for example, a switch, firewall, or wireless AP). This tag is then processed by another network device receiving the data frame and used to apply a security policy.


uSeg EPG A micro-segment in ACI is also often referred to as a uSeg EPG. You can group endpoints in existing application EPGs into new micro-segment (uSeg) EPGs and configure network or VM-based attributes for those uSeg EPGs. With these uSeg EPGs, you can apply dynamic policies. You can also apply policies to any endpoints within the tenant.

VLAN One way to identify a local area network is to say that all the devices in the same LAN have a common Layer 3 IP network address and that they also are all located in the same Layer 2 broadcast domain. A virtual LAN (VLAN) is another name for a Layer 2 broadcast domain. VLANs are controlled by the switch. The switch also controls which ports are associated with which VLANs.

VLAN ACL A VLAN access control list (VLAN ACL), also called a VLAN map, is not specifically a Layer 2 ACL; however, it is used to limit the traffic within a specific VLAN. A VLAN map can apply a MAC access list, a Layer 3 ACL, and a Layer 4 ACL to the inbound direction of a VLAN to provide access control.

Vulnerability A vulnerability is a weakness in the system design, implementation, software, or code, or the lack of a mechanism. A specific vulnerability might manifest as anything from a weakness in system design to the implementation of an operational procedure. Vulnerabilities might be eliminated or reduced by the correct implementation of safeguards and security countermeasures.

Web Cache Communication Protocol (WCCP) WCCP is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms.

Web Identity Identifying characters obtained from an HTTP request (often these are retrieved from an authenticated email address).

Web Proxy Auto-Discovery (WPAD) protocol You can advertise and configure clients with PAC settings by using the Web Proxy Auto-Discovery (WPAD) protocol. WPAD uses the auto-detect proxy settings found in every modern web browser.

White hat hackers These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.

Windows Identity This is how Active Directory in Microsoft Windows environments organizes user information.

Wrapper A wrapper is a program used to combine two or more executables into a single packaged program. Wrappers are also referred to as binders, packagers, and EXE binders because they are the functional equivalent of binders for Windows Portable Executable files. Some wrappers only allow programs to be joined; others allow the binding together of three, four, five, or more programs. Basically, these programs perform like installation builders and setup programs. Besides allowing you to bind a program, wrappers add additional layers of obfuscation and encryption around the target file, essentially creating a new executable file.

WS-Federation A common infrastructure (federated standard) for identity, used by web services and browsers on Windows Identity Foundation. Windows Identity Foundation is a framework created by Microsoft for building identity-aware applications.


YANG YANG is an API contract language used in many networking devices. In other words, you can use YANG to write a specification for what the interface between a client and networking device (server) should be on a particular topic. A YANG model typically concentrates on the data that a client processes using standardized operations.

Zero trust This concept assumes that no system or user will be “trusted” when requesting access to the corporate network, systems, and applications hosted on the premises or in the cloud. You must first verify their trustworthiness before granting access.

Zone-Based Firewall (ZBFW) The Cisco IOS Zone-Based Firewall is a stateful firewall used in Cisco IOS devices. ZBFW is the successor of the legacy IOS firewall or the context-based access control (CBAC).