Glossary of Key Terms

Authentication Header (AH) An IPsec protocol (RFC 4302) that provides connectionless integrity and data origin authentication for IP packets, with optional anti-replay protection. The sender computes a keyed hash (for example, HMAC-SHA-256) over the data payload and the immutable fields of the IP header and carries the result in the AH integrity check value (ICV); this is a keyed hash, not an asymmetric digital signature, and AH provides no confidentiality. Because the source and destination addresses are covered by the hash, AH cannot pass through Network Address Translation (NAT).
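The following is an added example, not code from the glossary's source, that builds the AH integrity check value exactly as described above: the ICV is an HMAC over the payload plus the IP header with its mutable fields zeroed. The key, addresses, SPI and payload are all constructed for the demonstration. It shows why a router decrementing the TTL leaves the packet verifiable while a NAT device rewriting the source address does not.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example key: in IPsec this key is negotiated by IKE;
# a fixed value stands in for it here.
KEY = bytes(range(32))


def ipv4_header(src, dst, total_len, ttl=64, proto=51, ident=0x1234):
    """Build a 20-byte IPv4 header (protocol 51 = AH). Checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(hdr):
    """RFC 4302: fields that change in transit are zeroed before hashing:
    TOS/DSCP (byte 1), flags + fragment offset (bytes 6-7), TTL (byte 8)
    and header checksum (bytes 10-11). Addresses (bytes 12-19) stay in."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(spi, seq, icv=b"\x00" * 16, next_header=17):
    """AH header for HMAC-SHA-256-128: next header, payload length in
    32-bit words minus 2 ((12 + 16) / 4 - 2 = 5), reserved, SPI, sequence
    number, then the 16-byte ICV."""
    return struct.pack("!BBHII", next_header, 5, 0, spi, seq) + icv


def ah_icv(ip_hdr, spi, seq, payload, key=KEY):
    """ICV = HMAC-SHA-256 over (immutable IP header || AH header with the
    ICV field zeroed || payload), truncated to 128 bits (RFC 4868)."""
    data = zero_mutable_fields(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def build_ah_packet(src, dst, spi, seq, payload, key=KEY):
    """Sender: IP header, AH header carrying the ICV, then the payload."""
    ip_hdr = ipv4_header(src, dst, total_len=20 + 28 + len(payload))
    icv = ah_icv(ip_hdr, spi, seq, payload, key)
    return ip_hdr + ah_header(spi, seq, icv) + payload


def verify_ah_packet(pkt, key=KEY):
    """Receiver: recompute the ICV and compare it in constant time."""
    ip_hdr, ah, payload = pkt[:20], pkt[20:48], pkt[48:]
    spi, seq = struct.unpack("!II", ah[4:12])
    return hmac.compare_digest(ah[12:28], ah_icv(ip_hdr, spi, seq, payload, key))


def decrement_ttl(pkt):
    """What every router hop does; TTL is mutable, so the ICV still verifies."""
    p = bytearray(pkt)
    p[8] -= 1
    return bytes(p)


def nat_rewrite_source(pkt, new_src):
    """What a NAT device does; the source address is covered by the ICV."""
    p = bytearray(pkt)
    p[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(p)


if __name__ == "__main__":
    pkt = build_ah_packet("10.1.1.10", "10.2.2.20", spi=0x1000, seq=1, payload=b"hello")
    print("original      :", verify_ah_packet(pkt))
    print("after TTL hop :", verify_ah_packet(decrement_ttl(pkt)))
    print("after NAT     :", verify_ah_packet(nat_rewrite_source(pkt, "203.0.113.5")))
```

Real implementations also check the sequence number against the anti-replay window before spending an HMAC on the packet; that check is omitted here to keep the focus on what the ICV covers.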

certificate authority (CA) A trusted entity that is responsible for issuing digital certificates.

Cisco Adaptive Security Device Manager (ASDM) A management option for Cisco ASA appliances that can also manage the Cisco AnyConnect Secure Mobility Client.

Cisco Defense Orchestrator (CDO) A cloud-based management option for Cisco security devices ranging from the ASA Series to other firewall and network devices.

Cisco Secure Firewall Device Manager (FDM) An on-box management option for multiple 1000 Series and 2100 Series devices and select 5500-X Series devices running the Cisco Secure Firewall Threat Defense (FTD) software image. Each FTD device is managed individually through its own FDM instance rather than from a central manager.

Cisco Secure Firewall Management Center (FMC) A centralized management option for Cisco Firepower Next Generation Firewall (NGFW), Cisco Firepower Next Generation IPS (NGIPS), and Cisco AMP (Advanced Malware Protection) for networks as well as threat correlation for network sensors and AMP for Endpoints.

connection profile A VPN profile (formerly called a tunnel group) that identifies the group policy for a specific connection. A connection profile consists of a set of records that determines tunnel connection policies.

crypto map A software configuration entity that selects data flows that need security processing and defines the policy for flows that are selected for security processing and the crypto peer toward which that traffic needs to flow. Crypto maps are applied to interfaces.

Datagram Transport Layer Security (DTLS) protocol A communication protocol (RFC 6347) that provides TLS-equivalent security for datagram-based (UDP) applications, allowing them to communicate securely without the head-of-line blocking a TCP-based tunnel imposes. Cisco AnyConnect uses DTLS for latency-sensitive traffic when UDP is reachable and falls back to TLS over TCP otherwise.

Diffie–Hellman (DH) A public key agreement protocol that allows two parties to establish a shared secret over an insecure communications channel without ever transmitting the secret itself. IKE uses it to establish session keys; the DH group number (for example, group 14) selects the modulus or curve size and therefore the strength of the resulting keys.

Dynamic Multipoint VPN (DMVPN) A dynamic tunneling VPN supported on Cisco IOS-based routers and other systems. It combines multipoint GRE (mGRE) tunnels, the Next Hop Resolution Protocol (NHRP), and IPsec so that spokes register with a hub and can then build tunnels directly to each other on demand.

Easy VPN (EzVPN) A protocol that simplifies IPsec configuration by using the Unity client protocol, which allows most IPsec VPN parameters to be defined at an IPsec gateway (also called an EzVPN server).

elliptic curve algorithm A family of public key algorithms that operates on elliptic curves over finite fields, achieving security comparable to RSA and classic Diffie–Hellman with much shorter keys, and therefore better efficiency and performance. Elliptic curve Diffie–Hellman (ECDH) groups and ECDSA signatures are specified for protecting highly sensitive information, such as classified information.

Encapsulating Security Payload (ESP) An IPsec protocol (RFC 4303) that defines a method for encrypting data and ensuring the integrity and origin authentication of data packets, with optional anti-replay protection. Unlike AH, ESP does not protect the outer IP header, so it can be carried through NAT using UDP encapsulation (NAT Traversal, UDP port 4500).

Extensible Authentication Protocol (EAP) A protocol based on RFC 3748 that supports multiple authentication methods. It can be used across multiple data link layers, such as PPP or IEEE 802, and is commonly found in wireless networks.

FlexVPN An IKEv2-based configuration framework on Cisco IOS designed to simplify the setup of remote access, site-to-site, and DMVPN topologies with one common set of building blocks.

full mesh An architecture in which each site in a VPN can communicate with every other site in that VPN.

Group Domain of Interpretation (GDOI) A cryptographic protocol for group key management based on RFC 6407 and ISAKMP (RFC 2408).

Group Encrypted Transport VPN (GETVPN) A tunnel-less VPN solution that provides highly secure any-to-any communication between systems grouped together in a network. The original IP header is preserved while the payload is encrypted with keys that a key server distributes to all group members, which suits private WANs such as MPLS.

group policy A policy applied to a collection of users treated as a single entity.

hash algorithm A one-way function that maps input of any length to a fixed-size output (the digest) such that the input cannot practically be recovered from the digest and two different inputs are unlikely to produce the same digest. Also known as a digital fingerprinting algorithm.

Internet Key Exchange (IKE) The IPsec standard protocol (UDP port 500, or 4500 when NAT traversal is in use) that authenticates the peers and negotiates the security associations and session keys used to protect VPN traffic for site-to-site and remote host or network access.

Internet Key Exchange Version 2 (IKEv2) The current version of IKE, defined in RFC 7296, that dynamically establishes and maintains shared security state between two endpoints. IKEv2 performs mutual authentication between the two devices, establishes an IKEv2 Security Association (SA), and then negotiates the child (IPsec) SAs that protect the data traffic.

IP-Delivery Delay Detection Protocol (IP-D3P) A header that carries a timestamp that the receiver of a packet uses to determine whether the packet was generated recently. The receiver compares the timestamp delivered in the IP packet to its local time, allowing for a configured window, to decide whether the packet should be accepted or dropped as a possible replay.

IP Security (IPsec) A framework made up of open standards developed by the Internet Engineering Task Force (IETF) that is designed to offer data confidentiality, data integrity, and data origin authentication between participating peers.

key encryption key (KEK) A key distributed by the GETVPN key server that group members use to decrypt and authenticate the rekey messages the key server sends when it distributes new traffic encryption keys (TEKs).

Layer 2 Tunneling Protocol (L2TP) A tunneling protocol used to support VPNs or as part of a service provided by an ISP. L2TP provides no encryption of its own, so it is commonly combined with IPsec (L2TP/IPsec).

multipoint Generic Routing Encapsulation (mGRE) A tunneling protocol that can encapsulate a wide variety of network layer protocols inside either a point-to-point link or a point-to-multipoint link over IP. With mGRE a single tunnel interface terminates tunnels to many peers, which is why DMVPN pairs it with NHRP.

Multiprotocol Label Switching (MPLS) A data forwarding technology that routes data from one node to the next, based on short path labels rather than complex route table lookups.

network access server (NAS) A device that handles remote logins to establish a PPP connection such as a remote access VPN. Also called a media access gateway or remote access server.

Next Hop Resolution Protocol (NHRP) A protocol that allows a host or router on a non-broadcast multiple access (NBMA) network to resolve the NBMA address (for example, the public IP address) of the next hop toward a destination. DMVPN uses it so that spokes register with the hub and discover each other's addresses for direct spoke-to-spoke tunnels.

Point-to-Point Tunneling Protocol (PPTP) An early VPN standard (RFC 2637) that tunnels PPP frames in GRE with a TCP control connection on port 1723. Its authentication and encryption methods (MS-CHAP and MPPE) have known weaknesses, so PPTP is considered obsolete.

pseudorandom function (PRF) An algorithm (in IKEv2, a negotiated keyed hash such as PRF-HMAC-SHA-256) used to derive the keying material and perform the hashing operations required for IKEv2 tunnel authentication and encryption.
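The Diffie–Hellman, IKEv2 and PRF entries above describe one chain: DH produces g^ir, the PRF turns it into SKEYSEED, and prf+ expands that into the IKEv2 SA keys. The following is an added example, not code from the glossary's source, that carries that chain through for both peers using the RFC 3526 group 14 modulus (transcribed here; check it against the RFC) and PRF-HMAC-SHA-256. The nonces, SPIs and key lengths are constructed for the demonstration, and the degenerate-public-value check is the kind of check a real implementation needs.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), IKE "group 14", generator 2.
# Transcribed from the RFC for this example; verify before reuse.
GROUP14_P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
GROUP14_G = 2
PRIME_LEN = (GROUP14_P.bit_length() + 7) // 8   # 256 bytes


def dh_keypair(p=GROUP14_P, g=GROUP14_G):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(priv, peer_pub, p=GROUP14_P):
    """g^ir as an octet string padded to the modulus length (RFC 7296).
    Public values 0, 1 and p-1 are rejected: a peer sending one of them
    forces a predictable shared secret."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, p).to_bytes(PRIME_LEN, "big")


def prf(key, data):
    """PRF_HMAC_SHA2_256 (RFC 4868)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n); output T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def ikev2_skeyseed(ni, nr, g_ir):
    """SKEYSEED = prf(Ni | Nr, g^ir)  (RFC 7296 section 2.14)."""
    return prf(ni + nr, g_ir)


def ikev2_keymat(skeyseed, ni, nr, spi_i, spi_r, key_lengths):
    """Expand SKEYSEED with prf+ over Ni | Nr | SPIi | SPIr and carve the
    stream into SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr in that order."""
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(key_lengths))
    keys, pos = {}, 0
    for name, n in zip(names, key_lengths):
        keys[name] = stream[pos:pos + n]
        pos += n
    return keys


def ike_sa_init_demo():
    """Both sides of IKE_SA_INIT deriving the same keys. Nonces and SPIs are
    generated locally here; in the protocol they travel in the exchange."""
    xi, gi = dh_keypair()                      # initiator
    xr, gr = dh_keypair()                      # responder
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # AES-256 + HMAC-SHA-256-128: SK_d/SK_p = PRF key size, SK_a = 32, SK_e = 32
    lengths = (32, 32, 32, 32, 32, 32, 32)
    seed_i = ikev2_skeyseed(ni, nr, dh_shared_secret(xi, gr))
    seed_r = ikev2_skeyseed(ni, nr, dh_shared_secret(xr, gi))
    keys_i = ikev2_keymat(seed_i, ni, nr, spi_i, spi_r, lengths)
    keys_r = ikev2_keymat(seed_r, ni, nr, spi_i, spi_r, lengths)
    return keys_i, keys_r


if __name__ == "__main__":
    a, b = ike_sa_init_demo()
    print("peers agree on all seven SA keys:", a == b)
```

Only g^i and g^r cross the wire; an observer who captures both still cannot compute g^ir without one private exponent, which is what makes the DH group size (not the nonce size) the limiting factor for the strength of every key derived afterward.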

public key algorithm A cryptographic algorithm that uses different keys for encryption and decryption. It is common to call these algorithms public/private key algorithms since one key is privately held and kept secret while the other key is publicly available.

remote access VPN A VPN that enables individual users to connect to a private network from remote locations.

Secure Socket Tunneling Protocol (SSTP) A VPN tunnel protocol that provides a mechanism to transport PPP traffic through an SSL/TLS channel, typically on TCP port 443 so that it passes through most firewalls and proxies.

Secure Sockets Layer (SSL) A security standard for establishing an encrypted link between a server and a client, typically a web server and a browser. SSL itself is deprecated and has been superseded by Transport Layer Security (TLS); the term "SSL VPN" persists for VPNs that run over TLS.

security association (SA) A logical connection between two network entities that supports secure communications. An IPsec SA is unidirectional and is identified by a security parameter index (SPI), so a bidirectional tunnel requires a pair of SAs.

site-to-site VPN A VPN that allows branch offices to use the Internet as a conduit for access to other locations.

split tunneling A networking concept that permits a user to reach dissimilar security domains, such as the Internet (a public domain) and a private network (a private domain), at the same time over the same or different network connections. A VPN client typically implements it by sending only traffic for designated destinations through the tunnel and routing everything else directly, which means the untunneled traffic bypasses the access controls enforced at the VPN headend.
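The connection profile, group policy and split tunneling entries describe objects that meet in one ASA remote access configuration. The following is an added example, not configuration from the glossary's source, showing a tunnel group (connection profile) that points at a group policy which permits split tunneling only for the private 10.0.0.0/8 range. Names, addresses and the pool are placeholders.

```cisco
! Address pool handed to connecting clients
ip local pool RA_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0
!
! Only these destinations go through the tunnel; everything else exits locally
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
!
! Group policy: settings applied to every user who lands in it
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Connection profile (tunnel group): ties the connection to the group policy
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_TG webvpn-attributes
 group-alias Employees enable
!
! Enable the SSL VPN service on the outside interface
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Changing `split-tunnel-policy tunnelspecified` to `tunnelall` forces all client traffic through the headend, where the firewall policy applies to it; that trade-off between headend bandwidth and the loss of inspection over split traffic is the decision the split tunneling definition above turns on.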

symmetric key algorithm A cryptographic secret key algorithm that uses the same key for encryption and decryption.

Time-Based Anti-Replay (TBAR) An anti-replay mechanism used in a group key environment (for example, GETVPN), where the usual per-SA sequence-number window cannot work because many senders share one SA. Instead, each packet carries a pseudotime synchronized by the key server, and receivers drop packets whose pseudotime falls outside a configured window of their own pseudotime.
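The IP-D3P and TBAR entries both describe the same receiver-side test: compare the timestamp in the packet with the local clock and drop anything outside a window. The following is an added example, not code from the glossary's source, that implements that test. The packet layout (an 8-byte timestamp followed by the payload), the window and the sample packets are constructed for the demonstration; the digest cache is an added hardening step beyond what TBAR itself does, and it is labelled as such in the code.

```python
import hashlib
import struct
from collections import OrderedDict

# Constructed packet format for the example: 8-byte big-endian float
# timestamp (seconds) followed by the payload.


def make_packet(timestamp, payload):
    """Sender side: prefix the payload with the time the packet was generated."""
    return struct.pack("!d", timestamp) + payload


class TimeWindowReplayFilter:
    """Accept a packet only if its timestamp is within `window` seconds of
    the receiver's clock in either direction. TBAR stops at that test, since
    group members share one SA and cannot keep a per-sender sequence window;
    the digest cache here is an addition that also rejects an exact duplicate
    arriving inside the window."""

    def __init__(self, window=2.0, cache_size=4096):
        self.window = window
        self.cache_size = cache_size
        self.recent = OrderedDict()   # packet digest -> receiver time of acceptance

    def accept(self, packet, now):
        """Return (accepted, reason) for a packet received at local time `now`."""
        if len(packet) < 8:
            return False, "truncated"
        (ts,) = struct.unpack("!d", packet[:8])
        if ts > now + self.window:
            return False, "timestamp in the future"
        if now - ts > self.window:
            return False, "stale timestamp (possible replay)"
        digest = hashlib.sha256(packet).digest()
        if digest in self.recent:
            return False, "duplicate inside window"
        self.recent[digest] = now
        self._evict(now)
        return True, "accepted"

    def _evict(self, now):
        # Forget digests whose window has expired, then cap memory use so a
        # flood of distinct packets cannot grow the cache without bound.
        for digest, seen_at in list(self.recent.items()):
            if now - seen_at > self.window:
                del self.recent[digest]
        while len(self.recent) > self.cache_size:
            self.recent.popitem(last=False)


def demo():
    """Four receptions of constructed packets at a receiver with a 2 s window."""
    rx = TimeWindowReplayFilter(window=2.0)
    pkt = make_packet(100.0, b"group data")
    results = [
        rx.accept(pkt, now=100.3),                       # fresh: accepted
        rx.accept(pkt, now=100.9),                       # same bytes replayed inside the window
        rx.accept(pkt, now=105.0),                       # captured and replayed later
        rx.accept(make_packet(110.0, b"x"), now=100.0),  # sender clock far ahead
    ]
    return [ok for ok, _ in results]


if __name__ == "__main__":
    print(demo())   # expected: [True, False, False, False]
```

The window has to cover clock skew plus delivery delay, which is why GETVPN synchronizes pseudotime from the key server rather than relying on each member's wall clock: a large window to tolerate skew is exactly the interval within which a pure timestamp check cannot tell a replay from a late packet.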

traffic encryption key (TEK) A key that encrypts traffic and that is based on the IPsec security association for a group.

trapdoor function A function that is easy to compute in one direction but computationally infeasible to invert without a secret piece of information (the trapdoor). Public key algorithms are built on such functions.

WebVPN A secure remote access VPN tunnel to a security appliance that a user can access by using a web browser. Users do not need a software or hardware client.