Networks Glossary PDF
This document provides a glossary of networking terms, covering various concepts such as IEEE standards, network protocols, and topologies. The definitions are concise and focused on essential networking terminology.
802.11 standards: IEEE standards for wireless networking based on spread spectrum radio transmission in the 2.4 GHz and 5 GHz bands. The standard, known as Wi-Fi, has six main 802.11 iterations: a, b, g, Wi-Fi 4 (n), Wi-Fi 5 (ac), and Wi-Fi 6 (ax). These specify different modulation techniques, supported distances, and data rates, plus special features, such as channel bonding, MIMO, and MU-MIMO.
802.11h: Amendment to Wi-Fi standards that defines a Dynamic Frequency Selection (DFS) mechanism to avoid interference with radar and cellular communications in the 5 GHz frequency band.
802.1p: IEEE standard defining a 3-bit (0 to 7) class of service priority field within the 802.1Q format.
802.1q: Trunking protocols enable switches to exchange data about VLAN configurations. The 802.1Q protocol is often used to tag frames destined for different VLANs across trunk links.
802.1x: Standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication. Also called port-based network access control, and IEEE 802.1X.
802.3 ethernet: Standards developed as the IEEE 802.3 series describing media types, access methods, data rates, and distance limitations at OSI layers 1 and 2 using xBASE-y designations.

A

access control list (ACL): The collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).
access point (AP): A device that provides a connection between wireless devices and can connect to wired networks, implementing an infrastructure mode WLAN.
access/edge layer: Lowest tier in a hierarchical network topology acting as the attachment point for end systems.
active-active: High availability cluster configuration where all nodes are utilized continually.
active-passive: High availability cluster configuration where one or more nodes are only utilized during failover.
ad hoc network: Type of wireless network where connected devices communicate directly with each other instead of over an established medium. Also called Independent Basic Service Set (IBSS).
address resolution protocol (ARP): Broadcast mechanism by which the hardware MAC address of an interface is matched to an IP address on a local network segment.
addressing: Unique identifier for a network node, such as a MAC address, IPv4 address, or IPv6 address.
adjacent channel interference (ACI): Troubleshooting issue where access points within range of one another are configured to use different but overlapping channels, causing increased noise. Also called channel overlap.
administrative distance (AD): Metric determining the trustworthiness of routes derived from different routing protocols.
administratively down: Switch or router port that has been purposefully disabled via the management interface.
advanced persistent threat (APT): Threat actors with the ability to craft novel exploits and techniques to obtain, maintain, and diversify unauthorized access to network systems over a long period.
angled physical contact (APC): Fiber optic connector finishing type that uses an angled polish for the ferrule.
antenna type: Specially arranged metal wires that can send and receive radio signals, typically implemented as either an omnidirectional or a unidirectional type.
anycast: IP delivery mechanism whereby a packet is addressed to a single host from a group sharing the same address.
application layer (Layer 7): OSI model layer providing support to applications requiring network services (file transfer, printing, email, databases, and so on). Also called layer 7.
application programming interface (API): Methods exposed by a script, program, or web application that allow other scripts or apps to interact with it.
arp command: Utility to display and modify contents of a host's cache of IP to MAC address mappings, as resolved by address resolution protocol (ARP) replies.
arp spoofing: A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and on-path.
attenuation: Attenuation, or degradation of a signal as it travels over media, determines the maximum distance for a particular media type at a given bit rate.
authentication header (AH): IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
authoritative name server: DNS server designated by a name server record for the domain that holds a complete copy of zone records.
automatic private ip addressing (APIPA): Mechanism for Windows hosts configured to obtain an address automatically that cannot contact a DHCP server to revert to using an address from the range 169.254.x.y. This is also called a link local address.
automation: Using scripts and APIs to provision and deprovision systems without manual intervention.
autonomous system (AS): Group of network prefixes under the administrative control of a single organization used to establish routing boundaries.
availability monitoring: Processes and tools that facilitate reporting and alerting when a host or app cannot be contacted over the network.

B

backup configuration: Configuration settings that will be applied if an appliance, instance, or app is restored from backup media.
band steering: Feature of Wi-Fi that allows an access point to try to ensure that clients use a particular frequency band, such as 5 GHz rather than 2.4 GHz.
bandwidth: Generally used to refer to the amount of data that can be transferred through a connection over a given period. Bandwidth more properly means the range of frequencies supported by transmission media, measured in Hertz.
bandwidth speed tester: Hosted utility used to measure actual speed obtained by an Internet link to a representative server or to measure the response times of websites from different locations on the Internet.
baseline metrics: Values for resource utilization that assess the performance or stability of a service based on historical information or vendor guidance.
basic service set identifier (BSSID): MAC address of an access point supporting a basic service area.
bayonet neill-concelman (BNC) connector: Twist and lock connector for coaxial cable.
bidirectional wavelength division multiplexing (BWDM): System that allows bidirectional data transfer over a single fiber strand by using separate wavelengths for transmit and receive streams. Also called wavelength division multiplexing (WDM).
bit rate: Amount of data that can be transferred over a network connection in a given amount of time, typically measured in bits or bytes per second (or some more suitable multiple thereof). Transfer rate is also described variously as data rate, bit rate, connection speed, transmission speed, or bandwidth. Transfer rates are often quoted as the peak, maximum, theoretical value; sustained, actual throughput is often considerably less.
border gateway protocol (BGP): Path vector exterior gateway routing protocol used principally by ISPs to establish routing between autonomous systems.
botnet: Group of hosts or devices that has been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks. Also referred to as a zombie.
bottleneck: Troubleshooting issue where performance for a whole network or system is constrained by the performance of a single link, device, or subsystem.
bridge: Intermediate system that isolates collision domains to separate segments while joining segments within the same broadcast domain.
bring your own device (BYOD): Security framework and tools to facilitate use of personally owned devices to access corporate networks and data.
broadcast address: Packet or frame addressed to all hosts on a local network segment, subnet, or broadcast domain. Routers do not ordinarily forward broadcast traffic. The broadcast address of IP is one where the host bits are all set to 1; at the MAC layer it is the address ff:ff:ff:ff:ff:ff.
broadcast domain: Network segment in which all nodes receive the same broadcast frames at layer 2.
broadcast storm: Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.
brute force: Type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.
bugfix: Update to software code that addresses a single discrete error and is typically applied in a development or test environment rather than a production one.
business continuity plan (BCP): Collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.
business impact analysis (BIA): Systematic activity that identifies organizational risks and determines their effect on ongoing, mission-critical operations. Also called process assessment.

C

cable crimper: Tool to join a network jack to the ends of a network patch cable.
cable map: Physical plan showing cable routes through building spaces between communications closets and work areas.
cable stripper: Tool for stripping the cable jacket or wire insulation.
cable tester: Two-part tool used to test successful termination of copper cable by attaching to each end of a cable and energizing each wire conductor in turn with an LED to indicate an end-to-end connection.
canonical notation: Format for representing IPv6 addresses using hex double-bytes with colon delimitation and zero compression.
captive portal: Webpage or website to which a client is redirected before being granted full network access.
carrier sense multiple access with collision avoidance (CSMA/CA): Mechanism used by 802.11 Wi-Fi standards to cope with contention over the shared access media.
carrier sense multiple access with collision detection (CSMA/CD): In a contention-based system, each network device competes with the other connected devices for use of the transmission media. Contention-based systems require a set of protocols that reduce the possibility of data collisions, since if the devices compete and simultaneously send data packets, neither packet will reach its intended destination. The Carrier Sense Multiple Access (CSMA) protocols allow contention-based networks to successfully communicate by detecting activity on the network media (Carrier Sense) and reacting to this (for example, if the medium is busy). CSMA/CD (Collision Detection) recognizes a signal collision on the basis of electrical fluctuations produced when signals combine.
categories of cable standards: ANSI/TIA/EIA cable category designations, with higher numbers representing better support for higher data rates.
cellular radio: Standards for implementing data access over cellular networks are implemented as successive generations. For 2G (up to about 48 Kb/s) and 3G (up to about 42 Mb/s), there are competing GSM and CDMA provider networks. Standards for 4G (up to about 90 Mb/s) and 5G (up to about 300 Mb/s) are developed under converged LTE standards.
certificate authority (CA): A server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.
change management: Process for approving, preparing, supporting, and managing new or updated business processes or technologies.
channel bonding: Capability to aggregate one or more adjacent channels to increase bandwidth.
cia triad: Three principles of security control and management: confidentiality, integrity, and availability. Also known as the information security triad. Also referred to in reverse order as the AIC triad.
cipher suite: Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.
cisco discovery protocol (CDP): Proprietary protocol used by Cisco network appliances to discover layer 2 adjacent devices or neighbors.
classful addressing: Legacy form of IP addressing where the network ID is determined automatically from the first octet of the address. Netmasks that align to whole octet boundaries are still sometimes referred to as class A, B, or C.
classless interdomain routing (CIDR): Using network prefixes to aggregate routes to multiple network blocks ("supernetting"). This replaced the old method of assigning class-based IP addresses based on the network size.
client-server: Administration paradigm where some host machines are designated as providing server services, and other machines are designated as client devices that only consume server services.
cloud access security broker (CASB): Enterprise management software designed to mediate access to cloud services by users across all types of devices.
cloud deployment model: Classifying the ownership and management of a cloud as public, private, community, or hybrid.
cloud direct connection: A dedicated connection between the on-premises network and a cloud service provider.
cloud gateway: In cloud infrastructure, a virtual router that facilitates routing between subnets and public networks. External connectivity can be provisioned using various types of NAT and VPN.
cloud service model: Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on.
clustering: Load balancing technique where a group of servers is configured as a unit and works together to provide network services.
coarse wavelength division multiplexing (CWDM): Technology for multiplexing up to 16 signal channels on a single fiber using different wavelengths.
coaxial: Media type using two separate conductors that share a common axis, categorized using the Radio Grade (RG) specifications.
co-channel interference (CCI): Troubleshooting issue where access points within range of one another are configured to use the same channel, causing increased contention.
cold site: Predetermined alternate location where a network can be rebuilt after a disaster.
collapsed core: Two-tier hierarchical network topology where access layer switches connect directly to a full mesh core layer.
collision domain: Network segment where nodes are attached to the same shared access media, such as a bus network or Ethernet hub.
colocation: Deploying private servers, network appliances, and interconnects to a hosted datacenter facility shared with other customers.
command and control (C&C or C2): Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets. Also called C2.
community string: In Simple Network Management Protocol (SNMP), a password-like value that permits a management system to access an agent.
configuration drift: Risk that systems and networks will deviate from a baseline or golden configuration over time.
configuration management: A process through which an organization's information systems components are kept in a controlled state that meets the organization's requirements, including those for security and compliance.
configuration monitoring: Processes and tools that facilitate reporting and alerting when a host or app's configuration deviates from a baseline or golden configuration.
content filtering: Security measure performed on email and Internet traffic to identify and block suspicious, malicious, and/or inappropriate content in accordance with an organization's policies.
convergence: Process whereby routers agree on routes through the network to establish the same network topology in their routing tables (steady state). The time taken to reach steady state is a measure of a routing protocol's convergence performance.
core layer: Highest tier in a hierarchical network topology providing interconnections between blocks.
crosstalk: Phenomenon whereby one wire causes interference in another as a result of their close proximity.
cryptographic hash algorithm: A function that converts an arbitrary-length string input to a fixed-length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
cyclic redundancy check (CRC): Calculation of a checksum based on the contents of a frame used to detect errors.

D

data at rest: Information that is primarily stored on specific media, rather than moving from one medium to another.
data center interconnect (DCI): Technologies such as VXLAN and EVPN that establish links between hosts in two or more separate datacenter facilities.
data in transit: Information that is being transmitted between two hosts, such as over a private network or the Internet.
data link layer (layer 2): OSI model layer responsible for transferring data between nodes. Also called layer 2.
data remnants: Leftover information on a storage medium even after basic attempts have been made to remove that data. Also called a remnant.
data sovereignty: In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
datacenters: Facility dedicated to the provisioning of reliable power, environmental controls, and network fabric to server computers.
deauthentication attack: Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
decibel (dB) loss: Loss of signal strength between a transmitter and receiver due to attenuation and interference, measured in decibels. Also called insertion loss.
decommissioning: In asset management, the policies and procedures that govern the removal of devices and software from production networks, and their subsequent disposal through sale, donation, or as waste.
default gateway: IP configuration parameter that identifies the address of a router on the local subnet that the host can use to contact other networks.
default route: Entry in the routing table to represent the forwarding path that will be used if no other entries are matched.
default vlan: Default VLAN ID (1) for all unconfigured switch ports.
defense in depth: Security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.
demarcation point: Location that represents the end of the access provider's network (and therefore their responsibility for maintaining it). The demarc point is usually at the Minimum Point of Entry (MPOE). If routing equipment cannot be installed at this location, demarc extension cabling may need to be laid.
denial of service (DoS): Any type of physical, application, or network attack that affects the availability of a managed resource.
dense wavelength division multiplexing (DWDM): Technology for multiplexing 40 or 80 signal channels on a single fiber using different wavelengths.
dhcp relay: Configuration of a router to forward DHCP traffic where the client and server are in different subnets.
dictionary: Type of password attack that compares encrypted passwords against a predetermined list of possible password values.
differentiated services (DiffServ): Header field used to indicate a priority value for a layer 3 (IP) packet to facilitate quality of service (QoS) or class of service (CoS) scheduling.
dig command: Utility to query a DNS server and return information about a particular domain name.
digital certificate: Identification and authentication information presented in the X.509 format and issued by a Certificate Authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host).
directly connected routes: Entry in the routing table representing a subnet in which the router has an active interface.
disassociation: Management frame handling process by which a station is disconnected from an access point.
disaster recovery plan (DRP): Documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
discretionary access control (DAC): An access control model where each resource is protected by an access control list (ACL) managed by the resource's owner (or owners).
distance vector: Algorithm used by routing protocols that selects a forwarding path based on the next hop router with the lowest hop count to the destination network.
distributed dos (DDoS): Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
distribution or aggregation layer: Intermediate tier in a hierarchical network topology providing interconnections between the access layer and the core.
distribution system (DS): Connecting access points to a switched network via cabling to facilitate roaming within an extended service area (ESA). A wireless distribution system uses access points configured in repeater mode to facilitate roaming.
dns caching: Data store on DNS clients and servers holding results of recent queries.
dns over hypertext transfer protocol secure (DoH): Protocol that mitigates risks from snooping and modification when a client queries a DNS server by encapsulating DNS traffic within an HTTP-Secure (HTTPS) session.
dns over transport layer security (DoT): Protocol that mitigates risks from snooping and modification when a client queries a DNS server by encapsulating DNS traffic within a Transport Layer Security (TLS) session.
dns poisoning: Attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.
domain name system (DNS): Service that maps fully qualified domain name labels to IP addresses on most TCP/IP networks, including the Internet.
domain name system security extensions (DNSSEC): Security protocol that provides authentication of DNS data and upholds DNS data integrity.
dotted decimal notation: Format for expressing IPv4 addresses using four decimal values from 0 to 255 for each octet.
dual stack: Host operating multiple protocols simultaneously on the same interface. Most hosts are capable of dual stack IPv4 and IPv6 operation, for instance.
dumpster diving: The social engineering technique of discovering things about an organization (or person) based on what it throws away.
dynamic host configuration protocol (DHCP): Protocol used to automatically assign IP addressing information to hosts that have not been configured manually.
dynamic routing: Entry in the routing table that has been learned from another router via a dynamic routing protocol. Also called a learned route.

E

east-west traffic: Design paradigm accounting for the fact that datacenter traffic between servers is greater than that passing in and out (north-south).
effective isotropic radiated power (EIRP): Signal strength from a transmitter, measured as the sum of transmit power, antenna cable/connector loss, and antenna gain.
elasticity: Property by which a computing environment can instantly react to both increasing and decreasing demands in workload.
electromagnetic interference (EMI): Noise that occurs when a magnetic field around one electrical circuit or device interferes with the signal being carried on an adjacent circuit. Also called interference.
encapsulating security protocol (ESP): IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.
encapsulation: A method by which protocols build data packets by adding headers and trailers to existing data.
encryption algorithm: Scrambling the characters used in a message so that the message can be seen but not understood or modified unless it can be deciphered. Encryption provides for a secure means of transmitting data and authenticating users. It is also used to store data securely. Encryption uses different types of algorithm/cipher and one or more keys. The size of the key is one factor in determining the strength of the encryption product.
end of life (EOL): Product life cycle phase where mainstream vendor support is no longer available.
end of support (EOS): Product life cycle phase where support is no longer available from the vendor.
enhanced igrp (EIGRP): Advanced distance vector dynamic routing protocol using bandwidth and delay metrics to establish optimum forwarding paths.
enterprise authentication: Wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.
enumeration: Attack that aims to list resources on the network, host, or system as a whole to identify potential targets for further attack. Also referred to as footprinting and fingerprinting.
escalation: In the context of support procedures, incident response, and breach reporting, escalation is the process of involving expert and senior staff to assist in problem management.
ethernet headers: Fields in a frame used to identify source and destination MAC addresses, protocol type, and error detection.
ethernet vpn (EVPN): Using Border Gateway Protocol (BGP) to advertise virtual extensible LAN (VXLAN) networks as routes.
evil twin: Wireless access point that deceives users into believing that it is a legitimate network access point.
explicit deny: Firewall ACL rule configured manually to block any traffic not matched by previous rules.
exploit: Specific method by which malware code infects a target host, often via some vulnerability in a software process. Also called exploit technique.
extended ssid (ESSID): Network name configured on multiple access points to form an extended service area.
extended unique identifier (EUI): IEEE's preferred term for a network interface's unique identifier. An EUI-48 corresponds to a MAC address, while an EUI-64 is one that uses a 64-bit address space.
extensible authentication protocol (EAP): Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication, and establish secure tunnels through which to submit credentials.

F

fat ap: Access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller.
fiber distribution panel: Type of distribution frame with pre-wired connectors used with fiber optic cabling.
fiber optic cable: Network cable type that uses light signals as the basis for data transmission. Infrared light pulses are transmitted down the glass core of the fiber. The cladding that surrounds this core reflects light back to ensure transmission efficiency. At the receiving end of the cable, light-sensitive diodes re-convert the light pulse into an electrical signal. Fiber optic cable is immune to eavesdropping and EMI, has low attenuation, supports rates of 10 Gb/s+, and is light and compact.
fibre channel: High-speed network communications protocol used to implement SANs.
file transfer protocol (FTP): Application protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES), and T(rivial)FTP. FTP utilizes ports 20 and 21.
firewall: Software or hardware device that protects a network segment or individual host by filtering packets according to an access control list.
first hop redundancy protocols (FHRPs): Provisioning failover routers to serve as the default gateway for a subnet. Also referred to as Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP).
fragmentation: Mechanism for splitting a layer 3 datagram between multiple frames to fit the maximum transmission unit (MTU) of the underlying Data Link network.
frame: Common term for the protocol data unit for layer 2.
frequency band: Portion of the radio frequency spectrum in which wireless products operate, such as the 2.4 GHz band or 5 GHz band. Also called frequencies.
f-type connectors: Screw down connector used with coaxial cable.
full tunnel: VPN configuration where all traffic is routed via the VPN gateway.
full-duplex: Network link that allows interfaces to send and receive simultaneously.
fully qualified domain name (FQDN): Unique label specified in a DNS hierarchy to identify a particular host within a subdomain within a top-level domain.

G

general data protection regulation (GDPR): Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.
generic routing encapsulation (GRE): Tunneling protocol allowing the transmission of encapsulated frames or packets from different types of network protocol over an IP network.
geofencing: Security control that can enforce a virtual boundary based on real-world geography.
giant: Ethernet frame that is larger than the receiving interface will accept.
global positioning system (GPS): A means of determining a receiver's position on Earth based on information received from orbital satellites.

H

half-duplex: Network link where simultaneously sending and receiving is not possible.
Process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect hardening against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits. In a Wi-Fi site survey, a diagram showing signal strength and channel uitilization at heat map different locations. Metric that defines how closely systems approach the goal of providing data high availability availability 100% of the time while maintaining a high level of system performance. Host, network, or file set up with the purpose of luring attackers away from assets honeypot of actual value and/or discovering attack strategies and weaknesses in the security configuration. Also called a honeynet or a honeyfile. One link in the path from a host to a router or from router to router. Each time a hop packet passes through a router, its hop count (or TTL) is decreased by one. host name Label applied to a host computer that is unique on the local network. List of static name to IP address mappings maintained on a host computer that will hosts file typically take precedence over name resolution queries. Fully configured alternate processing site that can be brought online either instantly hot site or very quickly after a disaster. html5 vpn or Using features of HTML5 to implement remote desktop/VPN connections via clientless vpn browser software (clientless). Also called clientless VPN. Layer 1 (Physical) network device used to implement a star network topology on hub legacy Ethernet networks, working as a multiport repeater. hub-and-spoke Wide area network topology with the same layout as a star topology. hybrid A cloud deployment that uses both private and public elements. A network that uses a combination of physical or logical topologies. In practice, hybrid topology most networks use hybrid topologies. 
For example, modern types of Ethernet are physically wired as stars but logically operate as buses. hypertext Application protocol used to provide web content to browsers. HTTP uses port 80. transfer HTTPS(ecure) provides for encrypted transfers, using SSL/TLS and port 443. protocol (HTTP) I Security process that provides identification, authentication, and authorization identity and access mechanisms for users, computers, and other entities to work with management (IAM) organizational assets such as networks, operating systems, and applications. Also referred to as identity management (IdM), and access management. Deprecated Linux command tool used to gather information about the IP ifconfig command configuration of the network adapter or to configure the network adapter. Firewall ACL rule configured by default to block any traffic not matched by implicit deny previous rules. industrial control Network managing embedded devices (computer systems that are designed to system (ICS) perform a specific, dedicated function). infrastructure as a Cloud service model that provisions virtual machines and network service (IaaS) infrastructure. infrastructure as Provisioning architecture in which deployment of resources is performed by code (IaC) scripted automation and orchestration. instant secure Media sanitization command built into HDDs and SSDs that are self-encrypting erase (ISE) that works by erasing the encryption key, leaving remnants unrecoverable. insulation- Block used to terminate twisted pair cabling at a wall plate or patch panel displacement available in different formats, such as 110, BIX, and Krone. connection (IDC) Metrics recorded by a host or switch that enable monitoring of link state, interface statistics resets, speed, duplex setting, utilization, and error rates. Passive wiring panel providing a central termination point for cabling. 
An IDF is an optional layer of the distribution frame hierarchy that cross-connects the "vertical" backbone cabling from an MDF to the "horizontal" wiring to wall ports on each floor of a building or each building of a campus network.
internet control message protocol (ICMP): IP-level protocol for reporting errors and status information, supporting the function of troubleshooting utilities such as ping.
internet key exchange (IKE): Framework for creating a security association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree on the secure protocols and cipher suites to use to exchange data.
internet message access protocol (IMAP): Application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server. IMAP4 uses TCP port 143, while the secure version IMAPS uses TCP port 993.
internet of things (IoT): Devices that can report state and configuration data and be remotely managed over IP networks.
internet protocol security (IPSec): Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.
internet service provider (ISP): Provides Internet connectivity and web services to its customers.
intrusion detection system (IDS): Security appliance or software that uses passive hardware sensors to monitor traffic on a specific segment of the network. Also called a network intrusion detection system (NIDS).
intrusion prevention system (IPS): Security appliance or software that combines detection capabilities with functions that can actively block attacks.
ip address management (IPAM): Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.
ip command: Linux command tool used to gather information about the IP configuration of the network adapter or to configure the network adapter.
ip helper: Command set in a router OS to support DHCP relay and other broadcast forwarding functionality.
ip protocol type: Identifier (the IPv4 Protocol or IPv6 Next Header field) for a protocol working over the Internet Protocol, such as TCP, UDP, ICMP, GRE, EIGRP, or OSPF.
ip scanner: Utility that can probe a network to detect which IP addresses are in use by hosts. Also called IP scanning.
ipconfig command: Command tool used to gather information about the IP configuration of a Windows host.
iperf: Utility used to measure the bandwidth achievable over a network link.
iterative lookup: DNS query type whereby a server responds with information from its own data store only.
J
jitter: Variation in the time it takes for a signal to reach the recipient. Jitter manifests itself as an inconsistent rate of packet delivery. If packet loss or delay is excessive, then noticeable audio or video problems (artifacts) are experienced by users.
jumbo frame: Ethernet frame with a payload larger than 1,500 bytes (up to 9,216 bytes).
jump server: A hardened server that provides access to other hosts.
K
kerberos: Single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.
L
latency: The time it takes for a signal to reach the recipient. A video application can support a latency of about 80 ms, while typical latency on the Internet can reach 1,000 ms at peak times. Latency is a particular problem for two-way applications, such as VoIP (telephone) and online conferencing.
layer 3 switch: Switch appliance capable of IP routing between virtual LAN (VLAN) subnets using hardware-optimized path selection and forwarding.
least privilege: Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role. Also referred to as the principle of least privilege.
lifecycle roadmap: Method to track the lifecycle phases of one or more hardware, service, or software systems in your organization.
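The jitter and latency entries above define the metrics in words. As an added example (not from the glossary), the following computes one-way latency, packet loss, and jitter from per-packet send and receive timestamps. The sample timestamps are constructed; the 80 ms latency budget is the figure from the latency entry, the jitter and loss thresholds are assumptions, and the smoothed RFC 3550 jitter estimator goes beyond the glossary text (it is what RTP receivers report).

```python
"""Latency, jitter and packet loss computed from per-packet timestamps.
Added example, not from the glossary."""
from statistics import mean
from typing import List, Optional, Tuple

# Constructed sample: (sequence number, sent_ms, received_ms); None = lost.
SAMPLE: List[Tuple[int, int, Optional[int]]] = [
    (0, 0, 50), (1, 20, 72), (2, 40, 88), (3, 60, None), (4, 80, 135), (5, 100, 150),
]


def transit_times(samples) -> List[int]:
    """One-way delay of each delivered packet, in send order."""
    return [rx - tx for _, tx, rx in samples if rx is not None]


def loss_ratio(samples) -> float:
    return sum(1 for _, _, rx in samples if rx is None) / len(samples)


def mean_latency(samples) -> float:
    return mean(transit_times(samples))


def mean_jitter(samples) -> float:
    """Average absolute change in delay between consecutive delivered packets."""
    t = transit_times(samples)
    return mean(abs(b - a) for a, b in zip(t, t[1:]))


def rfc3550_jitter(samples) -> float:
    """Smoothed interarrival jitter as RTP receivers report it (RFC 3550 6.4.1):
    J = J + (|D| - J) / 16, where D is the change in transit time."""
    j = 0.0
    t = transit_times(samples)
    for a, b in zip(t, t[1:]):
        j += (abs(b - a) - j) / 16
    return j


def meets_budget(samples, max_latency_ms=80.0, max_jitter_ms=30.0,
                 max_loss=0.01) -> dict:
    """Check a stream against a simple real-time budget.  80 ms is the figure
    from the latency entry; the jitter and loss limits are assumed."""
    return {
        "latency_ok": mean_latency(samples) <= max_latency_ms,
        "jitter_ok": mean_jitter(samples) <= max_jitter_ms,
        "loss_ok": loss_ratio(samples) <= max_loss,
    }
```

For the sample, mean latency is 51 ms and jitter 4.5 ms, both within budget, but one of six packets is lost, so the stream still fails the loss check; that is the case the jitter entry describes, where loss rather than delay produces the visible artifacts.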
Also called the system lifecycle.
lightweight directory access protocol (LDAP): Network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
link layer discovery protocol (LLDP): Standards-based protocol used by network appliances to discover layer 2 adjacent devices or neighbors.
link local: IP addressing scheme used within the scope of a single broadcast domain only.
link state: Algorithm used by routing protocols that builds a complete network topology to use to select optimum forwarding paths.
load balancer: Type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.
local area network (LAN): Network scope restricted to a single geographic location and owned/managed by a single organization.
local connector (LC): Small form factor push-pull fiber optic connector; available in simplex and duplex versions.
logging level: Threshold for storing or forwarding an event message based on its severity index or value. Also referred to as the severity level.
long term evolution (LTE): Packet data communications specification providing an upgrade path for 2G and 3G cellular networks. LTE services use a SIM card to identify the subscriber and network provider. LTE Advanced is designed to provide 4G standard network access.
loopback address: IP address by which a host can address itself over any available interface.
M
mac address table: Data store on a switch that keeps track of the MAC addresses associated with each port. As the switch uses a type of memory called content addressable memory (CAM), this is sometimes called the CAM table.
mac filtering: Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
mac flooding: Network attack where a switch's MAC address table is inundated with frames from random source MAC addresses so that it starts flooding unicast traffic out of all ports, facilitating snooping attacks.
main distribution frame (MDF): Passive wiring panel providing a central termination point for cabling. An MDF distributes backbone or "vertical" wiring through a building and provides connections to external access provider networks.
malware: Software that serves a malicious purpose, typically installed without the user's consent (or knowledge).
management information base (MIB): Database that stores Simple Network Management Protocol (SNMP) properties and values of a network device and its components.
maximum tolerable downtime (MTD): Longest period that a process can be inoperable without causing irrevocable business failure.
maximum transmission unit (MTU): Maximum size in bytes of a frame's payload. If the payload cannot be encapsulated within a single frame at the Data Link layer, it must be fragmented.
mean time between failures (MTBF): Metric for a device or component that predicts the expected time between failures.
mean time to failure (MTTF): Metric indicating the average time a device or component is expected to be in operation.
mean time to repair (MTTR): Metric representing the average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
media access control (MAC) address: Hardware address that uniquely identifies each network interface at layer 2 (Data Link). A MAC address is 48 bits long, with the first half representing the manufacturer's Organizationally Unique Identifier (OUI). In some contexts, such as DHCP, it is also used as the client identifier.
media converter: Layer 1 (Physical) network device that translates signals received over one media type for transmission over a different media type.
medium dependent interface/medium dependent interface crossover (MDI/MDIX): System that distinguishes transmit and receive pins on different interface types.
The interface on an end system is MDI, while the interface on an intermediate system (such as a switch) is MDIX.
memorandum of understanding (MOU): Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
mesh topology: A topology often used in WANs where each device has (in theory) a point-to-point connection with every other device (fully connected); in practice, only the more important devices are directly interconnected (partial mesh).
microsegmentation: Function of an Ethernet switch whereby collision domains are reduced to the scope of a single port only.
missing route: Troubleshooting issue where a routing table does not contain a required entry, due either to manual misconfiguration or to failure of a dynamic routing protocol update.
mission essential function (MEF): Business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
multicast: A packet addressed to a selection of hosts (in IP, those belonging to a multicast group).
multifactor authentication: Authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Using exactly two factors is known as 2FA.
multi-fiber push-on (MPO): Fiber optic cable type that terminates multiple strands to a single compact connector, supporting parallel links.
multimode fiber (MMF): Fiber optic cable type using LED or vertical cavity surface emitting laser optics and graded using optical multimode (OM) types for core size and bandwidth.
multiple input multiple output (MIMO): Use of multiple reception and transmission antennae to boost bandwidth via spatial multiplexing and to boost range and signal reliability via spatial diversity.
multiuser mimo (MU-MIMO): Use of spatial multiplexing to connect multiple MU-MIMO-capable stations simultaneously, providing the stations are not on the same directional path.
N
nat64: IPv6 transition mechanism that uses Network Address Translation (NAT) at a routing boundary to translate between IPv6 and IPv4 addresses, so that IPv6-only hosts can reach IPv4-only destinations.
native vlan: VLAN ID used for any untagged frames received on a trunk port. The same ID should be used on both ends of the trunk, and the ID should not be left as the default VLAN ID (1).
neighbor discovery (ND) protocol: IPv6 protocol used to identify link local nodes.
netflow: Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
netstat: Cross-platform command tool to show network information on a machine running TCP/IP, notably active connections and the routing table.
network access control (NAC): General term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
network adapter: Adapter card that provides one or more Ethernet ports for connecting hosts to a network so that they can exchange data over a link.
network address translation (NAT): Routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.
network attached storage (NAS): Storage device enclosure with a network port and an embedded OS that supports typical network file access protocols (FTP and SMB, for instance).
network discovery: Processes and tools that facilitate identification of hosts present on a network or subnet.
network function virtualization (NFV): Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.
network layer (layer 3): OSI model layer responsible for logical network addressing and forwarding.
network loop: Troubleshooting issue where layer 2 frames are forwarded between switches or bridges in an endless loop.
network mask: Number of bits applied to an IP address to mask the network ID portion from the host/interface ID portion. This can be expressed as a bit prefix in slash notation or as a dotted decimal subnet mask.
network security group: Rules that filter communication between cloud networks and from cloud networks to the Internet.
network security list: In Oracle Cloud Infrastructure, traffic filtering rules that apply to a subnet, rather than just to network interfaces.
network segmentation: Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls, VPNs, or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped. Also referred to as segmentation or network segmentation enforcement.
network time protocol (NTP): Application protocol allowing machines to synchronize to the same time clock; it runs over UDP port 123.
network time security (NTS): Method of securing NTP queries and responses using Transport Layer Security (TLS). NTS typically uses TCP port 4460.
nmap security scanner: A highly adaptable, open-source network scanner used primarily to scan hosts and ports to locate services and detect vulnerabilities.
non-disclosure agreement (NDA): Agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
north-south: Network data flows that go into and out of an organization's network or datacenter.
nslookup command: Cross-platform command tool for querying DNS resource records.
O
on-path attack: Attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic. Formerly called a man-in-the-middle (MitM) attack.
open authentication: Wireless network authentication mode where guest (unauthenticated) access is permitted.
open shortest path first (OSPF): Dynamic routing protocol that uses a link-state algorithm and a hierarchical topology.
open systems interconnection (OSI) reference model: Assigns network and hardware components and functions to seven discrete layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.
operational technology (OT): Communications network designed to implement an industrial control system rather than data networking.
optical link budget: Assessment of allowable signal loss over a fiber optic link. Also referred to as the optical loss budget.
optical multimode (OM): Classification system for multimode fiber designating core size and modal bandwidth.
option (DHCP): DHCP configuration that assigns additional parameters, such as DNS server addresses. In DHCPv4, an option is used to identify the default gateway address.
orchestration: Automation of multiple coordinated steps in a deployment process.
out-of-band (OOB): Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
overlay network: Network protocols that use encapsulation to provision virtual tunnels and networks without requiring reconfiguration of the underlying transport network.
P
packet loss: Network PDUs that do not reach their destination due to transmission errors, congestion, or security policies. A packet drop or discard is where a switch or router does not forward a packet due to congestion or because the packet does not match the requirements of an ACL.
packet sniffer: Recording data from frames as they pass over network media, using methods such as a mirror port or tap device.
patch: A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
patch panel: Type of distribution frame used with twisted pair cabling, with IDCs to terminate fixed cabling on one side and modular jacks to make cross-connections to other equipment on the other. Also called a patch bay.
payment card industry data security standard (PCI DSS): The information security standard for organizations that process credit or bank card payments.
peer-to-peer: Administration paradigm whereby any computer device may be configured to operate as both server and client.
performance metrics: Measurement of a value affecting system performance, such as CPU or memory utilization.
personally identifiable information (PII): Data that can be used to identify or contact an individual (or, in the case of identity theft, to impersonate them).
phishing: Email-based social engineering attack, in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.
physical layer (PHY): Lowest layer of the OSI model, providing for the transmission and receipt of data bits from node to node. This includes the network medium and the mechanical and electrical specifications for using the media. Also referred to as layer 1.
ping command: Cross-platform command tool for testing IP packet transmission.
platform as a service (PaaS): Cloud service model that provisions application and database services as a platform for development of apps.
playbook: A checklist of actions to perform to complete a standard procedure or to detect and respond to a specific type of incident.
plenum: Cable for use in building voids, designed to be fire resistant and to produce a minimal amount of smoke if burned. Also called plenum cable.
point to point: A point-to-point topology is one where two nodes have a dedicated connection to one another.
point-to-point protocol (PPP): Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.
polarization: Orientation of the wave propagating from an antenna.
port: In TCP and UDP applications, a unique number assigned to a particular application protocol. Server ports are typically assigned well-known or registered numbers, while client ports use dynamic or ephemeral numbering.
port address translation (PAT): Maps private host IP addresses onto a single public IP address. Each outbound session is tracked by assigning it a unique high-numbered TCP or UDP source port on the public address.
port aggregation: Combining the bandwidth of two or more switch ports into a single channel link.
port mirroring: Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. Also called a switched port analyzer (SPAN).
port role: In Spanning Tree Protocol (STP), each port is assigned a role (root, designated, blocked, or disabled) depending on its position in the topology.
port scanner: Utility that can probe a host to enumerate the status of TCP and UDP ports.
port security: Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.
port states: In Spanning Tree Protocol (STP), topology changes cause ports to transition through different states (blocking, listening, learning, forwarding, and disabled).
port tagging: On a switch with VLANs configured, a port with an end station host connected operates in untagged mode (access port). A tagged port will normally be part of a trunk link.
port-side exhaust/intake: Feature of switches that allows fans to switch between expelling hot air and drawing in cool air from the side with ports.
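The mac address table, mac flooding, and port security entries describe an attack and its mitigation in prose. The following added example (not code from the glossary) simulates a switch's CAM table: without port security, an attacker exhausting the table forces a known unicast to be flooded to every port, including the attacker's; with a per-port MAC limit, the offending port is err-disabled and the victim's entry survives. The Switch class, the port numbers, the table size, and the FIFO-style eviction (a stand-in for real aging behaviour) are all assumptions for illustration.

```python
"""A toy switch MAC address (CAM) table showing how MAC flooding turns the
switch into a hub, and how port security stops it.  Added example, not from
the glossary; eviction and violation handling are simplified."""
from collections import OrderedDict
from typing import Optional, Set


class Switch:
    def __init__(self, ports: Set[int], capacity: int,
                 max_macs_per_port: Optional[int] = None):
        self.ports = set(ports)
        self.capacity = capacity                    # CAM table size
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.cam = OrderedDict()                    # mac -> port, oldest first
        self.disabled: Set[int] = set()             # err-disabled by port security
        self.violations = 0

    def receive(self, src_mac: str, dst_mac: str, port: int) -> Set[int]:
        """Handle a frame arriving on `port`; return the set of egress ports."""
        if port in self.disabled:
            return set()
        self._learn(src_mac, port)
        if port in self.disabled:               # learning just tripped port security
            return set()
        return self._forward(dst_mac, port)

    def _learn(self, src_mac: str, port: int) -> None:
        if self.max_macs_per_port is not None:
            on_port = [m for m, p in self.cam.items() if p == port]
            if src_mac not in on_port and len(on_port) >= self.max_macs_per_port:
                # Violation: shut the port and forget what it taught us.
                self.violations += 1
                self.disabled.add(port)
                for m in on_port:
                    del self.cam[m]
                return
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)       # refresh (re-age) the entry
            self.cam[src_mac] = port
            return
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)        # table full: oldest entry ages out
        self.cam[src_mac] = port

    def _forward(self, dst_mac: str, ingress: int) -> Set[int]:
        if dst_mac in self.cam:
            out = self.cam[dst_mac]
            return set() if out == ingress else {out}   # known: one port (or filter)
        return self.ports - {ingress} - self.disabled     # unknown: flood everywhere


def spoofed_mac(i: int) -> str:
    """Deterministic locally administered MAC for the i-th flooding frame."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)


def mac_flood_demo(port_security: bool) -> Set[int]:
    """Victim on port 1, server on port 2, attacker on port 3.  Returns where a
    server->victim unicast frame goes after the attacker floods the table."""
    sw = Switch(ports={1, 2, 3}, capacity=64,
                max_macs_per_port=2 if port_security else None)
    victim, server = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    sw.receive(victim, server, 1)               # both stations get learned
    sw.receive(server, victim, 2)
    for i in range(200):                        # flood with 200 bogus source MACs
        sw.receive(spoofed_mac(i), "ff:ff:ff:ff:ff:ff", 3)
    return sw.receive(server, victim, 2)
```

mac_flood_demo(False) returns {1, 3}: the victim's entry was evicted, so the frame is flooded and the attacker on port 3 can sniff it. mac_flood_demo(True) returns {1}: port 3 was shut on its third source MAC and the table was never exhausted.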
posture assessment: Audit process and tools for verifying compliance with a compliance framework or configuration baseline.
power budget: When configuring Power over Ethernet, the maximum amount of power available across all switchports.
power over ethernet (PoE): Specification allowing power to be supplied via switch ports and ordinary data cabling to devices such as VoIP handsets and wireless access points. Devices can draw up to about 13 W (802.3af PoE) or 25 W (802.3at PoE+).
precision time protocol (PTP): Provides clock synchronization to network devices to a higher degree of accuracy than Network Time Protocol (NTP).
presentation layer (Layer 6): OSI model layer that transforms data between the formats used by the network and applications. Also called layer 6.
pre-shared key (PSK): Wireless network authentication mode where a passphrase-based mechanism is used to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.
private branch exchange (PBX): Routes incoming calls to direct dial numbers and provides facilities such as voice mail, Automatic Call Distribution (ACD), and Interactive Voice Response (IVR). A PBX can also be implemented as software (virtual PBX). An IP-based PBX or hybrid PBX allows use of VoIP.
private cloud: A cloud that is deployed for use by a single entity.
private key: In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with whom the holder wants to communicate securely. Data encrypted with the public key can be decrypted only with the private key, and a signature created with the private key can be verified by anyone holding the public key.
production configuration: Configuration settings used when an appliance, instance, or app is booted or started.
protocol analyzer: Utility that can parse the header fields and payloads of protocols in captured frames for display and analysis. Also called a packet analyzer.
protocol data unit (PDU): Network packet encapsulating a data payload from an upper layer protocol with header fields used at the current layer.
proxy server: Server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also called a forward proxy.
public cloud: A cloud that is deployed for shared use by multiple independent tenants.
public key: In asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
public key infrastructure (PKI): Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
public switched telephone network (PSTN): Global network connecting national telecommunications systems.
public versus private addressing: Some IP address ranges are designated for use on private networks only. Packets with source IP addresses in public ranges are permitted to be forwarded over the Internet. Packets with source IP addresses from private ranges should be blocked at Internet gateways or forwarded using some type of translation mechanism.
punch down tool: Tool used to terminate solid twisted pair copper cable to an insulation displacement connector.
Q
quad small form-factor pluggable (QSFP): Fiber optic transceiver module type supporting four individual duplex lanes at 1 Gbps (QSFP) or 10 Gbps (QSFP+) that can be aggregated into a single 4 Gbps or 40 Gbps channel.
quality of service (QoS): Systems that differentiate data passing over the network and can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as class of service (CoS).
R
rack: Storage solution for server and network equipment.
Racks are designed to a standard width and height (measured in multiples of 1U, or 1.75"). Racks offer better density, cooling, and security than ordinary office furniture.
rack diagram: Physical plan of appliances installed in a network rack and their power and network connections.
radio frequency (RF) attenuation: Loss of signal strength due to distance and environmental factors. Also referred to as free space path loss.
received signal strength indicator (RSSI): Signal strength as measured at the receiver, using either decibel units or an index value.
recovery point objective (RPO): Longest period that an organization can tolerate lost data being unrecoverable.
recovery time objective (RTO): Maximum time allowed to restore a system after a failure event.
recursive lookup: DNS query type whereby a server submits additional queries to other servers to obtain the requested information.
registered jack (RJ): Series of jack/plug types used with twisted pair cabling, such as RJ45 and RJ11.
remote authentication dial-in user service (RADIUS): AAA protocol used to manage remote and wireless authentication infrastructures.
remote desktop protocol (RDP): Application protocol for operating remote connections to a host using a graphical interface. The protocol sends screen data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. It uses TCP port 3389.
repeater: Layer 1 device that regenerates and retransmits signals to overcome media distance limitations.
reservation: DHCP configuration that assigns either a pre-reserved or persistent IP address to a given host, based on its hardware address or other ID.
resource records: Entries in a DNS zone file that store information about the zone. The main record types are: A (maps a host name to an IPv4 address), AAAA (maps a host name to an IPv6 address), CNAME (an alias for a host name), MX (the host name of a mail server for the domain, which is then resolved via an A or AAAA record), and PTR (allows a host name to be identified from an IP address).
reverse dns: DNS query type to resolve an IP address to a host name.
rfc 1918: Standards document that defines the private IPv4 address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
risk: Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
rogue access point: Wireless access point that has been enabled on the network without authorization.
role-based access control (RBAC): Access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
root bridge selection: In Spanning Tree Protocol (STP), the process and metrics that determine which bridge or switch will be identified as root. Selection of an inappropriate root device can cause performance and security issues.
route command: Cross-platform command tool used to display and manage the routing table on a Windows or Linux host.
router: Intermediate system working at the Network layer, capable of forwarding packets around logical networks of different layer 1 and layer 2 types.
router advertisement (RA): Packet sent by an IPv6-capable router to notify hosts about prefixes and autoconfiguration methods available on the local link.
routing information protocol (RIP): Distance vector-based routing protocol that uses a hop count to determine the least-cost path to a destination network.
routing loop: Troubleshooting issue where a packet is forwarded between routers in a loop until its TTL expires.
routing table: Data store on an IP host used to determine the interface over which to forward a packet.
runt: Malformed Ethernet frame that is smaller than the permitted 64 byte minimum size.
S
sanitization: Process of thoroughly and completely removing data from a storage medium so that file remnants cannot be recovered.
satellite: System of microwave transmissions where orbital satellites relay signals between terrestrial receivers or other orbital satellites.
Satellite internet connectivity is enabled through a reception antenna connected to the PC or network through a DVB-S modem.
scalability: Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
scope: Range of consecutive IP addresses in the same subnet that a DHCP server can lease to clients.
screened subnet: Segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports. Formerly referred to as a demilitarized zone (DMZ); this usage is now deprecated.
secure access service edge (SASE): A networking and security architecture that provides secure access to cloud applications and services while reducing complexity. It combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN.
secure erase (SE): Method of sanitizing a drive using the ATA command set.
secure shell (SSH): Application protocol supporting secure tunneling and remote terminal emulation and file copy. SSH runs over TCP port 22.
security assertion markup language (SAML): An XML-based data format used to exchange authentication and authorization assertions between an identity provider and a service provider, typically for web single sign-on.
security information and event management (SIEM): Solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
security service edge (SSE): Design paradigm and associated technologies that mediate access to cloud services and web applications.
self-signed certificate: A digital certificate that has been signed by the entity that issued it, rather than by a CA.
server message block (SMB): Application protocol used for requesting files from Windows servers and delivering them to clients. SMB allows machines to share files and printers, thus making them available for other machines to use. SMB client software is available for UNIX-based systems.
Samba software allows UNIX and Linux servers or NAS appliances to run SMB services for Windows clients. The older SMB 1 dialect is also known as Common Internet File System (CIFS).
service level agreement (SLA): Agreement that sets the service requirements and expectations between a consumer and a provider.
session initiation protocol (SIP): Application protocol used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.
session layer (Layer 5): OSI model layer that provides services for applications that need to exchange multiple messages (dialog control). Also referred to as layer 5.
shadow it: Computer hardware, software, or services used on a private network without authorization from the system owner.
shellcode: A small block of machine code delivered as the payload of an exploit; once the software vulnerability is triggered, the shellcode executes to give the attacker initial access to, or control of, the victim system.
shoulder surfing: Social engineering tactic to obtain someone's password or PIN by observing them as they type it in.
show arp command: Command tool used in router operating systems to list the contents of the Address Resolution Protocol (ARP) cache of IP address to MAC address mappings.
show commands: Set of commands in a switch OS to report configuration or interface information.
show route command: Command tool used in router operating systems to list the contents of routing tables.
simple mail transfer protocol (SMTP): Application protocol used to send mail between hosts on the Internet. Messages are sent between servers over TCP port 25 or submitted by a mail client over the submission port TCP/587, typically protected with STARTTLS.
simple network management protocol (SNMP): Application protocol used for monitoring and managing network devices. SNMP works over UDP port 161 (agent queries) and UDP port 162 (traps) by default.
simultaneous authentication of equals (SAE): Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
single mode fiber (SMF): Fiber optic cable type that uses laser diodes and narrow core construction to support high bandwidths over distances of over 5 km.
small form factor pluggable (SFP): Fiber optic transceiver module type supporting duplex 1 Gbps (SFP) or 10 Gbps (SFP+) links.
small office/home office (SOHO): Category of network type and products that are used to implement small-scale LANs and off-the-shelf Internet connection types.
social engineering: Activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.
socket: Combination of a TCP/UDP port number and IP address. A client socket can form a connection with a server socket to exchange data.
software as a service (SaaS): Cloud service model that provisions fully developed application services to users.
software defined networking (SDN): APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.
software-defined wans (SD-WAN): Services that use software-defined mechanisms and routing policies to implement virtual tunnels and overlay networks over multiple types of transport network.
source control: Technologies that manage development of software code by tracking and merging or rejecting changes from multiple authors.
spanning tree protocol (STP): Protocol that prevents layer 2 network loops by dynamically blocking switch ports as needed.
spectrum analyzer: Device that can detect the source of interference on a wireless network.
spine and leaf topology: Topology commonly used in datacenters comprising a top tier of aggregation switches forming a backbone for a leaf tier of top-of-rack switches.
split tunnel: VPN configuration where only traffic for the private network is routed via the VPN gateway.
spoofing: Attack technique where the threat actor disguises their identity or impersonates another user or resource.

standard operating procedure (SOP): Documentation of best practice and work instructions to use to perform a common administrative task.

star topology: In a star network, each node is connected to a central point, typically a switch or a router. The central point mediates communications between the attached nodes. When a device such as a hub is used, the hub receives signals from a node and repeats the signal to all other connected nodes. Therefore the bandwidth is still shared between all nodes. When a device such as a switch is used, point-to-point links are established between each node as required. The circuit established between the two nodes can use the full bandwidth capacity of the network media.

stateless address autoconfiguration (SLAAC): Mechanism used in IPv6 for hosts to assign addresses to interfaces without requiring manual intervention.

static route: Entry in the routing table added manually by an administrator.

storage area network (SAN): Network dedicated to provisioning storage resources, typically consisting of storage devices and servers connected to switches via host bus adapters.

straight tip (ST): Bayonet-style twist-and-lock connector for fiber optic cabling.

structured query language (SQL): Programming and query language common to many relational database management systems.

subinterfaces: Configuring a router's physical interface with multiple virtual interfaces connected to separate virtual LAN (VLAN) IDs over a trunk.

subnet addressing: Division of a single IP network into two or more smaller broadcast domains by using longer netmasks within the boundaries of the network. Also called a subnet mask.

subscriber connector (SC): Push/pull connector used with fiber optic cabling.
supervisory control and data acquisition (SCADA): Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

switch: Intermediate system used to establish contention-free network segments at layer 2 (Data Link).

switch virtual interface (SVI): Feature of layer 3 switches that allows a virtual interface assigned with an IP address to act as the default gateway for a VLAN.

syslog: Application protocol and event logging format enabling different appliances and software applications to transmit logs or event records to a central server. Syslog works over UDP port 514 by default.

T

t568a and t568b: Twisted pair termination pinouts defined in the ANSI/TIA/EIA 568 Commercial Building Telecommunications Standards.

tabletop exercise: A discussion of simulated emergency situations and security incidents.

tailgating: Social engineering technique to gain access to a building by following someone who is unaware of their presence.

tap: Hardware device inserted into a cable to copy frames for analysis.

tcp flags: Field in the header of a TCP segment designating the connection state, such as SYN, ACK, or FIN.

tcpdump: Command line packet sniffing utility.

telnet: Application protocol supporting unsecure terminal emulation for remote host management. Telnet runs over TCP port 23.

terminal access controller access control system (TACACS+): AAA protocol developed by Cisco that is often used to authenticate administrator accounts for network appliance management.

thin ap: Access point that requires a wireless controller in order to function.

threat: Potential for an entity to exercise a vulnerability (that is, to breach security).

three-tier hierarchical model: Paradigm to simplify network design by separating switch and router functionality and placement into three tiers, each with a separate role, performance requirements, and physical topology.
throughput: Amount of data transfer supported by a link in typical conditions. This can be measured in various ways with different software applications. Goodput is typically used to refer to the actual "useful" data rate at the application layer (less overhead from headers and lost packets).

time to live (TTL): Counter field in the IP header recording the number of hops a packet can make before being dropped.

tone generator: Used to identify one cable within a bundle by applying an audible signal. Also called fox and hound.

top-of-rack (ToR): High-performance switch model designed to implement the leaf tier in a spine and leaf topology.

topology: Network specification that determines the network's overall layout, signaling, and dataflow patterns.

traceroute/tracert: Diagnostic utilities that trace the route taken by a packet as it "hops" to the destination host on a remote network. tracert is the Windows command implementation, while traceroute runs on Linux.

traffic analysis: Processes and tools that facilitate reporting of network communication flows summarized by host or protocol type.

traffic shapers: Appliances and/or software that enable administrators to closely monitor network traffic and to manage that network traffic. The primary function of a traffic shaper is to optimize network media throughput to get the most from the available bandwidth. Also called a bandwidth shaper.

transceiver: Component in a network interface that converts data to and from the media signalling type. Modular transceivers are designed to plug into switches and routers.

transmission control protocol (TCP): Protocol in the TCP/IP suite operating at the Transport layer to provide connection-oriented, guaranteed delivery of packets.

transport layer: OSI model layer responsible for ensuring reliable data delivery.

transport layer security (TLS): Security protocol that uses certificates for authentication and encryption to protect web communications and other application protocols.
trivial file transfer protocol (TFTP): Simplified form of FTP supporting only file copying. TFTP works over UDP port 69.

troubleshooting methodology: Structured approach to problem-solving using identification, theory of cause, testing, planning, implementation, verification, and documentation steps.

trunks: Backbone link established between switches and routers to transport frames for multiple virtual LANs (VLANs).

tunneling: Encapsulating data from a local protocol within another protocol's PDU to transport it to a remote network over an intermediate network. Tunneling protocols are used in many contexts, including virtual private networks (VPNs) and transporting IPv6 packets over IPv4 networks.

twinaxial: Media type similar to coax but with two inner conductors to improve performance.

twisted pair cable: Network cable construction with insulated copper wires twisted about each other. A pair of color-coded wires transmits a balanced electrical signal. The twisting of the wire pairs at different rates acts to reduce interference and crosstalk.

U

ultra physical contact (UPC): Fiber optic connector finishing type that uses a slightly curved polish for the ferrule.

unicast: A packet addressed to a single host. If the host is not on the local subnet, the packet must be sent via one or more routers.

uniform resource locator (URL) filtering: Type of content filter applied to restrict client queries to particular uniform resource locator (URL) web addresses.

uninterruptible power supply (UPS): Battery-powered device that supplies AC power that an electronic device can use in the event of power failure.

unshielded twisted pair (UTP): Media type that uses copper conductors arranged in pairs that are twisted to reduce interference. Typically cables are 4-pair or 2-pair.

user datagram protocol (UDP): Protocol in the TCP/IP suite operating at the Transport layer to provide connectionless, non-guaranteed communication.
V

variable length subnet masking (VLSM): Using network prefixes of different lengths within an IP network to create subnets of different sizes.

version control: Within a source control system, a process that assigns an identification number to each release of an app or script.

virtual appliance: A preconfigured, self-contained virtual machine image ready to be deployed and run on a hypervisor.

virtual extensible lan (VXLAN): Technology used to implement an overlay network so that hosts in separate subnets can establish layer 2 adjacency in a discrete logical segment. The 24-bit VXLAN ID space supports up to 16 million logical segments.

virtual ip: Public address of a load balanced cluster that is shared by the devices implementing the cluster.

virtual lan (VLAN): A logical network segment comprising a broadcast domain established using a feature of managed switches to assign each port a VLAN ID. Even though hosts on two VLANs may be physically connected to the same switch, local traffic is isolated to each VLAN, so they must use a router to communicate.

virtual private cloud (VPC): A private network segment made available to a single cloud consumer on a public cloud.

visual fault locator: Troubleshooting tool used to identify breaks or imperfections in fiber optic cable.

vlan hopping: Exploiting a misconfiguration to direct traffic to a different VLAN without authorization.

voice or auxiliary vlan: Feature of VoIP handsets and switches to segregate data and voice traffic while using a single network wall port to attach the handset and the computer. Also called auxiliary VLAN.

voice over ip (VoIP): Generic name for protocols that carry voice traffic over data networks.

voip phones: Handset or software client that implements a type of voice over Internet Protocol (VoIP) to allow a user to place and receive calls.

vulnerability: Weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
vulnerability assessment: Evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system. Also called vulnerability testing.

W

warm site: Alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

wide area networks (WANs): Network scope that spans a large geographical area, incorporating more than one site and often a mix of different media types and protocols plus the use of public telecommunications networks.

wi-fi analyzer: Device or software that can report characteristics of a WLAN, such as signal strength and channel utilization.

wi-fi protected access (WPA): Standards for authenticating and encrypting access to Wi-Fi networks. Also called WPA2 and WPA3.

wire map tester: Tool to verify termination/pinouts of cable.

wireless controller: Device that provides wireless LAN management for multiple APs.

wireless mesh network (WMN): Wireless network topology where all nodes, including client stations, are capable of providing forwarding and path discovery. This improves coverage and throughput compared to using just fixed access points and extenders.

wireshark: Widely used protocol analyzer.

wiring diagram: Documentation of connector pinouts and/or cable runs.

work recovery time (WRT): In disaster recovery, time additional to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.

Y

yaml ain't markup language (YAML): Language for configuration files and applications such as Netplan and Ansible.

Z

zero trust architecture (ZTA): The security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

zero-day: Vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.
zone index: Parameter assigned by a host to distinguish ambiguous interface addresses within a link local scope.

zone transfer: Mechanism by which a secondary name server obtains a read-only copy of zone records from the primary server.