Glossary
Quick “what is X” pages for the most common terms you see in Security+, CCNA, AWS and Azure exams.
All terms
Total: 172
- AAA (Authentication, Authorization, Accounting) — AAA is a framework for controlling access and logging actions on network devices.
- ACL (Access Control List) in Networking — An ACL is a rule list that permits/denies traffic based on matching criteria.
- Air Gap — An air gap is a physical or logical separation from untrusted networks to reduce risk.
- Antivirus (AV) — Antivirus detects and removes known malware using signatures and behavioral techniques.
- ARP — ARP maps IPv4 addresses to MAC addresses on a local network.
- ASN (Autonomous System Number) — An ASN identifies an autonomous system in BGP routing.
- Asymmetric Encryption — Asymmetric encryption uses a public/private key pair for encryption and identity.
- Attack Surface — Attack surface is the set of entry points an attacker can target.
- Azure Policy — Azure Policy enforces rules and standards on resources (governance).
- Backup (3-2-1 Rule) — Backups protect against data loss; the 3-2-1 rule improves resilience.
- Bandwidth vs Throughput — Bandwidth is capacity; throughput is actual achieved data rate.
- Bastion Host (Jump Box) — A bastion host is a hardened server used as a controlled entry point for admin access.
- BGP (Basics) — BGP is the internet-scale routing protocol used between autonomous systems.
- BPDU — BPDUs are control messages used by STP/RSTP to build a loop-free topology.
- BPDU Guard — BPDU Guard disables an edge/PortFast port if it receives a BPDU, preventing loops.
- Brute Force Attack — Brute force tries many passwords/keys until one works.
- CASB (Cloud Access Security Broker) — A CASB enforces security policies between users and cloud services.
- CDN (Content Delivery Network) — A CDN caches and delivers content closer to users, improving performance and resilience.
- CDP — CDP is Cisco’s neighbor discovery protocol that shares device/interface info.
- Chain of Custody — Chain of custody documents who handled evidence and when, to prove integrity.
- CIDR — CIDR is a notation that defines network prefix length (e.g., /24).
- Compensating Control — A compensating control provides alternative protection when a primary control can’t be used.
- CSP (Content Security Policy) — CSP is a browser security standard that reduces XSS by restricting what scripts can run.
- DAI (Dynamic ARP Inspection) — DAI blocks ARP spoofing by validating ARP packets against a trusted binding table.
- Data Classification — Data classification labels data by sensitivity to apply correct security controls.
- Data Masking — Data masking hides parts of sensitive data (e.g., showing only last 4 digits).
- DDoS — DDoS floods a target with traffic to degrade or take down services.
- Default Gateway — The default gateway is where a host sends traffic destined for other networks.
- Default Route (0.0.0.0/0) — A default route sends traffic for unknown destinations to a next hop (gateway).
- Defense in Depth — Defense in depth uses multiple layers of security controls to reduce risk.
- DHCP — DHCP automatically assigns IP configuration to clients (IP, gateway, DNS).
- DHCP Snooping — DHCP snooping blocks rogue DHCP servers by trusting only specific ports.
- DHCPv6 — DHCPv6 assigns IPv6 configuration information; it can be stateful or stateless.
- Digital Forensics — Digital forensics collects and analyzes digital evidence after an incident.
- Disaster Recovery (DR) — DR restores systems and data after major outages using defined RTO/RPO targets.
- DLP (Data Loss Prevention) — DLP helps prevent sensitive data from being leaked or exfiltrated.
- DNS — DNS translates domain names into IP addresses using a distributed lookup system.
- DSCP — DSCP marks IP packets to indicate QoS treatment (priority) in the network.
- DTP (Dynamic Trunking Protocol) — DTP negotiates trunking between Cisco switches/ports automatically.
- Dual-Stack — Dual-stack means running IPv4 and IPv6 simultaneously on the same network.
- Duplex Mismatch — Duplex mismatch causes collisions/late collisions and leads to poor performance.
- ECMP (Equal-Cost Multi-Path) — ECMP uses multiple equal-cost routes for load balancing and redundancy.
- Encryption — Encryption transforms data into ciphertext to keep it confidential.
- Encryption at Rest — Encryption at rest protects stored data (disks, databases, objects) using encryption keys.
- Encryption in Transit — Encryption in transit protects data moving over networks, usually using TLS.
- Endpoint Detection and Response (EDR) — EDR monitors endpoints for suspicious behavior and helps respond to threats.
- EtherChannel — EtherChannel bundles multiple physical links into one logical link to increase bandwidth and redundancy.
- Ethernet Cabling (Basics) — Ethernet cabling types (Cat5e/Cat6) affect speed, distance, and interference resistance.
- Firewall — A firewall filters traffic between networks based on rules and inspection.
- GLBP (Gateway Load Balancing Protocol) — GLBP is a Cisco FHRP that provides redundancy and load balancing for default gateways.
- GRE Tunnel — GRE encapsulates packets to create tunnels across IP networks.
- Hardening — Hardening reduces risk by securely configuring systems and removing unnecessary features.
- Hashing — Hashing converts data into a fixed-length digest for integrity checks.
- HMAC — HMAC uses a shared secret with a hash to provide integrity and authenticity.
- Honeypot — A honeypot is a decoy system designed to attract attackers and detect activity.
- HSRP (First-Hop Redundancy) — HSRP provides a virtual default gateway so hosts keep connectivity if a router fails.
- HTTP vs HTTPS — HTTPS is HTTP protected by TLS encryption; HTTP is plaintext.
- IAM (Identity and Access Management) — IAM manages identities, roles, and permissions to control access to resources.
- IAM Role — An IAM role is an identity with permissions assumed by users or services for temporary access.
- ICMP — ICMP is used for network diagnostics and error messages (e.g., ping).
- Immutability (Immutable Backups) — Immutability prevents backups from being modified or deleted for a retention period.
- Incident Response (IR) — Incident response is the structured process to detect, contain, and recover from security incidents.
- Inter-VLAN Routing — Inter-VLAN routing allows devices in different VLANs to communicate using a Layer 3 device.
- Intrusion Detection System (IDS) — IDS detects suspicious activity and generates alerts.
- Intrusion Prevention System (IPS) — IPS detects and blocks suspicious traffic in-line.
- IPsec — IPsec secures IP traffic using encryption and integrity, commonly for VPNs.
- IPv6 — IPv6 is the next-generation IP protocol using 128-bit addresses and improved network features.
- JWT (JSON Web Token) — JWT is a compact token format used to represent claims securely.
- KMS (Key Management Service) — KMS manages encryption keys for encrypting data at rest and controlling key usage.
- LACP — LACP is a standard protocol (802.3ad/802.1AX) used to negotiate link aggregation (EtherChannel).
- Latency vs Jitter — Latency is delay; jitter is variation in delay, critical for voice/video quality.
- Lateral Movement — Lateral movement is when an attacker moves from one compromised system to others inside a network.
- Least Privilege — Least privilege means giving only the minimum permissions needed to do a task.
- LLDP — LLDP is the standards-based neighbor discovery protocol for network devices.
- LLMNR — LLMNR is a local name resolution protocol that can introduce security risks if abused.
- Loop Guard — Loop Guard prevents loops if BPDUs stop arriving on a non-designated port.
- Loopback Interface — A loopback is a logical interface that stays up as long as the device is running.
- MAC Address — A MAC address is a Layer 2 hardware identifier used for local network delivery.
- MAC Address Table (CAM Table) — A switch MAC table maps MAC addresses to ports for forwarding decisions.
- Malware — Malware is software designed to damage, disrupt, or gain unauthorized access.
- Man-in-the-Middle (MITM) — MITM intercepts communications between two parties to steal or alter data.
- MTU (Maximum Transmission Unit) — MTU is the largest packet size a link can carry without fragmentation.
- Multi-Factor Authentication (MFA) — MFA requires two or more verification factors to prove identity.
- NAC (Network Access Control) — NAC controls which devices can connect to a network based on identity and posture checks.
- NACL (Network ACL) — A NACL is a stateless subnet-level rule list that can allow or deny traffic.
- NAT (Network Address Translation) — NAT translates IP addresses between networks, often private-to-public.
- Native VLAN — The native VLAN is the VLAN whose frames are sent untagged on an 802.1Q trunk.
- NDP (Neighbor Discovery Protocol) — NDP is IPv6’s mechanism for neighbor discovery, address resolution, and router discovery.
- NetFlow (Flow Monitoring) — NetFlow collects metadata about traffic flows for visibility and troubleshooting.
- Network Segmentation — Segmentation isolates parts of a network to limit lateral movement and reduce blast radius.
- Network Troubleshooting (Layered Approach) — Troubleshooting uses a structured approach (OSI layers) to isolate the root cause quickly.
- Non-repudiation — Non-repudiation prevents someone from denying they performed an action.
- NSG (Network Security Group) — An NSG filters network traffic to/from Azure resources using security rules.
- NTLM (Basics) — NTLM is an older Windows authentication protocol with known security weaknesses.
- NTP — NTP synchronizes clocks across systems to keep time accurate.
- OAuth 2.0 — OAuth enables delegated authorization so apps can access resources without sharing passwords.
- OpenID Connect (OIDC) — OIDC is an identity layer on top of OAuth 2.0 for authentication.
- OSPF — OSPF is a link-state routing protocol that uses areas and SPF to compute routes.
- OSPF ABR vs ASBR — ABR connects OSPF areas; ASBR injects routes from outside OSPF into OSPF.
- OSPF Areas (Area 0) — OSPF uses areas to scale; Area 0 is the backbone that connects other areas.
- OSPF Neighbor / Adjacency — OSPF neighbors form adjacencies to exchange routing information (LSAs).
- OSPF Router ID — The OSPF router ID is a unique 32-bit identifier used in OSPF operations and neighbor relationships.
- PAgP — PAgP is Cisco’s proprietary link aggregation protocol for EtherChannel negotiation.
- Passive Interface (OSPF) — A passive interface stops sending routing hellos on an interface while still advertising the network.
- Password Policy — Password policy defines rules like length, complexity, reuse, and expiration.
- Patching — Patching updates software to fix vulnerabilities, bugs, and stability issues.
- Phishing — Phishing tricks users into revealing credentials or running malicious actions.
- Port Scanning — Port scanning checks which network ports are open to identify exposed services.
- Port Security — Port security limits which MAC addresses can use a switch port to reduce rogue device risk.
- PortFast — PortFast makes an access port transition to forwarding immediately to speed up host connectivity.
- Public Key Infrastructure (PKI) — PKI is the system of certificates, CAs, and processes used to manage public-key cryptography at scale.
- QoS (Quality of Service) — QoS prioritizes certain traffic types (voice/video) to reduce latency and jitter.
- RADIUS — RADIUS provides centralized authentication/authorization for network access and AAA.
- Ransomware — Ransomware encrypts data and demands payment to restore access.
- Rate Limiting — Rate limiting restricts request volume to protect services from abuse and DoS.
- Role-Based Access Control (RBAC) — RBAC grants permissions based on roles instead of individual users.
- Root Bridge (STP/RSTP) — The root bridge is the reference switch in STP; all path decisions are made relative to it.
- Root Guard — Root Guard prevents a port from becoming a root port, protecting STP root placement.
- Route Redistribution — Redistribution injects routes from one routing source/protocol into another.
- Route Summarization — Summarization aggregates multiple routes into one to reduce routing table size.
- Router-on-a-Stick — Router-on-a-stick performs inter-VLAN routing using one router interface with VLAN subinterfaces.
- Routing — Routing chooses paths between networks and forwards packets using routing tables.
- RPO (Recovery Point Objective) — RPO is the maximum acceptable amount of data loss measured in time.
- RSTP (Rapid Spanning Tree Protocol) — RSTP is a faster convergence version of STP that reduces downtime after topology changes.
- RTO (Recovery Time Objective) — RTO is the maximum acceptable time to restore a service after disruption.
- Salt (Password Hashing) — A salt is random data added to passwords before hashing to prevent rainbow table attacks.
- SAML — SAML is a standard for SSO that exchanges authentication/authorization data between IdP and SP.
- Security Group — A security group is a stateful virtual firewall that controls traffic to resources.
- Security Information and Event Management (SIEM) — SIEM collects and correlates logs to detect threats and support investigations.
- Session (Web Session) — A session is a server-side or token-based way to keep a user logged in across requests.
- Single Sign-On (SSO) — SSO lets a user access multiple apps with one login via a central identity provider.
- SLAAC (IPv6 Auto-Configuration) — SLAAC lets IPv6 hosts auto-configure addresses using router advertisements.
- SNMP — SNMP monitors network devices by reading metrics and receiving traps/alerts.
- SNMPv3 — SNMPv3 adds authentication and encryption for secure device monitoring.
- Social Engineering — Social engineering manipulates people into revealing information or performing actions.
- SPAN (Port Mirroring) — SPAN mirrors traffic from ports/VLANs to another port for analysis.
- Spanning Tree Protocol (STP) — STP prevents Layer 2 loops by blocking redundant paths.
- SQL Injection (SQLi) — SQLi injects malicious SQL to read or modify database data through vulnerable inputs.
- SSH — SSH provides encrypted remote shell access and secure tunneling.
- Static Route — A static route is a manually configured route in a router’s routing table.
- Storm Control — Storm control limits broadcast/multicast/unknown-unicast traffic to prevent storms.
- Subnetting — Subnetting splits a network into smaller networks using a subnet mask/CIDR.
- SVI (Switched Virtual Interface) — An SVI is a virtual Layer 3 interface on a switch, often used as a VLAN gateway.
- Symmetric Encryption — Symmetric encryption uses the same key to encrypt and decrypt data.
- Syslog — Syslog is a standard for sending and storing log messages from devices to a central server.
- TACACS+ — TACACS+ is a Cisco-developed AAA protocol for device administration with granular (per-command) authorization.
- Telnet — Telnet is an unencrypted remote terminal protocol (insecure for modern use).
- Time-based One-Time Password (TOTP) — TOTP generates short-lived codes that change every fixed time interval.
- Tokenization — Tokenization replaces sensitive data with non-sensitive tokens that map back to the original.
- Traceroute — Traceroute shows the hop-by-hop path packets take to reach a destination.
- Transport Layer Security (TLS) — TLS encrypts data in transit and authenticates endpoints (commonly HTTPS).
- Trunking (802.1Q) — Trunking carries traffic from multiple VLANs over one link using VLAN tags.
- TTL (Time To Live) — TTL limits how many hops a packet can traverse to prevent infinite routing loops.
- Two-Factor Authentication (2FA) — 2FA uses exactly two different authentication factors.
- UDLD — UDLD detects unidirectional link failures on fiber/copper to prevent loops and blackholes.
- VLAN — A VLAN logically segments a switch network into separate broadcast domains.
- VLAN Hopping — VLAN hopping is an attack that attempts to access traffic on other VLANs via switch misconfigurations.
- VLAN Pruning — VLAN pruning limits which VLANs are allowed on trunks to reduce unnecessary traffic and risk.
- VNet (Virtual Network) — A VNet is Azure’s isolated virtual network where you define address space and subnets.
- VoIP — VoIP carries voice calls over IP networks and is sensitive to latency and jitter.
- VPC (Virtual Private Cloud) — A VPC is an isolated virtual network in the cloud for your resources.
- VPN — A VPN creates an encrypted tunnel between networks or a client and a network.
- VRF — VRF creates separate routing tables on the same router to isolate networks.
- VRRP (First-Hop Redundancy) — VRRP provides a virtual default gateway so hosts keep connectivity if a router fails.
- VTP — VTP distributes VLAN configuration across switches in the same domain (Cisco).
- Vulnerability — A vulnerability is a weakness that can be exploited to compromise confidentiality, integrity, or availability.
- WAF (Web Application Firewall) — A WAF protects web apps by filtering HTTP(S) requests based on rules and signatures.
- Wi-Fi Roaming — Roaming is when a wireless client moves between access points while staying connected.
- WLAN — A WLAN is a wireless LAN using Wi-Fi standards to connect devices without cables.
- WPA2 vs WPA3 — WPA3 improves Wi-Fi security over WPA2 with stronger handshakes and protections.
- XSS (Cross-Site Scripting) — XSS injects malicious scripts into web pages viewed by other users.
- Zero Trust — Zero Trust assumes no implicit trust and verifies every request explicitly.