3DES: Triple Data Encryption Standard. This standard is an enhanced and considerably stronger version of the DES encryption algorithm.

AH: Authentication Header. See Packet security.

CET: Cisco Encryption Technology. Before IPSec became a popular standard, Cisco developed a proprietary encryption scheme for its hardware. CET is still available as a feature set, and you can create a configuration that mixes CET and IPSec encryption to support legacy configurations.

Cisco IOS: Cisco Internetwork Operating System. This OS runs on Cisco routing and switching hardware.

DES: Data Encryption Standard. This standard is a popular encryption algorithm. DES forms the foundation for the VPN that Figure 1 shows.

Diffie-Hellman: Using this process, two systems can create a shared secret key and the systems can decrypt information sent to them from the other system that shares that key. The systems create the key in such a way that the systems never send the key over the network. The systems must deduce the key through a formula that uses a user-provided value as its base. When the value is the same on each end of the Diffie-Hellman process, each system can arrive at the same key value independently.

ESP: Encapsulating Security Payload. See Packet security.

GRE: Generic routing encapsulation. This Cisco tunneling protocol lets non-IP protocols traverse an IP-only infrastructure such as the Internet. You can configure IPX, AppleTalk, DECnet, and other protocols to pass through a GRE tunnel.

Hash: This function takes a variable amount of source data and creates a short fixed-length output that represents the input data. Different types of hashes exist, but each hash uses a one-way algorithm. A strong one-way algorithm ensures that you can easily calculate the value of the hash given the data; however, providing a set of data that hashes to a predetermined value is virtually impossible. Servers often use hashes to ensure that intruders haven't tampered with data during transport. Two common hashes are SHA and MD5.

IETF: Internet Engineering Task Force. This loosely organized group of engineers and scientists contribute to and collaborate on the various standards that are necessary to let diverse systems communicate over the Internet. RFCs specify the proposed standards that pass the scrutiny of an IETF workgroup.

IKE: Internet Key Exchange. This hybrid protocol is a combination of the ISAKMP and the Oakley Key Exchange Protocol. You use IKE to set up the communications between peer routers. IKE doesn't secure the user data but creates the communication channels that peer routers use to securely pass user data. IKE primarily encompasses router key exchange and the negotiation of security policy.

IPSec: IP Security. The IETF formalized this protocol, which is a suite of security standards that provide IP data packet security. RFC 2401 specifies IPSec.

ISAKMP: Internet Security Association and Key Management Protocol. This suite of security protocols provides the basis for IKE. Cisco's documentation often uses ISAKMP and IKE interchangeably. When Cisco mentions ISAKMP, assume the company means IKE.

Key exchange: In this authentication process, a system verifies another systems' identity and trustworthiness. Most modern security protocols use this authentication method. Without secure key exchange, all other aspects of IPSec packet security are pointless.

MD5: Message Digest version 5. RFC 1321 specifies this popular hashing algorithm.

MIB: Management Information Base. A network management system can monitor this database of objects.

Packet security: Data security that the AH and ESP protocols provide. AH provides source authentication and replay detection. Replay detection prevents intruders from using captured data and resending the data to the host to disguise the data as legitimate traffic. ESP provides the data encryption service and duplicates some of AH's services such as authentication and replay detection. You can use AH, ESP, or a combination of AH and ESP to protect data streams.

RFC: Request for Comments. The IETF publishes these documents that define the various Internet standards that make network communication possible.

SA: Security association. Peer routers use this combination of keys and protocols to protect traffic flow. Each peer-to-peer router connection has an associated SA and might also have more than one SA if you configure different levels of security for different types of traffic. For example, Oracle traffic to and from a financial database server can have a stronger level of protection than intranet Web site traffic. The IKE protocol creates a bidirectional SA to each peer router that the router is communicating securely with. The IKE protocol also creates a separate unidirectional IPSec SA.

SHA: Secure Hash Algorithm. The National Institute of Standards and Technology (NIST) supports this popular hash algorithm, which NIST published in 1993.

SHA-1: Secure Hash Algorithm revision 1. This revision is an update from the National Institute of Standards and Technology (NIST) to the original SHA algorithm that NIST published in 1994. This update corrects an unpublished flaw.

Tunnel mode or transport mode: The VPN configuration that Figure 1 shows uses tunnel mode only. You use transport mode when two host stations converse. For example, to have a secure conversation, two Windows 2000 (Win2K) servers might use IPSec in transport mode. Microsoft implements IPSec in transport mode, in which the communicating hosts are responsible for encrypting the traffic they pass to one another, rather than relying on an intervening network device to encrypt the traffic after it leaves the host but before it leaves the network.

VPN: Virtual Private Network. This term describes network nodes on a public or semipublic network that send private information to one another in a secure manner.