9.7. Glossary

In the following table, you will find definitions for keywords that are essential for a clearer understanding of the OpenNAC Enterprise documentation.

You can also consult the Basic Concepts section for a more comprehensive overview of some terms listed in this glossary.

Term

Definition

2FA

Two-factor authentication, sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.

802.1x

Is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to connect to a LAN or WLAN.

Active Directory

Microsoft's commercial name for its directory service. Active Directory holds all the domain assets, such as users, printers, groups, etc.

Administration Portal

The main administration tool used by network and security engineers. From it you can carry out administration, operation, troubleshooting and monitoring of OpenNAC Technologies.

Allin1

The Allin1 is based on the Intel® NUC, a small form factor PC with a tiny footprint. On this server, the ON Sensor role runs on the physical hardware, while the ON Analytics and ON Core Principal roles are hosted in virtual machines.

Apache HTTP Server

Is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0.

API

Is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other.

Business Profiles

An event classification method in OpenNAC: a business profile groups one or more policies. These groups can be used to filter events and to build specific reports and queries.

BYOD

Bring Your Own Device is a policy that allows employees in an organization to use their personally owned devices for work-related activities.

CA

A certification authority is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party.

Captive Portal

It is a user portal that allows user device registration, Guest access, and OpenNAC Agent download.

Cluster

A cluster is a collection of connected nodes identified by its cluster name. Each node in a cluster knows about the other nodes. Each node can accept a client request and forward that to the appropriate node.

CMDB

CMDB stands for Configuration Management Database and it contains all relevant information about all the different components used and managed by OpenNAC Enterprise.

CoA

RADIUS Change of Authorization (CoA) is a method used to change the authorization status of a session in real time, while that session is still active.

Configuration Vars

OpenNAC module where the default parameters to be used are defined.

Configuration Wizards

OpenNAC Technologies includes configuration wizards that simplify key network access control tasks, such as generating certificates, creating an initial configuration and joining an Active Directory domain, among others.

DHCP Server

Is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices. It relies on the standard protocol known as Dynamic Host Configuration Protocol or DHCP to respond to broadcast queries by clients.

Dictionary/Brute-Force Attacks

Techniques where attackers systematically try all possible combinations of passwords or phrases to gain unauthorized access.

Digital Certificates

Is a file or electronic password that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI).

DNS Server

The Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers reachable through the Internet or other Internet Protocol (IP) networks.

DoS

Denial of Service (DoS) is an attack that aims to disrupt the normal functioning of a network or system, making it temporarily or indefinitely unavailable.

EAP

EAP (Extensible Authentication Protocol) is a framework for network communication that provides various methods for authentication, often used in wireless networks and Point-to-Point Protocol (PPP) connections. EAP allows for flexible and extensible authentication mechanisms, enhancing network security by supporting various authentication methods, including passwords, digital certificates, and token-based systems.

EDR

Endpoint Detection and Response (EDR) is a cybersecurity solution that focuses on detecting and responding to malicious activities on endpoints.

Elasticsearch

Is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

ELK stack

ELK (Elasticsearch, Logstash, Kibana): A data analysis and visualization stack, where Elasticsearch stores and retrieves data, Logstash processes and forwards it, and Kibana provides a user-friendly interface for querying and visualizing data.

Farm

A “farm” refers to a group of interconnected servers that work together to provide High Availability.

FreeRadius

Is a modular, high performance free RADIUS suite developed and distributed under the GNU General Public License, version 2, and is free for download and use. The FreeRADIUS Suite includes a RADIUS server, a BSD-licensed RADIUS client library, a PAM library, an Apache module, and numerous additional RADIUS related utilities and development libraries.

High Availability (HA)

High Availability (HA) is a design approach for ensuring uninterrupted operation of vital systems and services. It utilizes technologies to prevent downtime caused by hardware or software failures. The goal is to maintain service reliability and minimize interruptions in critical operations.

IoT

The Internet of things describes physical objects (or groups of such objects) with sensors, processing ability, software, and other technologies that connect and exchange data with other devices and systems over the Internet or other communications networks.

IP Address

Internet Protocol Address is a numerical label assigned to each device in a computer network that uses the Internet Protocol for communication. It serves as an identifier for the device’s location and allows data to be routed to and from it on the internet or a local network.

Kibana

Is a source-available data visualization dashboard software for Elasticsearch. It provides visualization capabilities on top of the content indexed on an Elasticsearch cluster. Users can create bar, line and scatter plots, or pie charts and maps on top of large volumes of data.

Lateral Movement

Technique used by attackers to move from one compromised system to another within a network, aiming to explore and compromise additional targets.

Layer2

Refers to Layer 2 of the OSI model, the data link layer. This is the protocol layer that transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment.

Layer3

Refers to Layer 3 of the OSI model. The network layer is responsible for packet forwarding, including routing through intermediate routers, since it knows the addresses of neighboring network nodes; it also manages quality of service (QoS), and recognizes and forwards local host domain messages to the Transport layer (Layer 4).

Layer4

Refers to Layer 4 of the OSI model. The transport layer is a conceptual division of methods in the layered architecture of protocols in the network stack of the Internet Protocol Suite and the Open Systems Interconnection (OSI) model. It provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and managing directory information services, such as user data and resources, in a network. It provides a lightweight and efficient way to search, retrieve, and modify directory data. LDAP is commonly used for user authentication, authorization, and directory services in network environments.

Load Balancer

A Load Balancer is a software component that evenly distributes incoming network traffic across multiple servers or resources to optimize performance, enhance availability, and prevent overloading of any single server.

Logstash

Is a tool for managing events and logs. When used generically, the term encompasses a larger system of log collection, processing, storage and searching activities.

MAB

MAC Address Bypass (MAB) is an access control technique that allows port-based access control by using an endpoint’s MAC address. An interface with MAB authentication configured can be dynamically enabled or disabled based on the connected endpoint’s MAC address.

MAC Address

MAC Address (Media Access Control Address) is a unique identifier assigned to a network interface on a device, such as a computer or network card, to facilitate communication on a local network.

Malware

Intrusive software designed to damage and destroy computers and computer systems. Malware is a contraction of "malicious software." Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware.

MemCache

It is an open source, distributed memory object caching system that alleviates database load to speed up dynamic Web applications.

MFA

Multi-factor Authentication is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

MySQL

Is a relational database management system (RDBMS) developed by Oracle that is based on structured query language (SQL).

NAC

Network access control is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

NGFW

Is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

NIDS

Network Intrusion Detection System (NIDS) is a security tool that monitors network traffic for suspicious activity or potential security threats.

NMAP

Is a free and open source tool used for vulnerability checking, port scanning and, of course, network mapping.

Node

A node refers to an individual computing device within a network or system. It can be a standalone server, computer, or device that is part of a larger network or infrastructure.

ON Agent

Endpoint agent used to provide security analysis, hardware and software inventory, and the VPN client.

ON Analytics

One of the roles in OpenNAC technologies; it provides the analysis engine and reporting capabilities. It stores all events in separate indices that are searchable and easily filtered.

ON Captive

It is used to configure the Captive Portal workflows and themes.

ON Core

The main role in OpenNAC technologies; it provides, among other things, the AAA services.

ON NAC

OpenNAC module that includes Policy Engine and Business Profiles.

ON Netconf/ON Backup

OpenNAC module that includes Network management tools such as macros, cron, and devices backups.

ON Sensor

An OpenNAC technology role. It can be deployed in-band or out-of-band; it collects and decodes network protocols and sends the results to ON Analytics. It is based on Zeek IDS/IPS technologies.

ON VPNGW

The OpenNAC VPNGW allows establishing the VPN from a remote location to a corporate network. It also allows applying segmentation access policies, depending on the user profile.

OSI Model

A conceptual framework that defines seven layers to standardize and understand network communication functions, from the physical transmission of data to the end-user application interfaces.

OSQuery

OSQuery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. It uses basic SQL commands to leverage a relational data-model to describe a device.

OTP

One-time password systems provide a mechanism for logging on to a network or service using a unique password that can only be used once, as the name suggests.

OVA

Is an Open Source format to distribute and deploy Virtual Machines.

P12 file

A P12 file contains a digital certificate that uses PKCS#12 (Public Key Cryptography Standard #12) encryption. It is used as a portable format for transferring personal private keys and other sensitive information.

Pass-the-Hash

A hacking technique where an attacker captures the hashed credentials of a user and uses them to authenticate and gain unauthorized access.

PEAP

The Protected Extensible Authentication Protocol (PEAP), also known as Protected EAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.

PEM file

Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file is opened in a text editor, it contains very distinct headers and footers.

Plugins

A software component that adds functionality or a new feature to a host program. Plugins are designed to be easily integrated into the host application, allowing users to enhance or modify its capabilities without altering the core code.

Policy Engine

Is one of the main modules of the ON Core where authentication, authorization and accounting happens. Additional capabilities like tagging, registering and plugin calls are also included.

Proxy

Proxy is an intermediary server or device that acts as a go-between for user requests to access web content or services. It helps enhance security, privacy, and performance by masking the user’s IP address and handling requests on their behalf.

PSK

Phase Shift Keying (PSK) is a digital data modulation system in which binary data signals switch the phase of a radio frequency carrier.

Quarantine VLAN

A VLAN to which users are sent by policy or by administrator instruction. It is a secure environment where user devices can be isolated and managed properly without risk. Normally, any device that is not compliant in terms of security is sent here.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol.

RDP

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection.

Reconnaissance

The phase of a cyber-attack where the attacker gathers information about a target, such as network topology, vulnerabilities, and security measures.

Registry VLAN

A VLAN where users register their devices in the ON Core CMDB.

Service VLAN

A VLAN to which users are sent when authentication succeeds or when the security policy so decides. It provides access to the corporate network, limited to the set of resources defined by the policy.

SIEM

Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.

Single Sign-On (SSO)

A system that allows users to log in once and gain access to multiple resources or applications without the need for multiple logins.

Smart Card

Chip card, or integrated circuit card (ICC or IC card) is a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip.

SMB

Server Message Block (SMB) is a network protocol that provides shared access to files, printers, and other communication between nodes on a network.

SNMP

SNMP (Simple Network Management Protocol) is a protocol used to monitor and manage network-connected devices, allowing administrators to collect information and control network components.

SNMP Traps

Asynchronous notifications sent by network devices (switches, access points, VPN gateways and others) to inform OpenNAC of changes.

SSID

A Service Set Identifier (SSID) is a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a “network name”. This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area.

TCP

Transmission Control Protocol (TCP) is a communication standard that enables application programs and computing devices to exchange messages over a network. It is designed to send packets across the internet and ensure the successful delivery of data and messages over networks.

TTL

TTL (Time to Live) is a value in network packets that determines how long the packet remains valid or how many hops it can traverse in a network before being discarded.

UDP

User Datagram Protocol (UDP) is a communication protocol that facilitates the exchange of messages between computing devices in a network. It’s an alternative to the transmission control protocol (TCP). In a network that uses the Internet Protocol (IP), it is sometimes referred to as UDP/IP.

UDS

User Data Source (UDS) is the name OpenNAC uses for its identity repositories.

VLAN

Virtual Local Area Network (VLAN) is a logical subgroup within a local area network that is created through software rather than by manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to. It also lets traffic flow more efficiently within populations of mutual interest.

VM

Virtual Machine (VM) is a software-based emulation of a physical computer that allows multiple operating systems to run on a single physical machine, enabling efficient resource utilization and isolation.

VPN

Virtual Private Network (VPN) is a technology that extends a private network across a public network. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Wired AutoConfig

Wired AutoConfig Service is a system service that provisions local area network (LAN) Ethernet adapters with the security and connectivity settings that are required for Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated IEEE 802.3 wired access.

Wireguard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

WMI

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers, but WMI also supplies management data to other parts of the operating system and products.

XDR

Extended Detection and Response (XDR) is an evolution of EDR that integrates and correlates data from multiple security components to provide a broader threat detection and response capability.

Zeek

Formerly known as Bro, Zeek is a free and open-source network analysis framework. It can be used as a network intrusion detection system (NIDS), with the addition of live analysis of network events. It is released under the BSD license.

Zero Trust

Zero Trust is a security model that assumes no trust and enforces strict access controls for all devices and users, even if they are inside the network.