I assume you're asking to compare Cisco Access Control Lists (ACL) and Cisco Flexible Packet Matching (FPM).
Packets contain a number of fields, such as:
- IP source address
- IP destination address
- TCP Source Port
- TCP Destination Port
- UDP Source Port
- UDP Destination Port
ACLs
Traditional ACLs can only permit or deny based on a limited number of fields (some of most commonly used fields are listed above); these fields are well-known throughout the internet. However, traditional ACLs cannot filter inside the payload of an IP packet, for instance if someone wanted to block certain kinds of Tibco RV UDP Multicast payloads, it's impossible to do so with traditional ACLs. Traditional ACLs look like this...
! Note: this ACL is only granular to a TCP port
access-list 102 permit tcp any any eq 80
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 23
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any eq 110
access-list 102 deny ip any any log
!
interface FastEthernet0/0
ip access-group 102 in
FPM
However, FPM can block / allow on any bit inside a single packet header or payload1, as long as there is a valid PHDL file loaded for the field that needs to be blocked or allowed. FPM can define a hierarchy of classes and policies to implement very granular control over the packets that are allowed or denied.
This is an example policy, taken from the FPM docs, which matches a UDP packets sent by the Slammer Worm. It would be impossible to block the hosts infected with the Slammer Worm using ACLs unless you block both good and bad SQL traffic by individual IP source addresses.
load protocol disk2:ip.phdf
load protocol disk2:udp.phdf
!
class-map type stack match-all ip-udp
description "match UDP over IP packets"
match field ip protocol eq 0x11 next udp
!
class-map type access-control match-all slammer
description "match on slammer packets"
match field udp dest-port eq 0x59A
match field ip length eq 0x194
match start l3-start offset 224 size 4 eq 0x4011010
!
policy-map type access-control fpm-udp-policy
description "policy for UDP based attacks"
class slammer
drop
!
policy-map type access-control fpm-policy
description "drop worms and malicious attacks"
class ip-udp
service-policy fpm-udp-policy
!
interface GigabitEthernet0/1
service-policy type access-control input fpm-policy
End Notes:
1 FPM's limitation of inspecting a single IP packet is non-trivial, since that means it's possible to circumvent FPM if an attack manages to split the attack signatures across multiple IP fragments, or TCP packets (since the TCP stream is reassembled at the receiver). That said, it's a still very powerful tool as long as you understand the limitations of the technology.
WPA and WPA2 in very simple terms are two different methods for and end device and AP to exchange encryption keys. Depending on your platform, you can support WPA and/or WPA2 with either TKIP or AES.
TKIP and AES are the two methods by which the data is encrypted.
What are the biggest differences between WPA and WPA2 and why is AES so much safer than TKIP?
If it helps, think of the difference as pressing a paper towel to a three inch gash on your arm versus getting stitches at the emergency room. One is an immediate solution that mitigates the problem at hand, the other is a better, longer term solution.
WEP was broken (badly) and needed to be fixed. However standards bodies sometimes move much slower than solutions are needed. So WPA/TKIP was provided as a better solution than WEP that could be implemented purely in code/software/drivers.
Basically, TKIP is WEP with a few extra features, provided to the community largely by a major network vendor they had previously developed as proprietary enhancements. While it provided fixes to many of the problems with WEP, it is still based on WEP.
WPA was derived from a draft of the 802.11i amendment from the IEEE. There were some changes from the draft to the finalized version of 802.11i, which is why the 802.11i standard version is called WPA2. Ultimately the differences are relatively trivial in the grand scheme of things.
For encryption, the IEEE selected AES for 802.11i. This was a much stronger encryption than WEP however many existing wireless devices were not capable of handling the demands of AES, often requiring new wireless adapters to be installed/used.
Because of this limitation to AES, it was allowed to run either WPA/WPA2 with TKIP instead of AES until the IEEE finalized 802.11n. 802.11n no longer allowed support for TKIP, so an access point was supposed to disable the HT (high throughput) data rates if it were used and operate like an 802.11a/g device.
Since that time, only WPA/AES or WPA2/AES are supported officially by the 802.11 standards.
Best Answer
A checksum is the general term used. A checksum can range from a check digit (parity bit) to a complex output string. Different checksums (examples below) can be chosen depending on the application.