Chapter 7 Exercises
1. A key feature of hybrid IDPS systems is event correlation. After researching event correlation online, define the following terms as they are used in this process: compression, suppression, and generalization.
a. Compression is the degree to which redundant or inconsequential data can be removed to reduce the size of the result dataset.
b. Suppression is the ability of a correlation engine to suppress false-positive triggers from raising an unwarranted alarm.
c. Generalization is the ability to abstract a known exploit signature into a general-purpose alert.
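As an added illustration of the three operations (example code written for this answer sheet, not taken from the textbook or any vendor product): a small correlation pass over a constructed batch of alerts, where the source addresses, signature IDs, suppression rule and class map are all hypothetical.

```python
# Added example: toy event correlation applying compression, suppression and
# generalization in order. All alert data, signature IDs, the suppression
# rule and the class map below are constructed for illustration.
from collections import Counter

# Constructed sample alerts: (source_ip, signature_id, message)
SAMPLE_ALERTS = [
    ("10.0.0.5", "SIG-1001", "Example: SQL injection attempt on /login"),
    ("10.0.0.5", "SIG-1001", "Example: SQL injection attempt on /login"),
    ("10.0.0.5", "SIG-1001", "Example: SQL injection attempt on /login"),
    ("10.0.0.9", "SIG-2002", "Example: path traversal attempt on /files"),
    ("10.0.0.7", "SIG-3003", "Example: ICMP ping sweep"),  # internal scanner
    ("10.0.0.5", "SIG-1002", "Example: SQL injection attempt on /search"),
]

# Hypothetical suppression rule: the authorized vulnerability scanner at
# 10.0.0.7 is expected to trigger SIG-3003, so that pairing is a false positive.
SUPPRESS = {("10.0.0.7", "SIG-3003")}

# Hypothetical generalization map: specific signature -> general alert class
GENERAL = {"SIG-1001": "web-injection", "SIG-1002": "web-injection",
           "SIG-2002": "web-path-abuse"}

def compress(alerts):
    """Compression: collapse identical alerts into one record with a count."""
    counts = Counter(alerts)
    return [(src, sig, msg, n) for (src, sig, msg), n in counts.items()]

def suppress(alerts):
    """Suppression: drop records that match a known false-positive rule."""
    return [a for a in alerts if (a[0], a[1]) not in SUPPRESS]

def generalize(alerts):
    """Generalization: replace the specific signature with its general class,
    merging records that now share the same (source, class) pair."""
    merged = Counter()
    for src, sig, _msg, n in alerts:
        merged[(src, GENERAL.get(sig, "other"))] += n
    return sorted((src, cls, n) for (src, cls), n in merged.items())

def correlate(alerts):
    """Run the three operations in order and return the correlated alerts."""
    return generalize(suppress(compress(alerts)))

if __name__ == "__main__":
    for src, cls, n in correlate(SAMPLE_ALERTS):
        print(f"{src:10} {cls:15} x{n}")
```

Six raw alerts become two correlated records: the repeated injection alerts are counted once, the scanner's ping sweep is suppressed, and the two injection signatures fold into one class.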
2. Zone Alarm is a PC-based firewall and IDPS tool. Visit the product manufacturer at www.zonelabs.com and find the product specification for the IDPS features of Zone Alarm. Which Zone Alarm products offer these features?
a. After visiting the PC-based firewall and IDPS tool website located at www.zonelabs.com and doing some research, I found the product specification for the IDPS features. Two Zone Alarm products that offer these IDPS features are the Zone Alarm Pro Antivirus + Firewall and the Zone Alarm Extreme Security 2013. These are very popular products and can be purchased directly from the site. I have never used this website before, so it was interesting to do this research.
3. Using the Internet, search for commercial IDPS systems. What classification systems and descriptions are used, and how can they be used to compare the features and components of each IDPS? Create a comparison spreadsheet to identify the classification systems you find.
a. IDPS technologies can be classified based on different parameters, such as the methodologies they employ to detect intrusions, which include signature-based detection, anomaly-based detection, and stateful protocol analysis.
b. The functionalities they provide ultimately differentiate passive systems from reactive systems.
c. The type of events they monitor, which are closely related to the type of systems they guard: a wired network, a wireless network or a single host.
d. In addition to these, a fourth type of IDPS may be identified, which is known as Network Behavior Analysis (NBA) IDPS.
4. Use the Internet to search for “live DVD security toolkit.” Read a few Web sites to learn more about this class of tools and their capabilities. Write a brief description of a live DVD security toolkit.
a. Network Security Toolkit (NST) is a Linux-based Live DVD/USB Flash Drive that provides a set of free and open-source computer security and networking tools to perform routine security and networking diagnostic and monitoring tasks. The distribution can be used as a network security analysis, validation and monitoring tool on servers hosting virtual machines. The majority of tools published in the article "Top 125 security tools" by Insecure.org are available in the toolkit. NST has package management capabilities similar to Fedora and maintains its own repository of additional packages.
5. Several online passphrase generators are available. Locate at least two on the Internet and try them. What did you observe?
a. Automated Password Generator, Password Boy, Pass Creator, Random Password Generator, and Strong Password Generator are some of the online passphrase generators available. I noticed that with all of these passphrase generators, the length of the password can be changed. I also noticed an option to include symbols, numbers, lowercase and uppercase letters. Also, there is an algorithm to generate a passphrase that is either pronounceable or completely random, which is hard to crack. I have never used these passphrase generators before, so it was interesting to try them out.