Date: Sat, 13 Jan 2001 15:37:56 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Adam Lau <adamlau@yahoo.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFilter, Squid, Snort Config
Message-ID: <20010113153756.F97980@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <5.0.2.1.2.20010113140507.00b009d0@pop.mail.yahoo.com>; from adamlau@yahoo.com on Sat, Jan 13, 2001 at 02:55:42PM -0800
References: <NEBBKCBJALGONAJFPFDJGEHICDAA.muratbsd@softhome.net> <NEBBKCBJALGONAJFPFDJGEHICDAA.muratbsd@softhome.net> <1006467990.20010113165708@gmx.net> <5.0.2.1.2.20010113140507.00b009d0@pop.mail.yahoo.com>

On Sat, Jan 13, 2001 at 02:55:42PM -0800, Adam Lau wrote:
> Hello,
>
> I plan to put up a 4.2-RELEASE box running IPFilter 3.4.x. and had a few
> questions. We have two boxes and three applications (IPFilter, Squid, Snort).
>
> 1. Should we go with IPFilter/Squid > Snort or IPFilter > Squid/Snort?

For security reasons, I'd prefer three different systems. However, if
you must use two, I would say that the firewall is the most security
critical application and should have a box to itself. Both Squid and
Snort carry a greater risk for remote exploit.

> 2. Since Snort has a win32 port, would it make sense to run Snort on a
> hardened NT box as opposed to a BSD box? I remember one of my professors as
> saying that a properly configured NT box is generally more secure than *NIX.
                ^^^^^^^^^^^^^^^^^^^

I will reserve any judgement on "NT is more secure than UNIX"
statements since it quickly devolves into a religious war. What I will
say with respect to the part I have emphasised, a "properly
configured" NT box is a notoriously rare beast. NT does have some cool
security features, but there is a price to pay in the _extreme_
complexity of the security model which makes mistakes very easy.

> 3. We need a second firewall between RADIUS server and SQL DB. Anybody have
> any good experiences with Zorp? I do not know any Python. Would I still be
> able to use Zorp? What is another recommended (free), application-level
> firewall?

Once you start talking about application layer, I think "proxy" not
"firewall." That said, I have no idea.

> 4. Would I be able to install Tripwire 2.2.1 for Linux (Intel) on the boxes
> with Linux Binary Emulation enabled? Are there any drawbacks?

I cannot think of what a program like Tripwire would do that would
cause Linux-compatibility problems (it's not really "emulation"). It'd
be easy enough to try it out. I doubt there would be much if any
performance penalty.

> 5. Trouble installing FreeBSD 4.2-RELEASE on a box with Adaptec 29160 SCSI
> controller. http://www.freebsd.org/handbook/install-hw.html does not
> indicate support for the 29160. Do I have to go out and purchase a
> supported 294X controller?

Can't help.

> 6. This may be off topic, but is there an ISO image of OpenBSD 2.8
> available for download? I looked all over the OpenBSD site with no luck.

Yes, it is off topic, but one sees this so much on the OpenBSD lists
it's a reflex,

  http://www.openbsd.org/faq/faq3.html#3.1.2

-- 
Crist J. Clark                           cjclark@alum.mit.edu