From owner-freebsd-questions Sat Jan 13 15:38:10 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
    by hub.freebsd.org (Postfix) with ESMTP id 6BCD737B400
    for ; Sat, 13 Jan 2001 15:37:52 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149])
    by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
    Sat, 13 Jan 2001 15:36:08 -0800
Received: (from cjc@localhost)
    by rfx-64-6-211-149.users.reflexcom.com (8.11.1/8.11.0) id f0DNbv512156;
    Sat, 13 Jan 2001 15:37:57 -0800 (PST) (envelope-from cjc)
Date: Sat, 13 Jan 2001 15:37:56 -0800
From: "Crist J. Clark"
To: Adam Lau
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFilter, Squid, Snort Config
Message-ID: <20010113153756.F97980@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <1006467990.20010113165708@gmx.net> <5.0.2.1.2.20010113140507.00b009d0@pop.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <5.0.2.1.2.20010113140507.00b009d0@pop.mail.yahoo.com>; from adamlau@yahoo.com on Sat, Jan 13, 2001 at 02:55:42PM -0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Jan 13, 2001 at 02:55:42PM -0800, Adam Lau wrote:
> Hello,
>
> I plan to put up a 4.2-RELEASE box running IPFilter 3.4.x. and had a few
> questions. We have two boxes and three applications (IPFilter, Squid, Snort).
>
> 1. Should we go with IPFilter/Squid > Snort or IPFilter > Squid/Snort?

For security reasons, I'd prefer three different systems. However, if
you must use two, I would say that the firewall is the most security
critical application and should have a box to itself. Both Squid and
Snort carry a greater risk for remote exploit.

> 2. Since Snort has a win32 port, would it make sense to run Snort on a
> hardened NT box as opposed to a BSD box? I remember one of my professors as
> saying that a properly configured NT box is generally more secure than *NIX.
                ^^^^^^^^^^^^^^^^^^^

I will reserve any judgement on "NT is more secure than UNIX"
statements since it quickly devolves into a religious war. What I will
say with respect to the part I have emphasised, a "properly
configured" NT box is a notoriously rare beast. NT does have some cool
security features, but there is a price to pay in the _extreme_
complexity of the security model which makes mistakes very easy.

> 3. We need a second firewall between RADIUS server and SQL DB. Anybody have
> any good experiences with Zorp? I do not know any Python. Would I still be
> able to use Zorp? What is another recommended (free), application-level
> firewall?

Once you start talking about application layer, I think "proxy" not
"firewall." That said, I have no idea.

> 4. Would I be able to install Tripwire 2.2.1 for Linux (Intel) on the boxes
> with Linux Binary Emulation enabled? Are there any drawbacks?

I cannot think of what a program like Tripwire would do that would
cause Linux-compatibility problems (it's not really "emulation"). It'd
be easy enough to try it out. I doubt there would be much if any
performance penalty.

> 5. Trouble installing FreeBSD 4.2-RELEASE on a box with Adaptec 29160 SCSI
> controller. http://www.freebsd.org/handbook/install-hw.html does not
> indicate support for the 29160. Do I have to go out and purchase a
> supported 294X controller?

Can't help.

> 6. This may be off topic, but is there an ISO image of OpenBSD 2.8
> available for download? I looked all over the OpenBSD site with no luck.

Yes, it is off topic, but one sees this so much on the OpenBSD lists
it's a reflex,

  http://www.openbsd.org/faq/faq3.html#3.1.2

-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message