<HTML><HEAD><TITLE>Chapter 16 -- How Bastion Hosts Work</TITLE><META></HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#CE2910">
<H1><FONT SIZE=6 COLOR=#FF0000>Chapter 16</FONT></H1>
<H1><FONT SIZE=6 COLOR=#FF0000>How Bastion Hosts Work</FONT></H1>
<HR>
<P><CENTER><B><FONT SIZE=5><A NAME="CONTENTS">CONTENTS</A></FONT></B></CENTER>
<UL><LI><A HREF="#HowBastionHostsWork">How Bastion Hosts Work</A></UL>
<HR>
<P>One of the best ways to protect an intranet from attack is to put a heavily fortified <I>bastion host</I> or <I>bastion server</I> in a firewall. Having a bastion host means that all access to an intranet from the Internet will be required to come through the bastion host. By concentrating all access in a single server, or a small group of servers, it's much easier to protect the entire intranet.
<P>The bastion host does not provide intranet services itself. When it receives a request from the Internet for an intranet service, the host passes the request to the appropriate server. Subsequently, it takes the response and passes it back to the Internet.
<P>Proxy server programs can also run on bastion hosts. That is, when someone on the intranet wants to get at an Internet resource, they first contact the proxy server on the bastion host, and the bastion host then relays the request to the Internet server. The Internet server sends the information to the proxy server on the bastion host, which in turn passes the information back to the user on the intranet.
<P>Several means are taken to ensure that the bastion host is as secure as possible, and also to make sure that if the host is hacked into, intranet security won't be compromised.
<P>To make the bastion host secure, it is stripped of all but the most basic services. A typical network server provides login, file, print, and other services, including access to additional servers. On a bastion host, those services have been prohibited. Since there are no user accounts, it's difficult for someone to break in using passwords. Since it has few services available, even if someone did break in, there wouldn't be much they could do with it.
<P>For even more security, bastion hosts can be put on a private subnet (often referred to as a <I>perimeter network</I>), further isolating the host so that if someone breaks into it, they can only get access to that subnet, not to the rest of the intranet. A filtering router reviews packets coming from the private subnet, making sure that only authorized incoming requests pass through to the intranet.
<P>Even more security measures can protect the server and intranet, sending alerts to intranet administrators if someone is trying to break in. The bastion host can log all access to it, and keep a secure backup of that log on a physically separate machine connected by the serial port so no one can gain access to the log remotely. System administrators can examine the log for signs of break-ins. Even more powerful are monitoring programs that watch the log and sound an alarm if they detect someone has been trying to break into the server. Auditing software can also constantly check the server software to see if it has been altered in any way, a possible sign that an intruder has successfully attacked it and taken control of its resources.
<H2><A NAME="HowBastionHostsWork"><FONT SIZE=5 COLOR=#FF0000>How Bastion Hosts Work</FONT></A></H2>
<P>A bastion host (also called a bastion server) is one of the main defenses in an intranet firewall. It's a heavily fortified server that sits inside the firewall, and it is the main point of contact between the intranet and the Internet. By having an isolated, heavily defended server as the main point of contact, the rest of the intranet resources can be shielded from attacks starting on the Internet.
<UL>
<LI>Bastion hosts are built so that every network service possible is disabled on them; the only thing the server does is allow for specified Internet access. So, for example, there should be no user accounts on a bastion server, so that no one can log into it and take control of it and then gain access to the intranet. Even the Network File System (NFS), which allows a system to access files across a network on a remote system, should be disabled, so that intruders can't gain access to the bastion server and then get at files on the intranet. The safest way to use bastion hosts is to put them on their own subnet as part of an intranet firewall. By putting them on their own network, if they are broken into, no other intranet resources are compromised.
<LI>Bastion servers log all activity so that intranet administrators can tell if the intranet has been attacked. They often keep two copies of system logs for security reasons: in case one log is destroyed or tampered with, the other log is always available as a backup. One way to keep a secure copy of the log is to connect the bastion server via a serial port to a dedicated computer, whose only purpose is to keep track of the secure backup log.
<LI>Automated monitors are even more sophisticated programs than auditing software. Automated monitors regularly check the bastion server's system logs, and send an alarm if they find a suspicious pattern. For example, an alarm might be sent if someone attempted more than three unsuccessful logins.
<LI>There can be more than one bastion host in a firewall. Each bastion host can handle one or more Internet services for the intranet. Sometimes, a bastion host can be used as a victim machine. This is a server that is stripped bare of almost all services except one specific Internet service. Victim machines can be used to provide Internet services that are hard to handle using proxying or a filtering router, or whose security concerns are not yet known. The services are put on the victim machine instead of a bastion host with other services. That way, if the server is broken into, other bastion hosts won't be affected.
<LI>Placing a filtering router between the bastion host and the intranet provides additional security. The filtering router checks all packets between the Internet and the intranet, dropping unauthorized traffic.
<LI>When a bastion server receives a request for a service, such as sending a Web page or delivering e-mail, the server doesn't handle the request itself. Instead, it sends the request along to the appropriate intranet server. The intranet server handles the request, and then sends the information back to the bastion server. The bastion server now sends the requested information to the requester on the Internet.
<LI>Some bastion servers include auditing programs, which actively check to see whether an attack has been launched against them. There are a variety of ways to do auditing. One way to audit is to use a checksum program, which checks to see whether any software on the bastion server has been changed by an unauthorized person. A checksum program calculates a number based on the size of an executable program on the server. It then regularly calculates the checksum to see if it has changed. If it has changed, someone has altered the software, which could signal an attack.
</UL>
<HR>
<CENTER><P><A HREF="ch15.htm"><IMG SRC="PC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="#CONTENTS"><IMG SRC="CC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="contents.htm"><IMG SRC="HB.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="ch17.htm"><IMG SRC="NC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><HR WIDTH="100%"></P></CENTER>
</BODY></HTML>
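<P>The two detection mechanisms the list above describes, an automated log monitor that alarms on more than three failed logins and a checksum audit of the bastion's binaries, as an added example in Python (not code from the book). The syslog-style lines are constructed, and the audit uses a SHA-256 digest rather than the size-based checksum the chapter mentions, because a size check misses a modification that keeps the file the same length.

```python
# Added example, not from the chapter: a log monitor and a checksum audit
# of the kind a bastion host would run to spot break-in attempts.
import hashlib
import re
from collections import Counter
from pathlib import Path

# Constructed sample log lines (the syslog format is an assumption; the
# chapter does not specify one). 203.0.113.7 fails four times, the
# others fail once or succeed.
SAMPLE_LOG = """\
Mar 12 10:01:02 bastion sshd[412]: Failed password for root from 203.0.113.7 port 5102
Mar 12 10:01:05 bastion sshd[412]: Failed password for root from 203.0.113.7 port 5104
Mar 12 10:01:09 bastion sshd[412]: Failed password for admin from 203.0.113.7 port 5108
Mar 12 10:01:14 bastion sshd[412]: Failed password for root from 203.0.113.7 port 5111
Mar 12 10:02:30 bastion sshd[418]: Failed password for guest from 198.51.100.9 port 6001
Mar 12 10:03:00 bastion sshd[420]: Accepted publickey for ops from 192.0.2.5 port 7002
"""

FAILED_RE = re.compile(r"Failed password for \S+ from (\S+) port")


def failed_login_alarms(log_text, threshold=3):
    """Return the source addresses with more than `threshold` failed logins.

    This is the chapter's rule: alarm on more than three unsuccessful logins.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return sorted(src for src, n in counts.items() if n > threshold)


def baseline_checksums(paths):
    """Record a SHA-256 digest for each file; the reference the audit compares against."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def check_integrity(baseline):
    """Recalculate each digest and return the files that changed or vanished."""
    altered = []
    for path, expected in baseline.items():
        p = Path(path)
        current = hashlib.sha256(p.read_bytes()).hexdigest() if p.exists() else None
        if current != expected:
            altered.append(path)
    return altered
```

The baseline should be stored off the bastion (the chapter's separate logging machine is the natural place), since an intruder who can alter a binary can also rewrite a baseline kept beside it.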