Firewall Wizards mailing list archives
Re: newbie: Proxy as Bastion Host?
From: Carric Dooley <carric () com2usa com>
Date: Tue, 22 Jun 1999 15:46:31 -0400 (EDT)
Hmmm... I sort of had trouble following that. According to Chapman and Zwicky (Building Internet Firewalls), bastion hosts (Marcus Ranum [pres. of NFR] coined this term) are: "Computer systems that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet as a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles."

A firewall is not really specifically one machine or component. A firewall is an electronic representation of your network security policy. It can come in many shapes and sizes, but for simplicity's sake, let's say we have the standard screening router between the Internet and your dual-homed bastion host, the dual-homed bastion host, and an internal "choke" router. Given the above definition, a bastion host can be a web server in your DMZ, a box running application proxies, or an external mail server. The key is that a bastion host should be a hardened, sacrificial host. Plan for it to be attacked, and plan to lose it.

From what I can tell, since these books were written, a new technology has emerged. In addition to application proxies and packet filtering we now have stateful inspection (IOW, sort of like packet filtering, but all state information is maintained, which significantly increases the difficulty of establishing a connection to the internal network from the outside. This technology can "dynamically" punch holes for a return stream in a session initiated from the inside.. protocols like ftp become easier to secure when the firewall is aware of the traffic in both directions.. you used to have to do something like allow all inbound TCP/IP with the ACK bit set). I would agree that proxying is safer than straight packet filters, but good practice dictates we use a combination of the two.
Your screening router is relatively open, but should drop spoofed packets as well as allowing only services you want (inbound and outbound). The bastion host (using the dual-homed bastion host model, but not necessarily a proxy.. they are mutually exclusive really.. pick the technology that fits your needs) handles evaluating which packets can pass from inside to out and vice versa given your network security policy. The choke router is set up to allow only services you want internal users to access. If the bastion host is compromised, a cracker can't sit on that host and sniff passwords or data on the internal network because he/she is not a part of that segment.

I hope that was at least a little helpful. I am sure there will be additional refinements of what I have said. =)

Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Tue, 22 Jun 1999, Andre Anneck wrote:
Hi there,

I have been reading the security advisories of FreeBSD, Linux, read the book "SATAN" from O'Reilly, and browsed through a lot of web information about firewall concepts etc. I did all this because I am in need to present a firewall concept to our managers... *sweat*.

Now the question. I read that a bastion host is usually used as a proxy, SOCKS, authentication server that resides before the firewall. The idea behind this bastion host is to only allow certain connection types _from_ the bastion host to the firewall, and block off all other requests of these connection types. [right/wrong?]

Now, what I didn't find in the books is a good explanation WHY it would be better to have the "proxy" outside as a bastion host, instead of behind the firewall. The firewall could basically work as a proxy too... Now as I trust the books when they say it's better to have the proxy be a bastion host, I still have to explain the WHY to our managers.... Can someone explain the why to me?

TIA,
Andre Anneck
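The reply above contrasts the old screening-router rule ("allow all inbound TCP with the ACK bit set") with stateful inspection that only opens a return path for sessions started from the inside, and says the screening router should also drop spoofed packets. The following toy filter, added here as an illustration and not code from the list post or from any product mentioned in it, puts the same constructed packets through both kinds of filter so the difference is visible. The addresses (10.0.0.0/8 as the internal network, 192.0.2.0/24 as the Internet side), the allowed outbound ports and the packet fields are assumptions made for the example; the connection table is deliberately minimal and does not model FTP's secondary data channel.

```python
"""Toy screening-router packet filter: stateless ACK-bit rule vs. stateful
connection tracking, plus an anti-spoofing check on the external interface.

Constructed example for illustration; not from the original post. The
networks, ports and addresses below are assumptions, not a real deployment.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed inside network
ALLOWED_OUTBOUND_PORTS = {25, 80, 443}              # assumed policy: mail + web


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "ext" or "int"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def spoofed(pkt):
    """Anti-spoofing: a packet arriving from the Internet side must not claim
    a source address that belongs to the internal network."""
    return pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET


def stateless_filter(pkt):
    """The old rule set: outbound only to allowed services, inbound allowed
    whenever the ACK bit is set (assumed to be a reply to an inside session).
    The filter keeps no memory of earlier packets."""
    if spoofed(pkt):
        return "drop"
    if pkt.iface == "int":
        return "accept" if pkt.dport in ALLOWED_OUTBOUND_PORTS else "drop"
    return "accept" if pkt.ack else "drop"


class StatefulFilter:
    """Stateful inspection: an outbound SYN to an allowed service creates a
    table entry; inbound packets are accepted only if they belong to one."""

    def __init__(self):
        self.table = set()   # (client, cport, server, sport) for live sessions

    def filter(self, pkt):
        if spoofed(pkt):
            return "drop"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.iface == "int":
            if pkt.dport in ALLOWED_OUTBOUND_PORTS and pkt.syn and not pkt.ack:
                self.table.add(key)          # session initiated from inside
                return "accept"
            return "accept" if key in self.table else "drop"
        # External side: accept only a reply to a tracked inside session.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reverse in self.table else "drop"


def run_scenarios():
    """Push constructed packets through both filters in order; return
    {scenario: (stateless verdict, stateful verdict)}."""
    sf = StatefulFilter()
    client, server, attacker = "10.1.2.3", "192.0.2.10", "192.0.2.66"
    packets = {
        "outbound_syn":     Packet("int", client, 40000, server, 443, syn=True),
        "reply_synack":     Packet("ext", server, 443, client, 40000, syn=True, ack=True),
        "outbound_ack":     Packet("int", client, 40000, server, 443, ack=True),
        "ack_probe_to_ssh": Packet("ext", attacker, 55555, client, 22, ack=True),
        "spoofed_internal": Packet("ext", "10.9.9.9", 1234, client, 22, ack=True),
        "inbound_syn_ssh":  Packet("ext", attacker, 55555, client, 22, syn=True),
    }
    return {name: (stateless_filter(p), sf.filter(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:18s} stateless={stateless:6s} stateful={stateful}")
```

The legitimate session (outbound SYN, SYN/ACK reply, outbound ACK) passes both filters. The difference shows on "ack_probe_to_ssh": an outside host sending a packet with ACK set to port 22 on an internal machine gets through the ACK-bit rule, because that rule cannot tell a reply from a probe, while the stateful filter drops it for lack of a matching session. Both filters drop the packet that arrives on the external interface with a 10.x source, which is the anti-spoofing rule the reply says the screening router should carry.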
Current thread:
- newbie: Proxy as Bastion Host? Andre Anneck (Jun 22)
- Re: newbie: Proxy as Bastion Host? Leonard Miyata (Jun 22)
- Re: newbie: Proxy as Bastion Host? Patrick M. Hausen (Jun 22)
- Re: newbie: Proxy as Bastion Host? Carric Dooley (Jun 23)