Firewall Wizards mailing list archives

Re: newbie: Proxy as Bastion Host?


From: Carric Dooley <carric () com2usa com>
Date: Tue, 22 Jun 1999 15:46:31 -0400 (EDT)

Hmmm...  I sort of had trouble following that.

According to Chapman and Zwicky (Building Internet Firewalls) Bastion Hosts
(Marcus Ranum [pres. of NFR] coined this term) are:

"Computer systems that must be highly secured because it is vulnerable to
attack, usually because it is exposed to the Internet as a main point of
contact for users of internal networks.  It gets its name from the highly
fortified projections on the outer walls of medieval castles."

A firewall is not really specifically one machine or component.  A
firewall is an electronic representation of your network security policy.
It can come in many shapes and sizes, but for simplicity's sake, let's say we
have the standard screening router b/t the internet and your dual homed
bastion host, the dual homed bastion host, and an internal "choke"
router.  Given the above definition, a bastion host can be a web server in
your DMZ, a box running application proxies, or an external mail server.
The key is that a bastion host should be a hardened, sacrificial host.
Plan for it to be attacked, and plan to lose it.  From what I can tell,
since these books were written, a new technology has emerged.  In
addition to application proxies and packet filtering we now have stateful
inspection (IOW, sort of like packet filtering, but all state information
is maintained which significantly increases the difficulty of establishing
a connection to the internal network from the outside.  This technology
can "dynamically" punch holes for a return stream in a session initiated
from the inside.. protocols like ftp become easier to secure when the
firewall is aware of the traffic in both directions.. you used to have to
do something like allow all inbound TCP/IP with the ack bit set). I would
agree that proxying is safer than straight packet filters, but good
practice dictates we use a combination of the two.

Your screening router is relatively open, but should drop spoofed packets
as well as allowing only services you want (inbound and
outbound).  The bastion host (using the dual homed bastion host model, but
not necessarily a proxy.. they are mutually exclusive really.. pick the
technology that fits your needs) handles evaluating which packets can pass
from inside to out and vice versa given your network security policy.  The
choke router is set up to allow only services you want internal users to
access.  If the bastion host is compromised, a cracker can't sit on that
host and sniff passwords or data on the internal network because he/she is
not a part of that segment.

I hope that was at least a little helpful.  I am sure there will be
additional refinements of what I have said.  =)


Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
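As an added illustration, not part of the original thread, the following small Python model contrasts the old "allow all inbound TCP with the ACK bit set" rule Carric mentions with a stateful filter that only admits return traffic for a session initiated from the inside. The 10.0.0.0/8 internal range and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal range for the example (not from the thread).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the SYN/ACK flags."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_allow(pkt: Packet) -> bool:
    """Old packet-filter rule: anything outbound, and inbound only if the
    ACK bit is set.  The filter cannot tell a genuine reply from an
    unsolicited packet that merely has ACK set, so the latter gets through."""
    if is_internal(pkt.src):
        return True
    return pkt.ack


class StatefulFilter:
    """Stateful inspection: remember sessions opened from inside and admit
    inbound packets only when they belong to one of those sessions."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            # An outbound SYN (without ACK) opens a new session entry.
            if pkt.syn and not pkt.ack:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must match a session we opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
```

Feed an outbound SYN, its genuine reply, and an unsolicited inbound packet with ACK set through both filters: the stateless rule accepts the unsolicited packet, the stateful one rejects it.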

On Tue, 22 Jun 1999, Andre Anneck wrote:

Hi there,

I have been reading the security advisories of FreeBSD, Linux, read the
book "SATAN" from O'Reilly, and browsed through a lot of web-information
about Firewall concepts etc.

I did all this because I am in need to present a Firewall concept to our
managers... *sweat*.
Now the Question.
I read that a bastion host is usually used as a proxy, socks,
authentication server that resides before the firewall. The idea behind
this bastion host is to only allow certain connection types _from_ the
bastion host to the firewall, and block off all other requests of these
connection types. [right/wrong?]

Now, what I didn't find in the books is a good explanation WHY it would be
better to have the "proxy" outside as a bastion host, instead of behind the
firewall. The firewall could basically work as a proxy too...
Now as I trust the books when they say it's better to have the proxy be a bastion
host, I still have to explain the WHY to our managers....
Can someone explain the Why to me?

TIA,
 Andre Anneck



