Firewall Wizards mailing list archives

Re: newbie: Proxy as Bastion Host?


From: Leonard Miyata <leonard () geminisecure com>
Date: Tue, 22 Jun 1999 09:41:51 -0700 (PDT)

Hi There Too...

You're only partially correct on the use of the bastion host. The
other purpose of the bastion host is that, being exposed to the
outside, the bastion host would receive special configuration to
make it resistant to outside attack. With the proxy outside in
front of the firewall, it serves as a 'filter' to only allow
authorized services into and out of the firewall.

Proxies can and do exist on the firewall as well, but there are
many issues (bottlenecks, KISS principle) involved where you
might want the proxy services on a separate bastion host...

Check out 'Building Internet Firewalls' by Chapman and Zwicky,
O'Reilly & Associates Inc. The book explains the concept in
detail....

Personal Opinion Provided by
Leonard Miyata
aka leonard () geminisecure com
Gemini Computers Inc.
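Below is an added example, not part of Leonard's message or of the book he cites, that renders the topology he describes as an explicit first-match filter policy and evaluates constructed connection attempts against it: the bastion host is the only machine reachable for proxy services, and the only one allowed to originate connections inward, and then only to authorized services. Every address, network, port and rule choice here is an assumption made for illustration.

```python
"""Screened-host / bastion-proxy policy model.

Added example, not from the original post: a small first-match packet
filter that encodes the idea of a proxy on an exposed bastion host with the
firewall admitting only the bastion's authorized services, then evaluates
constructed sample connections against it. All addresses, networks, ports
and rule choices are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing for the three zones (illustrative only).
ANY = ip_network("0.0.0.0/0")
BASTION = ip_network("192.0.2.10/32")    # proxy host on the exposed side
INTERNAL = ip_network("10.0.0.0/8")       # protected network behind the firewall

PROXY_PORTS = frozenset({80, 443, 1080})  # HTTP, HTTPS and SOCKS proxies (assumed)
INTERNAL_SERVICES = frozenset({25})       # bastion may relay mail to an inside hub (assumed)


@dataclass(frozen=True)
class Conn:
    """A connection attempt as seen by the choke point: who initiates to whom."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[frozenset] = None   # None = any destination port
    proto: Optional[str] = None          # None = any protocol
    note: str = ""

    def matches(self, c: Conn) -> bool:
        return (ip_address(c.src) in self.src
                and ip_address(c.dst) in self.dst
                and (self.dports is None or c.dport in self.dports)
                and (self.proto is None or c.proto == self.proto))


def screened_host_policy() -> list:
    """Ordered rules; first match wins, anything unmatched is denied."""
    return [
        Rule("permit", ANY, BASTION, PROXY_PORTS, "tcp",
             "clients on either side may reach the proxy services, nothing else"),
        Rule("permit", BASTION, INTERNAL, INTERNAL_SERVICES, "tcp",
             "only the bastion may originate inward, and only to authorized services"),
        Rule("deny", ANY, INTERNAL, None, None,
             "no other connection reaches the protected network directly"),
    ]


def evaluate(rules, conn) -> tuple:
    """Return (action, reason) for the first matching rule, else implicit deny."""
    for r in rules:
        if r.matches(conn):
            return r.action, r.note
    return "deny", "implicit deny: no rule matched"


# Constructed sample connection attempts (not captured traffic).
SAMPLES = {
    "inside client to SOCKS proxy":    Conn("10.1.2.3", "192.0.2.10", 1080),
    "outside host to HTTPS proxy":     Conn("203.0.113.5", "192.0.2.10", 443),
    "outside host straight to inside": Conn("203.0.113.5", "10.1.2.3", 22),
    "inside client bypassing proxy":   Conn("10.1.2.3", "203.0.113.5", 80),
    "bastion relaying mail inward":    Conn("192.0.2.10", "10.0.0.25", 25),
    "bastion probing an inside host":  Conn("192.0.2.10", "10.0.0.25", 22),
    "outside host to bastion ssh":     Conn("203.0.113.5", "192.0.2.10", 22),
}


def decisions() -> dict:
    """Map each sample to the policy's verdict."""
    rules = screened_host_policy()
    return {name: evaluate(rules, c)[0] for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{action:6}  {name}")
```

The last two samples are the ones worth showing a manager: because the bastion is the exposed machine, the policy assumes it may be compromised, so even the bastion gets no more than the single inward service it needs, and a proxy port being open to the world does not mean any other port on the bastion is.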

On Tue, 22 Jun 1999, Andre Anneck wrote:

Hi there,

I have been reading the security advisories of FreeBSD, Linux, read the
book "SATAN" from O'Reilly, and browsed through a lot of web-information
about Firewall concepts etc.

I did all this because I am in need to present a Firewall concept to our
managers... *sweat*.
Now the Question.
I read that a bastion host is usually used as a proxy, socks,
authentication server that resides before the firewall. The idea behind
this bastion host is to only allow certain connection types _from_ the
bastion host to the firewall, and block off all other requests of these
connection types. [right/wrong?]

Now, what I didn't find in the books is a good explanation WHY it would be
better to have the "proxy" outside as a bastion host, instead of behind the
firewall. The firewall could basically work as a proxy too...
Now, as I trust the books when they say it's better to have the proxy be a
bastion host, I still have to explain the WHY to our managers....
Can someone explain the Why to me?

TIA,
 Andre Anneck
