Hardening Bastion Hosts

Date: July 24, 2005

By: Todd Jenkins

Introduction
You’ve just been asked by your manager to install a hardened bastion host. The company needs
to strengthen the security between the Internet and the company’s internal network. You
unsuspectingly accept the challenge and tell your manager you need to do some research. How
hard could it be?
Management often likes to use technical jargon even when they might not know what it means.
Your manager and a peer from another company were discussing how the other company had
just installed a hardened bastion host. They had gotten a dedicated circuit to the Internet
installed just a few weeks before your company did. The peer says how well it’s working for
them when your manager suddenly decided your company needs one since it’s working so well
at the other company. That’s where you come in.
What is a bastion host?
Now you’re probably asking yourself, “What is a bastion?” I’d never heard of a “hardened
bastion host” before I researched this paper. In fact, several of my peers hadn’t either. You
probably know what it is but didn’t know it by that terminology.
“Bastions are the highly fortified parts of a medieval castle; points that overlook critical
areas of defense, usually having stronger walls, room for extra troops, and the occasional
useful tub of boiling hot oil for discouraging attackers. A bastion host is a system
identified by the firewall administrator as a critical strong point in the network’s security.
Generally, bastion hosts will have some degree of extra attention paid to their security,
may undergo regular audits, and may have modified software.” (Steves, Kevin)
Bastion hosts are typically designed with one function in mind: to allow information to flow
securely between the Internet and the internal network without the two directly exchanging packets.
The firewall can be a single system or several systems, but it is wise to remember that the more
systems the firewall is built from, the greater the risk of compromise. You can have a
bastion host in the firewall configuration, but without hardening it, the probability of a successful
attack increases. The process called “hardening” is what allows these hosts to resist attacks from
external sources, thus protecting the internal network.
There are numerous considerations when it comes to bastion hosts: roles, design, documentation,
installation, and verification. I will briefly describe each of these in general terms, since it is
impossible to cover every facet of each.
Roles
The most common roles for bastion hosts are router, DNS, FTP, SMTP, News, and/or
Web server. A bastion host can be as simple as a router or as complex as an SMTP and DNS
server. Bastion hosts are typically a gateway, on the perimeter network, between the Internet and
the internal network. Whatever the use, its main function is to protect the network behind it.
The more roles the host has to play, the greater the likelihood of overlooking a security hole.

“Much of what the bastion host does is act as a proxy server for various services, either by
running specialized proxy server software for particular protocols (such as HTTP or FTP), or by
running standard servers for self-proxying protocols (such as SMTP).” (Zwicky, Elizabeth D.,
Simon Cooper and Brent D. Chapman. Page 131.)
What role will this host play in the overall network? Is there a genuine need for this function, or
is it merely pressure from users? Pressure from users can lead to workarounds that bypass security
because of the inconvenience the security policy causes.
Now you need to identify what the host will be used for and verify whether or not it meets your
network security policy specifications.
“A network security policy identifies the resources that need protection and the threats against
them. It then defines how they can be used and who can use them, and stipulates the actions to be
taken when the policies are violated.” (Firewalls and Virtual Private Networks. Page 2.)
If you don’t have a network security policy, you can find a guide to writing Security Policy and
other documentation at: http://www.sans.org/infosecFAQ/policy/shelfware.htm. You can also
find a Security Policy checklist at: http://queeg.com/~brion/security/secpolicy.html.
Design
You must ultimately decide which services need to be on a bastion host. Ideally you would have
one service per host, but this does not usually work since the cost alone is typically prohibitive. It
is easier to secure a single service on a single host. If your company can afford the costs of
multiple bastion hosts, you must decide if you are willing to maintain multiple points of attack.
“Only the services that the network administrator considers essential are installed on the bastion
host. The reasoning is that if a service is not installed, it can’t be attacked.” (Semeria, Chuck.
Internet Firewalls and Security.)
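The "if a service is not installed, it can't be attacked" rule only holds if you check it. The script below is an added example, not code from the SANS paper or from any of the cited authors: it compares what a host is actually listening on against the short list of services the design says are essential. The socket table embedded in it is constructed to look like the output of `ss -Hltnup` on a modern Linux host that was meant to run only SMTP and DNS; the essential-services list and the process names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the SANS paper): audit a bastion host's listeners
# against the services the design says are essential.

# Constructed sample: what `ss -Hltnup` might show on a host meant to run
# only SMTP and DNS. Columns: proto state recvq sendq local peer process.
sample_socket_table() {
  cat <<'EOF'
tcp   LISTEN 0 100 0.0.0.0:25    0.0.0.0:* users:(("master",pid=812,fd=13))
tcp   LISTEN 0 10  0.0.0.0:53    0.0.0.0:* users:(("named",pid=640,fd=21))
udp   UNCONN 0 0   0.0.0.0:53    0.0.0.0:* users:(("named",pid=640,fd=20))
tcp   LISTEN 0 128 0.0.0.0:21    0.0.0.0:* users:(("vsftpd",pid=901,fd=3))
tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=455,fd=7))
udp   UNCONN 0 0   0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=390,fd=5))
EOF
}

# Normalise a socket table on stdin to "proto/port process" lines, one per
# listener. The port is the last ":"-separated field of the local address, so
# "0.0.0.0:25", "[::]:25" and "*:25" all become "25".
listeners() {
  awk '{ n = split($5, a, ":"); port = a[n];
         name = "?";
         if (match($0, /\(\("[^"]+"/)) name = substr($0, RSTART + 3, RLENGTH - 4);
         print $1 "/" port, name }' | sort -u
}

# Print every listener that is not on the allowlist (space-separated, e.g.
# "tcp/25 tcp/53 udp/53"). Returns 0 when the host is minimal, 1 otherwise.
unexpected_services() {
  allow="$1"; rc=0
  while read -r svc name; do
    [ -n "$svc" ] || continue
    case " $allow " in
      *" $svc "*) ;;                      # essential, keep
      *) echo "$svc $name"; rc=1 ;;       # not in the design, flag it
    esac
  done <<EOF
$(listeners)
EOF
  return $rc
}

# Assumed design for this host: it offers mail and DNS, nothing else.
ESSENTIAL="tcp/25 tcp/53 udp/53"

echo "Listeners not on the essential list ($ESSENTIAL):"
sample_socket_table | unexpected_services "$ESSENTIAL" \
  || echo "-> remove or disable these before the host goes on the perimeter"
# On a live Linux host, replace the sample with:
#   ss -Hltnup | unexpected_services "$ESSENTIAL"
```

The process column is only filled in when `ss` runs with enough privilege to see other users' sockets, so run the live check as root. Anything the script flags is either a service to uninstall or a gap in the design document, and both are cheaper to fix before the host is exposed.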
The Department of Defense defines Defense in Depth as “The siting of mutually supporting
defense positions designed to absorb and progressively weaken attack, prevent initial
observations of the whole position by the enemy, and to allow the commander to maneuver his
reserve.” (U.S. Military with Rod Powers.) A way to use the Department of Defense’s Defense
in Depth strategy is to design a Screened Subnet Architecture. In a Screened Subnet
Architecture, the bastion host sits between an exterior router and an interior router.
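What makes the screened subnet a defense in depth is the set of flows the two routers permit: the Internet may only talk to the bastion, and only for the services it offers; the internal network may only talk to the bastion; and no packet ever passes directly between the Internet and the internal network. The script below is an added example, not code from the SANS paper, that writes that policy down as a small evaluator so the rules can be checked against concrete flows before they are typed into the routers. The address plan (bastion 192.0.2.10 on the 192.0.2.0/24 perimeter, internal network 10.1.0.0/16) and the service list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the SANS paper): the permitted flows of a screened
# subnet, as a policy evaluator. Addresses and services are constructed.

BASTION="192.0.2.10"                    # the only host on the perimeter net
DMZ_PREFIX="192.0.2."                   # perimeter (screened) subnet
INTERNAL_PREFIX="10.1."                 # internal network
BASTION_SERVICES="tcp/25 tcp/53 udp/53" # what the bastion offers

# Classify an address by the network it belongs to.
zone() {
  case "$1" in
    "$BASTION")          echo bastion ;;
    "$DMZ_PREFIX"*)      echo dmz ;;
    "$INTERNAL_PREFIX"*) echo internal ;;
    *)                   echo internet ;;
  esac
}

# permit SRC DST PROTO/PORT: returns 0 if the policy allows the flow.
# The exterior router enforces the internet-* rows, the interior router the
# internal-* and bastion-internal rows; everything unmatched is dropped.
permit() {
  sz=$(zone "$1"); dz=$(zone "$2"); svc="$3"
  case "$sz-$dz" in
    internet-bastion|internal-bastion)
      # only the bastion's own services, from either side
      case " $BASTION_SERVICES " in *" $svc "*) return 0 ;; esac ;;
    bastion-internet)
      return 0 ;;                       # bastion relays mail and DNS outward
    bastion-internal)
      [ "$svc" = "tcp/25" ] && return 0 ;;  # bastion delivers mail inward only
  esac
  return 1                              # includes internet-internal, both ways
}

# Print a verdict for one flow, for reading the policy by eye.
show() {
  if permit "$1" "$2" "$3"; then v=ALLOW; else v=DROP; fi
  printf '%-5s %-14s -> %-14s %s\n' "$v" "$1" "$2" "$3"
}

# Constructed flows that a reviewer would walk through with the design.
show 203.0.113.7 192.0.2.10 tcp/25   # Internet mail to the bastion
show 203.0.113.7 192.0.2.10 tcp/22   # Internet to a service the bastion lacks
show 10.1.4.20   192.0.2.10 udp/53   # internal resolver forwards to bastion
show 192.0.2.10  10.1.0.5   tcp/25   # bastion delivers mail inward
show 203.0.113.7 10.1.4.20  tcp/25   # direct Internet -> internal: never
show 10.1.4.20   203.0.113.7 tcp/80  # direct internal -> Internet: never
```

The last two lines are the property the architecture exists to guarantee. When a new service is requested, add it to `BASTION_SERVICES` and re-run the flows; if the request only works by adding a row that crosses from the Internet to the internal network, it is asking for a way around the design rather than a change to it.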

Full Article: http://www.sans.org/rr/whitepapers/basics/420.php
