Chapter 10. Bastion Hosts
A bastion host is your public presence on the Internet. Think of it as the lobby of a building. Outsiders may not be able to go up the stairs and may not be able to get into the elevators, but they can walk freely into the lobby and ask for what they want. (Whether or not they will get what they ask for depends upon the building's security policy.) Like the lobby in your building, a bastion host is exposed to potentially hostile elements. The bastion host is the system that any outsiders -- friends or possible foes -- must ordinarily connect with to access your systems or services.
Special Kinds of Bastion Hosts
Choosing a Machine
Choosing a Physical Location
Locating Bastion Hosts on the Network
Selecting Services Provided by a Bastion Host
Disabling User Accounts on Bastion Hosts
Building a Bastion Host
Securing the Machine
Disabling Nonrequired Services
Operating the Bastion Host
Protecting the Machine and Backups
By design, a bastion host is highly exposed because its existence is known to the Internet. For this reason, firewall builders and managers need to concentrate security efforts on the bastion host. You should pay special attention to the host's security during initial construction and ongoing operation. Because the bastion host is the most exposed host, it also needs to be the most fortified host.
Although we sometimes talk about a single bastion host in this chapter and elsewhere in this book, remember that there may be multiple bastion hosts in a firewall configuration. The number depends on a site's particular requirements and resources, as discussed in Chapter 7, "Firewall Design". Each is set up according to the same general principles, using the same general techniques.
Bastion hosts are used with many different firewall approaches and architectures; most of the information in this chapter should be relevant regardless of whether you're building a bastion host to use with a firewall based on packet filtering, proxying, or a hybrid approach. The principles and procedures for building a bastion host are extensions of those for securing any host. You want to use them, or variations of them, for any other host that's security critical, and possibly for hosts that are critical in other ways (e.g., major servers on your internal network).
This chapter discusses bastion hosts in general; the two following chapters give more specific advice for Unix and Windows NT bastion hosts. When you are building a bastion host, you should be sure to read both this chapter and the specific chapter for the operating system you are using.
10.1. General Principles
There are two basic principles for designing and building a bastion host:
Copyright © 2002 O'Reilly & Associates. All rights reserved.