Chapter 16

How Bastion Hosts Work


One of the best ways to protect an intranet from attack is to put a heavily fortified bastion host or bastion server in a firewall. Having a bastion host means that all access to an intranet from the Internet will be required to come through the bastion host. By concentrating all access in a single server, or a small group of servers, it's much easier to protect the entire intranet.

The bastion host does not provide intranet services itself. When it receives a request from the Internet for an intranet service, the host passes the request to the appropriate server. Subsequently, it takes the response and passes it back to the Internet.

Proxy server programs can also run on bastion hosts. That is, when someone on the intranet wants to get at an Internet resource, they first contact the proxy server on the bastion host, and the bastion host then relays the request to the Internet server. The Internet server sends the information to the proxy server on the bastion host, which in turn passes the information back to the user on the intranet.

Several means are taken to ensure that the bastion host is as secure as possible-and also to make sure that if the host is hacked into, intranet security won't be compromised.

To make the bastion host secure, it is stripped of all but the most basic services. A typical network server provides login, file, print, and other services, including access to additional servers. On a bastion host, those services have been prohibited. Since there are no user accounts, it's difficult for someone to break in using passwords. Since it has few services available, even if someone did break in, there wouldn't be much they could do with it.

For even more security, bastion hosts can be put on a private subnet (often referred to as a perimeter network), further isolating the host so that if someone breaks into it, they can only get access to that subnet, not to the rest of the intranet. A filtering router reviews packets coming from the private subnet, making sure that only authorized incoming requests pass through to the intranet.

Even more security measures can protect the server and intranet, sending alerts to intranet administrators if someone is trying to break in. The bastion host can log all access to it, and keep a secure backup of that log on a physically separate machine connected by the serial port so no one can gain access to the log remotely. System administrators can examine the log for signs of break-ins. Even more powerful are monitoring programs that watch the log and sound an alarm if it detects someone has been trying to break into the server. Auditing software can also constantly check the server software to see if it has been altered in any way-a possible sign that an intruder has successfully attacked it and taken control of its resources.

How Bastion Hosts Work

A bastion host (also called a bastion server) is one of the main defenses in an intranet firewall. It's a heavily fortified server that sits inside the firewall, and it is the main point of contact between the intranet and the Internet. By having an isolated, heavily defended server as the main point of contact, the rest of the intranet resources can be shielded from attacks starting on the Internet.