Choosing a Bastion Host

Chapter 8
Learning Objectives
Understand the general requirements for
installing a bastion host
Select the attributes—memory, processor
speed, and operating system—of the bastion
host
Evaluate different options for positioning
the bastion host, both physically and within
the network

continued
Learning Objectives

Configure the bastion host

Provide for backups of the bastion host
operating system and data
Establish a baseline performance level and
audit procedures
Connect the bastion host to the network
Bastion Host

An application server that has been

specially hardened and configured to
function on a network perimeter with an
interface on the Internet
A particularly secure point in the network
Typically provides only one service
Installing a Bastion Host: General
Requirements

Your own level of comfort with the system

Its security
Its reliability
Steps for Securing a Bastion
Host

 Obtain a machine with sufficient memory

and processor speed
 Choose and install the operating system
 Determine where the host will fit in the
network configuration; put it in a safe and
controlled physical environment
 Enable the host to defend itself

continued
Steps for Securing a Bastion
Host
1. Install the services you want to provide, or
modify existing services
2. Remove services and accounts that aren’t
needed
3. Back up the system and all data on it,
including log files
4. Run a security audit
5. Connect the machine to the network
Selecting the Host Machine

Number of machines
Memory considerations
Processor speed
Choosing the operating system
How Many Machines?

Ideal to have only one service on each

bastion host
Conduct a threat assessment that identifies
your most valuable information
Get as many bastion hosts as you can afford
to maximize security; combine services on
one host if you need to save money
Memory Considerations

Should have multi-gigabytes of hard disk

storage space
 Vast quantities of log files
 Create a page file
Not likely to need multi-gigabytes worth of
RAM
Processor Speed

Get the fastest processor you can afford

Choosing the Operating System

Most important consideration is your

familiarity with the system:
 UNIX and Linux hosts
 Windows 2000/XP hosts
Keep the operating system updated
Positioning the Bastion Host

Sits on the perimeter of the network;

provides a buffer between the Internet and
the internal network
Physical options
Logical options
Physical Location

Separate room (or locked server cabinet)

with proper ventilation, adequate cooling,
and a backup power system
Co-locate Web servers and other bastion
hosts off-site
Use a hosting service
Co-Locating a Server
Network Location
Securing the Machine Itself

Aspects of a disaster recovery plan

 Availability of spare equipment
 Frequency of backup
 Secure off-site data storage
 Temporary office space
 Hardware/software insurance
 Frequency of testing the disaster program
Securing the Machine Itself

Select a secure location

Install the operating system securely
Document your work
Select a Secure Location

Limited access
Protection with an alarm system with
battery backup
Physical computer lock and cable
Password-protected screen saver and short
time delay
Install the Operating System
Securely
Reinstall OS with minimum configuration
Create two partitions on Windows 2000/XP
bastion host
 One for the OS (C: drive)
 One for other software that will run on the host (eg,
Web server or DNS server)
Use only NTFS file system for file storage
Include virus protection software
Configure DNS server located on a bastion host in
DMZ to prohibit unauthorized zone transfers
Document Your Work
Name and location of bastion host
Bastion host’s IP address and domain name
Bastion host’s operating system
Location of backup files
What to do in case the system crashes
Levels of patches that have been made to bastion
host’s operating system
Customized scripts that have been developed to
support the host
Configuring Your Bastion Host

Make the host defend itself

Select services to be provided
Disable accounts
Disable unnecessary services
Limit ports
Making the Host Defend Itself

Set up a honey pot server

Set up an Intrusion Detection System (IDS)
on the bastion host
 Place a host-based IDS system directly on the
host itself, or
 Place a network-based IDS on the firewall or
router that protects bastion hosts in the DMZ
Selecting Services to Be
Provided

Use latest version of server software

Install available security patches or updates
Install a system patch to guard against an
application that can be subject to buffer
overflow
URLs for Latest Versions
Special Considerations for UNIX
Systems

Security_patch_check utility
 Automates process of analyzing security
patches already on the system and reporting on
patches that should be added
Trusted Computing Base (TCB) Check
 Makes sure that software you run is trusted
System logging
Special Considerations for
Windows Systems

Run Microsoft Baseline Security Analyzer

Use IIS Lockdown Tool
Delete unneeded files in
%SystemRoot%\system32 folder
Special Considerations for
Windows Systems
Disabling Accounts
Delete all user accounts from the bastion host
Rename Administrator account to deter hackers
Keep a “dummy” account called Administrator to
serve as a honey pot account
Use passwords that are 6-8 alphanumeric
characters
Disabling Unnecessary Services

Disable services that enable the host to do

routing or IP forwarding
Take out hardware features you won’t use
Do not disable any dependency services
Each time a service is stopped, test the
system
Document every single change you make
Limiting Ports

Stop traffic on all but the ports you actually

need to provide services on the network
Scan the system for active ports and close
any that are being used by “unknown” or
unneeded services
Limiting Ports
Handling Backups

Binary drive image backup

 Best kind of backup
 Includes all information, including OS,
applications, and individual files
Copy all relevant files to disk
Use system’s built-in back-up utility
Auditing the Bastion Host

Test for vulnerabilities and evaluate

performance
 How well does bastion host protect itself from
attack?
 How well does it protect internal LAN behind it
from attack?
Establish a baseline for system performance
(benchmarking)
Connecting the Bastion Host

Test system and check it against baseline

level of performance to make sure it still
functions correctly
IPSentry can be used to monitor network
performance and send alerts in case of
trouble
Audit the host periodically
Monitoring the System with
IPSentry
Chapter Summary
Proper configuration of a bastion host
General requirements that apply to most
bastion hosts
Factors to consider when selecting a host
machine
Possible locations for a bastion host
Deciding what functions the host should
perform