ch08 implementing the bastion host

Guide to Firewalls and VPNs, 3rd Edition, Chapter Eight: Implementing the Bastion Host

Upload: pumaruna

Posted on 29-Sep-2015


DESCRIPTION

Guide to Firewalls and VPNs, 3rd Edition, Michael E. Whitman, Herbert J. Mattord

TRANSCRIPT

  • Guide to Firewalls and VPNs, 3rd Edition
    Chapter Eight: Implementing the Bastion Host

    Overview
    • Describe the general requirements for installing a bastion host
    • Select the optimal attributes (memory, processor speed, and operating system) for the bastion host
    • Evaluate different options for positioning the bastion host, both physically and within the network
    • Discuss critical components of the bastion host configuration

    Overview (cont'd.)
    • Explain how to provide for backups of the bastion host operating system and data
    • Establish a baseline performance level and audit procedures

    Image: From dmna.state.ny.us

    Introduction
    • Bastion host: a system specifically designed and implemented to withstand attacks
    • Usually placed in the demilitarized zone (DMZ) or outside the firewall
    • Must withstand direct assault from external attackers
    • The organization's public face on the Internet
    • Needs to be highly secured

    Installing a Bastion Host: General Requirements
    • Can be any server that hosts a Web server, e-mail server, FTP server, or other network service
    • Typically provides only one service, presenting intruders with only a minimal set of resources and open ports
    • The administrator's level of comfort with the system, its security, and its reliability is the most important criterion

    Installing a Bastion Host: General Requirements (cont'd.)
    Steps to secure a bastion host:
    • Obtain a machine with sufficient memory and processor speed
    • Choose and install the operating system
    • Determine where the host will fit in the network configuration, and put it in a safe and controlled physical environment
    • Enable the host to defend itself
    • Install the services to provide, or modify existing services

    Installing a Bastion Host: General Requirements (cont'd.)
    • Remove any and all services and accounts that aren't needed
    • Back up the system and all data on it, including log files
    • Run a security audit
    • Connect the machine to the network

    Selecting the Host Machine
    • Choose a combination of machine type and software with which you are familiar, one that you can easily work on

    Do You Need More Than One Machine?
    • Ideally, one service on each bastion host
    • Conduct a comprehensive risk analysis of all the resources in your organization
    • Get as many bastion hosts as you can afford, in order to maximize security

    Memory Considerations
    • You do not need multiple terabytes' worth of RAM
    • Run a program that maintains, rotates, and clears outdated log files
    • Hard disk storage space: multiterabyte, because the host accumulates vast quantities of log files
    • Create a page file on the hard disk to make use of additional memory, if needed

    Processor Speed
    • Processor speed: the rate at which the logic circuitry or microprocessor within a computing device processes basic instructions
    • Clock speed: expressed in GHz (gigahertz); includes a cache speed descriptor, in MHz (megahertz)
    • Three independent caches: instruction cache, data cache, translation lookaside buffer (link Ch 8a)

    Processor Speed (cont'd.)
    • Obtain a machine with the fastest processor you can afford
    • When using Secure Sockets Layer (SSL) encryption, processor speed becomes even more critical, so that the firewall doesn't add latency to the network

    Choosing the Operating System
    • Most important consideration: familiarity with the system
    • Get the machine up and running
    • Maintain it smoothly

    UNIX and Linux Hosts
    • UNIX: the most popular operating system used to provide services on the Internet
    • syslog daemon: enables logging; the standard for logging program messages
    • Security patches must correspond to the operating system
    • chkconfig: a utility which reports on the services currently running (link Ch 8b)

    Windows Hosts
    • Windows Server 2003 and 2008: excellent choices for bastion host operating systems, owing to their reliability and widespread use as servers
    • Security Compliance Manager (link Ch 8c)
    • Disable the NetBIOS interface, Server service, and Workstation service
    • Set up logging for: account logon and logoff, object access, policy changes, privilege use, and system events

    Keep Your Operating System Updated
    • Pick a version of the system that is stable and secure
    • Observe extreme caution when using automatic updating
    • Make sure your system of choice can reliably provide the services you want to make available on the public DMZ
    • Table 8-1: configuration of a standard high-end and a standard mid-range corporate server

    Table 8-1 Corporate Server Configurations (table contents not included in the transcript)

    Positioning the Bastion Host
    • Bastion hosts sit on the perimeter of the network
    • Provide a buffer between the Internet and the internal network that is being protected
    • Options for locating the host: physically and logically

    Physical Location
    • The exact building and room in which the device is located
    • Room: properly ventilated, adequate cooling, backup power system
    • May co-locate Web servers and other bastion hosts off-site; many hosting services are available

    Physical Location (cont'd.)
    • Research and ask questions
    • Pin the hosting service down on all fees
    • Get a Service-Level Agreement (SLA)
    • Do a risk-benefit analysis
    • Ask for references
    • Shop around
    • Contracts typically range from 12 to 36 months
    • Co-locating makes it more complicated for the administrator

    Network Location
    • DMZ: a network of publicly accessible servers connected to the firewall, but isolated from the internal network
    • Protects internal users from intrusions and attacks
    • The logical location for a bastion host, shown in Figure 8-1

    Figure 8-1 The Application Layer of an IP Packet © Cengage Learning 2012

    Network Location (cont'd.)
    • A bastion host can be located at any point in a network that is considered vulnerable, or where an extra level of security is needed
    • Defense in depth: a single hardened bastion host should not be relied on as the sole source of security for a network

    Securing the Machine Itself
    • Consider keeping a spare server to connect to the network in case of disaster
    • Maintain off-site backups
    • Disaster recovery plan: strategies have to weigh budgetary demands against the techniques that can help a company get back online

    Hardening a Windows or Linux Server
    • Online references: Microsoft hosts podcasts and TechNet discussion boards
    • Vendors' support sites, for example IBM

    Selecting a Secure Location
    • Should not leave the bastion host out in the middle of an office or in a high-traffic area
    • Protect it with an alarm system and battery backup, connected to a central alarm service that can notify the police in case of trouble
    • Set up a password-protected screen saver with a short time to display; use a blank screen saver

    Installing the Operating System Securely
    • You may want to reinstall an operating system you consider to be more secure, with a minimum configuration
    • Windows bastion host: create two partitions, one for the operating system and one for the Web server, DNS server, or other software
    • Use only the NTFS file system

    Installing the Operating System Securely (cont'd.)
    • Virus protection software
    • A DNS server should be configured to prohibit unauthorized zone transfers
    • Zone transfer (also known as AXFR): allows DNS database duplication and replication

    Documenting Your Work
    • Document the steps taken to secure the machine, to make it easy for other personnel to do the repair
    • Make sure instructions include:
      • Name and location of the bastion host
      • The bastion host's IP address and domain name
      • Bastion host operating system
      • Location of backup files
      • What to do in case the system crashes

    Documenting Your Work (cont'd.)
      • The levels of the patches (if any) that have been made to the bastion host's operating system
      • Any customized scripts that have been developed to support the host

    Configuring Your Bastion Host
    • Look to the security policy to determine: the resources to be protected, and the threats that need to be addressed

    Making the Host Defend Itself
    • Honeypot server: a machine placed in the DMZ to attract hackers and direct them away from other servers
      • Configured the same as a normal bastion host
      • Appears to be a real network server containing Web, FTP, or DNS services
      • Not connected to any other machines on the network
      • Does not contain valuable files

    Making the Host Defend Itself (cont'd.)
    • Some security professionals advise against using honeypots: they may attract as many attackers as they deflect
    • Intrusion detection and prevention systems: notify IT staff of possible intrusion attempts

    Selecting Services to Be Provided
    • Determine the primary service to run on the bastion host
    • Make sure the server software is the latest version
    • Table 8-2 provides the URLs for various operating systems
    • Observe extreme caution when installing software on the bastion host

    Selecting Services to Be Provided (cont'd.)
    Table 8-2 URLs for Various Operating Systems (table contents not included in the transcript)

    Special Considerations for UNIX Systems
    • security_patch_check: a UNIX utility that automates the process of analyzing the security patches already on the system and reports patches that should be added
    • Trusted Computing Base (TCB) check: a set of software programs that makes sure any software you're running on your system is a trusted program (link Ch 8d)
    • Enable system logging, and provide sufficient room for log files to grow

    Special Considerations for Windows Systems
    • Microsoft Baseline Security Analyzer: analyzes the current Windows configuration and patches; isolates vulnerabilities such as open Guest accounts and anonymous connections being enabled
    • Microsoft Security Assessment Tool (MSAT): taps into a large knowledge base of details about vulnerabilities; get advice from the vendor and security experts on how to make specific Microsoft products more secure

    Disabling Accounts
    • Delete all user accounts from the bastion host
    • Rename the administrator account
    • Use passwords that contain: at least eight alphanumeric characters; at least one numeric or special character; Unicode characters, entered with the Alt key (link Ch 8g)

    Disabling Unnecessary Services
    • Services listen on open ports, which can provide hackers with entry points
    • Disable services that enable the host to do routing or IP forwarding
    • Table 8-3: services and features that a network administrator should typically disable for UNIX and Windows
    • Do not disable any dependency services, those the system needs to function correctly; stop services one at a time

    Table 8-3 Services and Features to Disable on a Bastion Host (table contents not included in the transcript)

    Limiting Ports
    • Limit traffic on all ports except the ones needed to provide services on the network
    • Use Nmap or SuperScan to scan your system for active ports
    • Close any ports that are being used by unknown or unneeded services

    Handling Backups
    • Back up the data on the machine so you can restore it if needed
    • Binary drive image: the best kind of backup; a mirror image of all the data on a hard disk or partition, including files, applications, and system data
    • Tools: Microsoft Image Backup, Symantec's Norton Ghost, Acronis TrueImage, Clonezilla

    Auditing the Bastion Host
    • Audit the system by testing it for vulnerabilities and evaluating its performance
    • Establish a baseline for system performance: the level of performance that you consider acceptable and against which the system can be compared
    • Check system logs, event logs, and performance information, and record the information you uncover
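    The "Limiting Ports" and "Auditing the Bastion Host" steps above, as an added example that is not from the textbook: a Python script that parses `ss -tlnp`-style listener output on a Linux host (the sample output is constructed, not captured from a real machine), checks each listening port against the single service the bastion host is meant to expose, and diffs the result against a recorded baseline. The allowlist, the baseline and the process names are assumptions.

```python
"""Listener audit for a bastion host (added example, not from the textbook).
Parses `ss -tlnp`-style output, flags listening ports that are not part of the
single service the host should expose, and diffs against a recorded baseline."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `ss -tlnp` on a host that should serve only HTTPS;
# administration over SSH is assumed to be permitted by policy.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=812,fd=6))
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=601,fd=3))
LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*     users:(("rpcbind",pid=455,fd=4))
LISTEN 0      511             [::]:443           [::]:*     users:(("nginx",pid=812,fd=7))
"""
ALLOWED = {443: "nginx", 22: "sshd"}   # policy (assumed): port -> process permitted to own it
BASELINE = {443: "nginx", 22: "sshd"}  # listeners recorded at the initial audit (assumed)

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output: str) -> Dict[int, str]:
    """Map each listening TCP port to the name of the process bound to it."""
    listeners: Dict[int, str] = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[int(m.group(1))] = m.group(2)
    return listeners

def audit(listeners: Dict[int, str], allowed: Dict[int, str],
          baseline: Optional[Dict[int, str]] = None) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Return (policy_violations, new_since_baseline): ports outside the allowlist
    or owned by the wrong process, and ports absent from the recorded baseline."""
    violations = {p: n for p, n in listeners.items() if allowed.get(p) != n}
    new = {} if baseline is None else {p: n for p, n in listeners.items() if p not in baseline}
    return violations, new

def run_sample() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Audit the constructed sample against the policy allowlist and the baseline."""
    return audit(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED, BASELINE)

if __name__ == "__main__":
    violations, new = run_sample()
    for port, proc in sorted(violations.items()):
        print(f"port {port} ({proc}) is not part of the bastion host's service: disable it")
    for port, proc in sorted(new.items()):
        print(f"port {port} ({proc}) was not listening at baseline: investigate")
```

    On a real host, replace the constructed sample with the captured output of `ss -tlnp` and store the first clean result as the baseline that later periodic audits are compared against.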

    Auditing the Bastion Host (cont'd.)
    • Do not use production servers for testing
    • Apply hardening actions to a server in a test environment, then move the new functionality to a quality assurance server, and finally perform the same steps on a production server

    Connecting the Bastion Host
    • Test the system and check it against your baseline level of performance
    • Performance Monitor Wizard (for Windows Server 2003) and System Center Operations Manager (for Windows Server 2003 or 2008) assist in keeping an eye on system performance
    • Continue to audit the host on a periodic basis
    • Security Space Security Audits: test the system and provide a detailed security report