Well, it's really a semantic discussion. A bastion host is PART of a
firewall, but not necessarily the only part. Quoting Zwicky, et al.:

Bastion Host: A computer system that must be highly secured because it
is vulnerable to attack, usually because it is exposed to the internet
and is a main point of contact for users of internal networks.

Firewall: a component or set of components that restricts access
between a protected network and the Internet, or between other sets of
networks.
(BIF, 2nd ed., p. 103)

Consider the following config:

INTERNET=====Screening router================================Internal Net
                   |<=====maybe a reverse proxy here
                   |
             BASTION (HTTP, SMTP, DNS, etc)
             Other DMZ servers

The "firewall" is made up of the screening router, the reverse proxy,
and whatever else aids in limiting access. The bastion is simply a
hardened server, usually set up to do one or two things ONLY.
E.g., I use a stripped-down SOCKS proxy (Dante) to proxy ICQ for my
execs, who demanded it. Instead of exposing the execs' computers, the
connections go to the proxy, which then talks to the 'net.

But it's all semantics. The problem is that "firewall" vendors sell
their products as "firewalls" when really they are simply one
potential component of a firewall. Placing IDSs at various points in
your infrastructure can be very instructive in demonstrating this, as
you can see the differences in the sort of alerts you see :).

My $.02, adjusted for inflation

Henry 
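Henry's diagram above and Mark's three-interface design quoted below describe the same screened-subnet layout: services live on bastions in the DMZ, inside users reach the outside only through a proxy, and nothing the DMZ initiates may reach the internal net. The following is an added example, not code or configuration from anyone in this thread: a toy stateful packet filter whose first-match rule table encodes that policy, with a handful of flows pushed through it. The zone names, the RFC 5737 test addresses, the relay and proxy hosts and the port numbers are all assumptions made for the example.

```python
"""Toy stateful packet filter for the screened-subnet design in this thread:
one filtering box with internet, internal and DMZ sides. Added example, not
from the original posts; zones, addresses and the rule table are assumed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing. Anything not internal or DMZ counts as internet.
ZONES = {"internal": ip_network("10.0.0.0/8"),
         "dmz": ip_network("192.0.2.0/24")}   # TEST-NET-1 standing in for the DMZ
MAIL_DMZ = "192.0.2.25"    # bastion running the SMTP relay
PROXY_DMZ = "192.0.2.80"   # bastion running the SOCKS proxy (Dante, tcp/1080)

# new=True marks a connection attempt (TCP SYN or first UDP datagram).
Packet = namedtuple("Packet", "src dst proto sport dport new", defaults=(True,))
# None in proto/dport/dst_host matches anything; action is "accept" or "drop".
Rule = namedtuple("Rule", "src_zone dst_zone proto dport dst_host action")

# First-match table, default deny. No rule anywhere accepts a NEW connection
# from "dmz" or "internet" into "internal": that is the point of the design.
RULES = [
    Rule("internet", "dmz", "tcp", 25, MAIL_DMZ, "accept"),     # inbound mail to relay
    Rule("internal", "dmz", "tcp", 25, MAIL_DMZ, "accept"),     # outbound mail via relay
    Rule("internal", "dmz", "tcp", 1080, PROXY_DMZ, "accept"),  # users reach the proxy
    Rule("dmz", "internet", "tcp", None, None, "accept"),       # relay/proxy talk out
    Rule("dmz", "internal", None, None, None, "drop"),          # DMZ never starts inward
    Rule("internal", "internet", None, None, None, "drop"),     # no direct surfing
]


def zone_of(addr):
    """Map an address to the firewall side it sits on."""
    a = ip_address(addr)
    return next((z for z, net in ZONES.items() if a in net), "internet")


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = set()   # accepted flows as (src, sport, dst, dport, proto)

    def filter(self, pkt):
        """Return "accept" or "drop" for one packet, tracking accepted flows."""
        # Replies to a flow already accepted pass on state, not on the table.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conns:
            return "accept"
        if not pkt.new:
            return "drop"   # mid-stream packet with no matching state
        sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
        for r in self.rules:
            if ((r.src_zone, r.dst_zone) == (sz, dz)
                    and r.proto in (None, pkt.proto)
                    and r.dport in (None, pkt.dport)
                    and r.dst_host in (None, pkt.dst)):
                if r.action == "accept":
                    self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return r.action
        return "drop"


def demo():
    """Push the flows the thread talks about through the filter (addresses constructed)."""
    fw = Firewall()
    outside, inside = "203.0.113.9", "10.1.1.5"   # TEST-NET-3 host; an internal desktop
    return {
        # Internet host delivers mail to the DMZ relay: accepted by rule.
        "inbound_smtp": fw.filter(Packet(outside, MAIL_DMZ, "tcp", 40000, 25)),
        # The relay's reply passes because the flow is established.
        "smtp_reply": fw.filter(Packet(MAIL_DMZ, outside, "tcp", 25, 40000, new=False)),
        # Attacker who owns the relay tries an internal host: dropped.
        "dmz_to_internal": fw.filter(Packet(MAIL_DMZ, inside, "tcp", 4444, 445)),
        # A forged "reply" from the DMZ with no matching state is dropped too.
        "forged_reply": fw.filter(Packet(MAIL_DMZ, inside, "tcp", 25, 51000, new=False)),
        # Internal user goes straight to the net: dropped, must use the proxy.
        "direct_surf": fw.filter(Packet(inside, outside, "tcp", 50000, 80)),
        # Internal user connects to the SOCKS proxy on the bastion: accepted.
        "via_proxy": fw.filter(Packet(inside, PROXY_DMZ, "tcp", 50001, 1080)),
        # The proxy opens the onward connection to the internet: accepted.
        "proxy_out": fw.filter(Packet(PROXY_DMZ, outside, "tcp", 33000, 80)),
    }
```

The thing to notice is that the only packets that ever cross into the internal side are replies to flows the inside opened; "not letting anything initiate from the DMZ" is not one rule but the absence of any accept rule in that direction plus state tracking, which is exactly how a compromised relay in the DMZ is kept away from the rest of the network. Real products (Firewall-1, iptables/nftables with conntrack) implement the same idea; the toy above just makes the verdicts visible.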


-----Original Message-----
> From: Mark Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 10, 2001 11:40 AM
> To: 'Marcio Henrique Leiner'; Firewalls-Digest (E-mail)
> Subject: RE: What is a bastion host
> 
> 
> No. As I say, a classic bastion host *is* the firewall. Period.
> If you need to have various forms of communication going across it
> (SMTP, HTTP etc...) you have to install the relevant services on that
> single machine. (E.g. sendmail for mail and squid for web)
> 
> Any servers that sit in a DMZ are just servers that need to be 
> accessible from the internet (web and mail for example).
> Typically, you would not let any communication initiate from the DMZ
> into your internal network.
> 
> For example, you have a machine on which you install Firewall-1 and 
> enable (say) an SMTP proxy on it.
> This is a classic example of a bastion host. Any mail *has* to travel
> through that machine since that is the only means of communicating to
> the outside world.
> 
> An extension of this design is to add a third network interface (the
> DMZ) into which you place a mail server.
> Any mail communication that comes to the firewall will be directed to
> the mail server in the DMZ.
> 
> This has the advantage that if someone were to take down your mail
> system, having it on a separate server means that you haven't had your
> firewall trashed (and hence your network is still protected even if
> your mail system is shot).
> Also, since you are blocking any communication initiating from within
> the DMZ, your attacker can't get into the rest of your network.
> 
> I haven't mentioned hardening the firewall (and DMZ) machines but that
> goes without saying.
> 
> A nice example (with pictures) of various firewall configurations can
> be found here:
> http://www.securityfocus.com/frames/?focus=microsoft&content=/focus/microsoft/nt/crux3.html
> (the final part mentioned is here:
> http://www.securityfocus.com/frames/?focus=microsoft&content=/focus/microsoft/nt/crux4.html)
> 
> Network A is the 'Classic' bastion host and B is the most common form.
> 
> Mark.
> 
> NB: The term 'bastion' is analogous to a castle gate - the gate is all
> that is protecting the inside of the castle from attack, so that is the
> most heavily defended part of the castle.
> 
> -----Original Message-----
> From: Marcio Henrique Leiner [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, April 10, 2001 5:05 PM
> To:   Mark Watts
> Cc:   'ks Quah'; Firewalls-Digest (E-mail)
> Subject:      Re: What is a bastion host
> 
> Well, to me, a bastion host is something different, but I am not a
> firewall/bastion expert. As I see it, a bastion is one machine that
> stays in front of the firewall, or in the DMZ, that has some important
> service running on it and is accessible from the internet (a probable
> goal for an attacker) and due to that needs to be "more secure" than a
> normal host. On that bastion you will put your ftp, web and/or mail
> server and close all the other doors to prevent any unauthorized access
> to this peculiar server. Note that a firewall is transparent to an
> attacker, and he/she should not see that a firewall is present. That is
> my understanding of what a bastion is, but I am not sure if my
> understanding is correct or not.
> By the way, I am thinking of using a web gateway between the internet
> and one web server, which comes with or without an SQL database. Do you
> know if I can do that with apache, or do I need to find and work with
> another program? If you know another program that can do that, I would
> be pleased with your directions about my thinking.
> 
> Waiting for your responses,
> Marcio Henrique Leiner.
> 
> Mark Watts wrote:
> 
> > A Bastion Host is one particular implementation of a firewall system
> > where you put all of your defences into a single 'bastion of defence'
> > machine.
> >
> > On a bastion host, any and all communication from inside to outside
> > (internal network to internet) is passed through this single machine.
> >
> > If you want to provide a means of communication through the firewall
> > (web access, mail, ftp...) you can do one of two things:
> >
> > 1) Simply open the required port on the firewall and allow traffic to
> > pass through it (usually transparently)
> > or
> > 2) Configure a proxy service on the firewall which will handle
> > connection requests on behalf of a client machine.
> >
> > A bastion host firewall may have a single network interface (bad) but
> > will most likely have two - one for the internal side and one for the
> > external side.
> >
> > An extension to the bastion host design is to have a third interface -
> > the DMZ (de-militarised zone) which will contain servers to handle any
> > communications services required (web, mail etc...). In this method,
> > any communication requests are directed at the firewall machine but it
> > will then forward these requests on to the relevant DMZ server.
> >
> > The DMZ architecture is probably the most popular around at the moment,
> > although there are extensions to this to have a layered approach
> > involving more than one, different, bastion host.
> >
> > Hope this helps,
> >
> > Mark.
> >
> > For further reading, grab a copy of 'Building Internet Firewalls', by
> > Chapman and Zwicky - published by O'Reilly.
> >
> > -----Original Message-----
> > From:   ks Quah [SMTP:[EMAIL PROTECTED]]
> > Sent:   Tuesday, April 10, 2001 12:29 PM
> > To:     [EMAIL PROTECTED]
> > Subject:        What is a bastion host
> >
> > HI,
> >       How does a bastion host work?
> > Does all the traffic go through it before going to the internet
> > network???
> > What happens if someone from the internal network wants to surf the
> > net...
> >
> > Does he have to pass the bastion host before going onto the net?
> >
> > Thanks
> > Quah
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> 
> 