1 / 38

Choosing a Bastion Host

Choosing a Bastion Host. Chapter 8. Learning Objectives. Understand the general requirements for installing a bastion host Select the attributes—memory, processor speed, and operating system—of the bastion host

kirra
Download Presentation

Choosing a Bastion Host

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Choosing a Bastion Host Chapter 8

  2. Learning Objectives • Understand the general requirements for installing a bastion host • Select the attributes—memory, processor speed, and operating system—of the bastion host • Evaluate different options for positioning the bastion host, both physically and within the network continued

  3. Learning Objectives • Configure the bastion host • Provide for backups of the bastion host operating system and data • Establish a baseline performance level and audit procedures • Connect the bastion host to the network

  4. Bastion Host • An application server that has been specially hardened and configured to function on a network perimeter with an interface on the Internet • A particularly secure point in the network • Typically provides only one service

  5. Installing a Bastion Host: General Requirements • Your own level of comfort with the system • Its security • Its reliability

  6. Steps for Securing a Bastion Host • Obtain a machine with sufficient memory and processor speed • Choose and install the operating system • Determine where the host will fit in the network configuration; put it in a safe and controlled physical environment • Enable the host to defend itself continued

  7. Steps for Securing a Bastion Host • Install the services you want to provide, or modify existing services • Remove services and accounts that aren’t needed • Back up the system and all data on it, including log files • Run a security audit • Connect the machine to the network

  8. Selecting the Host Machine • Number of machines • Memory considerations • Processor speed • Choosing the operating system

  9. How Many Machines? • Ideal to have only one service on each bastion host • Conduct a threat assessment that identifies your most valuable information • Get as many bastion hosts as you can afford to maximize security; combine services on one host if you need to save money

  10. Memory Considerations • Should have multi-gigabytes of hard disk storage space • Vast quantities of log files • Create a page file • Not likely to need multi-gigabytes worth of RAM

  11. Processor Speed • Get the fastest processor you can afford

  12. Choosing the Operating System • Most important consideration is your familiarity with the system: • UNIX and Linux hosts • Windows 2000/XP hosts • Keep the operating system updated

  13. Positioning the Bastion Host • Sits on the perimeter of the network; provides a buffer between the Internet and the internal network • Physical options • Logical options

  14. Physical Location • Separate room (or locked server cabinet) with proper ventilation, adequate cooling, and a backup power system • Co-locate Web servers and other bastion hosts off-site • Use a hosting service

  15. Co-Locating a Server

  16. Network Location

  17. Securing the Machine Itself • Aspects of a disaster recovery plan • Availability of spare equipment • Frequency of backup • Secure off-site data storage • Temporary office space • Hardware/software insurance • Frequency of testing the disaster program

  18. Securing the Machine Itself • Select a secure location • Install the operating system securely • Document your work

  19. Select a Secure Location • Limited access • Protection with an alarm system with battery backup • Physical computer lock and cable • Password-protected screen saver and short time delay

  20. Install the Operating System Securely • Reinstall OS with minimum configuration • Create two partitions on Windows 2000/XP bastion host • One for the OS (C: drive) • One for other software that will run on the host (eg, Web server or DNS server) • Use only NTFS file system for file storage • Include virus protection software • Configure DNS server located on a bastion host in DMZ to prohibit unauthorized zone transfers

  21. Document Your Work • Name and location of bastion host • Bastion host’s IP address and domain name • Bastion host’s operating system • Location of backup files • What to do in case the system crashes • Levels of patches that have been made to bastion host’s operating system • Customized scripts that have been developed to support the host

  22. Configuring Your Bastion Host • Make the host defend itself • Select services to be provided • Disable accounts • Disable unnecessary services • Limit ports

  23. Making the Host Defend Itself • Set up a honey pot server • Set up an Intrusion Detection System (IDS) on the bastion host • Place a host-based IDS system directly on the host itself, or • Place a network-based IDS on the firewall or router that protects bastion hosts in the DMZ

  24. Selecting Services to Be Provided • Use latest version of server software • Install available security patches or updates • Install a system patch to guard against an application that can be subject to buffer overflow

  25. URLs for Latest Versions

  26. Special Considerations for UNIX Systems • Security_patch_check utility • Automates process of analyzing security patches already on the system and reporting on patches that should be added • Trusted Computing Base (TCB) Check • Makes sure that software you run is trusted • System logging

  27. Special Considerations for Windows Systems • Run Microsoft Baseline Security Analyzer • Use IIS Lockdown Tool • Delete unneeded files in %SystemRoot%\system32 folder

  28. Special Considerations for Windows Systems

  29. Disabling Accounts • Delete all user accounts from the bastion host • Rename Administrator account to deter hackers • Keep a “dummy” account called Administrator to serve as a honey pot account • Use passwords that are 6-8 alphanumeric characters

  30. Disabling Unnecessary Services • Disable services that enable the host to do routing or IP forwarding • Take out hardware features you won’t use • Do not disable any dependency services • Each time a service is stopped, test the system • Document every single change you make

  31. Limiting Ports • Stop traffic on all but the ports you actually need to provide services on the network • Scan the system for active ports and close any that are being used by “unknown” or unneeded services

  32. Limiting Ports

  33. Handling Backups • Binary drive image backup • Best kind of backup • Includes all information, including OS, applications, and individual files • Copy all relevant files to disk • Use system’s built-in back-up utility

  34. Auditing the Bastion Host • Test for vulnerabilities and evaluate performance • How well does bastion host protect itself from attack? • How well does it protect internal LAN behind it from attack? • Establish a baseline for system performance (benchmarking)

  35. Connecting the Bastion Host • Test system and check it against baseline level of performance to make sure it still functions correctly • IPSentry can be used to monitor network performance and send alerts in case of trouble • Audit the host periodically

  36. Monitoring the System with IPSentry

  37. Chapter Summary • Proper configuration of a bastion host • General requirements that apply to most bastion hosts • Factors to consider when selecting a host machine • Possible locations for a bastion host • Deciding what functions the host should perform

More Related