DistributedNetworks DistributedNetworks


Network Firewalls   «Prev  Next»
Lesson 6Building a firewall (bastion host)
ObjectiveBuild a firewall using a bastion host.

Building Firewall (bastion host)

A bastion host can refer to any one of the three types of firewalls;
  1. packet filter,
  2. circuit-level gateway, or
  3. application-level gateway,
or any device with a direct connection to a public network. When Internet users attempt to access resources on your network, the first machine they will encounter is the bastion host.
  1. Packet filter: A type of firewall devices that process network traffic on a packet-by-packet basis. Packet filter devices allow or block packets, and are typically implemented through standard routers.
  2. Circuit-level gateway: Circuit-level gateways are similar to packet filters. The main advantage of circuit-level gateways is their ability to provide network address translation.
  3. Application-level gateway: Application gateways function at all four layers of the TCP/IP suite. They are typically implemented through software installed on a specialized server. Application gateways are sometimes known as proxy servers.

Firewall components

Build your bastion host with the fewest possible components, both hardware and software, and do not install application services, such as Web servers. To prevent access to your internal network, design several levels of firewall devices. Do not rely on a single firewall device to protect your network. If your security is compromised, your security policy should state what to do.

Singled-homed bastion host

Single-home bastion host
Single-home bastion host

A singled-homed bastion host has only one network interface and is normally used for application-level gateway firewalls. The external router is configured to send all incoming data to the bastion host, and all internal clients are configured to send all outgoing data to the host. Unfortunately, the router can be reconfigured to completely bypass the bastion host.

Dual-homed bastion host

Dual-homed bastion host
Dual-homed bastion host

Dual-homed bastion hosts serve as application gateways, packet filters, and circuit gateways creating a complete break between the external network and internal network.

Securing the bastion host

Secure your bastion hosts by:
  1. Removing any unnecessary service, daemon, or application
  2. Removing IP routing to route the incoming and outgoing traffic to the firewall component
  3. Securing each bastion host individually and at every level
  4. Removing services rather than simply disabling them
All bastion hosts will benefit from a sizable amount of RAM. Although a fast processor is not needed to analyze incoming and outgoing traffic, tracking the number of simultaneous connections can be memory-intensive. A bastion host must be backed up; it should be configured with its own tape backup device.
Read the paragraph below to learn about single-purpose and internal bastion hosts.

Bastion hosts

A separate bastion host dedicated to a single application is called a single-purpose bastion host. By using this type of bastion host, you do not jeopardize your security configuration and can implement strict security mechanisms such as authentication.
Internal bastion hosts reside inside the internal network and are normally used as application gateways that receive all incoming traffic from external bastion hosts. These provide an additional level of security in case the external firewall devices are compromised. All the internal network devices are configured to communicate only with the internal bastion host, and should not be affected by the compromised external bastion hosts.