Building Internet Firewalls

Building Internet FirewallsSearch this book
Previous: 5.4 Choosing a Physical LocationChapter 5
Bastion Hosts
Next: 5.6 Selecting Services Provided by the Bastion Host
 

5.5 Locating the Bastion Host on the Network

The bastion host should be located on a network that does not carry confidential traffic, preferably a special network of its own.

Most Ethernet and token ring interfaces can operate in "promiscuous mode" In this mode, they are able to capture all packets on the network the interfaces are connected to, rather than just those packets addressed to the particular machine the interface is a part of. Other types of network interfaces, such as FDDI, may not be able to capture all packets, but depending on the network architecture, they can usually capture at least some packets not specifically addressed to them.

This capability has a useful purpose: for network analysis, testing, and debugging, e.g., by programs like etherfind and tcpdump. Unfortunately, it can also be used by an intruder to snoop on all traffic on a network segment. This traffic might include Telnet, FTP, or rlogin sessions (from which logins and passwords can be captured), confidential email, NFS accesses of sensitive files, and so on. You need to assume the worst: the bastion host can be compromised. If it is compromised, you don't want the bastion host to snoop on this traffic.

One way to approach the problem is to not put the bastion host on an internal network; instead, put it on a perimeter network. As we've discussed in earlier chapters, a perimeter network is an additional layer of security between your internal network and the Internet. The perimeter network is separated from the internal network by a router or bridge. Internal traffic stays on the internal net and is not visible on the perimeter net. All the bastion host on a perimeter network can see are packets that are either to or from itself, or to or from the Internet. Although this traffic might still be somewhat sensitive, it's likely to be a lot less sensitive than your typical internal network traffic, and there are other places (for instance, your Internet service provider) that can already see much of it.

Using a perimeter net with a packet filtering router between it and the internal network gives you some additional advantages. It further limits your exposure, if the bastion host is compromised, by reducing the number of hosts and services the bastion host can access.

If you can't put the bastion host on a perimeter network, you might consider putting it on a network that's not susceptible to snooping. For example, you might put it on an intelligent 10baseT hub, an Ethernet switch, or an ATM network. If you do only this, you need to take additional care to make sure that nothing trusts the bastion host, because there's no further layer of protection between it and the internal network. Using such a network technology for your perimeter network is the best of both worlds: the bastion host is isolated from internal systems (as with a traditional perimeter network) but can't snoop on traffic on the perimeter network.


Previous: 5.4 Choosing a Physical LocationBuilding Internet FirewallsNext: 5.6 Selecting Services Provided by the Bastion Host
5.4 Choosing a Physical LocationBook Index5.6 Selecting Services Provided by the Bastion Host