Peeps,

What I don't understand is that everyone is talking about putting secured hosts
on networks that are connected to the internet (a DMZ host, or a host being
used as a firewall).

I would like to mention that hosts on the internal network must be hardened
too.

I quote:

over the last decade had revealed that 70% of fraud was committed by employees

If you read something about network security you notice that everyone says
that most attacks originate from the internal network and most security
breaches are caused by internal users.

I, as a very security-dedicated admin, try to secure my internal servers, NT
or *nix, as tightly as possible, and use all kinds of tools to watch for
attacks from the outside and from the inside, mostly intrusion detection and
other tools.

This is also clearly a security policy issue, and every company should have
such a policy: illegal use of the network by internal users should be
controlled and punished (how you do that is your own choice).

Anyway... this was not really an issue, but I just wanted to say something
to let you know I am still alive and breathing :o)

Have a nice day

Brenno




> -----Original Message-----
> From: Noonan, Wesley [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday 10 April 2001 20:56
> To:   'ks Quah'
> Cc:   [EMAIL PROTECTED]
> Subject:      RE: What is a bastion host
> 
> The classic definition of a bastion is a tower which protrudes from the wall
> of a castle. Bastions were typically placed at the ends of outer curtain
> walls and provided the initial defense of the castle proper. If the bastion
> or the wall were breached an attacker would generally have access to an
> outer courtyard (DMZ anyone?) but one would still need to breach the inner
> walls to actually be in a position to take the castle proper. Positioning of
> bastions also tended to provide the defenders a significant killing field
> that the attackers were in while attempting to breach the walls/bastions,
> but that isn't really too germane...
> 
> Taking that definition, a bastion host is any system which is subject to
> direct attack/access (the bastion wall if you will) but which is physically
> separate from the internal network (the castle proper if you will). Some
> generic examples of bastion hosts are perimeter routers, firewalls, and
> devices residing on DMZs. In practice, a bastion host can be simply defined
> as any device through which internal<->external communication must occur.
> For example, the router connecting to an ISP can be considered a bastion
> host between the outside world and the network beyond the router. A firewall
> can be considered a bastion host between the outer world and the DMZ(s) and
> internal network(s).
> 
> More involved definitions of bastion hosts extend the definition to
> requiring that bastion hosts prevent direct communications from occurring,
> that the communications be proxied instead. An application level gateway
> (ALG), for example an SMTP proxy, can be considered a bastion host by both
> definitions. If the ALG is built into the firewall, then the above example
> of a firewall holds true, though more secure. If the ALG resides on the DMZ
> though, it could be considered a bastion host between the outside world and
> the internal network. For firewalls with multiple interfaces, if the
> outside, inside and DMZ are on separate interfaces, the firewall could be
> considered a bastion host yet again between the DMZ (and thus the ALGs
> residing there) and the internal network, potentially requiring
> communications to traverse 3 bastion hosts (firewall, ALG then firewall
> again) before being permitted to the inside network. An item of note is
> that one may have multiple bastion hosts (an SMTP proxy, an HTTP proxy,
> etc.) and that bastion hosts may reside at multiple levels of the security
> perimeter design (i.e. the firewall acting as a bastion between the world
> and the DMZ then an ALG again acting as a bastion between the world and the
> inside).
> 
> In a well designed network, yes, someone attempting to surf the net *should*
> pass through a bastion host. Now whether that should be a proxy of some sort
> or not is subject to some debate, but I would recommend that a proxy be used
> if for no reason other than the caching benefits it can provide to large
> environments. As for how this works, it tends to be through a process of
> NAT/PAT and application proxying.
> 
> Anyway, there is one more definition to add to the list :-)
> 
> HTH
> 
> Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS 
> Senior QA Rep. 
> BMC Software, Inc. 
> (713) 918-2412 
> [EMAIL PROTECTED] 
> http://www.bmc.com 
> 
> 
> 
> > -----Original Message-----
> > From: ks Quah [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, April 10, 2001 06:29
> > To: [EMAIL PROTECTED]
> > Subject: What is a bastion host
> > 
> > 
> > HI,
> >       How does a bastion host work?
> > Does all the traffic go through it before going to the internet network???
> > What happens if someone from the internal network wants to surf the net...
> > 
> > Does he have to pass the bastion host before going onto the net?
> > 
> > Thanks
> > Quah
> > 
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 

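The three-zone design described in Wes's reply (outside, DMZ and inside on separate firewall interfaces, with an SMTP ALG and an HTTP proxy on the DMZ) is easiest to reason about when the rule set is written down and checked against sample traffic before it goes near a real box. The following is an added example, not code from this thread or from any product named in it: a small Python model of such a policy with first-match rules and default deny, run over constructed packets. Every address is an assumption (10.0.0.0/8 for the inside, the 192.0.2.0/24 documentation range for the DMZ, 203.0.113.9 as an outside host), as are the hypothetical proxy hosts 192.0.2.25 and 192.0.2.80, the internal mail server 10.0.0.25, and proxy port 3128.

```python
"""Zone-based firewall policy model for an outside / DMZ / inside design.
Added example, not code from the thread or any product it mentions.
All addresses, hosts and the proxy port are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ZONES = {
    "inside": ip_network("10.0.0.0/8"),     # assumed internal range
    "dmz": ip_network("192.0.2.0/24"),      # assumed DMZ range (RFC 5737 doc net)
}
SMTP_ALG = "192.0.2.25"      # hypothetical SMTP proxy (ALG) on the DMZ
HTTP_PROXY = "192.0.2.80"    # hypothetical HTTP proxy on the DMZ
INTERNAL_MX = "10.0.0.25"    # hypothetical internal mail server


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str                 # "accept" or "drop"
    dst: Optional[str] = None   # exact destination host, None = any host
    proto: Optional[str] = None
    dport: Optional[int] = None
    why: str = ""

    def matches(self, p: Packet, src_zone: str, dst_zone: str) -> bool:
        if (src_zone, dst_zone) != (self.from_zone, self.to_zone):
            return False
        if self.dst is not None and ip_address(p.dst) != ip_address(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# First match wins; anything not listed is dropped.  Deliberately absent:
# any inside->outside rule (clients must use the DMZ proxies) and any
# outside->inside rule (the outside never reaches the inside directly).
RULES: List[Rule] = [
    Rule("outside", "dmz", "accept", SMTP_ALG, "tcp", 25, "inbound mail to SMTP ALG"),
    Rule("dmz", "inside", "accept", INTERNAL_MX, "tcp", 25, "ALG delivers to internal MX"),
    Rule("inside", "dmz", "accept", SMTP_ALG, "tcp", 25, "internal MX relays out via ALG"),
    Rule("dmz", "outside", "accept", None, "tcp", 25, "ALG relays to the world"),
    Rule("inside", "dmz", "accept", HTTP_PROXY, "tcp", 3128, "clients use HTTP proxy"),
    Rule("dmz", "outside", "accept", None, "tcp", 80, "proxy fetches over HTTP"),
    Rule("dmz", "outside", "accept", None, "tcp", 443, "proxy fetches over HTTPS"),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet presented to the firewall."""
    src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
    if src_zone == dst_zone:
        return "local", f"stays within {src_zone}, firewall not traversed"
    for r in RULES:
        if r.matches(p, src_zone, dst_zone):
            return r.action, r.why
    return "drop", f"default deny {src_zone}->{dst_zone}"


def traverse(hops: List[Packet]) -> List[Tuple[str, str]]:
    """Evaluate each hop of a proxied session; stop at the first drop."""
    out = []
    for hop in hops:
        verdict = evaluate(hop)
        out.append(verdict)
        if verdict[0] == "drop":
            break
    return out


def proxied_web_request(client: str, server: str) -> List[Tuple[str, str]]:
    """Client -> HTTP proxy, then proxy -> server: firewall crossed twice."""
    return traverse([Packet(client, HTTP_PROXY, "tcp", 3128),
                     Packet(HTTP_PROXY, server, "tcp", 80)])


def inbound_mail(sender: str) -> List[Tuple[str, str]]:
    """Sender -> SMTP ALG, then ALG -> internal MX (firewall, ALG, firewall)."""
    return traverse([Packet(sender, SMTP_ALG, "tcp", 25),
                     Packet(SMTP_ALG, INTERNAL_MX, "tcp", 25)])


if __name__ == "__main__":
    # Constructed sample traffic, including the direct paths the design forbids.
    for s in [Packet("10.0.0.5", "203.0.113.9", "tcp", 80),      # client bypassing proxy
              Packet("203.0.113.9", "10.0.0.5", "tcp", 445),     # outside -> inside
              Packet("203.0.113.9", "192.0.2.80", "tcp", 3128)]: # outside using our proxy
        print(s, "->", evaluate(s))
    print("web:", proxied_web_request("10.0.0.5", "203.0.113.9"))
    print("mail:", inbound_mail("203.0.113.9"))
```

The point to notice is what the rule list does not contain: there is no inside-to-outside rule, so a client that tries to reach a web server directly is dropped, and an outside host can reach neither the inside nor the proxy port that only internal clients should use. Each proxied session crosses the firewall twice, once on either side of the ALG, which is the "firewall, ALG then firewall again" path from the reply above; if the ALG itself is compromised, the second crossing is still restricted to the one internal host and port the policy names.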