One of the best ways to protect an intranet from attack is to put a heavily fortified bastion host or bastion server in a firewall. Having a bastion host means that all access to an intranet from the Internet will be required to come through the bastion host. By concentrating all access in a single server, or a small group of servers, it's much easier to protect the entire intranet.

The bastion host does not provide intranet services itself. When it receives a request from the Internet for an intranet service, the host passes the request to the appropriate server. Subsequently, it takes the response and passes it back to the Internet.

Proxy server programs can also run on bastion hosts. That is, when someone on the intranet wants to get at an Internet resource, they first contact the proxy server on the bastion host, and the bastion host then relays the request to the Internet server. The Internet server sends the information to the proxy server on the bastion host, which in turn passes the information back to the user on the intranet.
Several means are taken to ensure that the bastion host is as secure as possible, and also to make sure that if the host is hacked into, intranet security won't be compromised.

To make the bastion host secure, it is stripped of all but the most basic services. A typical network server provides login, file, print, and other services, including access to additional servers. On a bastion host, those services have been prohibited. Since there are no user accounts, it's difficult for someone to break in using passwords. Since it has few services available, even if someone did break in, there wouldn't be much they could do with it.
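A practical way to confirm that a bastion host really is stripped down is to compare what it listens on against the short list of services it is meant to offer. The following is an added example, not code from the original text: it parses constructed sample lines in the layout of `ss -ltn` output (the sample is made up for illustration) and reports every network-reachable port that a hypothetical allow-list of SSH and HTTP proxying does not cover. Loopback-only listeners are ignored, since they are not reachable from the Internet.

```python
"""Audit the services a bastion host exposes against a small allow-list."""
import ipaddress

# Constructed sample in the layout of `ss -ltn` (TCP sockets in LISTEN state).
# These lines are made up for the example, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:2049        0.0.0.0:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::]:111            [::]:*
"""

# Hypothetical policy for this bastion: SSH for administrators and HTTP proxying.
# Anything else listening on a non-loopback address is a finding.
ALLOWED_PORTS = {22, 80}


def parse_listeners(ss_output):
    """Return (address, port) tuples from ss-style LISTEN lines, skipping the header."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")   # split on the last colon so IPv6 works
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.x / ::1; wildcard forms ('*', '0.0.0.0', '::') are network-facing."""
    if addr in ("*", ""):
        return False
    return ipaddress.ip_address(addr).is_loopback


def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Network-reachable ports that the allow-list does not permit."""
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if not is_loopback(addr) and port not in allowed
    )


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {addr}:{port}")
```

On the sample, the two findings are port 2049 (NFS) and port 111 (the RPC portmapper NFS depends on), which is exactly the kind of file-sharing service the text says should not exist on a bastion. The SMTP listener bound to 127.0.0.1 is not reported because it cannot be reached from outside the host.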
For even more security, bastion hosts can be put on a private subnet (often referred to as a perimeter network), further isolating the host so that if someone breaks into it, they can only get access to that subnet, not to the rest of the intranet. A filtering router reviews packets coming from the private subnet, making sure that only authorized incoming requests pass through to the intranet.
Even more security measures can protect the server and intranet, sending alerts to intranet administrators if someone is trying to break in. The bastion host can log all access to it, and keep a secure backup of that log on a physically separate machine connected by the serial port so no one can gain access to the log remotely. System administrators can examine the log for signs of break-ins. Even more powerful are monitoring programs that watch the log and sound an alarm if they detect someone has been trying to break into the server. Auditing software can also constantly check the server software to see if it has been altered in any way, a possible sign that an intruder has successfully attacked it and taken control of its resources.
A bastion host (also called a bastion server) is one of the main defenses in an intranet firewall. It's a heavily fortified server that sits inside the firewall, and it is the main point of contact between the intranet and the Internet. By having an isolated, heavily defended server as the main point of contact, the rest of the intranet resources can be shielded from attacks starting on the Internet.
- Bastion hosts are built so that every network service possible is disabled on them: the only thing the server does is allow for specified Internet access. So, for example, there should be no user accounts on a bastion server, so that no one can log into it and take control of it and then gain access to the intranet. Even the Network File System (NFS), which allows a system to access files across a network on a remote system, should be disabled, so that intruders can't gain access to the bastion server and then get at files on the intranet. The safest way to use bastion hosts is to put them on their own subnet as part of an intranet firewall. By putting them on their own network, if they are broken into, no other intranet resources are compromised.
- Bastion servers log all activity so that intranet administrators can tell if the intranet has been attacked. They often keep two copies of system logs for security reasons: In case one log is destroyed or tampered with, the other log is always available as a backup. One way to keep a secure copy of the log is to connect the bastion server via a serial port to a dedicated computer, whose only purpose is to keep track of the secure backup log.
- Automated monitors are even more sophisticated programs than auditing software. Automated monitors regularly check the bastion server's system logs, and send an alarm if they find a suspicious pattern. For example, an alarm might be sent if someone attempted more than three unsuccessful logins.
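The two list items above (the duplicate log kept on a separate machine, and the monitor that alarms after more than three failed logins) can both be demonstrated with a few lines of code. This is an added example and not part of the original text: it runs over constructed sample lines in the shape of OpenSSH "Failed password" syslog entries with ISO timestamps (the sample is made up), raises one alert per source address once a fourth failure lands inside a ten-minute sliding window, and separately compares the on-host log with the backup copy to find the first line where they diverge. The window length and the log format are assumptions for the example.

```python
"""Watch a bastion's auth log for repeated login failures; cross-check the backup copy."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from itertools import zip_longest

# Constructed sample in the shape of OpenSSH syslog lines (ISO timestamps).
# Not captured from a real host; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-03-03T10:15:02 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-03T10:15:09 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2024-03-03T10:15:15 bastion sshd[4023]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-03-03T10:15:21 bastion sshd[4025]: Failed password for root from 203.0.113.5 port 51244 ssh2
2024-03-03T10:16:40 bastion sshd[4030]: Failed password for ops from 198.51.100.9 port 40010 ssh2
2024-03-03T10:17:03 bastion sshd[4031]: Accepted publickey for ops from 198.51.100.9 port 40012 ssh2
2024-03-03T11:40:00 bastion sshd[4100]: Failed password for root from 198.51.100.9 port 40100 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def failed_login_alerts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (source, timestamp, count) once a source exceeds `threshold` failures
    within a sliding `window`. Successful logins and other lines are ignored."""
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        match = FAILED_LOGIN.match(line)
        if not match:
            continue
        ts = datetime.fromisoformat(match["ts"])
        history = recent[match["src"]]
        history.append(ts)
        while history and ts - history[0] > window:   # forget failures outside the window
            history.popleft()
        if len(history) > threshold:
            alerts.append((match["src"], match["ts"], len(history)))
            history.clear()   # one alert per burst; counting restarts afterwards
    return alerts


def first_divergence(primary_log, backup_log):
    """Index of the first line where the on-host log and the off-host copy differ,
    or None if they are identical. A missing or altered line on the host shows up here."""
    pairs = zip_longest(primary_log.splitlines(), backup_log.splitlines())
    for index, (host_line, backup_line) in enumerate(pairs):
        if host_line != backup_line:
            return index
    return None


if __name__ == "__main__":
    for src, when, count in failed_login_alerts(SAMPLE_AUTH_LOG):
        print(f"ALERT {when}: {count} failed logins from {src}")
```

The 203.0.113.5 source trips the alarm at its fourth failure; 198.51.100.9 has two failures more than an hour apart and stays below the threshold. If an intruder deleted the fourth failure line from the host's own log, `failed_login_alerts` on that file would report nothing, but `first_divergence` against the serial-connected copy would point at the removed line, which is why the text insists on the second copy.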
- There can be more than one bastion host in a firewall. Each bastion host can handle one or more Internet services for the intranet. Sometimes, a bastion host can be used as a victim machine. This is a server that is stripped bare of almost all services except one specific Internet service. Victim machines can be used to provide Internet services that are hard to handle using proxying or a filtering router, or whose security concerns are not yet known. The services are put on the victim machine instead of a bastion host with other services. That way, if the server is broken into, other bastion hosts won't be affected.
- Placing a filtering router between the bastion host and the intranet provides additional security. The filtering router checks all packets between the Internet and the intranet, dropping unauthorized traffic.
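The perimeter-network paragraph earlier and the filtering-router item just above describe the same control: a router between the bastion's private subnet and the intranet that forwards only authorized requests. The following is an added example, not code from the original text, modelling that router's decision as a first-match rule list with a default drop. The addressing (a 192.0.2.0/24 perimeter holding the bastion at 192.0.2.10, a 10.0.0.0/8 intranet with a web and a mail server) and the two interface names are assumptions made for the example. Only the bastion may open connections inward, and only to the two services it relays; replies flow back only to the bastion; and a packet whose source address does not belong on the interface it arrived on is dropped before any rule is consulted.

```python
"""Model of the filtering router between the perimeter subnet and the intranet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addressing for the example (documentation ranges, not a real deployment).
PERIMETER = ipaddress.ip_network("192.0.2.0/24")   # private subnet holding the bastion
INTRANET = ipaddress.ip_network("10.0.0.0/8")      # protected internal network
BASTION = ipaddress.ip_address("192.0.2.10")
WEB_SERVER = ipaddress.ip_address("10.1.2.3")      # intranet servers the bastion relays to
MAIL_SERVER = ipaddress.ip_address("10.1.2.4")


def single_host(ip):
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Packet:
    in_iface: str   # router interface it arrived on: "perimeter" or "inside"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    in_iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int] = None   # None matches any port
    sport: Optional[int] = None


RULES = [
    # Inbound: only the bastion, only to the two services it proxies.
    Rule("allow", "perimeter", single_host(BASTION), single_host(WEB_SERVER), "tcp", dport=80),
    Rule("allow", "perimeter", single_host(BASTION), single_host(MAIL_SERVER), "tcp", dport=25),
    # Replies from those services back to the bastion (stateless, matched on source port).
    Rule("allow", "inside", single_host(WEB_SERVER), single_host(BASTION), "tcp", sport=80),
    Rule("allow", "inside", single_host(MAIL_SERVER), single_host(BASTION), "tcp", sport=25),
    # Anything not listed falls through to the default drop in decide().
]

# Which source networks are legitimate on each interface (anti-spoofing check).
EXPECTED_SOURCE_NET = {"perimeter": PERIMETER, "inside": INTRANET}


def source_belongs_to_interface(pkt):
    net = EXPECTED_SOURCE_NET.get(pkt.in_iface)
    return net is not None and ipaddress.ip_address(pkt.src) in net


def rule_matches(rule, pkt):
    return (
        rule.in_iface == pkt.in_iface
        and rule.proto == pkt.proto
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.sport is None or rule.sport == pkt.sport)
    )


def decide(pkt, rules=RULES):
    """First matching rule wins; no match means drop."""
    if not source_belongs_to_interface(pkt):
        return "drop (source address does not belong on this interface)"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop (no rule permits it)"


if __name__ == "__main__":
    samples = [
        Packet("perimeter", "192.0.2.10", "10.1.2.3", "tcp", 40000, 80),    # bastion -> web
        Packet("perimeter", "192.0.2.10", "10.1.2.3", "tcp", 40000, 22),    # bastion -> ssh
        Packet("perimeter", "198.51.100.7", "10.1.2.3", "tcp", 40000, 80),  # outside address
        Packet("inside", "10.1.2.3", "198.51.100.7", "tcp", 80, 40000),     # intranet -> Internet
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} on {p.in_iface}: {decide(p)}")
```

Two properties worth noticing: a compromised bastion can still reach only ports 80 and 25 on two named hosts, so the blast radius matches what the text promises for a perimeter network; and an intranet host cannot talk to the Internet directly, which is what forces internal users through the bastion's proxy. A real router would also track connection state rather than trusting source ports, which this stateless model does not attempt.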
- When a bastion server receives a request for a service, such as sending a Web page or delivering e-mail, the server doesn't handle the request itself. Instead, it sends the request along to the appropriate intranet server. The intranet server handles the request, and then sends the information back to the bastion server. The bastion server now sends the requested information to the requester on the Internet.
- Some bastion servers include auditing programs, which actively check to see whether an attack has been launched against them. There are a variety of ways to do auditing. One way to audit is to use a checksum program, which checks to see whether any software on the bastion server has been changed by an unauthorized person. A checksum program calculates a number based on the size of an executable program on the server. It then regularly calculates the checksum to see if it has changed. If it has changed, someone has altered the software, which could signal an attack.
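The checksum auditing described in the item above (and in the earlier paragraph on auditing software) works like this in practice. The following is an added example, not code from the original text: it records a baseline of size and SHA-256 digest for a set of executables, then re-checks them and reports files that are modified or missing. It hashes file contents rather than relying on size alone, because an attacker who patches a binary in place leaves its size unchanged; the report separately flags such same-size modifications to show what a size-only check would miss. The `demo()` function constructs two throwaway files standing in for executables, tampers with them, and returns the report; the file names and contents are made up for the example. In a real deployment the baseline file belongs on a separate machine, for the same reason the text gives for the backup log.

```python
"""Integrity baseline for a bastion's executables, verified with SHA-256."""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record size and content hash for each file (store the result off-host)."""
    return {path: {"size": os.path.getsize(path), "sha256": file_digest(path)} for path in paths}


def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def verify(baseline):
    """Compare current files against the baseline.
    'size_unchanged' lists modified files whose size still matches, i.e. changes a
    size-only checksum would not notice."""
    report = {"modified": [], "missing": [], "size_unchanged": []}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        if file_digest(path) != recorded["sha256"]:
            report["modified"].append(path)
            if os.path.getsize(path) == recorded["size"]:
                report["size_unchanged"].append(path)
    return report


def demo():
    """Build a baseline over two constructed stand-in binaries, tamper, and re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        proxy = os.path.join(workdir, "httpd-proxy")   # hypothetical file names
        sshd = os.path.join(workdir, "sshd")
        with open(proxy, "wb") as fh:
            fh.write(b"\x7fELF-constructed-proxy-binary")   # constructed, not a real ELF
        with open(sshd, "wb") as fh:
            fh.write(b"\x7fELF-constructed-sshd-binary")
        baseline_file = os.path.join(workdir, "baseline.json")
        save_baseline(build_baseline([proxy, sshd]), baseline_file)

        # Simulated tampering: overwrite one byte in place (size unchanged) and remove a file.
        with open(proxy, "r+b") as fh:
            fh.seek(4)
            fh.write(b"X")
        os.remove(sshd)

        report = verify(load_baseline(baseline_file))
        # Report base names so the result does not depend on the temporary directory.
        return {key: [os.path.basename(p) for p in paths] for key, paths in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `httpd-proxy` as modified with its size unchanged and `sshd` as missing. The same `build_baseline`/`verify` pair works unchanged on a real list of paths such as the binaries under the bastion's system directories; the baseline must be taken from a known-good state, since a checksum over an already-compromised binary would only confirm that the compromise persists.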