Locating Bastion Hosts on the Network

Bastion hosts should be located on a network that does not carry confidential traffic, preferably a special network of their own.

Most Ethernet and token ring interfaces can operate in "promiscuous mode". In this mode, they are able to capture all packets on the network the interfaces are connected to, rather than just those packets addressed to the particular machine the interface is a part of. Other types of network interfaces, such as FDDI, may not be able to capture all packets, but depending on the network architecture, they can usually capture at least some packets not specifically addressed to them.

This capability has a useful purpose: for network analysis, testing, and debugging, for example, by programs like Network Manager, etherfind, and tcpdump. Unfortunately, it can also be used by an intruder to snoop on all traffic on a network segment. This traffic might include Telnet, FTP, or rlogin sessions (from which logins and passwords can be captured), confidential email, NFS accesses of sensitive files, and so on. You need to assume the worst: bastion hosts can be compromised. If a bastion host is compromised, you don't want it to snoop on this traffic.

One way to approach the problem is to not put bastion hosts on internal networks; instead, put them on a perimeter network. As we've discussed in earlier chapters, a perimeter network is an additional layer of security between your internal network and the Internet. The perimeter network is separated from the internal network by a router or bridge. Internal traffic stays on the internal net and is not visible on the perimeter net. All a bastion host on a perimeter network can see are packets that are either to or from itself, or to or from the Internet. Although this traffic might still be somewhat sensitive, it's likely to be a lot less sensitive than your typical internal network traffic, and there are other places (for instance, your Internet service provider) that can already see much of it.

Using a perimeter net with a packet filtering router between it and the internal network gives you some additional advantages. It further limits your exposure, if a bastion host is compromised, by reducing the number of hosts and services the compromised bastion host can access.

If you can't put bastion hosts on a perimeter network, you might consider putting them on a network that's not susceptible to snooping. For example, you might put them on an intelligent 10-base T hub, an Ethernet switch, or an ATM network. If this is all you do, then you need to take additional care to make sure that nothing trusts those bastion hosts, because no further layer of protection is between it and the internal network. Using such a network technology for your perimeter network is the best of both worlds: bastion hosts are isolated from internal systems (as with a traditional perimeter network) but can't snoop on traffic on the perimeter network.

Be careful about how much trust you place in the ability to prevent hosts from snooping the network. Even with an intelligent or switched hub, broadcast traffic will be visible to all nodes, and this traffic may include data that is useful to an attacker. For instance, networks that use Microsoft directory services will include a lot of useful information about machine and filesystem names and types in broadcast traffic. There may also be information that is sensitive in multicast traffic, which any node can ask to receive. Finally, hubs of this type frequently offer an administrative capability that can control the reception of all traffic. That may be limited to a specific port or available to all ports. You should be sure that this is appropriately secured on any hub that bastion hosts are attached to; otherwise, an attacker may be able to simply ask for all traffic and get it, removing the theoretical advantages of using a hub.

Whatever networking devices you use, you should be careful to protect the networking devices to the same degree that you protect the computers. Many network devices support remote administration, often with a wide variety of interfaces (for instance, a switch may provide a Telnet server, SNMP management, and a web management interface). An intruder who can reconfigure networking devices can certainly keep your network from working and may also be able to compromise other machines. Consider disabling all remote management features (with the possible exception of remote logging of errors) and configuring network devices the old-fashioned way, with a terminal and a serial cable.