Once you put the bastion host into production, your job has only just begun. You'll need to keep a close watch on the operations of the bastion host. Chapter 26 provides more information on how to do this; this section discusses specific concerns for bastion hosts.
If you're going to monitor the bastion host, looking for abnormalities that might indicate break-ins or other types of system compromise, you will need to first develop an understanding of what the "normal" usage profile of the bastion host is. Ask these questions and others like them:
How many jobs tend to be running at any one time?
How much CPU time do these jobs consume relative to each other?
What is the typical load at different times throughout the day?
Your goal is to develop an almost intuitive grasp of what your system normally runs like, so you'll be able to recognize — and investigate — anomalous activity very quickly.
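The baseline just described, as an added example that is not part of the book: it records the per-hour "normal" number of running jobs and load average, then scores a new observation against that profile so that an odd-hours burst of activity stands out. The sample collection method (a cron job reading `ps` and `uptime`), the hypothetical sample data and the three-sigma threshold are all assumptions made for the example.

```python
"""Build a per-hour 'normal' profile of a bastion host and score new samples.

Added example, not from the book.  It assumes a cron job periodically
records (hour of day, number of running jobs, 1-minute load average),
e.g. from `ps` and `uptime`; the samples below are constructed.
"""
import statistics
from collections import defaultdict

# Constructed baseline: (hour_of_day, running_jobs, load_1min).
# A real profile would hold weeks of samples taken every few minutes.
BASELINE_SAMPLES = [
    (2, 18, 0.10), (2, 17, 0.08), (2, 19, 0.12), (2, 18, 0.09),
    (9, 31, 0.55), (9, 33, 0.62), (9, 30, 0.50), (9, 32, 0.58),
    (14, 35, 0.70), (14, 36, 0.75), (14, 34, 0.66), (14, 37, 0.80),
]

# Smallest standard deviation we will divide by: a quiet host has almost no
# variance at night, and without a floor every tiny change would alert.
MIN_STDEV = {"jobs": 1.0, "load": 0.05}


def build_profile(samples):
    """Return {hour: {"jobs": (mean, stdev), "load": (mean, stdev)}}."""
    by_hour = defaultdict(list)
    for hour, jobs, load in samples:
        by_hour[hour].append((jobs, load))
    profile = {}
    for hour, rows in by_hour.items():
        jobs = [r[0] for r in rows]
        loads = [r[1] for r in rows]
        profile[hour] = {
            "jobs": (statistics.mean(jobs), statistics.pstdev(jobs)),
            "load": (statistics.mean(loads), statistics.pstdev(loads)),
        }
    return profile


def check_sample(profile, hour, jobs, load, sigmas=3.0):
    """Compare one observation against the profile for its hour.

    Returns a list of (metric, observed, z_score) for metrics that deviate
    by more than `sigmas` standard deviations; an empty list means 'normal'.
    An hour with no baseline is itself reported, since you cannot judge it.
    """
    if hour not in profile:
        return [("no-baseline", hour, None)]
    anomalies = []
    for metric, observed in (("jobs", jobs), ("load", load)):
        mean, stdev = profile[hour][metric]
        z = (observed - mean) / max(stdev, MIN_STDEV[metric])
        if abs(z) > sigmas:
            anomalies.append((metric, observed, round(z, 1)))
    return anomalies


if __name__ == "__main__":
    prof = build_profile(BASELINE_SAMPLES)
    # 45 jobs and a load of 2.3 at 02:00 is far outside the night-time norm.
    print(check_sample(prof, 2, 45, 2.3))
    # 19 jobs and a load of 0.11 at 02:00 is ordinary.
    print(check_sample(prof, 2, 19, 0.11))
```

The per-hour split matters: a load that is ordinary at 14:00 is suspicious at 02:00, and a single all-day average would hide exactly the off-hours activity you want to notice. The stdev floor keeps a very quiet host from paging you over a one-process difference.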
Doing a thorough job of system monitoring is tough. Although the logs produced by your system provide lots of useful information, it's easy to get overwhelmed by the sheer volume of logging data. The important information may often be buried. Too often, the logs end up being used only after a break-in, when, in fact, they could be used to detect — and thus perhaps stop — a break-in while it is occurring.
Because each operating system and site is different, each bastion host is configured differently, and each site has different ideas about how a monitoring system should respond. For example, some want electronic mail; some want the output fed to an existing SNMP-based management system; some want the system to trip the system administrators' pagers; and so on. Monitoring tends to be very site- and host-specific in the details.
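An added example, not from the book, of using logs while a break-in is in progress rather than afterwards, with the site-specific response kept separate from the detection: it watches sshd log lines for repeated failed logins from one source inside a short window and hands each alert to a pluggable sink, which a site could point at mail, an SNMP trap sender or a pager. The log lines are constructed in the classic syslog/OpenSSH format; the threshold, window and alert-sink interface are assumptions made for the example.

```python
"""Watch sshd log lines for login-guessing as the lines arrive.

Added example, not from the book.  The log lines are constructed; the
alert sink is a hypothetical callable so that each site can plug in mail,
an SNMP trap, a pager, or whatever it prefers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst of guesses from 10.9.8.7, one legitimate
# login, two widely spaced failures from 192.0.2.55, and an unrelated line.
SAMPLE_LOG = """\
Mar  3 02:14:07 bastion sshd[2312]: Failed password for root from 10.9.8.7 port 41522 ssh2
Mar  3 02:14:09 bastion sshd[2315]: Failed password for invalid user oracle from 10.9.8.7 port 41523 ssh2
Mar  3 02:14:12 bastion sshd[2318]: Failed password for root from 10.9.8.7 port 41524 ssh2
Mar  3 02:14:15 bastion sshd[2321]: Failed password for admin from 10.9.8.7 port 41525 ssh2
Mar  3 02:14:18 bastion sshd[2324]: Failed password for root from 10.9.8.7 port 41526 ssh2
Mar  3 02:20:01 bastion sshd[2340]: Accepted publickey for admin from 192.0.2.10 port 5012 ssh2
Mar  3 02:31:40 bastion sshd[2401]: Failed password for admin from 192.0.2.55 port 6100 ssh2
Mar  3 02:45:02 bastion sshd[2455]: Failed password for admin from 192.0.2.55 port 6101 ssh2
Mar  3 02:45:30 bastion cron[2460]: (root) CMD (run-parts /etc/cron.hourly)
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2000):
    """Return a dict for an sshd login line, or None for anything else.

    syslog timestamps carry no year, so the caller supplies one (assumed).
    """
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse the day-of-month padding
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {
        "when": when,
        "host": m.group("host"),
        "failed": m.group("result") == "Failed",
        "user": m.group("user"),
        "src": m.group("src"),
    }


class FailedLoginWatcher:
    """Sliding-window counter of failed logins per source address."""

    def __init__(self, threshold=4, window_seconds=60, alert=None):
        self.threshold = threshold
        self.window = window_seconds
        self.alert = alert or (lambda message: None)  # site-specific sink
        self.recent = defaultdict(deque)  # src -> timestamps of failures
        self.alerts = []

    def feed(self, line):
        ev = parse_line(line)
        if ev is None or not ev["failed"]:
            return None
        q = self.recent[ev["src"]]
        q.append(ev["when"])
        while q and (ev["when"] - q[0]).total_seconds() > self.window:
            q.popleft()  # forget failures older than the window
        if len(q) < self.threshold:
            return None
        alert = {"host": ev["host"], "source": ev["src"],
                 "count": len(q), "at": ev["when"]}
        self.alerts.append(alert)
        self.alert(f"{alert['host']}: {alert['count']} failed logins from "
                   f"{alert['source']} within {self.window}s at {alert['at']}")
        q.clear()  # re-arm, so one burst is reported once, not on every line
        return alert


def watch(log_text, **options):
    """Feed every line of log_text through a watcher; return its alerts."""
    watcher = FailedLoginWatcher(**options)
    for line in log_text.splitlines():
        watcher.feed(line)
    return watcher.alerts


if __name__ == "__main__":
    watch(SAMPLE_LOG, alert=print)
```

In production the lines would come from `tail -f` on the log or from the syslog daemon directly, and `alert` would be whatever the site wants (a function that runs sendmail, sends an SNMP trap, or calls the pager gateway). Keeping detection and notification apart is what lets the same watcher serve sites with different response policies.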
A large and growing number of monitoring packages is available for Unix, including both freely available and commercial options. Among the freely available options, NOCOL and NetSaint are both popular, extensible systems that can watch logs, test that machines are still running and providing services, and alert people when things go wrong (see Appendix B for information about how to get them).
MRTG is a special sort of monitoring package, which provides graphing services but not alerting services. It is extremely useful for watching trends. Furthermore, MRTG makes very impressive web pages with very little effort, so you not only find out what's going on, you also get an important public relations tool for convincing people that you know what's going on. Information about MRTG is also available in Appendix B.
Normally, monitoring of Windows NT systems is done with the Performance Monitor. Unfortunately, Performance Monitor is yet another tool whose remote operation is based on SMB transactions, so it cannot be used from another host without enabling all of SMB on the bastion host. Furthermore, Performance Monitor is fairly limited as a monitoring solution for critical systems; it doesn't provide all of the alarm and process-monitoring features you may want.
You will probably want to use an SNMP-based monitoring tool. Windows NT provides an SNMP agent (the SNMP service), so all you need to add is the monitoring tool. Some public domain monitoring tools are now available for Windows NT, although fewer than for Unix, and some tools that were originally available only under Unix have since been ported (MRTG, for instance). Unix-based SNMP monitoring tools will monitor Windows NT systems without problems, provided the NT SNMP service is configured to use a non-default community name and to accept requests only from your monitoring hosts. In addition, a large number of commercial SNMP-based tools are available.