Bastion hosts
Bastion Hosts - PowerPoint PPT Presentation
Presentation Transcript

What is it?

  • A host on the network, located in the DMZ. The name comes from medieval times, where a bastion was a fort or castle that could not be penetrated.

  • It can be any network device that hosts a web service and typically provides only one service.

  • Specially hardened.


Requirements

  • RAM - just enough to provide the services the bastion host is offering.

  • Hard Disk Space - multi-gigabyte for the log files. In addition, should include a program to rotate and clear outdated logs.

  • Processor Speed – Web servers require a fast processor. But some security administrators believe a slower machine is better, since it leaves fewer services available to intruders.


Choosing the right OS

  • The most important consideration is your familiarity with the system

  • UNIX/Linux – contains an extensive set of tools for development and auditing

  • Windows – If the only function is to provide bastion host services:

    • disable NetBIOS, the Server service and the Workstation service.

    • Set up logging for account logon and logoff, object access, policy changes, privilege use and system events (restart and shutdown)

  • Check www.sans.org/top20.htm for most critical internet security vulnerabilities.
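The Windows settings listed above, applied with PowerShell as an added example that is not part of the slides. It assumes a standalone (non-domain-joined) host, since disabling the Workstation service breaks domain authentication, and a Windows version that provides the CIM cmdlets.

```powershell
# Added example (not from the slides): apply the bastion-host settings the slide lists.
# Run in an elevated PowerShell on the bastion host itself.
# Assumption: the host is standalone; on a domain member, stopping the Workstation
# service (LanmanWorkstation) breaks domain logons.

# 1. Stop and disable the Server (SMB server) and Workstation (SMB client) services.
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = decided by DHCP, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $r.ReturnValue   # 0 = success
    }

# 3. Enable auditing (success and failure) for the categories the slide names:
#    account logon and logoff, object access, policy change, privilege use, system events.
$categories = 'Account Logon', 'Logon/Logoff', 'Object Access',
              'Policy Change', 'Privilege Use', 'System'
foreach ($cat in $categories) {
    auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
}

# 4. Print the resulting state so the change can be verified (and recorded as a baseline).
Get-Service LanmanServer, LanmanWorkstation | Select-Object Name, Status, StartType
auditpol.exe /get /category:"Account Logon","Logon/Logoff","Object Access","Policy Change","Privilege Use","System"
```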


Positioning

  • Secure locations with electrical backup systems.

  • Hosting services are available

    • do research

    • Get an SLA

    • Do a risk-benefit analysis

    • Shop around

    • Startup fees

    • Get bios of senior staff for expertise and experience


Positioning

  • DMZ is the logical location

  • Anywhere in the network that is considered vulnerable or where an extra level of security is needed

  • Bastion is part of DiD (defense in depth)


Configuring

  • Look to security policy to see what resources need to be protected.

  • Consider a “deny-all” strategy.

  • Configure a honey pot bastion – it is configured the same as a normal host, but it requires users to log on.

  • Install IDS to notify of possible intrusion attempts


Windows Services

  • After installation, run Microsoft Baseline Security Analyzer

  • Run IIS Lockdown Tool which will turn off the Windows 2000 or XP built-in Web server and any service that depends on it

  • Disable unnecessary services in %SystemRoot%\system32


Windows Unnecessary Services

  • Guest access account

  • All accounts except Administrator

  • IIS, or if the bastion host is a web server, delete the sample scripts in the iissamples folder

  • %SystemRoot%\system32\os2 folder

  • Routing services to hosts on the internal network

  • In the system32 folder:

    • ntvdm.exe

    • krnl386.exe

    • psxdll.dll

    • psxss.exe

    • posix.exe

    • os2.exe

  • Any network services except those you will be running on the bastion host

  • Close all ports except what is necessary
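A read-only audit of the host against the list above, added here as an example that is not from the slides. The HTTPS-only allow-list in `$AllowedPorts` and the `C:\inetpub\iissamples` path are assumptions for the sake of the example.

```powershell
# Added example (not from the slides): report what on this host still violates the
# "unnecessary services" list. Nothing is changed; each finding is printed for review.
# Assumption: the only service this bastion offers is HTTPS, so 443 is the sole allowed port.
$AllowedPorts = @(443)

# 1. Listening TCP ports outside the allow-list, with the owning process name.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -notin $AllowedPorts } |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize

# 2. Enabled local accounts other than the built-in Administrator (its RID is always 500).
#    Guest shows up here if it has not been disabled.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.SID.Value -notlike '*-500' } |
    Select-Object Name, LastLogon

# 3. Leftover subsystem binaries and the os2 folder the slide says to remove.
$sys32 = Join-Path $env:SystemRoot 'system32'
foreach ($item in 'ntvdm.exe', 'krnl386.exe', 'psxdll.dll', 'psxss.exe', 'posix.exe', 'os2.exe', 'os2') {
    $p = Join-Path $sys32 $item
    if (Test-Path $p) { "present: $p" }
}

# 4. IIS sample scripts (path is an assumption; adjust to the IIS install location).
if (Test-Path 'C:\inetpub\iissamples') { 'present: C:\inetpub\iissamples' }
```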


Auditing

  • Test it with hacker tools (port scanners)

  • Establish a baseline for system performance (benchmarking). Check system logs, event logs, and performance information and record the results daily or weekly. Analyze the results after a couple of months.


NetBIOS

  • NetBIOS (Network Basic Input/Output System) is a program that allows applications to communicate within a local area network (LAN).

  • It was created by IBM for its early PC Network, was adopted by Microsoft, and has since become a de facto industry standard.

  • NetBIOS is used in Ethernet and Token Ring networks and is included as part of the NetBIOS Extended User Interface (NetBEUI).

  • It does not in itself support a routing mechanism, so applications that must reach other networks use it over TCP/IP.


NetBIOS

  • NetBIOS is a real security risk if and only if all of the following conditions exist:

    • File and Printer Sharing for Microsoft Networks is installed as a network component

    • File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet.

    • Options for files and printers are checked (enabled) under File and Print Sharing.

    • "Share(s)" have actually been configured for file(s) and printer(s).

    • Strong passwords have not been used on file and printer "share(s)."
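The condition list above, checked on the local host with PowerShell as an added example that is not part of the slides. The last condition (weak share passwords) cannot be read from configuration, so it is reported as unknown; the NetAdapter and SmbShare modules are assumed to be available.

```powershell
# Added example (not from the slides): evaluate the slide's NetBIOS risk conditions on
# this host. The slide says ALL of them must hold for NetBIOS to be a real risk, so a
# single "False" below already breaks the chain.
$report = [ordered]@{}

# Conditions 1-2: "File and Printer Sharing for Microsoft Networks" (component ms_server)
# installed, and bound (Enabled) on at least one adapter. Which adapter faces the Internet
# cannot be inferred here, so the bound adapter names are listed for the reviewer.
$bindings = Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue
$bound    = $bindings | Where-Object Enabled
$report['Sharing component installed'] = [bool]$bindings
$report['Sharing bound on adapters']   = ($bound.Name -join ', ')

# Is NetBIOS over TCP/IP still on? TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled.
$nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.TcpipNetbiosOptions -ne 2 }
$report['NetBIOS over TCP/IP enabled'] = [bool]$nbt

# Conditions 3-4: shares actually configured, ignoring the special administrative
# shares (C$, ADMIN$, IPC$ ...) that Windows creates on its own.
$shares = Get-SmbShare | Where-Object { -not $_.Special }
$report['User shares configured'] = [bool]$shares

# Condition 5 cannot be judged from configuration alone.
$report['Strong share passwords'] = 'unknown - review manually'

# Supporting evidence: is anything listening on the NetBIOS session / SMB ports?
$listen = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 }
$report['Listening on 139/445'] = (($listen.LocalPort | Sort-Object -Unique) -join ', ')

[pscustomobject]$report | Format-List
if ($shares) { $shares | Select-Object Name, Path, Description | Format-Table -AutoSize }
```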


secedit command line tool

  • Automatically create and apply templates and analyze system security

  • Allows admin to:

    • analyze system security,

    • configure system security,

    • refresh security settings,

    • export security settings and

    • validate the syntax of a security template

  • Use to create bastion security settings (bastion.inf)
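A secedit workflow that produces and applies the bastion.inf template the slide mentions, added here as an example and not taken from the slides. The three [System Access] values it tightens are illustrative, not a complete baseline, and the C:\bastion working folder is an assumption.

```powershell
# Added example (not from the slides): create, validate, analyze and apply a bastion
# security template with secedit. Run from an elevated prompt on the bastion host.
# Assumption: C:\bastion is a scratch folder; bastion.inf / bastion.sdb follow the slide.
$work = 'C:\bastion'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Export the host's current settings so the template starts complete and valid.
secedit /export /cfg "$work\bastion.inf" /log "$work\export.log"

# 2. Tighten a few [System Access] values in the exported template. Illustrative only:
#    the real bastion baseline comes from the security policy (see "Configuring").
$ini = Get-Content "$work\bastion.inf" -Raw      # exported templates are UTF-16 (Unicode)
$ini = $ini -replace '(?m)^MinimumPasswordLength\s*=.*$', 'MinimumPasswordLength = 14'
$ini = $ini -replace '(?m)^LockoutBadCount\s*=.*$',       'LockoutBadCount = 5'
$ini = $ini -replace '(?m)^EnableGuestAccount\s*=.*$',    'EnableGuestAccount = 0'
Set-Content -Path "$work\bastion.inf" -Value $ini -Encoding Unicode

# 3. Validate the template syntax, then analyze drift between the host and the template.
secedit /validate "$work\bastion.inf"
secedit /analyze /db "$work\bastion.sdb" /cfg "$work\bastion.inf" /overwrite `
        /log "$work\analyze.log" /quiet
Get-Content "$work\analyze.log" | Select-String 'Mismatch'   # settings the host fails

# 4. Apply the template. The same command re-run later refreshes the settings.
secedit /configure /db "$work\bastion.sdb" /cfg "$work\bastion.inf" `
        /log "$work\configure.log" /quiet
Get-Content "$work\configure.log" | Select-Object -Last 5
```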


syskey

  • The Security Accounts Management Database (SAM) stores hashed copies of user passwords. This database is encrypted with a locally stored system key. To keep the SAM database secure, Windows requires that the password hashes are encrypted.

  • You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database.

