What is it? • A host exposed to the network and located in the DMZ. The name comes from medieval times, describing a fort or castle that could not be penetrated. • It can be any network device that hosts a web service, and it typically provides only one service. • Specially hardened.
Requirements • RAM - Just enough to provide the services the bastion host is offering. • Hard Disk Space - Multi-gigabyte, for the log files. In addition, include a program to rotate and clear outdated logs. • Processor Speed – Web servers require fast processors, but some security administrators believe a slower machine is better, since it leaves fewer services available to intruders.
Choosing the right OS • The most important consideration is your familiarity with the system. • UNIX/Linux – contains an extensive set of tools for development and auditing. • Windows – If the only function is to provide bastion host services: • disable NetBIOS, the Server service and the Workstation service; • set up logging for account logon and logoff, object access, policy changes, privilege use and system events (restart and shutdown); • check www.sans.org/top20.htm for the most critical Internet security vulnerabilities.
Positioning • Secure locations with electrical backup systems. • Hosting services are available: • do research • get an SLA • do a risk-benefit analysis • shop around • compare startup fees • get biographies of senior staff to judge their expertise and experience
Positioning • The DMZ is the logical location. • Also anywhere in the network that is considered vulnerable or where an extra level of security is needed. • A bastion host is part of DiD (defense in depth).
Configuring • Look to the security policy to see what resources need to be protected. • Consider a “deny-all” strategy. • Consider a honey pot bastion – it is configured the same as a normal host, but it requires users to log on. • Install an IDS to notify you of possible intrusion attempts.
Windows Services • After installation, run the Microsoft Baseline Security Analyzer. • Run the IIS Lockdown Tool, which turns off the Windows 2000 or XP built-in Web server and any service that depends on it. • Disable unnecessary services in %SystemRoot%\system32.
Windows Unnecessary Services • Guest access account • All accounts except Administrator • IIS, or if the bastion host is a web server, delete the sample scripts in the iissamples folder • The %SystemRoot%\system32\os2 folder • Routing services to hosts on the internal network • In the system32 folder: ntvdm.exe, krnl386.exe, psxdll.dll, psxss.exe, posix.exe, os2.exe • Any network services except those you will be running on the bastion host • Close all ports except what is necessary
Auditing • Test it with hacker tools (port scanners). • Establish a baseline for system performance (benchmarking): check system logs, event logs and performance information, record the results daily or weekly, and analyze them after a couple of months.
NetBIOS • NetBIOS (Network Basic Input/Output System) is a program that allows applications to communicate within a local area network (LAN). • It was created by IBM for its early PC Network, was adopted by Microsoft, and has since become a de facto industry standard. • NetBIOS is used in Ethernet and Token Ring networks and is included as part of the NetBIOS Extended User Interface (NetBEUI). • It does not in itself support a routing mechanism, so applications that must cross routers use it over TCP/IP.
NetBIOS • NetBIOS is a real security risk if and only if all of the following conditions exist: • File and Printer Sharing for Microsoft Networks is installed as a network component. • File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet. • Options for files and printers are checked (enabled) under File and Print Sharing. • "Share(s)" have actually been configured for file(s) and printer(s). • Strong passwords have not been used on the file and printer "share(s)."
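A read-only audit of the NetBIOS risk conditions listed above, together with the Server, Workstation and Guest-account items from the Windows services slides, as an added example that is not part of the original deck. It assumes a modern Windows host (Windows 8 / Server 2012 or later, where Get-SmbShare and Get-NetAdapterBinding exist) and that the Internet-facing adapter name is passed in; "Ethernet" is only a placeholder.

```powershell
# Added example (not from the original slides): report, without changing anything,
# the conditions under which this deck says NetBIOS/file sharing is a real risk.
# Assumption: run elevated; $InternetAdapter is the NIC facing the DMZ/Internet.
param([string]$InternetAdapter = "Ethernet")   # placeholder name, adjust per host

$findings = @()

# Condition: File and Printer Sharing (component ms_server) bound on the external adapter
$binding = Get-NetAdapterBinding -Name $InternetAdapter -ComponentID ms_server -ErrorAction SilentlyContinue
if ($binding -and $binding.Enabled) {
    $findings += "File and Printer Sharing is bound on adapter '$InternetAdapter'"
}

# Condition: NetBIOS over TCP/IP still enabled on an IP-enabled adapter
# TcpipNetbiosOptions: 0 = default (via DHCP), 1 = enabled, 2 = disabled
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
    ForEach-Object { $findings += "NetBIOS over TCP/IP not disabled on '$($_.Description)'" }

# Condition: shares actually configured (built-in administrative shares are skipped)
Get-SmbShare | Where-Object { -not $_.Special } |
    ForEach-Object { $findings += "Share '$($_.Name)' exposes path '$($_.Path)'" }

# Services the deck says a bastion host should not run:
# Server (LanmanServer), Workstation (LanmanWorkstation), TCP/IP NetBIOS Helper (lmhosts)
foreach ($svc in "LanmanServer", "LanmanWorkstation", "lmhosts") {
    $state = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($state -and ($state.Status -eq "Running" -or $state.StartType -ne "Disabled")) {
        $findings += "Service '$svc' is $($state.Status), start type $($state.StartType)"
    }
}

# Guest account should be disabled on a bastion host
$guest = Get-LocalUser -Name "Guest" -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings += "Guest account is enabled" }

if ($findings.Count -eq 0) { "No NetBIOS or file-sharing exposure found." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps to one bullet on the slides; a clean bastion host should produce none, and the script can be scheduled as part of the daily or weekly log review the Auditing slide describes.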
secedit command line tool • Automatically creates and applies security templates and analyzes system security. • Allows an admin to: • analyze system security, • configure system security, • refresh security settings, • export security settings, and • validate the syntax of a security template. • Use it to create and apply the bastion host security settings (a template such as bastion.inf).
syskey • The Security Accounts Manager (SAM) database stores hashed copies of user passwords. This database is encrypted with a locally stored system key. To keep the SAM database secure, Windows requires that the password hashes be encrypted. • You can use the SysKey utility to further secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database.