Professional Documents
Culture Documents
14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 81
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 82
audit information is maintained by each proxy by logging all A successful exploitation of the fault is also likely to result in
traffic, each connection, and the duration of each connection. an unauthorized entry into the inside network, since it is only
It is an essential tool for identifying and terminating intruder the functionality of the proxy that offers any defense.
attacks. Consistency, completeness, and compactness need to be
considered while designing the rules of the Firewall [7].
As each proxy module is a tiny software package which is
specifically designed for the security of network, it is easier to Section 2 describes different standard Bastion host
check for security flaws. Each proxy is independent of other configurations. Section 3 discusses some common variations,
proxies on the bastion host. Any proxy module can be easily and their benefits and drawbacks. In Section 4 Bastion host
uninstalled without affecting the other proxy modules in case generic architecture is given. Bastion host hardening
of any problem, or if a future vulnerability is discovered. procedure is discussed in Section 5 with conclusions in
Similarly a new proxy service can be easily installed on the Section 6.
bastion host.
A proxy do not access disk except to read its initial 2. BASTION HOST FIREWALL CONFIGURATIONS
configuration file. By making the portions of the file system
containing executable code as read only, makes difficult for an There are two types of screened host-one is single homed
intruder to install Trojan horse sniffers or other dangerous files bastion host and the other one is dual homed bastion host. In
on the bastion host. Each proxy runs as a non privileged user case of single homed bastion host the firewall system consists
in a private and secured directory on the bastion host. Bastion of a packet filtering router and a bastion host. A bastion host is
hosts only permit logins at the system console and does not basically a single computer with high security configuration,
permit network logins. which has the following characteristics:
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 83
router. In this case, even if, the router got compromised, the router processes each data packet. Since a router cannot check
internal network will remain unaffected since it is in the packet in the application layer, this type of firewall cannot
separate network zone. defend attacks that use application layers vulnerabilities.
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 84
Multiple bastion hosts might be used to keep the data sets of example: suppose there is only a dial-up SLIP or PPP
services from interfering with each other. Security is another connection to the Internet. In this case, something like the
factor for this separation in addition to the performance. For Morning Star PPP package can be run on the bastion host, and
example, it might be decided to provide one HTTP server for allowed to act as both bastion host and exterior router. It is
use by a particular group of customers over the Internet and equivalent to have the three-machine configurations bastion
another for use by all others. By providing two servers, host, interior router and exterior router.
different data can be offered to customers with possibly better
performance, by a powerful machine or a machine with less Using a dual-homed host to route traffic won't give the
load. performance or the flexibility of a dedicated router. Depending
on the operating system and software that is being used, there
HTTP server and anonymous FTP server can be run on may or may not be the ability to do packet filtering. Many
separate machines, to eliminate the possibility that one server interface software packages like Morning Star PPP package
could be used to compromise the other. have quite good packet filtering capabilities. However, the
exterior routers doesn't have to do much packet filtering, using
3.2 Merging the Interior Router and the Exterior an interface package with average packet filtering capabilities
Router is not a big problem.
The interior and exterior routers can be merged into a single Merging the bastion host with the exterior router as shown in
router, provided there is a router sufficiently capable and Figure 3.3 does not cause significant new vulnerabilities
flexible. In general, a router that allows specifying both unlike the merging of internal and external routers. In this
inbound and outbound filters on each interface is needed. architecture, the bastion host is more exposed to the Internet,
protected only by its own filtering capabilities and thus extra
care is needed to protect it.
If the interior and exterior routers are merged, as shown in
Figure 3.2 , still a perimeter net (on one interface of the router)
and a connection to internal net (on another interface of the
router)might be there. Some traffic handled by proxies flow
between internal net and perimeter net, some traffic flow
between perimeter net and internet and the traffic that is
permitted by the packet filtering rules set for the router flow
directly between internal net and internet.
Figure 3.2: Architecture using a merged interior and Unlike merging the bastion host and the exterior router, it's not
exterior router a good idea to merge the bastion host and the interior router,
as shown in Figure 3.4. Doing so compromises the overall
security. The bastion host and the exterior router perform
distinct protective tasks but the interior router functions in part
This architecture, like the screened host architecture, makes sas a backup to the two of them. If the bastion host and the
the site vulnerable to the compromise of a single router. In interior router are merged, then the firewall configuration is
general, routers are easier to protect than hosts, but they are changed in a fundamental way. With a separate bastion host
not impenetrable. and interior router, screened subnet firewall architecture is
available. The perimeter net for the bastion host doesn't carry
3.3 Merging the Bastion Host and the Exterior Router any internal traffic. Even if the bastion host is successfully
penetrated the traffic is protected from snooping. To get the
There might be cases in which a single dual-homed machine is internal network and internal traffic, the attacker must
used as both bastion host and exterior router. Here's an penetrate the interior router. With a merged bastion host and
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 85
interior router, screened host firewall architecture is present If there exists any performance problems one may be
and hence if the bastion host is penetrated, there is no way of motivated to look at multiple interior routers, then it’s difficult
security between the bastion host and the internal network. to justify the separate perimeter networks and exterior routers.
In the following cases the interior router is the performance
bottleneck. One is, a lot of traffic going to the perimeter net
that is not then going to the external network. Another is
exterior gateway is much faster than the interior gateway. In
the first case, because of misconfiguration the perimeter net
may take the occasional traffic (that is not significant)that
is’nt destined for the external world in some configurations
for example, DNS queries about external hosts when the
information is cached. In the other case ,instead of adding a
second one upgrading the interior router should be considered
seriously to match the exterior router. Figure 3.5 shows the
basic architecture using multiple interior routers.
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 86
Figure 3.6: Multiple internal networks (separate Another one is having a connection to the Internet and
interfaces in a single router) additional other connections to other sites. In such cases, there
might be one exterior router with multiple exterior network
interfaces. It doesn’t pose a significant security problem by
attaching multiple exterior routers which go to the same
external network (e.g., two different Internet providers).
Though they may have different filter sets, yet that's not
critical in exterior routers. Though there is an increased risk of
compromise, yet such a compromise of an exterior router is
not threatening.
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 87
may present multiple possible points of compromise. Those message passes from the LEFT system to the RIGHT system
routers must be watched very carefully to keep them enforce is shown in the fig 4.1. The top most proxy in the LEFT
appropriate security policies; if they both connect to the section handles the initial connection request.This proxy is
Internet, they need to enforce the same policy. unprivileged and is constrained by the CMW access controls
to write data only into the queue directory shown.
3.8 Usage of Dual-Homed Hosts and Screened
Subnets A trusted (i.e. security critical and evaluated), privileged
process, marked as T in the figure, moves the contents of the
queue across the CMW labelling boundary into the upper left
Significant increase in security can be obtained by combining queue in the CENTRE section of the CMW[2].Within the
a dual-homed host architecture with a screened subnet CENTRE section of the CMW, an audit process operates. This
architecture. To construct this, the perimeter network has to be process, which must be evaluated to assure that it correctly
split and dual-homed host is to be inserted. The routers
records the necessary accounting information regardless of
provide protection from forgery, and protect from failures
any input it receives (i.e. it is not possible to overrun the
where as the dual-homed host begins to route the traffic. The
process). The audit process makes a copy of the message, and
dual-homed host provides finer controls on the connections
moves the message to the upper right queue in the CENTRE
than packet filtering. This is a belt-and-suspenders firewall,
providing excellent multilayered protection, although it
requires careful configuration on the dual-homed host to 5. BASTION HOST HARDENING
ensure taking full advantage of the possibilities.
Hardening is the process of configuring a machine to be
especially secure and resistant to attack .
4. BASTION HOST GENERIC ARCHITECTURE
The basic hardening process is as follows:
Fig 4.1 The internal Architecture of Bastion host Caution should be taken to ensure that the machine is not
accessible from the Internet until the last step. If the intended
The Compartmented Mode Workstation (CMW) in Figure is site isn't yet connected to the Internet, turning on the Internet
divided into three sections LEFT,CENTRE and RIGHT. connection can be avoided until the bastion host is fully
Processes serving the LEFT half of the CMW are labelled configured. If a firewall is to be added to a site that's already
with a Sensitivity Label (SL) including a category of LEFT, connected to the Internet, the bastion host need to be
where as processes serving the RIGHT half of the CMW are configured as a standalone machine, unconnected to the
labelled with an SL including a category of RIGHT. network.
The CMW is a dual-ported machine and it is configured so
that all data coming from the LEFT system is labelled with an If the bastion host is vulnerable to the Internet while it is being
SL including the category LEFT and all data coming from the built, it may become an attack mechanism instead of a defense
RIGHT system is labelled with an SL including the category mechanism. An intruder who gets in before the baseline audit
RIGHT. The networking of the CMW must be evaluated for is run, will be difficult to detect and will be well positioned to
the sake of assurance, so that confidence can be placed in the read all the traffic to and from the Internet. Cases have been
data arriving at the network interfaces being labelled reported where machines have been broken into within
correctly. minutes of first being connected to the Internet; while rare, it
can happen.
It is to be noted that the protocols used between the connected
systems and the CMW bastion host is unlabelled Internet Copious notes need to be taken on every stage of building the
Protocol (IP) and not Trusted Systems Information exchange system. Assume that sometime in the future, a compromise
(TSIX).LEFT, RIGHT and CENTRE are arbitrarily chosen may cause the machine to burst into flames and be destroyed.
disjoint categories and are not related in any way to labels In order to rebuild the system, all the steps that were taken
that may exist in either end system. The advantage of the previously need to be followed.As all of the software that was
disjoint SLs is that unprivileged processes (i.e. the proxies) in used is required, it is to be ensured to securely store all the
one section of the CMW cannot read, move or write data to things needed to do the installation, including:
the other half. the operation of the bastion host and how a
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016
Vol. 14 ICETCSE 2016 Special Issue International Journal of Computer Science and Information Security (IJCSIS)
ISSN 1947-5500 [https://sites.google.com/site/ijcsis/] 88
Due to the level of required access with the outside [5] Lodin, S., and Schuba, C.,Firewalls Fend Off Invasions
world, bastion hosts are particularly vulnerable to from the Net. IEEE Spectrum, February 1998
attack. To make the bastion host hardened, the
following precautions need to be followed. [6] Oppliger, R., Internet Security: Firewalls and Beyond
Communications of the ACM, May 1997.
Disable or remove any unnecessary services or
daemons on the host. Disable or remove any [7] Mohammed G.Gouda;Alex X.Liu.,Structured firewall
unnecessary user accounts. Disable or remove any design ,Computer Networks: The International Journal of
unnecessary network protocols. Use encryption and Computer and Telecommunications Networking archive
multi-factor authentication for logging into the Volume 51 Issue 4, March, 2007 pp.1106-1120
server. Configure logging and check the logs for any
possible attacks. Run an intrusion detection system
on the host. Patching the operating system with the
latest security updates. Lock down user accounts as
much as possible, especially root or administrator
accounts. Close all ports that are not needed or not
used.
References
[ 11 Chapman, D. Brentand Elizabeth D. Zwicky., Building
Internet Firewalls, Sebastopol CA OReilly & Associates 2000
Proceedings of 3rd International Conference on Emerging Technologies in Computer Science & Engineering (ICETCSE 2016)
V. R. Siddhartha Engineering College, Vijayawada, India, October 17-18, 2016