Abstract

This paper presents a checklist for converting a default Windows NT installation to a bastion host. This document makes little or no attempt to explain or discuss the features it implements. Therefore I suggest that you read all the Knowledge Base articles in Appendix A and the referenced documents in Appendix C. If there is something you don’t understand after having read these articles, DO NOT CONTINUE. Read them again or look for additional assistance.

What is a Bastion Host?

A bastion host is a computer system that is exposed to attack, and may be a critical component in a network security system. Special attention must be paid to these highly fortified hosts, both during initial construction and ongoing operation. Bastion hosts can include:

· Firewall gateways
· Web servers
· FTP servers
· Name servers (DNS)
· Mail hubs
· Victim hosts (sacrificial lambs)

The American Heritage Dictionary defines a bastion as:

1. A projecting part of a rampart or other fortification.
2. A well-fortified position or area.
3. Something regarded as a defensive stronghold.

Marcus Ranum is generally credited with applying the term bastion to hosts that are exposed to attack, and its common use in the firewall community. In [1] he says:

    Bastions are the highly fortified parts of a medieval castle; points that overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.

Bastion hosts are not general purpose computing resources. They differ in both their purpose and their specific configuration. A victim host may permit network logins so users can run untrusted services, while a firewall gateway may only permit logins at the system console. The process of configuring or constructing a bastion host is often referred to as hardening.

The effectiveness of a specific bastion host configuration can usually be judged by answering the following questions:

· How does the bastion host protect itself from attack?
· How does the bastion host protect the network behind it from attack?

Extreme caution should be exercised when installing new software on bastion hosts. Very few software products have been designed and tested to run on these exposed systems. See [2] for a thorough treatment of bastion hosts.

Install NT

Start with a clean system. The machine should not be attached to a public network while doing the installation/configuration. If you have to have a network connection, make sure it’s an isolated trusted network segment. Do not have any other operating systems installed on your bastion host.

Install Windows NT 4.00 US-ENGLISH. Use only NTFS. If installing NT Server, make it a "stand-alone" member server. This server will not be able to participate in a domain environment. Do not install IIS 2.0. If you want to run IIS, install it from the NT option pack. As for network protocols and services, install only TCP/IP and do not install additional network services.