Packet restriction or packet filtering routers

overall network security policies put in place by the network administrator or security coordinator. A peek into the operation of a packet filter shows us that the router never even looks at any of the packet's payload, but only at the TCP/IP header information, to make its screening decisions. Thus, as shown in Figure 2-2, if a router were asked to allow all traffic from network 1.34.21.0/24, it would check all packets for a matching source address and pass them across. Should a packet be received from another network, the filter would disallow the transit, and the packet would be thrown away. So, in essence, this is how the entire operation of this firewall affords security to the site.

Figure 2-2. A packet filtration router filter

Packet filtering can take on two basic forms. First is an open network with selective filtering of unwanted traffic. For each type of network attack, an appropriate filter must be put in place on the router. Second is the closed network with selective filtering of desired traffic. Although affording greater security, even for those attacks that haven't been thought of yet, the drawback for the network administrator is having to update the firewall as new computers or services are added or changed.

As you can guess, a packet filter suffers from several inadequacies. First off, there's no way to do user authentication; either a peer pair is allowed, or it's not. For example, either machine 1.34.21.44 can pass mail traffic (ports 25 and 110) to our mail server on our large network (2.48.29.4), or it can't. There's no provision for who is trying to send the mail. Shouldn't it be possible for Bob, one of our employees who is visiting the ZZZ Cyber Coffee Shop (the owners of network 1.34.21.44), to be able to check his email and have a coffee?

Further, be glad for performance reasons that the router doesn't actually open all the packets it gets. Routers these days are asked to perform miracles, especially with the race for more and more bandwidth. The router's job is to decide where to send the traffic, not really to catch and throw away packets that are security risks. What we're suggesting, of course, is that there will be a marked change in what gateway networks will look like in the future. We believe that there will be a decoupling of routing equipment and packet filtration (or even security equipment, for that matter) in the very near term. Actually, this may already be the case. New products are already coming out that support dynamic authentication through a packet filtering router directly to the user level, even across an encrypted link.

A last impediment is that frequent changes to the network may require wholesale reconfiguration of the gateway router and the packet filtration firewall that lives on it. This can be time-consuming and disaster-prone if either an uncaught mistake leaves most of the network wide open, or a subtle change leaves the router crippled and unable to perform its first duty as a network traffic director.

2.1.2.2 Bastion host

A bastion host (or screening host, as it is sometimes called) uses both a packet filtering mechanism provided by the router plus a secured host. A secured host is one that has had its operating system and major services combed over by a security expert. The primary security is provided by a packet filtering router, and the secured host is used to stage information flow in either direction. The bastion host is a security-checked machine that is connected to the Internet with the same method as other machines. The gateway allows traffic to pass to it in a less restricted fashion. Bastion hosts are typically used in combination with filtering routers because simple packet filtration systems can't filter on the protocol or the application layer. See Figure 2-3 for a sample configuration.

Figure 2-3. A bastion host firewall

A bastion host is much easier to configure than a distributed server and tons easier to maintain, because the bulk of the traffic is being sent to one system. Since the bastion host is situated on the internal wire, it needs no special exemptions from other locally connected equipment. The site's security policy will dictate what needs to be configured on the packet filtering router, which will be as restrictive as necessary. It's not uncommon at all for an administrator to use a combination of strategies, employing both the packet filtering router and a bastion host.

One of the great things about the configuration of a bastion host for security measures is that configuration of the packet filter becomes a generic "deny everything" statement, preceded by some very specific "allow" statements that pertain only to the bastion host. For large and quickly changing networks, you can see that this reduces the load on the security personnel. Adding new machines or having users install poorly secured equipment does not affect the firewall or the protection afforded by the bastion host.

Of course, having a centralized point of control does have its disadvantages. For one, a large, busy network would need several machines acting as bastion hosts, making the administration of them more time-consuming, or, even better, a perimeter network of bastion hosts might be required (see the next section). Each machine needs its own section in the packet filtration firewall, piling on complexity, and with each machine comes the headache of having to test and double test it for purity. Along with the need for multiple hosts to prevent network congestion, the centralization of information at the bastion will tend to draw attack attention there, making it ever more important to secure and monitor it around the clock. It should go
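The following Python is an added illustration, not code from the book, of the two packet-filter forms described in the packet filtering section (open network with selective deny, closed network with selective allow) and of the bastion host rule layout above, where the filter collapses to a generic deny preceded by a few allows that name only the bastion. It uses only the standard `ipaddress` module. The book's addresses (1.34.21.0/24, 1.34.21.44, 2.48.29.4 and ports 25 and 110) are kept; the bastion address 2.48.29.10, the internal host 2.48.29.77, the outside hosts 5.6.7.8 and 9.9.9.9, and the sample payloads are constructed for the example. Note that the filter never reads the payload, which is exactly why it cannot tell Bob's mail session apart from anyone else's coming from the same coffee-shop address.

```python
"""Toy stateless packet filter (added illustration, not the book's code).

Decisions come from header fields only: source, destination, protocol and
destination port.  The payload is carried in the Packet but never consulted.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    payload: bytes = b""  # present, but a packet filter never reads it


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None          # None matches any protocol
    dports: Optional[frozenset] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src
                and pkt.dst in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dports is None or pkt.dport in self.dports))


def rule(action, src, dst, proto=None, dports=None) -> Rule:
    """Build a Rule from CIDR strings; a bare address becomes a /32."""
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, frozenset(dports) if dports else None)


def packet(src, dst, proto, dport, payload=b"") -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  proto, dport, payload)


def filter_packet(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


# Form 1: open network, selective filtering of unwanted traffic.  Everything
# passes unless a rule was written for it, so each attack needs its own deny.
OPEN_POLICY = [
    rule("deny", "0.0.0.0/0", "2.48.29.0/24", "tcp", [23]),  # e.g. refuse telnet
]
OPEN_DEFAULT = "allow"

# Form 2: closed network, selective filtering of desired traffic.  Only the
# coffee-shop network may reach the mail server (2.48.29.4) on ports 25 and 110.
CLOSED_POLICY = [
    rule("allow", "1.34.21.0/24", "2.48.29.4", "tcp", [25, 110]),
]
CLOSED_DEFAULT = "deny"

# Bastion host layout: a generic "deny everything" preceded by a few very
# specific allows that pertain only to the bastion.  2.48.29.10 is a
# constructed bastion address, not one given in the book.
BASTION = "2.48.29.10"
BASTION_POLICY = [
    rule("allow", "0.0.0.0/0", BASTION, "tcp", [25, 80]),  # services hosted on the bastion
    rule("allow", BASTION, "0.0.0.0/0"),                   # the bastion may talk out
    rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                # everything else
]
BASTION_DEFAULT = "deny"


def main() -> None:
    # Constructed sample packets; the payloads differ, the verdicts do not.
    bob = packet("1.34.21.44", "2.48.29.4", "tcp", 25, b"MAIL FROM:<bob@example.test>")
    other = packet("1.34.21.44", "2.48.29.4", "tcp", 25, b"MAIL FROM:<someone-else>")
    print("closed policy, Bob:     ", filter_packet(CLOSED_POLICY, bob, CLOSED_DEFAULT))
    print("closed policy, other:   ", filter_packet(CLOSED_POLICY, other, CLOSED_DEFAULT))
    # A machine added behind the bastion needs no filter change: it stays unreachable.
    new_box = packet("5.6.7.8", "2.48.29.77", "tcp", 80)
    print("bastion policy, new box:", filter_packet(BASTION_POLICY, new_box, BASTION_DEFAULT))
    inbound = packet("5.6.7.8", BASTION, "tcp", 80)
    print("bastion policy, bastion:", filter_packet(BASTION_POLICY, inbound, BASTION_DEFAULT))


if __name__ == "__main__":
    main()
```

Running it shows the two limitations the text raises: under the closed policy Bob's session and a stranger's session from 1.34.21.44 get the same "allow", because the decision is keyed on the peer pair and not the user; and under the bastion layout a newly added internal host is denied from outside without anyone touching the rule set, which is the maintenance win the bastion section describes.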