Bastion host

What Types of Firewalls Are There?

Figure 2-3. A bastion host firewall

A bastion host is much easier to configure than a distributed server and far easier to maintain, because the bulk of the traffic is being sent to one system. Since the bastion host is situated on the internal wire, it needs no special exemptions from other locally connected equipment. The site's security policy will dictate what needs to be configured on the packet filtering router, which will be as restrictive as necessary. It's not uncommon at all for an administrator to use a combination of strategies, employing both the packet filtering router and a bastion host.

One of the great things about the configuration of a bastion host for security measures is that configuration of the packet filter becomes a generic "deny everything" statement, preceded by some very specific "allow" statements that pertain only to the bastion host. For large and quickly changing networks, you can see that this reduces the load on the security personnel. Adding new machines or having users install poorly secured equipment does not affect the firewall or the protection afforded by the bastion host.

Of course, having a centralized point of control does have its disadvantages. For one, a large, busy network would need several machines acting as bastion hosts, making the administration of them more time-consuming; or, even better, a perimeter network of bastion hosts might be required (see the next section). Each machine needs its own section in the packet filtering firewall, piling on complexity, and with each machine comes the headache of having to test and double-test it for purity. Along with the need for multiple hosts to prevent network congestion, the centralization of information at the bastion will tend to draw attack attention there, making it ever more important to secure and monitor it around the clock. It should go without saying that a major drawback to this type of firewall configuration is that it can lead to a tragic security hazard should an assailant get system operator privileges on the bastion host. Thus, a single point of control equals a single point of failure.
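The screening-router policy described above, a handful of narrow "allow" rules naming only the bastion host followed by a generic "deny everything" rule, modelled as a first-match rule evaluator. This is an added illustration, not code from the book; the addresses, ports and rule layout are constructed assumptions (TEST-NET ranges, a single bastion at 192.0.2.10 on an internal /24), and the last assertion-style check shows that a newly added internal host is covered by the default deny without any change to the ruleset.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addresses for this example (TEST-NET ranges, not from the book).
INTERNAL_NET = ip_network("192.0.2.0/24")   # the internal wire behind the screening router
BASTION = ip_network("192.0.2.10/32")       # the one bastion host on that wire
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (from the Net), "out" (to the Net) or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # destination port, None = any port
    note: str

@dataclass(frozen=True)
class Packet:
    direction: str
    src: IPv4Address
    dst: IPv4Address
    dport: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and pkt.src in rule.src
            and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))

# The screening router's policy: specific allows that name only the bastion
# host, then the generic "deny everything" statement as the catch-all.
POLICY: List[Rule] = [
    Rule("allow", "in",  ANY,     BASTION, 25,   "mail from the Net lands on the bastion"),
    Rule("allow", "in",  ANY,     BASTION, 80,   "public web service on the bastion"),
    Rule("allow", "out", BASTION, ANY,     None, "bastion relays outbound traffic for the site"),
    Rule("deny",  "any", ANY,     ANY,     None, "default: deny everything else"),
]

def decide(policy: List[Rule], pkt: Packet) -> Rule:
    """First-match evaluation: the first matching rule decides the packet.
    The final catch-all guarantees every packet gets a decision."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule
    raise AssertionError("policy has no catch-all rule")

def verdict(direction: str, src: str, dst: str, dport: int) -> str:
    """Convenience wrapper: returns "allow" or "deny" for one packet."""
    return decide(POLICY, Packet(direction, ip_address(src), ip_address(dst), dport)).action
```

Adding a second bastion host would mean adding its own block of allow rules above the catch-all, which is exactly the per-machine complexity the text warns about.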

2.1.2.3 DMZ or perimeter zone network

A popular ploy to separate large corporate internal networks from the hostile environment of the Net is to erect a routing network on which all inbound and outbound traffic must travel. Huge installations normally have such networks already set up so that they can effectively separate the local traffic from the metropolitan traffic from the wide-area or worldwide traffic. As you might have guessed, a routing network consists of only routers, including those both internally and externally connected, and usually goes by the term backbone. A sample configuration is shown in Figure 2-4.

Figure 2-4. A perimeter zone firewall example

You might be wondering why the term DMZ is sometimes used interchangeably for a perimeter zone network. DMZ stands for demilitarized zone and serves the same purpose as