I'm considering a new network layout for our web facing infrastructure and I'm interested in your thoughts of whether or not to use a bastion host. Is it necessary with today's technology? Right now we have the following configuration:
Internet ---> Firewall ---> Cisco ASA ---> Firewall ---> Web Site (Linux based with SSL).
Would a bastion host just complicate the configuration or would it really provide us something that we don't have already?
Thanks!
The triple firewall/IPS layer doesn't make too much sense to me, unless the various devices have disjoint sets of functionality. If there's no opportunity for code or malicious activty "between" two of the devices, and they really are just plugged in back-to-back, it seems like a giant waste of money.
A more traditional architecture would be something like:
Internet->Firewall/IDS->Web server tier->App server Tier->(optional firewall/IPS)->database
That optional firewall between the app server tier and database isn't really that useful, but is required by PCI and potentially other regulations. Simple access controls or a software firewall on the database server makes more sense to me for most environments rather than a dedicated separate firewall.
A more complicated, but potentially useful setup would be to use a web/proxy "bastion host" tier:
Internet->Firewall/IDS->web/proxy server->Firewall/IDS->application servers->(optional firewall/IPS)->database.
In my opinion, the above setup only makes sense if the firewall/IDS between your bastion host is able to do more than simple stateful packet filtering. If the IDS functionality inside that Firewall/IDS can look inside HTTP packets and only allow a set of defined behaviors between the web/proxy tier and the application server tier, then it might be worthwhile.
Note that any of the firewall/IDS tiers can be be implemented as software firewall running on the destination host. This simplifies networking greatly and scales better than hardware security solutions. You do give up the centralized "choke point" for monitoring all traffic, but that is often a requirement to scale up. I doubt Facebook or Google passes all their traffic through any firewall tier - the security functionality simply has to be distributed at that scale.
In medium/larger networks it's pretty common to see a perimeter network where the servers have been hardened (the new term for bastion host). In smaller networks it's not very common anymore (if it ever was). The idea of assigning a single task to a server and hardening it against everything else is regaining popularity in medium sized networks, as virtualization allows you to easily setup specialized VMs.
I find these setups to be the most common:
Small Networks:
Internet ---> Firewall/Router ---> Internal Network (Servers & Clients included)
Medium Networks
Internet ---> Perimeter Firewall ---> Perimeter Network (Internet accessible servers) ---> Internal Firewall ---> Internal Network (Server & Clients included)
High Security Networks:
Internet ---> Perimeter Firewall(s) ---> Perimeter Network (Internet accessible servers)
Perimeter Network ---> Server Firewall ---> Server Network
Perimeter Network ---> Client Firewall ---> Client Network
Of course every network is a little different here and there; but those are the themes I see most commonly. Firewalls typical incorporate IDS/IDP along with typical filtering and such.
I think the function of bastion hosts are kinda diluted on the firewalls today. If something in your network is 'withstanding constant attack', it's probably the firewall on the internet front.
Also, I agree with Chris S views of how to organize security in different sized networks.
And if you are going to have 3 firewalls it is better to use different vendors because if you use the same firewall and someone exploits a vulnerability on the mentioned hardware/fw system, you lose all your firewalls.
I haven't seen bastion hosts in common usage in several years. I haven't kept up on all the reasoning, but you'd be in good company if you decided not to do it. However, the reasons people don't do it anymore could simply be economic and not anything at all to do with real or perceived security...
