
Section 8

A bastion host is a machine on the network that is deliberately exposed to the public Internet. It sits between the internal and the external network and keeps the two at arm's length: it is the first system an outsider (or an insider coming in from outside) reaches when trying to get into the network, and it acts as the gateway between the internal and the external network.

The existence of a bastion host is normally public knowledge, because it is directly exposed to the Internet. Its purpose is to raise the security level of the network: an attacker has to get through the bastion host before reaching the internal network. For that reason the network administrators responsible for security must concentrate on the firewall and policy configuration of this host, since it is the machine that will absorb the attacks aimed at the network.

When choosing a machine to serve as the bastion host, the considerations are reliability, supportability and configurability. For this bastion host we will use UNIX as the operating system, since UNIX has the largest and widest range of tools for building a bastion host.

When it comes to hardware, a bastion host does not need to be a powerful machine; it only needs to be as powerful as its job requires. In this case the bastion host will run a proxy, so it may need more capacity to handle the proxying for a large number of users. The argument for not over-specifying it is that a modest machine is a less attractive target: everything on it, including an attack in progress, runs more slowly. This has to be balanced against the load the proxy actually carries, since the proxy still has to keep up with its users.

A caching proxy consumes a lot of disk space, so the machine has to be equipped with a large amount of free disk space to hold the cache and the proxy logs. Some suggestions for the disk layout of the machine:

1. Space suitable for backing up the machine itself
2. A CD-ROM drive for installing the operating system
3. A spare slot for installing another disk for maintenance purposes
These are the steps in building a bastion host.

1. Secure the machine
Install a clean operating system, apply all available fixes for known bugs in the system, and safeguard the system logs so that an intruder cannot erase the record of an attack.
2. Disable non-required services
All services that the bastion host does not need to provide are disabled, so that they cannot be attacked.
3. Install the services you want to provide
Some services are not provided by the operating system's native platform. In this case the proxy service has to be installed separately.
4. Reconfigure the machine
Reconfigure the machine from a configuration suitable for development into its final, running state.
5. Run a security audit
The reason for doing this is to ensure that no misconfigurations have been made and to establish a baseline for future audits.
6. Connect the machine
After all the steps above are finished, it is time to connect the machine to the network.
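
As an added example (not code from the original report), the following script performs the kind of check that steps 2 and 5 above call for: it compares the TCP ports the host is listening on with an allowlist of the services the bastion host is meant to provide, and reports everything else. The allowlist (SSH and the Squid port 3128), the `ss -H -tlnp` output format and the sample listener table are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original report): audit the listening TCP
# sockets of a bastion host against an allowlist of intended services.
# The allowlist and the sample table below are assumptions for illustration.

# Ports the bastion host is supposed to expose: SSH for administration and
# the Squid proxy on 3128 (assumed for this example).
ALLOWED_PORTS="22 3128"

# Constructed sample in the format of `ss -H -tlnp` (Linux). On a real host,
# replace this with the live output of:  ss -H -tlnp
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 128 0.0.0.0:3128 0.0.0.0:* users:(("squid",pid=901,fd=14))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=733,fd=13))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=540,fd=8))'

# audit_listeners <allowed-ports> reads an `ss -H -tlnp` style table on stdin
# and prints one line "port process" for every listener that is not on the
# allowlist. Loopback-only listeners are reported too, because step 2 says to
# disable everything the host does not need. Exit status is 0 when the host
# is clean and 1 otherwise, so the function can gate the "connect" step.
audit_listeners() {
    allowed="$1"
    status=0
    while read -r state recvq sendq local peer proc; do
        [ -z "$local" ] && continue
        port="${local##*:}"                 # strip the address, keep the port
        name=$(printf '%s\n' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        hit=0
        for a in $allowed; do
            [ "$a" = "$port" ] && hit=1 && break
        done
        if [ "$hit" -eq 0 ]; then
            printf '%s %s\n' "$port" "${name:-unknown}"
            status=1
        fi
    done
    return "$status"
}

# Audit the constructed sample with the assumed allowlist.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners "$ALLOWED_PORTS"
}

audit_sample || echo "Unexpected listeners found; disable them before connecting the host."
```

On the sample above the audit reports the mail daemon on port 25 and rpcbind on port 111, both of which have no business on a proxy-only bastion host. Run the live version after step 4 and keep its output as the baseline that step 5 asks for.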

The bastion host in this context is required to run proxy software. Because the native UNIX platform does not include proxy software, a program called Squid has to be installed. Squid is proxy software for Unix-like operating systems; it is popular open source software that provides high performance proxy caching.
A proxy is a way to reach the Internet safely, because the client never connects to the destination directly. Below is an explanation of how a proxy works.

1. The client establishes a connection to the proxy server.
2. The client sends the proxy server a request for content held on a particular destination server.
3. The proxy server, acting as the client, establishes a connection to the destination server.
4. The proxy server requests the content the client asked for, without revealing the client's real address.
5. The proxy server receives the reply.
6. The proxy server passes the reply back to the client.
Below are the steps for installing Squid on a UNIX operating system.

(Vivek Gite, 2007)


Squid Basic Configuration

1. Open the Squid configuration file, /etc/squid/squid.conf, in a text editor.

2. For Squid to work there must be at least one ACL definition, together with an http_access rule that decides which clients may use the proxy.

3. Save and close the file and start the Squid proxy server.

4. Verify that port 3128 is open.

(Vivek Gite, 2007)
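
The following is an added example, not code from the original report or from the cited article: it writes out the ACL definitions that step 2 refers to as a minimal squid.conf that only lets the internal network use the proxy, places the open-proxy variant seen in many quick-start guides beside it, and checks a file for that weak setting. The internal network 192.168.10.0/24, the temporary file paths and the Debian/Red Hat service names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original report): a minimal restrictive
# squid.conf, the open-proxy version of it, and a check that tells them apart.
# The internal network 192.168.10.0/24 is an assumption.

# write_squid_conf <path> writes a configuration that allows only the
# internal network to use the proxy on port 3128 and denies everyone else.
write_squid_conf() {
    cat > "$1" <<'EOF'
# Assumed internal network behind the bastion host
acl localnet src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Order matters: the first matching http_access line wins
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

http_port 3128
cache_dir ufs /var/spool/squid 1000 16 256
access_log /var/log/squid/access.log squid
EOF
}

# write_open_conf <path> writes the weak version: a single "allow all" that
# turns an Internet-facing bastion host into an open relay for anyone.
write_open_conf() {
    printf 'http_port 3128\nhttp_access allow all\n' > "$1"
}

# check_open_proxy <path> returns 1 (and prints a warning) if the file
# contains an "http_access allow all" line, 0 otherwise.
check_open_proxy() {
    if grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$1"; then
        echo "open proxy: $1 allows all clients"
        return 1
    fi
    return 0
}

# Usage on a real host (needs root; paths and service name are the usual
# Debian/Red Hat defaults, assumed here):
#   write_squid_conf /etc/squid/squid.conf
#   squid -k parse                              # let Squid validate the file
#   check_open_proxy /etc/squid/squid.conf && systemctl restart squid
#   ss -tlnp | grep ':3128'                     # step 4: verify the port is open

tmp=$(mktemp)
write_squid_conf "$tmp"
check_open_proxy "$tmp" && echo "$tmp: proxy restricted to localnet"
rm -f "$tmp"
```

The check is deliberately crude: it only looks for the literal "allow all". A proper review also reads the http_access lines top to bottom, because Squid stops at the first match, so an "allow" placed above "deny all" that matches too broad an ACL has the same effect.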


Section 9

There are many types of connection that can be used to link Company A, located in Kuala Lumpur, with Company B, located in Singapore. In choosing a connection, several things must be considered: price, security, maintenance, configuration, speed and more. To choose the type of connection, this part compares two of the best options on the market, a leased line and a VPN. The table below compares the leased line and the VPN.

Component | Leased Line | VPN (Virtual Private Network)

Price | Very expensive to implement, because a dedicated line has to be installed from the branch to the central office. | Very low cost by comparison: it runs over the Internet connections the companies already have and only needs to be configured by the network admin on a router (or firewall) that supports it.

Configuration | All configuration of the network is done by the Internet Service Provider. | All configuration of the network or VPN is done by the network admin.

Security | Secure because it is a dedicated circuit, so no other customer shares the path. The data on the line is not encrypted, however, so it is only as trustworthy as the carrier. | Secure because all data exchanged inside the VPN is encrypted and encapsulated, so an attacker on the Internet cannot read or alter it. This holds only as long as the cipher suite, the key management and the configuration are sound.

Maintenance | Very hard and very expensive to maintain when some part of the line is broken. | Easier than a leased line to maintain; the cost of maintaining the equipment is lower.

Speed | Very fast, because it is a dedicated line between the two companies with guaranteed bandwidth. | Depends on the Internet line used at each site.
From the comparison above, it would be better to use a VPN to connect the two companies. The VPN is better because it is much cheaper than a leased line, more flexible to configure because the internal network admin controls it, comparable to a leased line in security (provided it is configured with strong encryption and authentication), and easier and cheaper to maintain. The VPN has one disadvantage compared to the leased line, which is speed: its throughput depends on the Internet connection each company has subscribed to, whereas the leased line provides dedicated bandwidth. So when it comes to speed, the VPN loses to the leased line.

A VPN - Virtual Private Network - is one solution to establishing long-distance and/or secured
network connections.

(Bradley Mitchell, 2012)

These are the basic steps for configuring the VPN (a site-to-site IPsec VPN):

1. Set up the ISAKMP policy between Company A and Company B (IKE phase 1): the encryption and hash algorithms, authentication method, Diffie-Hellman group and lifetime used to protect the negotiation itself.
2. Configure the IPsec policy (IKE phase 2): the transform set that protects the actual data.
3. Define the interesting traffic, that is, the access list (ACL) that selects which traffic goes through the tunnel.
4. Build the tunnel, which includes the crypto map that ties the peer, the IPsec policy and the ACL together and applies them to the outside interface.
5. Termination of the tunnel: the security associations are deleted when their lifetime expires or when the tunnel is deliberately cleared, and are renegotiated when new interesting traffic appears.
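
As an added example (not from the original report), the script below prints the five steps above as a Cisco IOS style site-to-site IPsec configuration for both ends of the link. It is generated from a single function so that the crypto ACL on each side is the mirror image of the other, which is the most common thing to get wrong by hand. The public and private addresses, the interface name, the IOS command syntax used and the pre-shared key placeholder are assumptions; generate the real key with `openssl rand -base64 32` and never leave it in a script.

```shell
#!/bin/sh
# Added example (not from the original report): generate mirrored Cisco IOS
# style IPsec site-to-site configurations for Company A and Company B.
# Addresses, interface name and the key placeholder are assumptions.

# gen_site_config <local-wan-ip> <peer-wan-ip> <local-lan> <local-wildcard>
#                 <peer-lan> <peer-wildcard> <pre-shared-key>
# prints the configuration for one side of the tunnel.
gen_site_config() {
    lwan=$1 pwan=$2 llan=$3 lwild=$4 plan=$5 pwild=$6 psk=$7
    cat <<EOF
! Step 1: IKE phase 1 (ISAKMP policy). AES-256, SHA-256 and DH group 14
! replace the DES, MD5 and group 1 defaults still found in older guides.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key $psk address $pwan
! Step 2: IKE phase 2 (IPsec policy): how the tunnelled data is protected.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 3: interesting traffic. Only LAN-to-LAN traffic enters the tunnel;
! the peer's ACL must be the mirror image of this one.
ip access-list extended VPN-TRAFFIC
 permit ip $llan $lwild $plan $pwild
! Step 4: build the tunnel. The crypto map ties peer, transform set and ACL
! together and is applied to the outside interface.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer $pwan
 set transform-set VPN-TS
 set pfs group14
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 crypto map VPN-MAP
! Step 5: termination. The SAs are deleted when the lifetime expires or on
! "clear crypto sa", and are rebuilt by the next interesting packet.
EOF
}

# Constructed addresses for the two sites (assumptions, documentation ranges).
A_WAN=203.0.113.2   A_LAN=10.1.0.0   A_WILD=0.0.255.255
B_WAN=198.51.100.2  B_LAN=10.2.0.0   B_WILD=0.0.255.255
PSK='REPLACE-WITH-GENERATED-KEY'

# Same function, arguments swapped: each side names the other as its peer.
company_a_config() { gen_site_config "$A_WAN" "$B_WAN" "$A_LAN" "$A_WILD" "$B_LAN" "$B_WILD" "$PSK"; }
company_b_config() { gen_site_config "$B_WAN" "$A_WAN" "$B_LAN" "$B_WILD" "$A_LAN" "$A_WILD" "$PSK"; }

company_a_config
```

Both sides must agree on every phase 1 and phase 2 parameter, so the script keeps them in one place; the only things that differ between the two outputs are the peer address and the direction of the ACL.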
Section 10

To analyse the types of protocol and packets exchanged inside a network, the Wireshark software is needed. Below is an example of what Wireshark looks like.

In the Wireshark screenshot there are 5 different protocols used by the captured packets: TCP, SSL, ARP, DHCP and NBNS. Below is an explanation of each of these protocols.

Transmission Control Protocol (TCP)

TCP is a set of rules, or protocol, used to send data between computers over the Internet in the form of messages. To do that, TCP works together with IP (the Internet Protocol), and each has its own job. IP's job is to handle the delivery of the individual packets, while TCP's job is to keep track of the message, which is split into a number of packets for more efficient routing through the network. Because the message has been split into several packets, TCP has another job: to reassemble all the packets into the message again, in the right order, when they reach the destination, and to retransmit any packet that is lost along the way.

Secure Socket Layer (SSL)

As explained on the IBM website, this protocol was originally developed by Netscape for web browsers. SSL is a set of rules that governs authentication and encrypted communication between a client and a server. It is normally used to exchange confidential data over the network, such as credit card numbers and bank account details. The benefit of this protocol is that it provides privacy, integrity and authentication when exchanging data. It provides privacy because every message is encrypted, so a man in the middle who intercepts the traffic sees only ciphertext instead of the real message. It provides integrity through a keyed message digest (a message authentication code) that is checked when the data arrives at its destination, so tampering in transit is detected. It provides authentication through digital certificates, which let the client verify that it is talking to the genuine server. SSL has since been superseded by its successor TLS, and the SSL versions themselves are now considered insecure; Wireshark's SSL label covers TLS traffic as well.

Address Resolution Protocol (ARP)

ARP is the protocol used to map IP network addresses to physical hardware addresses, normally called MAC addresses. ARP works together with IP, specifically IPv4. It is used whenever a host needs to send a packet to an IP address on its own network segment, including the gateway that is the entry point to the rest of the network. ARP keeps a table called the ARP cache to look up the correct MAC address; if the address is found there, the packet is sent straight to the correct machine.

If the address is not found in the ARP cache, ARP broadcasts a request to all machines on the network asking which of them owns that IP address. The machine that owns it replies with its MAC address and the ARP cache is updated. Note that the reply is not authenticated: the cache simply records whatever answer arrives.
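
Because the cache accepts any reply, a useful check on a capture like the one above is whether the same IP address is ever announced by two different MAC addresses. The following is an added example, not from the original report: it reads "IP MAC" pairs extracted from ARP frames and reports every conflict. The sample pairs are constructed for the example, and the tshark command in the comment is the assumed way to produce them from a real capture.

```shell
#!/bin/sh
# Added example (not from the original report): flag IP addresses that are
# claimed by more than one MAC address in the ARP traffic of a capture.
# Sample data is constructed. On a real capture, produce the pairs with:
#   tshark -r capture.pcap -Y arp -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac

# Constructed sample: the gateway 192.168.1.1 is first announced by one MAC
# and later by the MAC that already belongs to 192.168.1.20.
SAMPLE_ARP='192.168.1.1 00:11:22:33:44:55
192.168.1.20 aa:bb:cc:dd:ee:01
192.168.1.30 aa:bb:cc:dd:ee:02
192.168.1.1 00:11:22:33:44:55
192.168.1.1 aa:bb:cc:dd:ee:01
192.168.1.1 aa:bb:cc:dd:ee:01'

# check_arp_consistency reads "IP MAC" pairs on stdin (tab or space separated).
# It remembers the first MAC seen for each IP and prints one line for every
# different MAC that later claims the same IP, each conflict reported once.
# Exit status: 0 when every IP maps to a single MAC, 1 otherwise.
check_arp_consistency() {
    awk '
        NF >= 2 {
            ip = $1; mac = tolower($2)
            if (!(ip in first)) { first[ip] = mac; next }
            if (mac != first[ip] && !reported[ip, mac]++) {
                printf "%s claimed by %s, first seen with %s\n", ip, mac, first[ip]
                conflicts++
            }
        }
        END { exit conflicts ? 1 : 0 }'
}

# Run the check over the constructed sample.
check_sample_arp() {
    printf '%s\n' "$SAMPLE_ARP" | check_arp_consistency
}

check_sample_arp || echo "Conflicting ARP mappings found; compare with the switch MAC table before trusting the gateway."
```

A single conflict can also be a legitimate event, for example a replaced router or a failover between two gateways, so the report is a prompt to verify against the switch's own MAC table rather than proof of an attack.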
Dynamic Host Configuration Protocol (DHCP)

DHCP is a communication protocol that lets network administrators do their job more effectively and efficiently. It allows centralised management and automated assignment of IP addresses. The advantage of implementing DHCP is that there is no need to configure the IP address of each computer manually whenever a computer is newly installed on the network or moved to another location, because DHCP lets the network administrator manage the IP addresses from a central server and automatically configures a new IP address whenever a computer is moved or newly installed on the network.

NetBIOS Name Service (NBNS)

NBNS (the NetBIOS Name Service) maintains a central register of the NetBIOS names on a network, which allows fast name lookup whenever a name is requested; on Windows networks this role is filled by a WINS server, and without one the names are resolved by broadcast. When a new node joins the network, NBNS's job is to simplify and speed up that registration. It collects information about NetBIOS names, compiles it, and saves it in a database that workstations can cross-reference.
Reference

John Kristoff (2000), The Transmission Control Protocol [Online], Available from http://condor.depaul.edu/jkristof/technotes/tcp.html, [Accessed on 20th April 2012]

IBM (2012), Introduction to SSL [Online], Available from http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtps5%2Fs5why.html, [Accessed on 20th April 2012]

Gorry Fairhurst (2005), Address Resolution Protocol (ARP) [Online], Available from http://www.erg.abdn.ac.uk/~gorry/eg3561/inet-pages/arp.html, [Accessed on 23rd April 2012]

Dean Wilson (2006), An Introduction to DHCP | Linux Journal [Online], Available from http://www.linuxjournal.com/article/8820, [Accessed on 20th April 2012]

Stephen Byron Cooper (2012), Definition of NBNS Protocol [Online], Available from http://www.ehow.com/facts_7285843_definition-_nbns-protocol_.html, [Accessed on 20th April 2012]

SearchNetworking (1999), What is TCP (Transmission Control Protocol) [Online], Available from http://searchnetworking.techtarget.com/definition/TCP, [Accessed on 20th April 2012]

Tech Terms (2008), ARP (Address Resolution Protocol) Definition [Online], Available from http://www.techterms.com/definition/arp, [Accessed on 20th April 2012]

Laura Biasci and S. Wayne Carrel (2000), What is DHCP (Dynamic Host Configuration Protocol) [Online], Available from http://searchunifiedcommunications.techtarget.com/definition/DHCP, [Accessed on 20th April 2012]

James Woudon (2012), NBNS Protocol [Online], Available from http://www.ehow.com/list_7655707_nbns-protocols.html, [Accessed on 20th April 2012]

Bradley Mitchell (2012), VPN Benefits - Advantages of Virtual Private Network [Online], Available from http://compnetworking.about.com/od/vpn/f/vpn_benefits.htm, [Accessed on 20th April 2012]

UC Davis (2007), Bastion Host Security Service [Online], Available from http://security.ucdavis.edu/bastion.cfm, [Accessed on 25th April 2012]

Jaec (2009), Application Proxy Gateways [Online], Available from http://www.jaec.info/Automation-Computer-Security/computer-gadgets/computer-security/firewalls-vpn/firewalls-proxy-gateways/, [Accessed on 25th April 2012]

Diablotin (2012), Bastion Host [Online], Available from http://www.diablotin.com/librairie/networking/firewall/ch05_01.htm, [Accessed on 25th April 2012]

Diablotin (2012), Proxy System [Online], Available from http://www.diablotin.com/librairie/networking/firewall/ch07_01.htm, [Accessed on 26th April 2012]

Vivek Gite (2007), Install Squid Proxy Server on CentOS / Redhat enterprise Linux 5 [Online], Available from http://www.cyberciti.biz/tips/howto-rhel-centos-fedora-squid-installation-configuration.html, [Accessed on 2nd May 2012]
