Quick question re: Firewall arch. concepts (Please don't be scared by the title!)

silverh20
Can anyone explain to me briefly why it's a good idea to place DMZ inhabiting systems like DNS servers and Webmail on a Basestation Host?

I'm studying for the CISSP, and it says in the AIO by Shon Harris that the Basestation Host is frontline to the internet, therefore it has to be hardened, and is subject to all the wild nastiness of the internet.

So why would it be good to put something like webmail on a machine that's potentially subject to threats?


  swild
    I think you mean "Bastion" Host. Take a look at the Wikipedia entry, it may help. It's a server that has to be exposed to the internet in order to be of use, therefore it has to be hardened. You would put this in a DMZ because it has to be on your network to reach your Exchange (or whatever mail) server, but you don't want something that is open to the internet to be inside your secured network.
  quinnyfly
    Any internet-facing server needs to be hardened; placing them in a screened subnet (DMZ) offers them that extra level of protection. Many DMZ arrangements use a triple-bastion host. If web-mail servers, etc. are positioned behind a screening router and inside the DMZ, and they are subject to an attack, all the attacker sees is the bastion host and not the servers.

    Typically, you would not put webmail services on the same server that runs your firewall software; part of system hardening is about placing webmail, DNS, FTP services and so forth on either separate partitions on different servers, or having them reside on their own dedicated server.

    The main idea is to reduce the attack surface by only allowing web-facing servers to be accessed via either a screening router or firewall. The DMZ is perhaps the strongest method of protection, but it comes at a cost.
    The Wings of Technology
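A small added example (not from the thread or from the AIO) that models the screened-subnet policy quinnyfly describes: the screening firewall exposes only the DMZ bastions to the internet and lets only the webmail bastion reach the internal mail server, everything else being denied. The addresses, host roles and the SMTP relay port are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation / RFC 1918 ranges); most specific zone first
ZONES = [
    ("dmz", ip_network("192.0.2.0/24")),     # screened subnet behind the screening router
    ("internal", ip_network("10.0.0.0/8")),  # secured network (mail server, workstations)
    ("internet", ip_network("0.0.0.0/0")),   # everything else
]
WEBMAIL = "192.0.2.10"  # bastion host running the webmail front end (constructed)
DNS = "192.0.2.20"      # bastion host running public DNS (constructed)
MAIL = "10.0.1.5"       # internal Exchange/mail server (constructed)

# (src_zone, src_host, dst_zone, dst_host, proto, port); None means any host in the zone
ALLOW = [
    ("internet", None, "dmz", WEBMAIL, "tcp", 443),  # public webmail over HTTPS
    ("internet", None, "dmz", DNS, "udp", 53),       # public DNS
    ("dmz", WEBMAIL, "internal", MAIL, "tcp", 25),   # assumed: only the webmail bastion relays to the mail server
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; the first (most specific) matching network wins."""
    addr = ip_address(ip)
    return next(name for name, net in ZONES if addr in net)

def allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if an explicit ALLOW rule matches it."""
    sz, dz = zone_of(src), zone_of(dst)
    for r_sz, r_src, r_dz, r_dst, r_proto, r_port in ALLOW:
        if (r_sz, r_dz, r_proto, r_port) != (sz, dz, proto, port):
            continue
        if r_src not in (None, src) or r_dst not in (None, dst):
            continue
        return True
    return False

def exposed_to_internet() -> set:
    """Services a scanner on the internet can reach: only the DMZ bastions, never the internal net."""
    return {(dst, proto, port) for sz, _, dz, dst, proto, port in ALLOW if sz == "internet"}
```

Note that a compromised DNS bastion still cannot reach the mail server, because the DMZ-to-internal rule is pinned to the webmail host and port rather than to the whole DMZ.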
  silverh20
    Great, thanks for the concise replies.

    I had tried looking this info up earlier but was getting these massive technical articles that I didn't want to burrow down into just for this concept.
