Page 812 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

to another interface, disabled. This will force the filtering rules to control all traffic rather than allowing a software-supported shortcut between one interface and another. A bastion host is a computer or appliance that is exposed on the internet and has been hardened by removing all unnecessary elements, such as services, programs, protocols, and ports. A screened host is a firewall-protected system logically positioned just inside a private network. All inbound traffic is routed to the screened host, which in turn acts as a proxy for all the trusted systems within the private network. It is responsible for filtering traffic coming into the private network as well as for protecting the identity of the internal client.



The word bastion comes from medieval castle architecture. A bastion guardhouse was positioned in front of the main entrance to serve as a first layer of protection. Using this term to describe a host indicates that the system is acting as a sacrificial host that will receive all inbound attacks.



A screened subnet is similar to the screened host in concept, except a subnet is placed between two routers or firewalls and the bastion host(s) is located within that subnet. All inbound traffic is directed to the bastion host, and only authorized traffic can pass through the second router/firewall into the private network. This creates a subnet where some external visitors are allowed to communicate with resources offered by the network. This is the concept of a DMZ, which is a network area (usually a subnet) that is designed to be accessed by outside visitors but that is still isolated from the private network of the organization. The DMZ is often the host of public web, email, file, and other resource servers.
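The two-chokepoint policy described above, as an added worked example that is not from the study guide: a small Python model of a screened subnet in which each router/firewall is a first-match rule list with a default deny, and a packet is delivered only if every firewall on its path accepts it. The addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the private network, a bastion at 192.0.2.10, an internal database at 10.0.5.20), the permitted ports and the rule sets are all constructed assumptions chosen to illustrate the architecture.

```python
"""Model of a screened-subnet (DMZ) policy with two firewalls.

An external firewall sits between the internet and the DMZ, an internal
firewall between the DMZ and the private network.  Each is a first-match
rule list with an implicit default deny; a packet is delivered only if it
is accepted at every chokepoint it crosses.  Addresses and ports below are
constructed for the example, not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY      = ipaddress.ip_network("0.0.0.0/0")
DMZ      = ipaddress.ip_network("192.0.2.0/24")   # the screened subnet
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # the private network
BASTION  = ipaddress.ip_network("192.0.2.10/32")  # hardened host inside the DMZ
DB       = ipaddress.ip_network("10.0.5.20/32")   # internal server the bastion proxies for


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "tcp"
    dports: Optional[frozenset] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and p.proto == self.proto
                and (self.dports is None or p.dport in self.dports))


def evaluate(rules, p: Packet) -> str:
    """First-match evaluation; anything not explicitly accepted is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Outer router/firewall: only the bastion's public services are reachable from outside,
# and the DMZ may only initiate HTTPS outbound (e.g. to fetch updates).
EXTERNAL_FW = [
    Rule("accept", ANY, BASTION, "tcp", frozenset({80, 443})),
    Rule("accept", DMZ, ANY, "tcp", frozenset({443})),
]

# Inner router/firewall: the bastion reaches exactly one internal service on one port;
# administrators on the private network may SSH into DMZ hosts.  Nothing else passes.
INTERNAL_FW = [
    Rule("accept", BASTION, DB, "tcp", frozenset({5432})),
    Rule("accept", INTERNAL, DMZ, "tcp", frozenset({22})),
]

ZONE_ORDER = ["internet", "dmz", "internal"]
CHOKEPOINTS = {("internet", "dmz"): ("external", EXTERNAL_FW),
               ("dmz", "internal"): ("internal", INTERNAL_FW)}


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"


def firewalls_on_path(p: Packet):
    """Chokepoints crossed, in the order the packet meets them (none within one zone)."""
    a, b = ZONE_ORDER.index(zone(p.src)), ZONE_ORDER.index(zone(p.dst))
    step = 1 if b >= a else -1
    hops = []
    for i in range(a, b, step):
        pair = tuple(sorted((ZONE_ORDER[i], ZONE_ORDER[i + step]), key=ZONE_ORDER.index))
        hops.append(CHOKEPOINTS[pair])
    return hops


def deliver(p: Packet):
    """Return (delivered, explanation); a drop at any chokepoint ends the trip."""
    for name, rules in firewalls_on_path(p):
        if evaluate(rules, p) != "accept":
            return False, f"dropped by {name} firewall"
    return True, "delivered"


if __name__ == "__main__":
    cases = [
        ("visitor -> bastion HTTPS",        Packet("203.0.113.5", "192.0.2.10", 443)),
        ("visitor -> bastion SSH",          Packet("203.0.113.5", "192.0.2.10", 22)),
        ("visitor -> internal DB directly", Packet("203.0.113.5", "10.0.5.20", 5432)),
        ("bastion -> DB (proxied query)",   Packet("192.0.2.10", "10.0.5.20", 5432)),
        ("bastion -> other internal host",  Packet("192.0.2.10", "10.0.5.21", 5432)),
        ("admin -> bastion SSH",            Packet("10.0.1.1", "192.0.2.10", 22)),
    ]
    for label, pkt in cases:
        print(f"{label:34s} {deliver(pkt)[1]}")
```

The two checks worth noticing are that an outside client aiming straight at the internal database is stopped at the external firewall before the internal rule set is ever consulted, and that a bastion which has been compromised can reach only one internal host on one port, which is the whole point of placing it in the screened subnet rather than on the private network. A real deployment expresses the same two rule sets in nftables, a vendor ACL or a cloud security group, normally with stateful matching so that return traffic for accepted connections does not need its own rules.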


Firewall Deployment Architectures

There are three commonly recognized firewall deployment architectures: single tier, two tier, and three tier (also known as multitier).

As you can see in Figure 11.8, a single-tier deployment places the