
Hardware Planning

  • A bastion host is a hardened machine that serves a single purpose. It is dangerous to have one machine serving web, DNS, firewall, ftp, NFS and so forth: if that host is compromised through, say, a DNS or portmap exploit, it is trivial to take over every other network service on it and use it to attack your other hosts. The more you separate critical services onto their own machines, the harder it is to compromise them all. Avoid cleartext passwords and cleartext network traffic as well: encrypted traffic captured from a compromised host is useless to an attacker who does not also hold the keys. Note that this protects traffic passing through or past the host, not the sessions the compromised host itself terminates; those are plaintext once the attacker controls the endpoint.
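One way to check a host against the single-purpose rule, as an added example that is not part of the original slides: the script parses the output of `ss -lntup` (Linux iproute2) pasted into it, groups the listening sockets by service role, and reports whether the host serves more than one role and which of its services speak cleartext protocols that carry credentials or data. The port-to-role table, the choice to exclude ssh as the management channel, and the two sample `ss` outputs are constructed for illustration.

```python
"""Audit a host's listening sockets against the single-purpose bastion rule.

Added example, not from the original slides. Paste in `ss -lntup` output;
the script groups sockets by service role and flags multi-role hosts and
cleartext services. Port table and samples below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed table of well-known ports: (role, speaks cleartext with
# credentials or data). Ports not listed are reported as unknown:<port>.
ROLE_BY_PORT: Dict[int, Tuple[str, bool]] = {
    21: ("ftp", True),
    22: ("ssh", False),
    23: ("telnet", True),
    25: ("smtp", True),
    53: ("dns", False),
    80: ("http", True),
    110: ("pop3", True),
    111: ("portmap", True),
    143: ("imap", True),
    443: ("https", False),
    2049: ("nfs", True),
}

# Administrative access to the bastion itself does not count as a service
# role; a single-purpose host still needs a way to be managed (assumption).
MANAGEMENT_ROLES: Set[str] = {"ssh"}

# Matches the first process name inside users:(("sshd",pid=812,fd=3))
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(output: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, process) for each socket in `ss -lntup` output."""
    sockets: List[Tuple[str, int, str]] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or a netid we do not handle
        proto, local = fields[0], fields[4]
        # Local address looks like 0.0.0.0:22, [::]:80 or *:21; the port
        # is whatever follows the last colon.
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        m = _PROC_RE.search(line)
        sockets.append((proto, port, m.group(1) if m else "?"))
    return sockets


def audit(output: str) -> Dict[str, object]:
    """Classify listening sockets and apply the single-purpose rule."""
    roles: Set[str] = set()
    cleartext: Set[str] = set()
    for proto, port, proc in parse_ss(output):
        role, is_cleartext = ROLE_BY_PORT.get(port, (f"unknown:{port}", False))
        if role in MANAGEMENT_ROLES:
            continue
        roles.add(role)
        if is_cleartext:
            cleartext.add(f"{role} ({proto}/{port}, {proc})")
    return {
        "roles": sorted(roles),
        "cleartext": sorted(cleartext),
        "single_purpose": len(roles) <= 1,
    }


# Constructed sample: one host serving DNS, portmap, NFS and HTTP at once.
SAMPLE_MULTI = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      10     0.0.0.0:53         0.0.0.0:*         users:(("named",pid=950,fd=21))
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("named",pid=950,fd=20))
tcp   LISTEN 0      4096   0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=410,fd=4))
tcp   LISTEN 0      64     [::]:2049          [::]:*
tcp   LISTEN 0      511    *:80               *:*               users:(("httpd",pid=1201,fd=4))
"""

# Constructed sample: a DNS-only bastion, administered over ssh.
SAMPLE_SINGLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("named",pid=950,fd=20))
"""

if __name__ == "__main__":
    for name, sample in (("multi-role host", SAMPLE_MULTI), ("dns bastion", SAMPLE_SINGLE)):
        report = audit(sample)
        print(f"{name}: roles={report['roles']} single_purpose={report['single_purpose']}")
        for entry in report["cleartext"]:
            print(f"  cleartext service: {entry}")
```

Run it against real output with `ss -lntup | python3 audit_bastion.py` after replacing the samples with `sys.stdin.read()`; the first sample reports four roles and three cleartext services, the second reports a single role and nothing in the clear.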
