How Does Traffic Flow Through A Bastion Host?

Abstract

A bastion host is a form of web application firewall. The goal of a bastion host is to provide access controls and protect your internal network hosts from direct exposure on the Internet. The bastion host may be exposed directly on the Internet or, more likely, sit behind some sort of perimeter network.

How the bastion host is exposed to the Internet, and its configuration as a network firewall (if any), are important, as they may affect how we want to configure access controls. Regardless of how we configure access controls, we must first understand how traffic flows through a bastion host before we can determine what our access control rules should be.

Traffic Flow Through A Bastion Host

A bastion host can be as simple as two hosts on a network. The first host is the Internet-facing host (or “front-end”), and the other is an internal private host which is typically hidden from direct exposure to the Internet.

Within this environment, there are typically three forms of traffic that may traverse these hosts:

1) Traffic originating from an external untrusted source, destined for a service residing on the internal private host.

2) Traffic originating from an internal trusted source, destined for an external resource such as an HTTP or FTP site.

3) Traffic originated by the internal private host, destined for some other internal trusted destination also residing on an internal network segment.

Traffic originating from an external untrusted source and destined for a service residing on the internal private host will first be routed to the front-end host. There it will be inspected, filtered or processed as required by your security policy, before being forwarded onto the back-end network segment.

The traffic flow here may look as follows:

From External Untrusted –> To Front-End Host –> To Internal Private Network Segment

In this case, the traffic was destined for a web server listening on TCP port 80 on the private network interface. As such, it will have been permitted through any access controls applied to the front-end host and allowed to flow through the Internet-facing network interface (NIC) of the bastion host. At this point it is typically routed on to the appropriate destination host on the internal network segment.

Traffic originating from an internal trusted source and destined for an external resource such as an HTTP or FTP site will first go through the same process: it is routed through the front-end host for inspection, filtering or additional processing if required by your security policy, before being forwarded onto its final destination on the external untrusted network segment.

The traffic flow here may look as follows:

From Internal Trusted –> To Front-End Host –> To External Untrusted

In this case, the traffic was destined for a web server listening on TCP port 80 on some other Internet host, which could be either internal or external to our environment. As such, it will have been inspected and allowed through any access controls or filtering rules you may have applied to the front-end host. It will typically be routed directly out onto the external untrusted network segment (or, more commonly, to an upstream router).

Traffic originated by the internal private host and destined for some other internal trusted destination, also residing on an internal network segment, will first go through the same process: it passes through the front-end host for inspection, filtering and additional processing if required by your security policy, before being forwarded onto its final destination.

The traffic flow here may look as follows:

From Internal Trusted –> To Front-End Host –> To Internal Private Network Segment

In this case, the traffic was destined for a web server listening on TCP port 80 on some other internal host, which could also be either internal or external to our environment. As such, it will have been inspected and allowed through any access controls or filtering rules you may have applied to the front-end host, before being routed directly out onto its final destination on the private network segment.

Conclusion

This is how traffic flows through the bastion host. You can use both Layer 2 and Layer 3 switches with this setup, including where your external network is a VLAN and you want to make sure that all traffic lands on the front-end host.

You must understand the different types of traffic flow that may traverse your private network before you begin building out the architecture. The above example demonstrates how easy it is for an internal trusted source to get routed directly onto our untrusted external network segment if the front-end host is not configured correctly. Another thing to remember when setting up this model is that any servers residing on the back-end network segments should be properly secured: disable all physical access ports/interfaces to them and remove any unnecessary services running on them (such as file-sharing protocols), since these only provide another avenue into your environment, and onto your private hosts, if compromised.
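The three flows above, and the misconfiguration the conclusion warns about, can be expressed as a small model of the front-end host's forwarding policy. The following is an added example written for this page, not code from the original article: it assumes constructed addressing for the segments (10.0.1.0/24 for the internal private segment, 10.0.2.0/24 for the internal trusted segment, everything else external), classifies each new connection by source and destination zone, applies a first-match, default-deny rule list, and includes an `audit_overbroad` check that flags any accept rule which would forward internal traffic onto the external segment without a port restriction. The zone names, prefixes and helper names are all assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the segments; the article names the zones but not
# the addresses, so these prefixes are assumptions made for this example.
ZONES = {
    "internal_private": [ip_network("10.0.1.0/24")],  # back-end segment, hosts the web server
    "internal_trusted": [ip_network("10.0.2.0/24")],  # other internal segment
}
# Any address outside the listed zones is treated as external/untrusted.


def zone_of(addr: str) -> str:
    """Map an IP address to the zone the front-end host considers it part of."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external_untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str           # zone name, or "*" for any zone
    dst_zone: str
    proto: str              # "tcp", "udp" or "*"
    dport: Optional[int]    # None matches any destination port
    action: str             # "accept" or "drop"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.proto in ("*", proto)
                and (self.dport is None or self.dport == dport))


# Policy applied on the front-end host: first matching rule wins, default deny.
POLICY: List[Rule] = [
    # Flow 1: external untrusted -> web server on the internal private segment
    Rule("external_untrusted", "internal_private", "tcp", 80, "accept"),
    # Flow 2: internal trusted -> external HTTP or FTP
    Rule("internal_trusted", "external_untrusted", "tcp", 80, "accept"),
    Rule("internal_trusted", "external_untrusted", "tcp", 21, "accept"),
    # Flow 3: internal private host -> another internal trusted destination
    Rule("internal_private", "internal_trusted", "tcp", 80, "accept"),
]


def decide(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, path) for a new connection arriving at the front-end host."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    path = f"{src_zone} -> front-end -> {dst_zone}"
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action, path
    return "drop", path  # nothing matched: default deny


def audit_overbroad(policy: List[Rule]) -> List[Rule]:
    """Flag accept rules that let an internal zone reach the external segment on any port.

    This is the misconfiguration the article warns about: an internal trusted
    source being forwarded straight onto the untrusted external segment.
    """
    flagged = []
    for rule in policy:
        internal_src = rule.src_zone in ("*", "internal_trusted", "internal_private")
        external_dst = rule.dst_zone in ("*", "external_untrusted")
        if rule.action == "accept" and internal_src and external_dst and rule.dport is None:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    # Constructed sample connections, one per flow plus two that must be dropped.
    samples = [
        ("203.0.113.5", "10.0.1.10", "tcp", 80),   # flow 1, permitted
        ("203.0.113.5", "10.0.1.10", "tcp", 22),   # SSH to the web server, dropped
        ("10.0.2.20", "198.51.100.7", "tcp", 80),  # flow 2, permitted
        ("10.0.1.10", "10.0.2.20", "tcp", 80),     # flow 3, permitted
        ("203.0.113.5", "10.0.2.20", "tcp", 80),   # external straight into the trusted segment, dropped
    ]
    for src, dst, proto, dport in samples:
        action, path = decide(POLICY, src, dst, proto, dport)
        print(f"{src} -> {dst}:{dport}/{proto}: {action:6} [{path}]")

    # A catch-all accept rule is exactly what lets internal traffic leak out unfiltered.
    sloppy = POLICY + [Rule("*", "*", "*", None, "accept")]
    print("over-broad rules:", audit_overbroad(sloppy))
```

Running the module prints the decision and the zone path for each sample connection; the audit at the end reports the catch-all rule, which is the kind of rule that would let an internal trusted source reach the external segment without passing any real filtering on the front-end host.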