How Is A Bastion Host Configured?
A bastion host is a single, highly-visible SSH or RDP proxy which is configured to allow external connections into internal servers.
The main purpose of this setup is to reduce the risk of an attacker gaining access to internal machines by compromising just one server. Additionally, it can also be used to provide additional security for applications that are not directly exposed to the Internet, but instead must communicate with other internal servers via SSH or RDP. An example would be Microsoft Exchange Server.
A common method used in securing an environment against direct exposure from the Internet is through the use of NAT (Network Address Translation) and firewalls. Although NAT works quite well for this scenario, an added layer of protection can be obtained through multiple layers of security. The bastion host can be configured to allow access for external firewall rules only, but not the internal machines themselves. This will ensure that even if an attacker is able to bypass or compromise the bastion host, they are still unable to gain access to internal servers.
Although NAT provides excellent protection against direct exposure from the Internet, it is NOT a replacement for RDP or SSH proxies when it comes to providing remote console access within restricted network environments with no Internet connectivity. If you do wish to replace your current in-house SSH/RDP proxy architecture with NAT firewalls in order to save on operational expense, please consult the documentation provided with the equipment in use beforehand so as not to lose any functionality you may require.
Advantage of using the bastion host
is that it also circumvents issues which can occur with certain types of NAT firewalls. For example, some NAT environments can experience latency issues when trying to establish multiple sessions on the same machine quickly (for example: multi server application testing or hacking). The bastion host acts as a single entity which connects directly into your environment (a secure proxy) without having to go through an additional set of security devices (firewall). This gives you increased flexibility and the ability to work around these compression problems in your organization. It should be mentioned however, that you will not see any performance gains by using this method over software-based RDP proxies – but will see additional benefits in regards to system security.
Configure a Bastion host:
1) Install Windows OS on the bastion host.
2) Configure TCP/IP of the bastion host to use a static IP address outside of your NAT firewall range (where an external DNS record exists).
3) Open port 3389 of your NAT firewall for inbound connections to the static IP address of your bastion host. Ensure that this rule only applies to your specific box.
4) Create rules within Windows Firewall on all other internal hosts which are allowed to connect out to port 3389 on the bastion host. This will vary between different versions of Windows, but should not be too difficult to implement by following instructions provided in this documentation or via online resources.
5) Configure Windows Firewall with Advanced Policy to allow RDP from any source to the bastion host. This is done by editing your public profiles (in normal mode).
6) Ensure that all other internal hosts are ONLY ALLOWED TO CONNECT TO THE BASTION HOST (ALL OTHER PORTS ARE BLOCKED).
7) Login to the bastion host and install the software required for an SSH or RDP proxy (for example, mRemoteNG). Ensure that you configure each service to authenticate against either Active Directory or application-specific database authentication databases. Additionally, ensure that you do not enable any form of “guest” login feature within these packages as this will defeat the purpose of creating a bastion host and will increase the overall security risk of your environment.
8) Configure your proxy software to limit access to specific users or groups that require remote desktop access (for example, use mRemoteNG to enable RDP guest accounts for a predefined list of usernames).
9) Use iptables firewall rules on your bastion host to ensure that all ports are closed except port 3389 which must be open for inbound connections from any source.
10) Test and confirm that you can establish an RDP session with the bastion host successfully.
11) If at any stage you need to change the configuration settings, disconnect ALL internal hosts from using the proxy and then reconfigure it as described above. Do not make any changes to your iptables rules unless you have confirmed that all internal hosts can connect successfully to the proxy services before and after changing these settings. Changing firewall rules on a bastion host without validating this first will either cause clients to lose connectivity or, worse yet, put them at increased risk of attack.
The bastion host provides a mechanism for isolating your RDP sessions between different security domains. It allows you to create an additional layer of protection against malicious attacks and ensures that only the required users have remote access into your environment.
One drawback is that you will need to dedicate one system to be permanently configured as a bastion host (with both firewall rules and proxy-settings applied) thus increasing administrative costs. Additionally, performance gains over software-based proxies are negligible, but the added reliability in protecting data between subnets can justify this approach if it fits within your organization’s requirements.