Front cover - IBM Redbooks

term has been used less frequently of late. The application protocols typically
supported are HTTP, FTP, and telnet, but can include virtually any TCP/IP
protocol. Proxy systems are usually transparent to the end-user. We delve into
the characteristics of firewalls and proxies and the specific functions performed
by proxies in later chapters. The key point you should understand at this stage is
that proxies are an essential component of security best practices.
Not too long ago, security experts regularly used the term “bastion host.” This
term has fallen out of common use in security jargon, probably due to the original
concept of a bastion host serving the role of a “sacrificial host” between the
Internet and the internal network. In the past few years, the functions performed
by the defense layers between the Internet and the internal network have
become more sophisticated. Rather than put a host in an area vulnerable to
attack (and in the worst case, “sacrificed”), the mind set today is to minimize
vulnerability of all infrastructure components as well as avoid storing any data
directly in externally accessible networks. So rather than be willing to sacrifice a
server and potentially the data on it, we employ an architecture that uses
technology and separation methods to remove data from the networks adjacent
to the Internet.
Proxy systems are a valuable tool to provide a high degree of separation of
resources, and provide a bridge to get selected packets from one network to
another. Proxy systems disguise or hide what is on the side opposite from the
end-user’s point of view, which makes reconnaissance by would-be attackers
difficult if not impossible. Unlike a TCP/IP router performing simple network
address translation (NATS), a proxy usually re-writes portions of the application
data headers in addition to network packet header information. If proxy systems
have one general weakness, it is related to performance limitations caused by
the amount of overhead incurred filtering, inspecting, and rewriting data packets
from one network port to another.
Utilize intrusion detection
An intrusion is when a party (or parties) accesses, attempts to access, or
attempts to disrupt a computer resource that they are not authorized to use. The
party involved may be a person or a program, or a combination. The target
computer resource could be a server, an application, database, network link, and
so forth. Intrusion detection systems (IDS) are important security measures
because they can alert you when an attack is in progress (successful or not).
Early detection is an important security consideration because attempted
breaches or attacks commonly begin with a “probing” of the target to look for
possible weaknesses or access opportunities. This probing is usually done by
scanning TCP/IP ports for responsive services in order to identify opportunities
for attacks. Ideally, our intrusion detection methods will detect suspicious activity
during the earliest phases of an attacker’s efforts.
Chapter 3. Secure infrastructure requirements 105