What are your thoughts on whether or not to use a bastion host

security firewall ids

Solution 1:

The triple firewall/IPS layer doesn't make too much sense to me, unless the various devices have disjoint sets of functionality. If there's no opportunity for code or malicious activty "between" two of the devices, and they really are just plugged in back-to-back, it seems like a giant waste of money.

A more traditional architecture would be something like:

Internet->Firewall/IDS->Web server tier->App server Tier->(optional firewall/IPS)->database

That optional firewall between the app server tier and database isn't really that useful, but is required by PCI and potentially other regulations. Simple access controls or a software firewall on the database server makes more sense to me for most environments rather than a dedicated separate firewall.

A more complicated, but potentially useful setup would be to use a web/proxy "bastion host" tier:

Internet->Firewall/IDS->web/proxy server->Firewall/IDS->application servers->(optional firewall/IPS)->database.

In my opinion, the above setup only makes sense if the firewall/IDS between your bastion host is able to do more than simple stateful packet filtering. If the IDS functionality inside that Firewall/IDS can look inside HTTP packets and only allow a set of defined behaviors between the web/proxy tier and the application server tier, then it might be worthwhile.

Note that any of the firewall/IDS tiers can be be implemented as software firewall running on the destination host. This simplifies networking greatly and scales better than hardware security solutions. You do give up the centralized "choke point" for monitoring all traffic, but that is often a requirement to scale up. I doubt Facebook or Google passes all their traffic through any firewall tier - the security functionality simply has to be distributed at that scale.

Solution 2:

In medium/larger networks it's pretty common to see a perimeter network where the servers have been hardened (the new term for bastion host). In smaller networks it's not very common anymore (if it ever was). The idea of assigning a single task to a server and hardening it against everything else is regaining popularity in medium sized networks, as virtualization allows you to easily setup specialized VMs.

I find these setups to be the most common:
Small Networks:
Internet ---> Firewall/Router ---> Internal Network (Servers & Clients included)

Medium Networks
Internet ---> Perimeter Firewall ---> Perimeter Network (Internet accessible servers) ---> Internal Firewall ---> Internal Network (Server & Clients included)

High Security Networks:
Internet ---> Perimeter Firewall(s) ---> Perimeter Network (Internet accessible servers)
Perimeter Network ---> Server Firewall ---> Server Network
Perimeter Network ---> Client Firewall ---> Client Network

Of course every network is a little different here and there; but those are the themes I see most commonly. Firewalls typical incorporate IDS/IDP along with typical filtering and such.

Related

ossec features vs snort / tripwire for pci compliance
Exchange 2010 Public Folders High Availability or Load Balancing
Use wakeonlan by hostname rather than MAC/IP
Windows 2003 Domain. Best way to assign permisions to technical support
Artificially burden the CPU
Wildcard records with Nginx to handle custom domains
Is chmod 700 on a directory sufficient to prevent arbitrary access to subdirectories?
How can I find my Oracle 10g server version?
Is it possible to run OS X headless? [closed]
The state of XEN vs KVM for inhouse virtual server farm like live farm
Office 2010 Deployment
How to trust my own self-signed SSL cert?