In this simulation, you will explore perimeter network architecture. Understanding the components of a Demilitarized Zone (DMZ) and how to securely bridge public and private networks is a core skill for any Network Defender.

CND (312-38) Network Defense Simulation

Network Scenario

A new public-facing web application has been deployed for your organization. To comply with security policies, direct connections from the internet to internal database servers are strictly prohibited. You are reviewing the architecture of the newly configured perimeter. A hardened server has been placed in the DMZ. It terminates incoming internet connections, deeply inspects the HTTP payloads, and initiates a brand-new connection to the internal application tier on behalf of the user.

Traffic & Logs

[2023-11-02 09:14:22] EXT_FW_ALLOW: SRC=203.0.113.45 DST=198.51.100.10 (Gateway) PROTO=TCP DPT=443
[2023-11-02 09:14:23] PROXY_DAEMON: Terminating SSL, inspecting payload from 203.0.113.45... OK.
[2023-11-02 09:14:23] INT_FW_ALLOW: SRC=198.51.100.10 (Gateway) DST=10.0.1.50 PROTO=TCP DPT=8080
[2023-11-02 09:18:11] INT_FW_DENY: SRC=198.51.100.10 (Gateway) DST=10.0.1.50 PROTO=TCP DPT=22 (SSH Blocked by Policy)
[2023-11-02 09:19:44] WAF_ALERT: Gateway dropped malformed HTTP GET request containing SQLi signature from 192.0.2.100.

Question

Paul is a network security technician working on a contract for a laptop manufacturing company in Chicago. He has focused primarily on securing network devices, firewalls, and traffic traversing in and out of the network. He just finished setting up a server as a gateway between the internal private network and the outside public network. This server will act as a proxy, run a limited number of services, and filter packets. What is this type of server called?

A. Session layer firewall.
B. SOCKS host.
C. Bastion host.
D. Edge transport server.

Think about medieval castles. What is the highly fortified, forward-facing structure designed to withstand attacks and protect the inner courtyard?

Expert Analysis

What is happening: Internet traffic is being routed to a single, specifically configured server situated in the DMZ. This server breaks the direct connection, inspects the traffic, and proxies only legitimate requests to the internal network.

Behavior Identification: This represents a classic Defense-in-Depth architectural pattern using an application-level proxy on a hardened perimeter device.

Correct Answer Reasoning: Bastion host (C). A bastion host is a server deliberately built and configured to withstand attack. Because it sits on the public-facing edge of the network (typically in the DMZ), it is heavily hardened, runs only the few services it must, acts as a proxy/gateway, and filters packets. It is the single point of contact for external entities, which is exactly the role the logs above show: external traffic terminates on 198.51.100.10, and only that address appears as a source at the internal firewall.

Why others are wrong:

  • Session layer firewall: A circuit-level gateway does operate at Layer 5 of the OSI model, relaying TCP sessions without looking at payloads, but the term names a filtering function, not the hardened, minimally provisioned host that performs it.
  • SOCKS host: SOCKS is a circuit-level proxy protocol (SOCKS5 is RFC 1928). A bastion host *could* run a SOCKS proxy, but "SOCKS host" describes one service, not the overarching hardened gateway server concept.
  • Edge transport server: This is a specific Microsoft Exchange Server role for routing and hygiene-filtering email at the perimeter, not a general-purpose proxy or packet-filtering gateway.

Defensive Action: Harden the bastion host against a recognised benchmark such as the CIS Benchmarks. Remove all unnecessary software, compilers, and user accounts. Apply strict firewall rules both in front of and behind the bastion: the outer firewall admits only the published service port to the bastion, and the inner firewall permits only the bastion to reach the application tier on its service port (the INT_FW_DENY on port 22 above is that rule working). Then, if the bastion is compromised, the attacker still cannot pivot freely into the internal network.
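As an added illustration of that last point (not part of the original simulation), the following Python audit parses firewall records in the format shown under Traffic & Logs and flags every ALLOWed flow that does not fit the bastion choke-point pattern: outside traffic may reach only the bastion on its published port, and only the bastion may reach the application tier, only on its service port. The gateway address and the two ports are taken from the page's logs; the two violating records at the end of the sample are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

GATEWAY = ip_address("198.51.100.10")   # the bastion, from the page's logs
PUBLIC_PORTS = {443}                     # the only service the bastion exposes outward
APP_TIER_PORTS = {8080}                  # the only service the bastion may reach inward

# Matches EXT_FW_*/INT_FW_* records; PROXY_DAEMON and WAF_ALERT lines are not flow records.
FW_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<event>(?:EXT|INT)_FW_(?:ALLOW|DENY)): "
    r"SRC=(?P<src>[\d.]+)(?: \([^)]*\))? DST=(?P<dst>[\d.]+)(?: \([^)]*\))? "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


@dataclass
class Flow:
    ts: str
    event: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dpt: int


def parse_flows(lines):
    """Return a Flow for every firewall record; non-flow lines are skipped."""
    flows = []
    for line in lines:
        m = FW_LINE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["event"], ip_address(m["src"]),
                              ip_address(m["dst"]), m["proto"], int(m["dpt"])))
    return flows


def audit_choke_point(flows):
    """One finding (ts, reason) per ALLOWed flow that bypasses the bastion pattern.

    DENY records are the policy working and never produce findings.
    """
    findings = []
    for f in flows:
        if not f.event.endswith("ALLOW"):
            continue
        if f.event.startswith("EXT"):
            # Outer firewall: only the bastion, only on the published port.
            if f.dst != GATEWAY:
                findings.append((f.ts, f"external {f.src} reached {f.dst} without traversing the bastion"))
            elif f.dpt not in PUBLIC_PORTS:
                findings.append((f.ts, f"bastion exposes unexpected port {f.dpt} to {f.src}"))
        else:
            # Inner firewall: only from the bastion, only to the app-tier port.
            if f.src != GATEWAY:
                findings.append((f.ts, f"{f.src} reached internal host {f.dst} directly, not via the bastion"))
            elif f.dpt not in APP_TIER_PORTS:
                findings.append((f.ts, f"bastion reached {f.dst}:{f.dpt}, outside the allowed app-tier ports"))
    return findings


# The five lines from the page, followed by two constructed violations:
# an internet address allowed straight to the database port, and the bastion
# itself allowed to a database port it has no business reaching.
SAMPLE_LOG = """\
[2023-11-02 09:14:22] EXT_FW_ALLOW: SRC=203.0.113.45 DST=198.51.100.10 (Gateway) PROTO=TCP DPT=443
[2023-11-02 09:14:23] PROXY_DAEMON: Terminating SSL, inspecting payload from 203.0.113.45... OK.
[2023-11-02 09:14:23] INT_FW_ALLOW: SRC=198.51.100.10 (Gateway) DST=10.0.1.50 PROTO=TCP DPT=8080
[2023-11-02 09:18:11] INT_FW_DENY: SRC=198.51.100.10 (Gateway) DST=10.0.1.50 PROTO=TCP DPT=22 (SSH Blocked by Policy)
[2023-11-02 09:19:44] WAF_ALERT: Gateway dropped malformed HTTP GET request containing SQLi signature from 192.0.2.100.
[2023-11-02 09:21:05] INT_FW_ALLOW: SRC=203.0.113.45 DST=10.0.1.50 PROTO=TCP DPT=3306
[2023-11-02 09:22:30] INT_FW_ALLOW: SRC=198.51.100.10 (Gateway) DST=10.0.1.60 PROTO=TCP DPT=3306
""".splitlines()

if __name__ == "__main__":
    for ts, reason in audit_choke_point(parse_flows(SAMPLE_LOG)):
        print(ts, reason)
```

Run against the page's five records alone the audit is silent; the two constructed records each produce a finding, which is the behaviour you want from a nightly check over exported firewall logs.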

Mini Lesson: Bastion Hosts vs. Traditional Firewalls

A traditional packet-filtering firewall permits or drops traffic based on header fields (source and destination IP, port, protocol). Once permitted, the TCP connection runs end to end from the attacker to the internal server, and the payload is never examined.

A Bastion Host acting as a proxy breaks that connection. The attacker connects to the Bastion. The Bastion terminates the session and inspects the data. If it passes policy, the Bastion opens a new, separate connection to the internal server and relays the request. The internal server never speaks directly to the internet, and only the Bastion's address ever appears as a source at the inner firewall.
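To make the connection break concrete, here is an added Python example (not code from the original page): a minimal bastion-style proxy that terminates the client's TCP session, inspects the HTTP request line against a small policy, and only then opens a second connection to a stand-in application-tier server. Everything runs on loopback with ephemeral ports. The policy (allowed methods and the toy SQLi pattern), the request targets, and the backend's response are assumptions for illustration.

```python
import re
import socket
import threading
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD"}  # assumed policy for this example
SQLI_SIGNATURE = re.compile(r"'\s*(?:or|and)\b|union\s+select|--", re.IGNORECASE)  # toy signature
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


def inspect_request(raw):
    """Application-layer check of the request line. Returns (ok, reason)."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if SQLI_SIGNATURE.search(unquote(target)):  # decode %xx before matching
        return False, "SQLi signature in request target"
    return True, "ok"


def read_head(conn):
    """Read up to the end of the header block (GET/HEAD carry no body)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < 8192:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def bastion_handler(client, backend_addr):
    """Terminate the outside session; open a *new* inside session only for clean requests."""
    with client:
        raw = read_head(client)
        ok, _ = inspect_request(raw)
        if not ok:
            client.sendall(FORBIDDEN)  # dropped here; the app tier never sees it
            return
        with socket.create_connection(backend_addr) as upstream:  # separate TCP connection
            upstream.sendall(raw)
            upstream.shutdown(socket.SHUT_WR)
            while chunk := upstream.recv(4096):
                client.sendall(chunk)


def backend_handler(client, seen):
    """Stand-in for the internal app tier: records the request line it got, answers 200."""
    with client:
        raw = read_head(client)
        seen.append(raw.split(b"\r\n", 1)[0])
        body = b"hello from the app tier"
        client.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                       b"Connection: close\r\n\r\n%b" % (len(body), body))


def serve(handler, *args):
    """Listen on an ephemeral loopback port in a daemon thread; returns (addr, socket)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn, *args), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname(), srv


def send_request(addr, target, method="GET"):
    """Act as the outside client; returns the HTTP status code received."""
    with socket.create_connection(addr) as s:
        s.sendall(f"{method} {target} HTTP/1.1\r\nHost: app\r\nConnection: close\r\n\r\n".encode())
        s.shutdown(socket.SHUT_WR)
        return int(read_head(s).split(b" ", 2)[1])


def demo():
    """Returns (status codes seen by the client, request lines that reached the backend)."""
    seen = []
    backend_addr, backend_srv = serve(backend_handler, seen)
    bastion_addr, bastion_srv = serve(bastion_handler, backend_addr)
    try:
        codes = [
            send_request(bastion_addr, "/orders?id=42"),                # clean: proxied inward
            send_request(bastion_addr, "/orders?id=42'%20OR%201=1--"),  # SQLi: dropped at the bastion
            send_request(bastion_addr, "/orders", method="DELETE"),     # method outside policy
        ]
    finally:
        backend_srv.close()
        bastion_srv.close()
    return codes, seen
```

Calling demo() returns the client's view ([200, 403, 403]) alongside the backend's view, which contains only the one clean request line: the two rejected requests were answered by the bastion and never generated an inside connection at all. A real bastion proxy would additionally terminate TLS, enforce header and body limits, and log every rejection, but the structural point is the same two-connection design.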
