- Bastion host
A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attack. The computer hosts a single application, for example a proxy server, and all other services are removed or restricted so that the host exposes as little attack surface as possible. It is hardened in this way primarily because of its location and purpose: it sits either outside the firewall or in the DMZ, and it is usually reachable from untrusted networks or computers.
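As an added example (not part of the original article), the following POSIX shell script audits a host's listening services against the single-application rule described above: every listener that is not on an explicit allowlist is reported as a finding. The allowlist (an HTTP proxy on TCP 3128 plus SSH on TCP 22) and the sample listener list are constructed assumptions for this example, not values taken from the article.

```shell
#!/bin/sh
# Added example, not from the original article: audit a host's listening
# services against the bastion-host rule that only one application (plus a
# management channel) may be exposed.
#
# Assumptions (constructed for this example, not from the article):
#   - the bastion host runs an HTTP proxy on TCP 3128 and SSH on TCP 22;
#   - SAMPLE_LISTENERS stands in for live "proto local-address" lines, such
#     as `ss -Hltun | awk '{print $1, $5}'` would produce on a real host.

# Allowlist: one "proto port" per line.
ALLOWED='tcp 22
tcp 3128'

# Constructed sample of what a host reports as listening. The SMTP (25) and
# portmapper (111) entries are the kind of leftover services a bastion host
# should have had removed.
SAMPLE_LISTENERS='tcp 0.0.0.0:22
tcp 0.0.0.0:3128
tcp 127.0.0.1:25
udp 0.0.0.0:111'

# audit_listeners LISTENERS ALLOWED
# Prints one line per listener that is not on the allowlist.
# Returns 0 when nothing unexpected is listening, 1 otherwise.
audit_listeners() {
    listeners=$1
    allowed=$2
    findings=0
    # A here-document (not a pipe) keeps the loop in the current shell, so
    # the findings counter survives the loop in POSIX sh.
    while read -r proto addr; do
        [ -z "$proto" ] && continue
        port=${addr##*:}          # strip everything up to the last colon
        if printf '%s\n' "$allowed" | grep -qx "$proto $port"; then
            continue
        fi
        printf 'unexpected listener: %s %s\n' "$proto" "$addr"
        findings=$((findings + 1))
    done <<EOF
$listeners
EOF
    [ "$findings" -eq 0 ]
}

# count_unexpected LISTENERS ALLOWED -> prints the number of findings.
count_unexpected() {
    audit_listeners "$1" "$2" | grep -c . || :
}

# Demo run on the constructed sample.
if audit_listeners "$SAMPLE_LISTENERS" "$ALLOWED"; then
    echo "OK: only the allowed services are listening"
else
    echo "FAIL: host exposes services beyond its single application"
fi
```

On a real host, replace SAMPLE_LISTENERS with a live capture of listening sockets in the same "proto local-address" form; the allowlist is matched on protocol and port, so a service on an allowed port but the wrong protocol is still reported, which is the behaviour a periodic audit of a bastion host should have.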
Background
The term is generally attributed to Marcus J. Ranum in an article discussing firewalls. In it he defines bastion hosts as "...a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software." (Marcus J. Ranum, [http://www.vtcif.telstra.com.au/pub/docs/security/ThinkingFirewalls/ThinkingFirewalls.html Thinking About Firewalls])

Bastion hosts are related to dual-homed hosts and screened hosts. While a dual-homed host often contains a firewall, it is also used to host other services. A screened host is a dual-homed host that is dedicated to running the firewall.

See also
* demilitarized zone (computing)
* hardening
----
Wikimedia Foundation. 2010.