Bastion host
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the military fortification. The computer generally hosts a single application or process, for example a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily because of its location and purpose: it sits either outside a firewall or inside a demilitarized zone (DMZ), and it usually accepts access from untrusted networks or computers. These computers are also equipped with special networking interfaces to withstand high-bandwidth attacks from the internet.
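The hardening principle above (one exposed service, everything else removed or limited) is something an operator can verify mechanically. The following script is an added example, not part of the original article: it parses the header-less output of `ss -tulnH` on a Linux bastion host, ignores sockets bound only to loopback (unreachable from the untrusted side), and reports any listener that is not on an explicit allowlist. The sample output, the allowlist, and the `Listener`, `parse_ss` and `unexpected_listeners` names are all constructed for this example.

```python
"""Audit a bastion host's listening sockets against an allowlist.

Added example: a bastion host should expose exactly the service it exists
for (the article's examples are a proxy server or load balancer) plus a
tightly controlled management channel, and nothing else.  This script
checks that property from `ss -tulnH` output.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed sample in `ss -tulnH` column order:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      4096            [::]:443           [::]:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:3306       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
"""

# Constructed allowlist: the proxied HTTPS service plus SSH for management.
ALLOWED = {("tcp", 443), ("tcp", 22)}

# Sockets bound only to these addresses are not reachable from the network.
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str    # "tcp" or "udp"
    address: str  # bind address, e.g. "0.0.0.0", "::", "127.0.0.1"
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnH` lines into Listener records (malformed lines skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 addresses ("[::]:443") intact; strip the brackets.
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(listeners: list[Listener], allowed: set[tuple[str, int]]) -> list[Listener]:
    """Return network-reachable listeners whose (proto, port) is not allowlisted."""
    return [
        l for l in listeners
        if l.address not in LOOPBACK and (l.proto, l.port) not in allowed
    ]


def audit_live_host(allowed: set[tuple[str, int]] = ALLOWED) -> list[Listener]:
    """Run `ss -tulnH` on this host and audit the result (Linux with iproute2)."""
    out = subprocess.run(["ss", "-tulnH"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(parse_ss(out), allowed)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; use audit_live_host() on a real bastion.
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(f"UNEXPECTED {l.proto}/{l.port} bound to {l.address}")
```

On the sample, the loopback-only PostgreSQL and chrony sockets are ignored, while the MySQL listener on tcp/3306 and the portmapper on udp/111 are reported as services that should not exist on a single-purpose bastion. Running `audit_live_host()` from a scheduled job and alerting on a non-empty result turns the "all other services are removed" requirement into a continuously checked control.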


Definitions

The term is generally attributed to a 1990 article discussing firewalls by Marcus J. Ranum, who defined a bastion host as "a system identified by the firewall administrator as a critical strong point in the network security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software". It has also been described as "any computer that is fully exposed to attack by being on the public side of the DMZ, unprotected by a firewall or filtering router. Firewalls and routers, anything that provides perimeter access control security can be considered bastion hosts. Other types of bastion hosts can include web, mail, DNS, and FTP servers. Due to their exposure, a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration."


Placement

There are two common network configurations that include bastion hosts. The first requires two firewalls, with the bastion hosts sitting in a DMZ between the outer "outside world" firewall and an inner firewall. Smaller networks often do not have multiple firewalls, so where only one firewall exists, bastion hosts are commonly placed outside it.


Examples

These are several examples of bastion host systems/services:
* DNS (Domain Name System) server
* Email server
* FTP (File Transfer Protocol) server
* Honeypot
* Proxy server
* VPN (Virtual Private Network) server
* Web server


See also

* Jump server

