Bastion host
From Wikipedia, the free encyclopedia
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attack. The computer hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers.
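As an added illustration of the "all other services are removed or limited" rule (example code written for this page, not part of the original article): a small Python check that parses the output of `ss -tlnp` and reports every listening service that is not on a per-port allowlist. The sample `ss` output and the allowlist are constructed for a hypothetical SSH-only bastion.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output for a hypothetical bastion that
# should expose only SSH, but also carries a stray web and database listener.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1301,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1410,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed policy for the sample host: port -> the one process allowed on it.
ALLOWED_LISTENERS: Dict[int, str] = {22: "sshd"}

# One LISTEN row: state, queues, local addr:port, peer addr:port, process.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local_address, port, process) for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return listeners


def unexpected_listeners(ss_output: str, allowed: Dict[int, str] = ALLOWED_LISTENERS):
    """Listeners not covered by the allowlist: services that should have been
    removed or limited. Loopback-only listeners are reported as well, since a
    single-purpose host should not be running them at all."""
    return [l for l in parse_listeners(ss_output) if allowed.get(l[1]) != l[2]]


if __name__ == "__main__":
    for addr, port, proc in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proc} on {addr}:{port}")
```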
Background
The term is generally attributed to Marcus J. Ranum in an article discussing firewalls. In it he defines bastion hosts as
...a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.
—Ranum, Marcus J., Thinking About Firewalls
Bastion hosts are related to dual-homed hosts and screened hosts. While a dual-homed host often contains a firewall, it is also used to host other services. A screened host is a dual-homed host that is dedicated to running the firewall.