A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server

Proxy server

In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...

, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ

Demilitarized zone (computing)

In computer security, a DMZ is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet...

 and usually involves access from untrusted networks or computers.

Background

The term is generally attributed to Marcus J. Ranum

Marcus J. Ranum

Marcus J. Ranum is a computer and network security researcher and industry leader. He is credited with a number of innovations in firewalls, including building the first Internet email server for the whitehouse.gov domain, and intrusion detection systems...

 in an article discussing firewalls. In it he defines bastion hosts as

Definition

A bastion host is a computer that is fully exposed to attack. The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system. Indeed the firewalls and routers can be considered bastion hosts. Due to their exposure a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration. Other types of bastion hosts include web, mail, DNS, and FTP servers.

Placement

There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall, and an inside firewall, in a demilitarized zone (DMZ

Demilitarized zone (computing)

In computer security, a DMZ is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet...

). Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.

Bastion hosts are related to multi-homed hosts and screened hosts. While a dual-homed

Dual-homed

In firewall technology, dual-homed is one of the firewall architectures for implementing preventive security. It provides the first-line defense and protection technology for keeping untrusted bodies from compromising information security by violating trusted network space.A dual-homed host is a...

 host often contains a firewall it is also used to host other services as well. A screened host is a dual-homed host that is dedicated to running the firewall.
Bastion server can also be set up using ProxyCommand with OpenSSH.

Examples

These are several examples of bastion host systems/services:

• Web server
  Web server
  Web server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
  
  
• DNS (Domain Name System)
  Domain name system
  The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
  
   server
• Email
  Email
  Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
  
   server
• FTP (File Transfer Protocol)
  File Transfer Protocol
  File Transfer Protocol is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and utilizes separate control and data connections between the client and server...
  
   server
• Proxy server
  Proxy server
  In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
  
  
• Honeypot
  Honeypot (computing)
  In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems...
  
  
• VPN (Virtual Private Network)
  Virtual private network
  A virtual private network is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network....
  
   server
• Deep-Secure Bastion

Best Practices

Because bastion hosts are particularly vulnerable to attack, due to the level of required access with the outside world to make them useful, there are several best practice suggestions to follow:

• Disable or remove any unneeded services or daemons
  Daemon (computer software)
  In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user...
  
   on the host.
• Disable or remove any unneeded user accounts.
• Disable or remove any unneeded network protocols.
• Configure logging and check the logs for any possible attacks.
• Run an intrusion detection system on the host.
• Patching the operating system with the latest security updates.
• Lock down user accounts as much as possible, especially root or administrator accounts.
• Close all ports that are not needed or not used.
• Use encryption
  Encryption
  In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
  
   for logging in to the server.

See also

• Demilitarized Zone
• Hardening (computing)
• Firewall (computing)
  Firewall (computing)
  A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
  
  
• Proxy Server
  Proxy server
  In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...