Bastion host
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily because of its location and purpose: it sits either outside the firewall or in the DMZ and usually accepts access from untrusted networks or computers.
Background
The term is generally attributed to Marcus J. Ranum in an article discussing firewalls. In it he defines bastion hosts as
...a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.[1]
Definition
It is a system identified by the firewall administrator as a critical strong point in network security. A bastion host is a computer that is fully exposed to attack. The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system. Indeed, firewalls and routers can themselves be considered bastion hosts. Because of their exposure, a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration. Other types of bastion hosts include web, mail, DNS, and FTP servers.[2]
Placement
There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall, and an inside firewall, in a demilitarized zone (DMZ). Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.[3]
Bastion hosts are related to multi-homed hosts and screened hosts. While a dual-homed host often contains a firewall, it is also used to host other services. A screened host is a dual-homed host that is dedicated to running the firewall. A bastion server can also be set up using ProxyCommand with OpenSSH.[4]
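As an added illustration of the OpenSSH ProxyCommand setup mentioned above (this is example code, not from the article or from the cited blog post), the script below emits a client-side ssh_config stanza that routes connections to internal hosts through the bastion, and builds the equivalent one-off command line. The host names "bastion.example" and "*.internal.example" and the user "ops" are placeholders; "ssh -W %h:%p" is OpenSSH's built-in stdio forwarding (OpenSSH 5.4 and later), and ProxyJump is the newer shorthand (OpenSSH 7.3 and later).

```shell
#!/bin/sh
# Added example (not from the article): reaching an internal host through
# a bastion with OpenSSH. All host and user names below are placeholders.

BASTION="bastion.example"     # the exposed host in the DMZ (placeholder)
BASTION_USER="ops"            # account used on the bastion (placeholder)

# Emit a ~/.ssh/config stanza. Connections to any *.internal.example host
# are tunnelled through the bastion: the outer ssh runs "ssh -W %h:%p" on
# the client, which forwards its stdin/stdout to the target host and port
# via the bastion, so nothing like netcat is needed on the bastion itself.
bastion_ssh_config() {
    cat <<EOF
Host $BASTION
    User $BASTION_USER
    # Only accept the bastion's already-known host key; a mismatch aborts
    # instead of prompting, which is what you want for an exposed host.
    StrictHostKeyChecking yes

Host *.internal.example
    ProxyCommand ssh -W %h:%p $BASTION
    # Newer equivalent (OpenSSH 7.3+): ProxyJump $BASTION
EOF
}

# Build the equivalent one-off command line for a single target without
# running it, so the exact invocation can be inspected (and tested) offline.
ssh_via_bastion_cmd() {
    target="$1"
    printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s" %s\n' "$BASTION" "$target"
}

bastion_ssh_config
ssh_via_bastion_cmd app1.internal.example
```

With the stanza installed in ~/.ssh/config, a plain `ssh app1.internal.example` goes through the bastion; the internal host never needs to be reachable from the untrusted network, and the bastion only ever sees an encrypted, end-to-end SSH session pass through it.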
Examples
The following are several examples of bastion host systems and services:
- DNS (Domain Name System) server
- Email server
- FTP (File Transfer Protocol) server
- Honeypot
- Proxy server
- VPN (Virtual Private Network) server
- Web server
Best Practices
Because bastion hosts must be reachable from the outside world to be useful, they are particularly exposed to attack, so several best practices are recommended:
- Disable or remove any unneeded services or daemons on the host.
- Disable or remove any unneeded user accounts.
- Disable or remove any unneeded network protocols.
- Configure logging and check the logs for any possible attacks.
- Run an intrusion detection system on the host.
- Patch the operating system with the latest security updates.
- Lock down user accounts as much as possible, especially root or administrator accounts.
- Close all ports that are not needed or not used.
- Use encryption for logging into the server.
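To make two of these practices checkable (closing unneeded ports and reviewing accounts that can log in), here is an added audit script that is not part of the article. It works on captured text so it runs offline: the `ss -tlnH` output and /etc/passwd lines embedded below are constructed samples, and the allow-list of one port (SSH only) is an assumption about this particular bastion.

```shell
#!/bin/sh
# Added example, not from the article: an offline audit of two of the best
# practices above (close unneeded ports, lock down unneeded accounts).
# On a real host, pass it the output of `ss -tlnH` and the contents of
# /etc/passwd instead of the constructed samples below.

# Assumption: this bastion is meant to expose SSH only.
ALLOWED_PORTS="22"

# Constructed sample of `ss -tlnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of /etc/passwd lines.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:ops:/home/ops:/bin/bash
guest:x:1001:1001:guest:/home/guest:/bin/sh
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin'

# Print listening TCP ports that are not in ALLOWED_PORTS, one per line,
# sorted numerically; IPv4 and IPv6 listeners on one port are reported once.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $4            # "addr:port"; drop everything up to the last colon
            sub(/.*:/, "", port)
            if (!(port in ok) && !seen[port]++) print port
        }' | sort -n
}

# Print accounts whose login shell can actually start a session, i.e. whose
# shell is neither nologin nor false. Each name printed should be justified.
login_capable_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }'
}

# Combine both checks into a report; return 1 when an unexpected listener
# was found so the script can gate a build or deployment pipeline.
audit_report() {
    ports=$(unexpected_listeners "$1")
    accounts=$(login_capable_accounts "$2")
    findings=0
    if [ -n "$ports" ]; then
        echo "Listening ports outside the allow-list ($ALLOWED_PORTS):"
        echo "$ports" | sed 's/^/  /'
        findings=1
    fi
    echo "Accounts with a usable login shell (review each):"
    echo "$accounts" | sed 's/^/  /'
    [ "$findings" -eq 0 ]
}

audit_report "$SAMPLE_SS" "$SAMPLE_PASSWD" || echo "Audit found unexpected listeners."
```

On the sample data the report flags ports 25 and 80 (a local-only mail listener and a web server that an SSH-only bastion has no reason to run) and lists root, ops and guest as accounts that can still log in; the guest account with an interactive shell is exactly the kind of leftover the "disable or remove any unneeded user accounts" item is about.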
References
- "Thinking about firewalls". Vtcif.telstra.com.au. 1990-01-20. Retrieved 2012-01-19.
- "Intrusion Detection FAQ: What is a bastion host?". SANS. Retrieved 2012-01-19.
- "Building a Bastion Host Using HP-UX 11". Secinf.net. 2002-10-16. Retrieved 2012-01-19.
- "Using ProxyCommand with OpenSSH and a Bastion server | Chmouel's Blog". Chmouel.com. 2009-02-08. Retrieved 2012-01-19.