Bastion host






From Wikipedia, the free encyclopedia
 


A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the bastion, a military fortification. The computer generally hosts a single application or process, for example, a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or inside of a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. These computers are also equipped with special networking interfaces to withstand high-bandwidth attacks through the internet.
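
The "single application, all other services removed or limited" property can be checked mechanically. The following is an added example, not part of the original article: it parses `ss -H -tulnp` output on a Linux host and reports every listener that is reachable off-host and not on an allow-list. The sample output is constructed, and the policy (SSH on tcp/22 only) is an assumption made for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=640,fd=7))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=410,fd=13))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=500,fd=6))
tcp   LISTEN 0      511             [::]:8080         [::]:*    users:(("node",pid=1200,fd=20))
"""

# Assumed policy: this bastion exists only to accept SSH on tcp/22.
ALLOWED = {("tcp", 22)}

PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in the users:(...) column

def parse_listeners(ss_output):
    """Yield (proto, address, port, process) for each socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        m = PROC_RE.search(line)
        yield fields[0], addr, int(port), m.group(1) if m else "?"

def is_loopback(addr):
    if addr == "*":  # wildcard bind: reachable from other hosts
        return False
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output, allowed=ALLOWED):
    """Return listeners that are reachable off-host and not in the allow-list."""
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_output):
        if is_loopback(addr) or (proto, port) in allowed:
            continue
        findings.append((proto, addr, port, proc))
    return findings

if __name__ == "__main__":
    for proto, addr, port, proc in audit(SAMPLE_SS):
        print(f"unexpected listener: {proto}/{port} on {addr} ({proc})")
```

Loopback-only listeners are skipped because they are not exposed to untrusted networks; on a strictly minimized host they would still be candidates for removal.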

Definitions


The term is generally attributed to a 1990 article discussing firewalls by Marcus J. Ranum, who defined a bastion host as "a system identified by the firewall administrator as a critical strong point in the network security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software".[1]

It has also been described as "any computer that is fully exposed to attack by being on the public side of the DMZ, unprotected by a firewall or filtering router. Firewalls and routers, anything that provides perimeter access control security can be considered bastion hosts. Other types of bastion hosts can include web, mail, DNS, and FTP servers. Due to their exposure, a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration".[2]

Placement


There are two common network configurations that include bastion hosts. The first requires two firewalls, with bastion hosts sitting in a DMZ between the first "outside world" firewall and an inside firewall.[3]: 33 Smaller networks often do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.[4]

Use cases


Though securing remote access is the main use case of a bastion server, there are a few more use cases of a bastion host such as:[5]

Examples


These are several examples of bastion host systems/services:

See also


References

  1. "Thinking about firewalls". Vtcif.telstra.com.au. 1990-01-20. Archived from the original on 2020-01-05. Retrieved 2012-01-19.
  2. Ronald L. Krutz; Russell Dean Vines (May 2003). The CISM Prep Guide: Mastering the Five Domains of Information Security Management. Wiley. p. 12. ISBN 978-0-471-45598-1.
  3. R. Shirey (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi:10.17487/RFC4949. RFC 4949. Informational.
  4. Steves, Kevin (October 16, 2002). "Building a Bastion Host Using HP-UX 11". WindowsSecurity.com. Archived from the original on July 8, 2017. Retrieved July 20, 2021.
  5. "Alternative Use Cases for a Bastion Host". Adaptive.live. Adaptive.

  • Retrieved from "https://en.wikipedia.org/w/index.php?title=Bastion_host&oldid=1225754367"




    This page was last edited on 26 May 2024, at 14:04 (UTC).
