A bastion host is a computer designed to withstand attacks. It hosts a single application, such as a proxy server, which serves as a gateway between the internal network and the Internet.
A bastion host can repel attacks because it runs only that one application while all other services are removed or reduced. It is hardened because it usually sits on the firewall or outside it, where untrusted computers or networks can reach it. Even so, it does not put the other systems in the internal network at risk.
A bastion host is often customized to protect an intranet or internal network. It lies outside the network and only serves as a line of communication from inside out. In cases where a bastion host serves as a honeypot, it attracts attacks so their sources can be traced and consequently blocked.
How Bastion Hosts Work
- Every network service that is not needed for the bastion host to run is disabled. The only thing it does is allow internal computers to gain Internet access. So, bastion hosts do not have user accounts. That way, no one can log into it and take control of it to gain access to the intranet. Even the Network File System (NFS), which lets a computer access files in a network remotely, should be disabled so that intruders can’t use the bastion host to extract data from the intranet. The best place to put a bastion host is on its own subnet or its own network on an intranet firewall. Even if it is hacked, no other intranet resources could be compromised.
- Bastion hosts log all activity, so network administrators can tell if the intranet is under attack. They often keep two copies of system logs. That way if one is destroyed or tampered with, the other is still available as a backup. One way to keep a secure copy of the log is to connect the bastion server via a serial port to a dedicated computer, whose only purpose is to keep track of the secure backup log.
- A bastion host has an automated monitor or a sophisticated program that regularly checks its system logs and sends an alarm if it finds a suspicious pattern. An example would be someone attempting more than three unsuccessful logins.
- Users can place a filtering router between the bastion host and the intranet for additional security. The filtering router can check all packets between the Internet and the intranet while dropping unauthorized traffic.
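As an added illustration of the automated log monitor described above (this is example code, not part of the original page), the following Python script scans constructed sshd-style log lines and raises an alert when a single source exceeds three failed logins within a five-minute sliding window; the log format, the window length and the year used for the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (syslog style, assumed format; not from the page).
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:05 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:09 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:12 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:30:44 bastion sshd[2290]: Failed password for ops from 198.51.100.5 port 40110 ssh2
Mar 10 02:31:02 bastion sshd[2290]: Accepted publickey for ops from 198.51.100.5 port 40110 ssh2
Mar 10 03:05:00 bastion sshd[2301]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_ts(stamp, year=2024):
    # Syslog timestamps carry no year; assume one so lines can be ordered.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: failure_count} for sources that exceed `threshold`
    failed logins within any span of length `window` (sliding window)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("src")].append(parse_ts(m.group("ts")))
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start so that times[start..end] fits in `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts

if __name__ == "__main__":
    for src, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins from {src} within 5 minutes")
```

On the sample above only 203.0.113.7 trips the alarm; the single failures from the other two sources stay below the threshold.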
In sum, a bastion host does not allow direct access to and from the intranet to the Internet. Every time a computer connected to the intranet accesses the Internet, it sends the request to the bastion host. The bastion host then gets the results. These results pass through the firewall, which checks if they are safe to send to the intranet-connected system. Only when the data passes the security check can the computer asking for it get it. In a sense, none of the internal IP addresses show up outside the network. Any external user will only find the bastion host’s IP address, adding a layer of protection to the intranet.