What is a Bastion Host?

A bastion host is the public face of an internal computer system or network to the Internet and is used to protect sensitive or private data and internal networks. It is one computer or more, depending upon the size of the system and complexity of the security protocols, that is designated as the only host computer that can be addressed directly from a public network. Bastion hosts are designed specifically to screen the remainder of the computer network from being exposed to attack or other breaches of security from the outside. The bastion host is not a general-purpose computer but, instead, it is a special-purpose computer that must be specifically configured to withstand outside attack.

Typically, a network administrator will configure a bastion host to have only a single application, such as a proxy server, on the machine, because it is completely exposed to larger distrusted networks such as the Internet. All other applications, unnecessary services, programs, protocols and network ports are removed or disabled in such a way as to lessen threats to the bastion host. Even with trusted hosts within the computer network, bastion hosts will not share authentication services. This is done so that, even if the bastion is compromised, an intruder will not gain further access into the system that the bastion was designed to protect.

In order to be useful, a bastion host has to have some level of access by outside networks but, at the same time, this access makes it especially vulnerable to attack. To minimize vulnerability, hardening is done so that possible ways of attack are limited. A network administrator, as part of the hardening process, will do such things as remove or disable unnecessary user accounts, lock down root or administrator accounts, close ports that aren’t used and configure logging to include encryption when signing onto the server. The operating system will be updated with the latest security updates, and an intrusion detection system also might be run on the bastion host.

Bastion hosts are used for such services as mail hubs, web site hosting, file transfer protocol (FTP) servers and firewall gateways. A network administrator might also use this type of host as a proxy server, virtual private network (VPN) server or domain name Ssystem (DNS) server. The name "bastion" is taken from medieval history. For increased protection, fortresses were built with projections, called bastions, that allowed men to mass behind them and shoot arrows at attackers from a position of greater security.