What’s a Bastion Host?

A bastion host is a computer system that protects sensitive data and internal networks from external attacks. It is specifically configured to resist attack and runs only the applications it needs. It is hardened to minimize its exposure, and it can be used for services such as mail hubs, website hosting, and firewall gateways.

A bastion host is the public face of an internal computer system or network to the Internet and is used to protect sensitive or private data and internal networks. It consists of one or more computers, depending on the size of the system and the complexity of its security protocols, designated as the only hosts that can be addressed directly from a public network. Bastion hosts are specifically designed to shield the rest of the network from attacks or other security breaches originating outside. A bastion host is not a general-purpose computer; it is a dedicated machine that must be configured specifically to resist external attacks.

Typically, a network administrator will configure a bastion host to run only a single application, such as a proxy server, because the machine is fully exposed to larger untrusted networks such as the Internet. All other unnecessary applications, services, programs, protocols, and network ports are removed or disabled to reduce the threats to the bastion host. The bastion host does not share authentication services even with trusted hosts on the internal network. This is done so that even if the bastion is compromised, an intruder gains no further access to the systems the bastion was designed to protect.

To be useful, a bastion host must be reachable to some degree from external networks, but that same access makes it particularly vulnerable to attack. To minimize the vulnerability, the host is hardened to limit the possible avenues of attack. As part of the hardening process, a network administrator will remove or disable unnecessary user accounts, lock out root or administrator accounts, close ports that are not in use, and enable logging while requiring encrypted connections for logins to the server. The operating system is kept current with the latest security updates, and an intrusion detection system may also run on the bastion host.
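As an added illustration of the hardening steps above (this is example code written for this article, not part of the original text), the following POSIX shell script audits two of them on a constructed input: it checks a remote-login configuration for a locked-out root account, key-only (no password) logins, login logging and an explicit user allowlist, and it compares a listening-port listing against the one or two services the bastion is meant to run. The keywords are real OpenSSH `sshd_config` keywords; the configuration fragments, the port listing and the allowlist are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this article (not the article's own material): audit a
# bastion host against two hardening points from the text. All inputs below
# are constructed; the keywords are OpenSSH sshd_config keywords.

# Constructed sshd_config fragments: a weak one and a hardened one.
WEAK_SSHD='PermitRootLogin yes
PasswordAuthentication yes
LogLevel QUIET'

HARDENED_SSHD='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE
AllowUsers bastion-admin'

# sshd_value CONFIG KEYWORD: print the first value set for KEYWORD.
# sshd honours the first occurrence; keywords are case-insensitive.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'tolower($1) == tolower(key) { print $2; exit }'
}

# check_sshd CONFIG: print one FAIL line per weak setting and return 0 only
# when every check passes. A missing keyword counts as a failure so that the
# hardened state is explicit instead of relying on compiled-in defaults.
check_sshd() {
    cfg="$1"
    rc=0
    if [ "$(sshd_value "$cfg" PermitRootLogin | tr '[:upper:]' '[:lower:]')" != "no" ]; then
        echo "FAIL PermitRootLogin must be 'no' (root account locked out)"
        rc=1
    fi
    if [ "$(sshd_value "$cfg" PasswordAuthentication | tr '[:upper:]' '[:lower:]')" != "no" ]; then
        echo "FAIL PasswordAuthentication must be 'no' (key-based login only)"
        rc=1
    fi
    case "$(sshd_value "$cfg" LogLevel | tr '[:lower:]' '[:upper:]')" in
        INFO|VERBOSE) ;;
        *) echo "FAIL LogLevel must be INFO or VERBOSE (logins are recorded)"
           rc=1 ;;
    esac
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "FAIL AllowUsers should restrict which accounts may log in"
        rc=1
    fi
    return "$rc"
}

# Constructed listing in the shape "proto local-address", as a tool such as
# `ss -ltn` would show it. This bastion is meant to run only SSH (22) and a
# proxy (3128); the mail daemon on 25 is the kind of leftover service the
# article says should be removed or disabled.
LISTENING='tcp 0.0.0.0:22
tcp 0.0.0.0:3128
tcp 127.0.0.1:25
tcp [::]:22'
ALLOWED_PORTS='22 3128'

# unexpected_ports LISTING ALLOWED: print each listening port not in ALLOWED
# (loopback listeners count too: an unneeded daemon is still exposure) and
# return 1 if any were found, 0 otherwise.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $2
            sub(/.*:/, "", port)          # strip the address part, keep the port
            if (!(port in ok) && !seen[port]++) { print port; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Stand-alone run: report on the weak configuration and the port listing.
check_sshd "$WEAK_SSHD" || echo "weak sshd_config: not hardened"
check_sshd "$HARDENED_SSHD" && echo "hardened sshd_config: all checks pass"
unexpected_ports "$LISTENING" "$ALLOWED_PORTS" || echo "unexpected listening ports found (above)"
```

Run against a real host, the same two functions would take `sshd -T` output (which prints the effective configuration one keyword per line) and the address column of `ss -ltn`; the allowlist is the short list of services the bastion exists to provide, and anything else it reports is a candidate for removal.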

Bastion hosts are used for services such as mail hubs, website hosting, file transfer protocol (FTP) servers, and firewall gateways. A network administrator might also use this type of host as a proxy server, virtual private network (VPN) server, or domain name system (DNS) server. The name “bastion” is taken from medieval history. For added protection, fortresses were built with ledges, called ramparts, which allowed defenders to mass behind them and shoot arrows at attackers from a more secure position.
