A Bastion Host (BH) is a computer on a network perimeter which is running a hardened Operating System (OS). This protection includes patches, authentication, encryption, and eliminates unnecessary software and services (Weaver, Weaver, Farwood, & Weaver, 2012).
Weaver et al.’s (2012) provides the following list of BH characteristics:
- A machine with adequate memory and processor speed.
- All patches up to date.
- BH fits the network configuration and is in a secured controlled physical environment.
- Only necessary services installed. All other services disabled or uninstalled.
- Service accounts such as the administrator account are removed or disabled. Administrative privileges should be given to another created account.
- Machine is backed up to include configuration and log files.
- Regular security audits.
- Connected to the network.
BH’s are usually located outside the internal network and used with packet filtering devices such as routers and firewalls. on either side. This helps protect the BH from attack because packets are filtered before they reach the BH (Weaver et al., 2012).
Dillard (n.d.) states that BH’s typically host web, mail, DNS, and FTP services, and are configured differently from other computers and servers. Each BH fulfills a specific role, all unnecessary services, protocols, programs, and network ports are disabled or removed. A BH does not share authentication services with trusted hosts within the network so that if a BH is compromised the intruder will not have unrestricted access. In addition to other hardening already mentioned, Access Control Lists (ACLs) will be modified on the file system and other system objects. Logging of all security related events need to be enabled and steps need to be taken to ensure the integrity of the logs so that a successful intruder is unable to erase evidence of a breach.
References
Dillard, K. (n.d.). IDFAQ: What is a bastion host? Retrieved April 3, 2017, from https://www.sans.org/security-resources/idfaq/what-is-a-bastion-host/2/11.
Weaver, R., Weaver, D., Farwood, D., & Weaver, R. (2012). Guide to Network Defense and Countermeasures (3rd ed.). Boston, MA: Course Technology, Cengage Learning.
