The classic definition of a bastion is a tower which protrudes from the wall
of a castle. Bastions were typically placed at the ends of outer curtain
walls and provided the initial defense of the castle proper. If the bastion
or the wall were breached an attacker would generally have access to an
outer courtyard (DMZ anyone?) but one would still need to breach the inner
walls to actually be in a position to take the castle proper. Positioning of
bastions also tended to provide the defenders a significant killing field
that the attackers were in while attempting to breach the walls/bastions,
but that isn't really too germane...

Taking that definition, a bastion host is any system which is subject to
direct attack/access (the bastion wall, if you will) but which is physically
separate from the internal network (the castle proper, if you will). Some
generic examples of bastion hosts are perimeter routers, firewalls, and
devices residing on DMZs. In practice, a bastion host can be simply defined
as any device through which internal<->external communication must occur.
For example, the router connecting to an ISP can be considered a bastion
host between the outside world and the network beyond the router. A firewall
can be considered a bastion host between the outer world and the DMZ(s) and
internal network(s). 

More involved definitions of bastion hosts extend the definition to
requiring that bastion hosts prevent direct communications from occurring,
that the communications be proxied instead. An application level gateway
(ALG), for example an SMTP proxy, can be considered a bastion host by both
definitions. If the ALG is built into the firewall, then the above example
of a firewall holds true, though more secure. If the ALG resides on the DMZ
though, it could be considered a bastion host between the outside world and
the internal network. For firewalls with multiple interfaces, if the
outside, inside and DMZ are on separate interfaces, the firewall could be
considered a bastion host yet again between the DMZ (and thus the ALGs
residing there) and the internal network, potentially requiring
communications to traverse 3 bastion hosts (firewall, ALG then
firewall again) before being permitted to the inside network. An item of
note is that one may have multiple bastion hosts (an SMTP proxy, an HTTP
proxy, etc.) and that bastion hosts may reside at multiple levels of the
security perimeter design (i.e. the firewall acting as a bastion between the
world and the DMZ then an ALG again acting as a bastion between the world
and the inside).

In a well-designed network, yes, someone attempting to surf the net *should*
pass through a bastion host. Now whether that should be a proxy of some sort
or not is subject to some debate, but I would recommend that a proxy be used
if for no reason other than the caching benefits it can provide to large
environments. As for how this works, it tends to be through a process of
NAT/PAT and application proxying. 

Anyway, there is one more definition to add to the list :-)

HTH

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS 
Senior QA Rep. 
BMC Software, Inc. 
(713) 918-2412 
[EMAIL PROTECTED] 
http://www.bmc.com 



> -----Original Message-----
> From: ks Quah [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 10, 2001 06:29
> To: [EMAIL PROTECTED]
> Subject: What is a bastion host
> 
> 
> Hi,
>       How does a bastion host work?
> Does all the traffic go through it before going to the 
> internet network?
> What happens if someone from the internal network wants to 
> surf the net...
> 
> Does he have to pass the bastion host before going onto the net?
> 
> Thanks
> Quah
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
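The three-interface firewall with an ALG on the DMZ that the reply describes, modelled as an added example (not code from the thread or from any product named in it): a small zone-based policy check that reports whether an inside web client's traffic has to cross firewall, ALG and firewall again, or whether a permissive rule lets it bypass the proxy entirely. The zone names, the rule format, the proxy port 3128 and both rulesets are constructed assumptions.

```python
# Constructed zone/rule model of the design in the reply: a firewall with
# separate outside, DMZ and inside interfaces and a proxy (ALG) on the DMZ.
# Zone names, ports and rule syntax are illustrative, not a real firewall's.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None = any destination port
    action: str               # "permit" or "deny"

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_port in (None, dst_port)):
            return r.action
    return "deny"

def egress_path(rules: List[Rule], proxy_port: int, web_port: int = 80) -> List[str]:
    """Return the bastion hosts an inside web client crosses to reach the
    outside. A direct permit wins (and bypasses the ALG); otherwise the
    proxied route needs inside->DMZ proxy and DMZ->outside to be permitted.
    Returns [] when no route is permitted at all."""
    if evaluate(rules, "inside", "outside", web_port) == "permit":
        return ["firewall"]                      # direct: ALG is bypassed
    if (evaluate(rules, "inside", "dmz", proxy_port) == "permit"
            and evaluate(rules, "dmz", "outside", web_port) == "permit"):
        return ["firewall", "alg", "firewall"]   # the three-bastion path
    return []

def proxy_only_egress(rules: List[Rule], proxy_port: int) -> bool:
    """True only if web egress is forced through the DMZ proxy."""
    return egress_path(rules, proxy_port) == ["firewall", "alg", "firewall"]

# Weak (constructed): inside may reach anything outside, so the firewall is the
# only bastion actually traversed and the ALG is optional.
WEAK = [Rule("inside", "outside", None, "permit"),
        Rule("dmz", "outside", 80, "permit")]

# Hardened (constructed): inside may only reach the proxy port on the DMZ, and
# only the DMZ may originate web traffic to the outside.
HARDENED = [Rule("inside", "dmz", 3128, "permit"),
            Rule("inside", "outside", None, "deny"),
            Rule("dmz", "outside", 80, "permit"),
            Rule("dmz", "outside", 443, "permit")]

if __name__ == "__main__":
    print("weak path:", egress_path(WEAK, 3128))
    print("hardened path:", egress_path(HARDENED, 3128))
```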
