Thread: Bastion Host - Some Confusion?

  1. #1
    Junior Member (Join Date: Nov 2005, Posts: 19)

    Bastion Host - Some Confusion?

    Well, this might seem a stupid question, but I am confused on this.
    I have been reading about firewalls and their deployment architecture,
    and the term bastion host comes up a lot.
    What I'm not able to understand is that in a screened subnet architecture, does the bastion host act as a reverse proxy,
    and is the link from the router connected to a bastion host and then a link from the bastion host to the subnet having servers, or is the link from the router connected to the subnet hosting servers and the bastion host is also placed in there itself, connected with the switch that also connects the servers?

    And if we are placing a firewall, then does the bastion host also perform some functioning of a firewall or not?

  2. #2
    Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    Look at the meaning of the word bastion.

    1 : a projecting part of a fortification
    2 : a fortified area or position
    3 : something that is considered a stronghold

    That should provide enough clues as to what a bastion host is and does..

    So, yes, you would connect the router to the bastion host. The bastion host screens all in- and outgoing traffic to the server subnet.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member (Join Date: Apr 2006, Posts: 21)
    I've done a bit of research and all I can manage to find is this http://www.bitd.clrc.ac.uk/Activity/BastionServer Hope it helps :P
    This ain't about me, I'm better than you'll ever be. You don't concern me, I know you'll never get to me. You want a shot? I can take your best, bring it on. - Slayer
    Gentoo Linux

  4. #4
    Junior Member (Join Date: Nov 2005, Posts: 19)
    So at which layer of OSI does the bastion host do the screening? Is it at the application layer? If yes, then what is the difference between a proxy and a bastion host?
    And if one looks at the network image at this link http://www.answers.com/topic/bastion-host
    Here the bastion host is sitting in the DMZ, and what I understand of the network architecture shown is: from the external router a wire goes to a switch, and from this switch a wire goes to the web server, another to the mail server, etc., another to the bastion host, and another to the internal router. And this type is mentioned as screened subnet. So according to this architecture, if the web server is to be accessed, the request will first go to the bastion host (BH), and then it will be forwarded to the server. That means the IP of the web server advertised to the outer world will in reality be the IP of the BH.
    And if the BH is compromised, then all data coming from the internal network can be sniffed from the switch. So would it not have been better if a 3-interface router had been put up instead of 2 routers? Of the 3 interfaces, one goes to the DMZ, one to the external world and the last to the internal network.
    You can close your eyes to what you do not want to see,
    But you cannot close your heart to what you do not want to feel.

  5. #5
    Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    A BH works on layer 7.. Traffic flows from the Internet through a firewall (layer 3/4 filtering) to a BH. The BH filters on layer 7 and basically proxies the requests to the web, mail or FTP server. A firewall prevents access from the DMZ (BH) to the internal network. The BH is a hardened server that uses proxies. If your BH gets 0wn3d you're screwed anyway.. So you need to make sure it's sufficiently hardened..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
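
The two-tier design described in reply #5 (a layer 3/4 screening firewall in front of the DMZ, a bastion host doing layer 7 proxying inside it) and the three-interface variant asked about in post #4 can be modelled as a small policy engine. The following is an added example written for this thread, not code from any poster; every address, hostname and port is constructed, and the rule set, `screen()` and `bastion_forward()` names are this example's own. `screen()` is the screening firewall's first-match policy over zones, and `bastion_forward()` is the layer 7 step: the bastion parses each HTTP request itself and forwards only a rebuilt, well-formed request to the DMZ server named by its Host header, which is what makes the bastion's address the one the outside world sees.

```python
"""Model of a screened subnet: layer-3/4 screening firewall plus the
layer-7 checks a bastion host applies before proxying into the DMZ.
Added example; all addresses and hostnames are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (documentation and private ranges, not a real site).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),     # bastion host and DMZ servers
    "internal": ip_network("10.0.0.0/8"),  # the protected internal network
}
BASTION = "192.0.2.10"  # the only DMZ address the outside may talk to


def zone_of(addr: str) -> str:
    """Map an IP address to the firewall zone its interface belongs to."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port
    action: str           # "allow" or "deny"
    dst_host: Optional[str] = None  # pin the rule to one destination address

    def matches(self, src_zone, dst_zone, dst_ip, proto, dport) -> bool:
        return (self.src in ("any", src_zone)
                and self.dst in ("any", dst_zone)
                and self.dst_host in (None, dst_ip)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# First-match policy for a three-interface screening firewall. Only new
# connections are evaluated, as a stateful firewall would do; replies to an
# allowed connection are assumed to be tracked by connection state.
POLICY = [
    Rule("external", "dmz", "tcp", 80, "allow", BASTION),   # web, via bastion only
    Rule("external", "dmz", "tcp", 443, "allow", BASTION),
    Rule("external", "dmz", "tcp", 25, "allow", BASTION),   # mail, via bastion only
    Rule("internal", "dmz", "any", None, "allow"),          # staff reach DMZ services
    Rule("internal", "external", "any", None, "allow"),
    Rule("dmz", "internal", "any", None, "deny"),           # DMZ never initiates inward
    Rule("any", "any", "any", None, "deny"),                # default deny
]


def screen(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Layer-3/4 decision for a new connection: 'allow' or 'deny'."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Layer-7 side: the bastion host parses each request and forwards a rebuilt
# copy to the DMZ server selected by the Host header (constructed backends).
BACKENDS = {"www.example.com": "192.0.2.20", "mail.example.com": "192.0.2.30"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def bastion_forward(raw: bytes):
    """Return (backend_ip, sanitized_request) or (None, rejection_reason)."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None, "malformed request line"
    if method not in ALLOWED_METHODS:
        return None, f"method {method} not allowed"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return None, "unsupported version"
    # Only origin-form targets; a '..' path segment is refused outright.
    if not target.startswith("/") or ".." in target.split("/"):
        return None, "bad request target"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None, "malformed header"
        headers[name.strip().lower()] = value.strip()
    backend = BACKENDS.get(headers.get("host", "").lower())
    if backend is None:
        return None, "unknown host"
    # Rebuild the request from parsed fields instead of relaying the raw bytes,
    # so only what the proxy understood (and a short header allow-list) reaches
    # the server; hop-by-hop headers such as Connection are dropped.
    out = f"{method} {target} {version}\r\nhost: {headers['host']}\r\n".encode()
    for name in ("content-type", "content-length"):
        if name in headers:
            out += f"{name}: {headers[name]}\r\n".encode()
    return backend, out + b"\r\n" + body
```

Because the firewall's only external rules point at `BASTION`, a request for the web server from outside is allowed only when addressed to the bastion, and the bastion then chooses the real server from the Host header; the `dmz -> internal` deny rule is the firewall's answer to the compromise scenario in post #4, since a taken-over bastion still cannot open connections inward.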
