So at which layer of OSI does the bastion host do the screening? Is it at the application layer? If yes, then what is the difference between a proxy and a bastion host?
And if one looks at the network image at this link: http://www.answers.com/topic/bastion-host
Here the bastion host is sitting in the DMZ, and what I understand of the network architecture shown is: from the external router a wire goes to a switch, and from this switch a wire goes to the web server, another to the mail server, etc., another to the bastion host, and another to the internal router. This type is mentioned as a screened subnet. So according to this architecture, if the web server is to be accessed, the request will first go to the bastion host (BH), and then it will be forwarded to the server. That means the IP of the web server advertised to the outer world will in reality be the IP of the BH.
And if the BH is compromised, then all data coming from the internal network can be sniffed from the switch. So would it not have been better if a 3-interface router had been put up instead of 2 routers? Of the 3 interfaces, one goes to the DMZ, one to the external world, and the last to the internal network.
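The three-interface screening router proposed at the end of the post, as an added example that is not part of the original post or the linked article: a small Python model of a first-match packet filter with external, DMZ and internal legs. The addresses, rule set and host roles are constructed for illustration; the filter is stateless and does not model reply packets.

```python
from ipaddress import ip_address, ip_network

# Constructed example addressing for the three legs of the screening router
# (assumed values, not taken from the post or the linked diagram).
DMZ = ip_network("192.0.2.0/24")       # web server, mail server, bastion host
INTERNAL = ip_network("10.0.0.0/8")    # internal network
# Anything outside those two ranges is treated as the external world.

# First-match rules: (source leg, destination leg, TCP port or None for any,
# action). Stateless for brevity: reply packets are not modelled.
RULES = [
    ("external", "dmz", 80, "allow"),       # published web server
    ("external", "dmz", 25, "allow"),       # published mail server
    ("internal", "dmz", None, "allow"),     # staff may reach DMZ services
    ("internal", "external", None, "allow"),
    ("dmz", "external", 25, "allow"),       # mail server delivers outbound
    ("dmz", "internal", None, "deny"),      # explicit: no path from the DMZ inward
]


def segment(ip: str) -> str:
    """Map an address to the router leg it sits behind."""
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "external"


def decide(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a new TCP connection (default deny)."""
    s, d = segment(src), segment(dst)
    if s == d:
        # Same leg: traffic never crosses the router, so the router cannot
        # filter it. This is the weakness of one flat switch in the DMZ.
        return "allow"
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src == s and rule_dst == d and rule_port in (None, port):
            return action
    return "deny"


def reachable_from(src: str, targets: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Targets a host could open connections to, used to size the blast
    radius of a compromised DMZ host against the rule set."""
    return [(ip, port) for ip, port in targets if decide(src, ip, port) == "allow"]
```

With these rules a compromised DMZ host is still confined to its own leg and outbound mail, while the internal leg stays unreachable from it; only hosts sharing the DMZ switch remain exposed to each other.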