
How Bastion Hosts Work

Category: Privacy
Published: 12/21/2006, 07:45  
Editor: Security Software Zone
A bastion host is a heavily fortified server that sits inside the firewall, and it is the main point of contact between the intranet and the Internet. By having an isolated, heavily defended server as the main point of contact, the rest of the intranet resources can be shielded from attacks starting on the Internet. Bastion hosts are built so that every network service possible is disabled on them; the only thing the server does is allow for specified Internet access. So, for example, there should be no user accounts on a bastion server, so that no one can log into it, take control of it and then gain access to the intranet. Even the Network File System (NFS), which allows a system to access files across a network on a remote system, should be disabled, so that intruders can't gain access to the bastion server and then get at files on the intranet.

The safest way to use bastion hosts is to put them on their own subnet as part of an intranet firewall. By putting them on their own network, if they are broken into, no other intranet resources are compromised.

Bastion servers log all activity so that intranet administrators can tell if the intranet has been attacked. They often keep two copies of system logs for security reasons: in case one log is destroyed or tampered with, the other log is always available as a backup. One way to keep a secure copy of the log is to connect the bastion server via a serial port to a dedicated computer whose only purpose is to keep track of the secure backup log.

Automated monitors are even more sophisticated programs than auditing software. Automated monitors regularly check the bastion server's system logs and send an alarm if they find a suspicious pattern. For example, an alarm might be sent if someone attempted more than three unsuccessful logins.

There can be more than one bastion host in a firewall. Each bastion host can handle one or more Internet services for the intranet. Sometimes, a bastion host can be used as a victim machine. This is a server that is stripped bare of almost all services except one specific Internet service. Victim machines can be used to provide Internet services that are hard to handle using proxying or a filtering router, or whose security concerns are not yet known. The services are put on the victim machine instead of a bastion host with other services. That way, if the server is broken into, other bastion hosts won't be affected.

Placing a filtering router between the bastion host and the intranet provides additional security. The filtering router checks all packets between the Internet and the intranet, dropping unauthorized traffic.

When a bastion server receives a request for a service, such as sending a Web page or delivering e-mail, the server doesn't handle the request itself. Instead, it sends the request along to the appropriate intranet server. The intranet server handles the request and then sends the information back to the bastion server. The bastion server then sends the requested information to the requester on the Internet.

Some bastion servers include auditing programs, which actively check to see whether an attack has been launched against them. There are a variety of ways to do auditing. One way to audit is to use a checksum program, which checks to see whether any software on the bastion server has been changed by an unauthorized person. A checksum program calculates a number based on the size of an executable program on the server. It then regularly recalculates the checksum to see if it has changed. If it has changed, someone has altered the software, which could signal an attack.
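The automated monitor described above (alarm on more than three unsuccessful logins) can be implemented as a sliding-window count over the bastion host's authentication log. This is an added example, not code from the article; it assumes syslog-style sshd lines, and the sample log, host name, users and addresses are constructed.

```python
"""Automated log monitor for a bastion host (added example, not from the
article). Alarms when one source exceeds `threshold` failed logins inside
a sliding time window; the log lines below are constructed samples."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the format OpenSSH's sshd writes to syslog.
SAMPLE_LOG = """\
Dec 21 07:40:01 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 21 07:40:03 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 21 07:40:05 bastion sshd[2103]: Failed password for root from 198.51.100.7 port 40130 ssh2
Dec 21 07:40:09 bastion sshd[2105]: Failed password for root from 198.51.100.7 port 40131 ssh2
Dec 21 07:41:00 bastion sshd[2110]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2
Dec 21 07:55:00 bastion sshd[2120]: Failed password for root from 203.0.113.5 port 41000 ssh2
Dec 21 08:20:00 bastion sshd[2130]: Failed password for root from 203.0.113.5 port 41001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

def find_brute_force(log_text, threshold=3, window=timedelta(minutes=10), year=2006):
    """Return (source, failure count, time) for each source whose failed
    logins within any `window` exceed `threshold`; one alarm per source."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alarmed = set()
    alarms = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:                  # successful logins and other lines are ignored
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) > threshold and m["src"] not in alarmed:
            alarmed.add(m["src"])
            alarms.append((m["src"], len(q), ts))
    return alarms

if __name__ == "__main__":
    for src, n, when in find_brute_force(SAMPLE_LOG):
        print(f"ALARM {when:%b %d %H:%M:%S}: {n} failed logins from {src}")
```

The two failures from 203.0.113.5 are 25 minutes apart, so they never accumulate inside the window and raise no alarm.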
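The checksum audit described above, as an added example that is not the article's own code: it records a baseline fingerprint for every file on the host and later reports what was modified, added or removed. The fingerprint includes a SHA-256 of the file contents, not only its size, because a tamper that keeps the size unchanged would slip past a size-only comparison; the demo scenario, file names and contents are constructed.

```python
"""File-integrity audit for a bastion host (added example, not from the
article). Baseline fingerprints are (size, sha256 of contents)."""
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size, sha256 hex digest) for one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def baseline(root):
    """Fingerprint every regular file under `root`, keyed by relative path."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            table[os.path.relpath(p, root).replace(os.sep, "/")] = fingerprint(p)
    return table

def verify(root, table, by_size_only=False):
    """Compare the tree under `root` with a stored baseline and return
    (modified, added, removed) relative paths. `by_size_only` mimics a
    checksum that looks at size alone, to show what it misses."""
    now = baseline(root)
    pick = (lambda fp: fp[0]) if by_size_only else (lambda fp: fp)
    modified = sorted(p for p in table if p in now and pick(now[p]) != pick(table[p]))
    added = sorted(set(now) - set(table))
    removed = sorted(set(table) - set(now))
    return modified, added, removed

def demo():
    """Constructed scenario: a service binary is patched without changing
    its size, and an unexpected file appears. Returns the size-only and
    the hash-based verification results."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        target = os.path.join(root, "bin", "httpd")
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/sbin/httpd-real\n")
        table = baseline(root)           # taken while the host is known-good
        with open(target, "wb") as f:    # same length, one word differs
            f.write(b"#!/bin/sh\nexec /usr/sbin/httpd-evil\n")
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"x")
        return verify(root, table, by_size_only=True), verify(root, table)
```

In practice the baseline table must be stored off the host (or on read-only media), since an intruder who can alter binaries can also rewrite a baseline kept beside them.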