A bastion host is a server placed between the public internet and a company’s private network. It enhances security by allowing access only to specific, authorized users.
If you know about jump servers, you’ll recognize this remote access security concept. If not, you will by the end of this article.
Understanding how bastion hosts work, what types exist, and what they need in terms of security will help you tell them apart from related tools such as firewalls and jump servers.
Key takeaways:
- using a firewall doesn’t exclude using a bastion host
- configuring a bastion server correctly needs high skills and extra care
- bastion hosts can be vulnerable to brute force, Man-in-the-Middle, or DDoS attacks
- a Privileged Account and Session Management solution is a safer, easier-to-use alternative to bastion host servers
How does a bastion host work?
Imagine a random user on the internet trying to get remote access to a database on a company’s intranet. Just like the guard of a medieval tower, the bastion host will ask the visitor to authenticate their identity.
The bastion host does not decide which users are on the approved list. Its job is limited to applying those rules when authenticating visitors and monitoring their sessions.
Common access control rules
When bastion hosts allow or deny access, they follow a set of rules. For example:
- The visitor must confirm identity through multi-factor authentication
- Authentication of a certain visitor only grants access to a certain segment or resource of the internal network
- The user has a fixed amount of time for the visit. After that, the session ends, and they need to authenticate again.
Once the guard checks that the visitor is who they claim to be, they allow them to pass.
During the visit or the communication session, the user will only interact through the bastion host. This means the whole session will be under surveillance.
A better way to control who gets accepted into your private network is by using a privileged account and session management (PASM) tool. IT teams use PASM solutions to:
- enable
- revoke
- and track permissions of privileged accounts in a few clicks.
Why use a bastion host?
Network admins use bastion hosts as a single access point to the intranet. Leaving one gateway to the castle open instead of five means you only have one entry point to protect.
Setting up a bastion host adds a layer of security that controls and monitors access to sensitive data. You’ll only have to protect one entry point.
Here are the most common bastion hosts use cases:
- Securely managing domain controllers remotely. In multinational companies, IT teams need to update servers found in various offices worldwide. For that, they need safe access from their external network to the local one. Setting up a bastion host that checks access permissions is a common solution to this problem.
- Secure remote access for employees
- Network segmentation – isolate the private network from the external one or create private subnets for different departments. For example, a bastion host could grant a user access to the human resources database while denying a request for the financial one.
- Logging and monitoring – besides monitoring access logs, the bastion can keep track of unsuccessful login attempts that could indicate an attack
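To make the logging and monitoring point concrete, here is an added example (not code from the article or from Heimdal) that counts failed SSH logins per source address in OpenSSH auth log lines and flags sources above a threshold. The log lines are constructed for this example and use documentation address ranges; the threshold of 3 is an arbitrary assumption.

```shell
#!/bin/sh
# Constructed OpenSSH auth log sample (not from a real host). 203.0.113.0/24
# and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG='Mar  3 10:01:02 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:05 bastion sshd[1203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:01:07 bastion sshd[1205]: Failed password for invalid user test from 203.0.113.45 port 51038 ssh2
Mar  3 10:01:09 bastion sshd[1207]: Failed password for invalid user oracle from 203.0.113.45 port 51044 ssh2
Mar  3 10:02:11 bastion sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40210 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:03:30 bastion sshd[1212]: Failed password for alice from 198.51.100.7 port 40222 ssh2
Mar  3 10:03:40 bastion sshd[1214]: Accepted keyboard-interactive/pam for alice from 198.51.100.7 port 40224 ssh2'

# failed_by_source LOG: prints "<count> <source ip>" per source, most failures first.
# Only sshd "Failed ..." authentication lines are counted; accepted logins are ignored.
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed (password|publickey|keyboard-interactive)/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources LOG THRESHOLD: prints only the addresses with THRESHOLD or more failures,
# i.e. the candidates for a brute-force or credential-stuffing attempt.
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Example run on the sample: with a threshold of 3, only 203.0.113.45 is flagged;
# alice's single typo from 198.51.100.7 is not.
flag_sources "$SAMPLE_LOG" 3
```

On a real host you would feed `journalctl -u ssh` or /var/log/auth.log into the same functions and forward the flagged addresses to your alerting pipeline.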
But there’s one nasty thing about using bastion hosts. Since they are an access point to the whole treasure, they are attractive targets for hackers. Threat actors will go out of their way trying to breach the bastion host’s defense. So, you’ll need to bring your A-game to protect them.
Bastion hosts’ common security risks
Bastion hosts are a network security measure, but they are not safe by themselves. You need to secure them just like you do with other assets in your infrastructure. As control access points, bastion hosts are often exposed to a series of risks. Here are the most common:
- Brute force attacks and credential stuffing
- Known exploits and zero-day vulnerabilities
- Man-in-the-Middle Attacks (MitM)
- Denial of Service (DoS) Attacks
How to secure a bastion host?
To secure a bastion host, the first step is to configure it properly. This means:
- choosing an Operating System (OS) that suits the rest of your infrastructure – go with Windows if most of your workstations use it, for example
- implementing access logging
- closing OS networking permissions
- removing unnecessary user accounts and restricting permissions
- disabling all services that are not needed
- if you’re not using the bastion host as a router, disable routing
Another critical aspect of configuring a bastion host is securing SSH connections. Bastion hosts have public IP addresses, and you can access them through the SSH (Secure Shell) protocol. An SSH connection allows you to:
- manage other computers
- transfer files, including malware
- execute commands on a remote endpoint
To set up an SSH connection you need to:
- get the bastion host online and active
- know the machine’s IP address, which is public for bastion hosts
- have the firewall accept SSH connections
- get access permission from the bastion host
If configured well, this last requirement makes the difference. Enabling multi-factor authentication and a clear access control policy are among the most important prevention measures.
Cybersecurity experts at Pythoholic say that since the bastion host is an entry point to private networks, one should:
Restrict SSH access only through the bastion host’s IP address and set up appropriate security groups to enforce these rules.
Source – Pythoholic YouTube video
Once you have configured the device, continue to enhance the bastion host’s security posture.
10 best practices to secure a bastion host:
Strengthen defense and protect your bastion host by using these 10 best practices:
- restrict access to the bastion host using IP whitelisting or VPNs
- enforce key-based SSH authentication
- use an automated patch management tool to close known vulnerabilities in time
- enforce multi-factor authentication
- use a network vulnerability scanner to find the weaknesses that port scanning and other attacks would exploit
- monitor and log access to detect and respond to suspicious activities
- abide by the principle of least privilege
- don’t host sensitive data on the bastion server
- only install the software the bastion host needs for serving its purpose
- block any unused ports
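The configuration and best-practice points above (key-based authentication, MFA, no root login, limited session time, only the software the host needs) can be checked against the OpenSSH server configuration. The following is an added example, not code from the article or from Heimdal: it audits a constructed sshd_config text for those settings. The two sample configurations are constructed for illustration, and the 600-second idle limit is an assumed policy value.

```shell
#!/bin/sh
# Constructed sshd_config samples (not from a real host): one weak, one hardened.
SAMPLE_WEAK='Port 22
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes'

SAMPLE_HARDENED='Port 22
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# MFA: a key plus a second, interactive factor (e.g. a PAM module)
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups bastion-users
X11Forwarding no'

# effective_value CONFIG KEY: prints the active value of KEY. sshd honours the
# first occurrence of a keyword and ignores later duplicates, so we do the same.
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd CONFIG: prints one FAIL line per weak setting, returns the FAIL count
audit_sshd() {
    cfg=$1; fails=0
    for rule in "PasswordAuthentication no" "PermitRootLogin no" "X11Forwarding no" \
                "AuthenticationMethods publickey,keyboard-interactive"; do
        key=${rule%% *}; want=${rule#* }
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    # Idle sessions must be cut off: the "fixed amount of time" rule from above.
    ival=$(effective_value "$cfg" ClientAliveInterval)
    if [ -z "$ival" ] || [ "$ival" -gt 600 ]; then
        echo "FAIL: ClientAliveInterval is '${ival:-unset}', expected <= 600"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

To audit a live host, run `audit_sshd "$(cat /etc/ssh/sshd_config)"` and fix every FAIL line before exposing the bastion to the internet.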
Bastion host types
There are various types of bastion hosts, based on configuration and purpose. They all have the same mission – keeping hackers away from your private resources. Here’s a short description of each:
- single-homed
The single-homed bastion host only directly connects to the internal network. It uses a firewall or router to communicate with the external network.
- dual-homed
This bastion host has two network interfaces:
- one connected to the internal network
- one connected to the external network.
All traffic between the two networks passes through the bastion host, which monitors and controls it.
- screened host
This bastion host stands behind a screening router or firewall which restricts direct access to it.
- screened subnet
The bastion host is in a demilitarized zone (DMZ). Firewalls separate it from both the internal and the external network.
- virtual
This is a bastion host configured on a virtual machine (VM) instead of a physical computer. A virtual bastion host is more flexible and easier to integrate into cloud environments.
- cloud-based
This type of bastion host works in a cloud environment, like AWS or Azure. It enables secure remote access to cloud resources and services.
What is the difference between a firewall and a bastion host?
Firewalls and bastion hosts serve different purposes as network security tools. Using a firewall doesn’t replace a bastion host.
You can imagine the firewall as a movable wall that stands in place to block unauthorized, malicious traffic. It lets through only the requests that follow a set of rules, for example those that:
- come from a certain geographical area
- belong to a preapproved domain list, etc.
Bastion hosts are safe entry points that only allow authorized users to pass. Before getting access, the users must authenticate themselves. Also, bastion hosts track access and log sessions.
IT teams use both firewalls and bastion hosts for network protection.
Bastion host vs jump server
Jump servers facilitate and secure access between networks placed in different security zones. System Administrators use jump servers to set up secure remote connections to private security zones. It’s a safety measure for performing administrative tasks on remote devices.
A bastion host server is an entry point that is both exposed to an external network and has access to a private one.
Bastion Host alternatives
Choosing an access control alternative to bastion hosts depends on your infrastructure, resources, and industry security requirements.
VPN (virtual private networks) solution vendors will say that using a VPN does the job and is less vulnerable to cyberattacks. But VPNs do nothing more than encrypt communication.
Hackers exploit VPN flaws. It happened to MITRE and it happened to Zyxel.
Identity Access Management (IAM) solutions are tools that check the user’s identity before granting access to company resources: email, databases, and applications. So, they only solve part of the problem. You can use IAM tools to:
- manage user identity
- enforce Role Based Access Control
But they don’t cover session logging. Logs are a critical intelligence source for threat detection and incident response. They tell the incident response team who did what and when during a certain period. Also, you can’t use IAM to enforce the principle of the least privilege, which is a top security best practice.
You can solve this problem with a Privileged Account Session Management solution. It provides safe management for privileged accounts and sessions.
A bastion host lets users connect via SSH or RDP, then authenticates them and grants access to internal systems. It logs user sessions but offers limited granularity.
With PASM solutions, users request access to the privileged accounts and go through a multi-factor authentication process.
Once they prove they are who they claim to be, the PASM tool grants them access. Additionally, the tool monitors all the activity and records the privileged access session. Any suspicious behavior triggers real-time alerts.
By enhancing granularity of session monitoring and logging, PASM tools improve threat detection and incident response.
How can Heimdal help?
Heimdal’s Privileged Access Session Management (PASM) offers secure, controlled access to privileged accounts. Unlike a traditional bastion host, it covers all the services you need for securing access:
- centralizes and controls access to privileged accounts, ensuring strong authentication and authorization
- monitors and records sessions in real time. In case of suspicious activities, it triggers detection and response on the spot
- automates password rotation and stores credentials in a secure vault, thus reducing the risk of credential theft
- enforces detailed access policies, like the principle of the least privilege. This means a user’s account will only have access to those assets and permissions needed for the user to complete their tasks.
- offers comprehensive logs and reports for compliance, and audit
Conclusion
Some say using bastion hosts and jump servers is obsolete. In small IT infrastructures, if you configure them right and harden security, they are a fair solution for their role.
But you should remember that a bastion host can only do one trick: work as a gateway between an external and an internal network. That’s all.
Depending on your company’s specific needs, resources, and skills, a bastion host can do a good job protecting access to your private network.
You’ll need to manage it with extra care and keep a keen eye on patching, vulnerability scanning, and so on.
Or you can use a PASM tool instead and solve all access control tasks with 2 or 3 clicks.