Bastion Host

General

Definition

A hardened, publicly accessible server that serves as the sole entry point for administrative SSH or RDP access to an internal network. Bastion hosts (or jump boxes) reduce the attack surface by concentrating and auditing remote access.

Role of a Bastion Host

A bastion host is a hardened server positioned at the boundary between a trusted internal network and an untrusted external network, providing a controlled entry point for administrative access. Rather than exposing SSHSecure Shell. A cryptographic protocol for secure remote login, command execution, and file transfer over an unsecured network. SSH (port 22) replaced insecure protocols like Telnet and rlogin. ports of all internal servers to the internet, operators connect to the bastion and then hop to internal targets. This funnels all administrative traffic through a single, heavily audited system where authentication, session recording, and access controls can be rigorously enforced.

Hardening Requirements

A bastion host's security posture is critical because it is intentionally internet-accessible. Hardening includes: disabling all non-essential services, enforcing public-key SSHSecure Shell. A cryptographic protocol for secure remote login, command execution, and file transfer over an unsecured network. SSH (port 22) replaced insecure protocols like Telnet and rlogin. authentication with no password fallback, enabling multi-factor authentication, applying strict FirewallA network security device or software that monitors and filters incoming and outgoing traffic based on predefined rules. Firewalls can block traffic by IP address, port number, protocol, or application-layer content. rules that permit SSH only from known IP ranges, and shipping all logs to a central SyslogA standard protocol (RFC 5424) for transmitting log messages from network devices, servers, and applications to a central log collector. Syslog messages include severity levels from emergency (0) to debug (7). server outside the bastion's control. The bastion itself typically has no access to resources beyond the administrative jump path — it is a transit point, not a general-purpose server.

Modern Alternatives

Cloud environments offer managed bastion services that eliminate the need to manage a standalone instance. These services tunnel sessions over HTTPSHTTP Secure. The encrypted version of HTTP that uses TLS to protect data in transit between a browser and a web server. Identified by the padlock icon in browsers and the https:// URL scheme. rather than SSHSecure Shell. A cryptographic protocol for secure remote login, command execution, and file transfer over an unsecured network. SSH (port 22) replaced insecure protocols like Telnet and rlogin. and store session logs natively. VPNVirtual Private Network. A technology that creates an encrypted tunnel between a device and a remote server, protecting data in transit and masking the user's real IP address. Used for privacy, security, and accessing restricted networks. solutions provide an alternative by creating an authenticated Overlay NetworkA virtual network built on top of an existing physical (underlay) network using encapsulation protocols like VXLAN or GRE. Overlay networks provide logical separation and flexibility without modifying the underlying infrastructure. tunnel that gives administrators the same internal network access without a jump host. NACNetwork Access Control. A security approach that enforces policies on devices attempting to join a network, verifying identity, health (antivirus, patches), and compliance before granting access. Integrates with RADIUS and 802.1X. enforcement at the VPN gateway ensures only compliant devices can connect, extending the bastion's access control model to cover the entire administrative path.

Related Terms

More in General