The same principles apply to network bastions. Bastion hosts act like gatekeepers at the network edge or on the edge of secure zones. This gatekeeper decides who enters the “castle” and who remains outside.
Businesses position bastions strategically to withstand cyber attacks. They protect data or devices from harm through a range of features:
Security centralization
Bastions provide a way to centralize network security via SSH connections. The bastion host checks the device and user credentials. If users are on approved access lists, the bastion approves the connection and allows entry.
This solution is efficient but generally insecure. Most companies prefer to strengthen their defenses via VPNs, firewalls, and access management systems.
Jump servers
Jump servers are secure gateways that allow administrators to manage software or devices within protected network zones. The bastion acts as a jump server by requesting authentication credentials and controlling access, keeping attack surfaces as small as possible.
For instance, bastions may allow a firewall administrator to change filtering settings while denying requests from all other users.
Companies often use bastions as jump servers to maintain distributed network assets. Networks may extend across the world. Bastion hosts allow a centrally-located IT department to access distant office networks securely.
Access control
As the outer fortification, bastions enforce access control policies. They request multiple authentication factors and check user credentials against secure directories.
Bastions also provide a secure proxy gateway for SSH (Secure Shell) connections. SSH creates secure connections between remote devices and internal services. The SSH protocol encrypts data passing through the bastion. SSH agent forwarding allows users to access multiple servers via the bastion gateway.
Network logging
Finally, bastion hosts log user access and session activity. All users and data entering a private network must pass through the server. Logging tools track general information about user sessions. However, they do not track user activity in-depth, but these logs can be integrated with external security systems to create alerts about suspicious behavior.
Single-bastion inline
Single-Bastion inline hosts place a single fortified server between the untrusted networks (like the public internet) and internal network assets.
This bastion server type acts like a gateway for network traffic, filtering traffic before it reaches network devices. This filtering function may complement firewalls, intrusion detection systems (IDS), or additional proxy servers.
A single-bastion host can enhance network security. However, the use of one server creates a single point of failure. Concentrated attacks can overwhelm security tools on a single server, raising security risks for critical assets.
Dual-bastion inline
Dual-bastion host setups place two fortified servers between an untrusted external network and internal network assets. The two servers exist in series, creating a chain of network defenses.
In a dual-bastion inline arrangement, the first host directly faces the public internet. This host executes basic security tasks, including packet inspection and firewall filtering.
The second bastion faces internal network devices. This host adds extra layered security together with intrusion detection, deep packet inspection, or proxy server functions.
Layered bastion host setups are usually more secure than single host configurations. Attackers struggle to take down dual servers, and layered security neutralizes threats efficiently. This setup suits load balancing, where one bastion manages incoming traffic, and the other handles outbound connections. It also provides a backup if one server fails, ensuring continuous operations for critical data or sensitive applications.
On the negative side, dual-bastion host setups are more complex to configure. Dual bastions may increase network latency. Maintenance is also more complicated and resource-intensive.
Internal bastion host
Internal bastion hosts are fortified servers located within internal networks. These bastion servers operate behind network firewalls. They are not directly exposed to an external network.
Internal bastions are a preferred option when defending critically important servers or devices and sensitive internal resources. The internal bastion provides an extra line of defense and limits east-west traffic within the network. Security teams can use internal bastions to create secure zones and guard against insider threats.
Bastions create a perimeter around critical assets. Servers use authentication and IAM tools to allow secure access. They log activity and filter internal traffic while enabling legitimate access for network users.
Internal bastion hosts enhance security but may increase network complexity. Bastions can become traffic bottlenecks and can be compromised by some network attacks.
What are the security risks of using a bastion host?
When they function correctly, bastion hosts enhance network security. However, compromised bastions can expose networks to security risks. Compromised hosts become secure gateways for attackers — defeating the initial purpose.
Attackers gaining control of a bastion host can use their position to access other network resources. They may extract sensitive data from traffic flowing across the host, and use this data to gain further access.
Compromised hosts aren’t the only security issue to worry about. Other bastion host risks include:
Misconfiguration. Attackers can exploit improperly configured access control rules. A poorly configured bastion host can also obscure visibility into network activities. This makes it harder for security teams to ensure timely
threat detection and response to attacks.
Maintenance. Bastion hosts are complex to deploy and manage. The IT department must deliver up-to-date patches and retire a deprecated operating system or security tools. Regular audits consume time and resources technicians can spend on other security tasks.
Single points of failure. Relying on a single bastion host creates a single target for attackers. Host failure can expose the private network to external threats. Bastion downtime can also take systems offline until technicians restore security features.
SSH key vulnerabilities. Extra security problems arise if you use your bastion host as an SSH proxy. Attackers obtaining SSH keys gain root-level network access. SSH is not designed for secure key management, creating a constant cybersecurity risk.
Bastion hosts are labor-intensive and carry significant risks. Consider alternative measures to counter external threats. If not, take care when adding bastion protection to your private network.
Best practices for securing bastion hosts
If you opt for bastion host protection, it’s important to do so safely. With that in mind, here are some best practices to follow when securing bastion hosts:
Minimize the attack surface. Large attack surfaces put bastion hosts at risk. Remove all unnecessary software or processes. Only retain protocols or tools that promote security. Use port scanning regularly to check for vulnerabilities.
Implement access control measures. Only authorized users should be able to access the bastion host. Use network-level controls to admit approved IP addresses and manage SSH connections. Update firewall settings to cover all relevant users.
Use SSH safely. As noted earlier, SSH creates security risks. Protect remote connections with multi-factor authentication. SSH does not reset keys automatically, so schedule regular SSH key updates.
Automate patch management processes. Take human error out of the equation. Automate patch deliveries to keep bastion host firmware up-to-date.
What is the difference between a firewall and a bastion host?
Now we know more about defending a bastion host, let’s clear up some misconceptions about what they are (and what they do).
For instance, people often confuse bastions and firewalls. This is understandable as bastion hosts often include firewall capabilities. Firewall appliances inspect and filter traffic passing across the entire network perimeter. Sometimes, firewalls provide sufficient protection. However, firewalls on their own have limited access management capabilities.
Bastions also operate at the network edge. Unlike firewalls, bastions protect and manage access to specific locations or assets. Onboard firewalls and security tools create a demilitarized zone outside the network perimeter.
This DMZ adds an extra layer of protection beyond firewall filters. Fortified bastion hosts offer greater control over internal network access. They are also hardened to cope with cyber threats, while firewalls are not.
VPN vs. bastion host
Another common point of confusion is between VPNs and bastion hosts. Again, this is understandable. Both technologies allow secure remote access and SSH connections. But they are very different.
VPNs create encrypted tunnels to transfer data. Users generally install a VPN client on their device. The client encrypts data and routes it via a VPN server, which assigns a new IP address and passes data to its destination.
Using a VPN solves some of the security problems we noted earlier. VPNs protect SSH keys beneath a layer of encryption. They shrink the attack surface by creating private connections without direct exposure to the public internet.
Bastion hosts are exposed to external networks, leaving security risks unaddressed. They also represent a single point of failure, which is less of a problem with VPNs.
On the other hand, administrators can harden bastions to minimize threats. Bastions also make it easier to prevent data extraction. VPN users can download data onto remote devices, and switching off the VPN can put this data at risk.
Hybrid VPN and bastion host setups are also possible. VPNs protect remote access connections in a user-friendly way, while bastions protect sensitive endpoints and create secure zones for high-value data.
Does your business need a bastion host?
Possibly, but probably not. Companies mainly use bastion hosts to lock down sensitive data. For instance, you may handle protected health information (PHI) or customer financial records. The bastion creates a DMZ around critical data only approved users can enter.
Bastion hosts are also useful for connecting different offices. Admins can safely manipulate software remotely, while the bastion excludes unauthorized users.
Some businesses use bastions in remote access systems. If you rely on SSH connections and are happy to risk a single point of failure, bastions provide robust protection for on-premises assets.
However, bastion server architecture is outdated and risky. Bastions are poorly suited to safeguarding cloud computing assets. Cloud-based firewall-as-a-service (FWaaS), remote access VPNs, Zero Trust Network Access (ZTNA) and access management tools provide a scalable and more secure alternative.
Maintaining bastion hosts is costly and complex, a problem for small and medium-sized enterprises that need to cut overheads. Larger businesses may find uses for bastion technology, but for many companies, the risks and costs are not worthwhile.
Find the right security solution with NordLayer
Bastion hosts are outdated and risky, but what is the best way to secure on-premises, remote, and cloud-hosted assets? NordLayer’s Zero Trust solutions provide a streamlined alternative.
NordLayer’s remote access VPN enables secure access to your private network and sensitive resources. Companies can create private gateways to replace bastion hosts, while site-to-site VPNs safely establish secure connections to hybrid networks.
Our Multiple Network Access Control (NAC) solutions let you control access to hybrid services at a granular leve. Threat prevention tools prevent access to malicious websites and unauthorized intrusion, and scan downloads for malware. Users do not need to configure bastion hosts. Flexible solutions plug every potential vulnerability.
Assess your network security needs and create a data protection strategy. When you do, go beyond bastions and outdated technology. Contact the NordLayer team to discuss next-generation remote access security.
