Understanding Bastion Hosts: Definition, Design Principles, Features, and Deployment Options
This article explains what a bastion host (jump server) is, why it is needed, its 4A design philosophy, core objectives, functional modules, authentication methods, common operation modes, additional features, various deployment architectures, and examples of commercial and open‑source solutions.
What Is a Bastion Host
A bastion host is deployed in a given network environment to protect the network and its data from external and internal threats. It does so by monitoring and recording what operations staff do on servers, network devices, security devices, databases and other assets, so that alerts can be raised centrally, incidents handled promptly, and every action attributed to a person during audit.
In short, a bastion host controls who can log into which assets (preventive and real‑time control) and records what they do after logging in (post‑event forensics).
Often called an operation audit system, its core is controllability and auditability. Controllability includes permission control (e.g., handling employee departure or role change) and behavior control (e.g., disabling dangerous commands centrally).
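The two halves of controllability described above (permission control and behaviour control) together with the audit record, as an added example that is not part of the original article: a minimal session gate with a constructed user/asset grant table, a constructed command deny-list, and an in-memory audit log. The user names, asset names and deny patterns are illustrative assumptions.

```python
import re
import time

# Constructed sample data: operator accounts and the assets each may log into.
# A real bastion host takes these from its management platform / password vault.
USERS = {
    "alice": {"active": True, "assets": {"db-01", "web-01"}},
    "bob":   {"active": False, "assets": {"web-01"}},  # departed employee: account disabled
}

# Command-firewall rules (illustrative): regexes applied to the normalised command line.
DENY_PATTERNS = [
    re.compile(r"^rm\s+-\S*r\S*\s+/\s*$"),      # recursive delete of the filesystem root
    re.compile(r"^(mkfs|dd)\b"),                # filesystem creation / raw disk writes
    re.compile(r"^(shutdown|reboot|init\s+0)\b"),  # taking the host down
]

AUDIT_LOG = []  # post-event forensics: one entry per attempted command


def authorize_login(user, asset):
    """Permission control: may this user log into this asset right now?"""
    u = USERS.get(user)
    if u is None or not u["active"]:
        return False, "account disabled or unknown"
    if asset not in u["assets"]:
        return False, "asset not granted"
    return True, "ok"


def filter_command(command):
    """Behaviour control: reject commands matching the central deny-list."""
    normalised = " ".join(command.strip().split())  # collapse whitespace tricks
    for pat in DENY_PATTERNS:
        if pat.search(normalised):
            return False, pat.pattern
    return True, None


def run_session_command(user, asset, command):
    """Gate one command through login authorization and the command firewall,
    writing an audit entry whether it was allowed or not."""
    allowed, reason = authorize_login(user, asset)
    if allowed:
        allowed, reason = filter_command(command)
    entry = {"ts": time.time(), "user": user, "asset": asset,
             "command": command, "allowed": allowed, "reason": reason}
    AUDIT_LOG.append(entry)
    return entry
```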
Why a Bastion Host Is Needed
The concept evolved from jump servers (also called front‑end servers). Around 2000, large enterprises deployed a jump server in the data center so that operation staff first logged into the jump server before accessing other servers.
Jump servers offered no control or audit of operator behavior, so accidental or non-compliant operations were hard to trace. They were also a security risk in themselves: if the jump server was compromised, every downstream resource was exposed. Some resources (e.g., telnet) could be reached through a jump server, but many others (FTP, RDP, etc.) were not well supported.
Recognizing these shortcomings, organizations sought better security technologies that provide role management, authorization approval, resource access control, operation logging and audit, system change control, and reporting, thereby improving IT internal control compliance. Around 2005, bastion hosts emerged as standalone products, reducing operational risk and simplifying secure management.
Design Philosophy of a Bastion Host
The bastion host follows the 4A model: Authentication, Authorization, Account, Audit.
Goals of a Bastion Host
The construction goals can be summarized in five points, all aimed at reducing operational risk:
Audit: What did you do?
Authorization: Which actions can you perform?
Account: Where are you going?
Authentication: Who are you?
Source: When did you access?
Value of a Bastion Host
Centralized management
Centralized permission distribution
Unified authentication
Centralized audit
Data security
Operational efficiency
Operational compliance
Risk control
Principles and Functional Modules
Typical bastion host functions are divided into the following modules:
1. Operations Platform
RDP/VNC, SSH/Telnet, SFTP/FTP, Database operations, Web system operations, Remote application operations.
2. Management Platform
Three‑rights separation, identity verification, host management, password vault, operation monitoring, electronic work orders.
3. Automation Platform
Automatic password rotation, automated operations, data collection, automated authorization, automated backup, automated alerts.
4. Control Platform
IP firewall, command firewall, access control, transmission control, session interruption, operation approval.
5. Audit Platform
Command logging, text logging, SQL logging, file storage, full‑text search, audit reports.
The three rights are configuration, authorization, and audit. The three roles are system administrator, security administrator, and audit officer. Mapping the three roles onto the three rights eliminates the super-administrator; the three roles need not be three separate people, but the security administrator and the audit officer must be different persons.
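The three-rights rules just stated, as an added example that is not part of the original article: a check over a role-assignment table that flags a super-administrator (all three rights on one account) and a single person holding both the security-administrator and audit-officer roles. The role names and the assignment format are assumptions.

```python
# Constructed role names for the three rights: configuration (system admin),
# authorization (security admin) and audit (audit officer).
SYSTEM_ADMIN = "system_admin"
SECURITY_ADMIN = "security_admin"
AUDIT_OFFICER = "audit_officer"
ALL_ROLES = {SYSTEM_ADMIN, SECURITY_ADMIN, AUDIT_OFFICER}


def check_separation(assignments):
    """Return a list of (user, problem) tuples violating three-rights separation.

    assignments: dict mapping user -> set of role names.
    Rules: no account may hold all three rights (no super-admin), and the
    security administrator and audit officer must be different persons.
    Any other combination of roles on one person is permitted.
    """
    violations = []
    for user, roles in assignments.items():
        unknown = set(roles) - ALL_ROLES
        if unknown:
            violations.append((user, f"unknown roles: {sorted(unknown)}"))
        if ALL_ROLES <= set(roles):
            violations.append((user, "super-admin: holds all three rights"))
        elif {SECURITY_ADMIN, AUDIT_OFFICER} <= set(roles):
            violations.append((user, "security admin and audit officer must be different persons"))
    return violations
```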
Authentication Methods
Since a bastion host serves as a unified operation entry, it must support flexible authentication, such as:
1. Local Authentication
Username/password with strong password policies.
2. Remote Authentication
Third‑party AD/LDAP/Radius integration.
3. Two‑Factor Authentication
USB key, dynamic token, SMS gateway, mobile app token, etc.
4. Third‑Party Authentication Systems
OAuth2.0, CAS, etc.
Common Operational Modes
B/S operation: via browser.
C/S operation: via client software (e.g., Xshell, CRT).
H5 operation: web‑based remote desktop supporting SSH, Telnet, Rlogin, RDP, VNC without installing local tools.
Gateway operation: SSH gateway proxy for direct host login, suitable for automation scenarios.
Other Typical Features
File transfer through the bastion host using RDP/SFTP/FTP/SCP/RZ/SZ.
Fine‑grained control over users, commands, and transfers.
Open API support.
Deployment Options
1. Single‑Node Deployment
Typically deployed out of band (bypass mode), attached to a switch from which it can reach all managed devices. It sits beside the traffic path and is chained in logically rather than physically, so the existing network topology is unchanged.
2. HA High‑Availability Deployment
Two bastion hosts deployed in bypass mode with a heartbeat link and synchronized data, exposing a virtual IP.
One primary and one standby, providing a VIP.
Automatic failover when the primary fails.
3. Remote‑Sync Deployment
Multiple data centers host several bastion hosts that automatically synchronize configuration information.
Multi‑site deployment with automatic configuration sync.
Operators use the local bastion host for management.
Unaffected by network/bandwidth issues; serves disaster‑recovery purposes.
4. Cluster (Distributed) Deployment
When managing a large number of assets, many bastion hosts form a cluster: one primary, one standby, and additional nodes as cluster members, all exposing a single virtual IP.
Two hardware bastion hosts (primary/standby) providing a VIP.
Automatic takeover by standby on primary failure.
Open‑Source and Commercial Products
Common bastion host solutions include commercial products such as Xingyun Manager and NiuShield, as well as open‑source options like JumpServer. Selection depends on specific scenarios and requirements.
Architecture Digest