What Is a Bastion Host and How Does It Secure Operations?
This article explains the concept, purpose, design principles, functional modules, authentication methods, deployment options, and open‑source implementations of bastion hosts, highlighting how they centralize control, audit, and protect privileged access to servers and network devices.
What Is a Bastion Host
A bastion host (also called a privileged access management or audit system) monitors and records the actions of operations personnel on servers, network devices, security devices, and databases, providing centralized alerts, timely handling, and audit accountability.
Why a Bastion Host Is Needed
Traditional jump servers only provide a single entry point without controlling or auditing user actions, leading to operational errors, security risks, and difficulty tracing incidents. Bastion hosts evolved to address these shortcomings by offering role‑based access, authorization, audit, and compliance capabilities.
Design Philosophy (4A)
The core design follows the 4A model: Authentication, Authorization, Account, and Audit.
Goals (5W)
What: Record what actions were performed.
Which: Define which actions are permitted.
Where: Identify which assets are accessed.
Who: Verify the identity of the user.
When: Capture the time of access.
Value
Centralized management
Centralized permission assignment
Unified authentication
Centralized auditing
Data security
Operational efficiency
Compliance
Risk control
Architecture
Typical bastion host architecture includes modules for operation, management, automation, control, and auditing.
Core Functional Modules
Operation Platform: RDP/VNC, SSH/Telnet, SFTP/FTP, database, web system, remote application.
Management Platform: Separation of duties, identity verification, host management, password vault, monitoring, electronic tickets.
Automation Platform: Automatic password rotation, automated operations, data collection, authorization, backup, alerting.
Control Platform: IP firewall, command firewall, access control, transmission control, session termination, operation approval.
Audit Platform: Command, text, SQL, file logs, full‑text search, audit reports.
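The control and audit platforms listed above, together with the 5W goals and the 4A model from earlier in the article, can be made concrete in a small model. The following is an added example written for this page; it is not code from the article or from any bastion product. The role names, the policy fields (assets, login window, command‑firewall deny patterns) and the sample session in the usage section are constructed for illustration. It shows how a command‑firewall decision answers Who, Where, Which and When, how every decision, allowed or not, lands in the audit trail, and how the three‑role separation (no super admin; security admin and auditor never the same person) is enforced at role‑assignment time.

```python
"""Added example (not from the original article): a toy model of a bastion host's
control and audit platforms, illustrating the 4A model and the 5W goals.
Role names, policy structure and sample rules are constructed for illustration;
a real product backs this with a database and a session proxy."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# The three roles of the three-rights separation principle, plus ordinary operators.
SYSTEM_ADMIN = "system_admin"      # configuration right
SECURITY_ADMIN = "security_admin"  # authorization right
AUDIT_ADMIN = "audit_admin"        # audit right
OPERATOR = "operator"


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would recreate a super admin or merge the
    security admin and the auditor into one person."""


@dataclass
class Policy:
    """Authorization policy for one user: where they may go, when, and which commands are blocked."""
    assets: Set[str]                    # Where: host identifiers the user may reach
    window: Tuple[time, time]           # When: permitted window (local time, start <= end)
    denied_commands: List[str] = field(default_factory=list)  # Which: command-firewall regexes


@dataclass
class AuditRecord:
    """One audit-trail entry answering Who / Where / What / When plus the decision."""
    who: str
    where: str
    what: str
    when: datetime
    allowed: bool
    reason: str


class Bastion:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}     # Account: user -> roles
        self.policies: Dict[str, Policy] = {}    # Authorization: user -> policy
        self.audit_log: List[AuditRecord] = []   # Audit

    def assign_role(self, user: str, role: str) -> None:
        roles = self.roles.get(user, set()) | {role}
        # No super admin: nobody may hold all three administrative rights.
        if {SYSTEM_ADMIN, SECURITY_ADMIN, AUDIT_ADMIN} <= roles:
            raise SeparationOfDutiesError(f"{user} would become a super admin")
        # The one who grants rights and the one who checks them must differ.
        if {SECURITY_ADMIN, AUDIT_ADMIN} <= roles:
            raise SeparationOfDutiesError(f"{user} cannot be both security admin and auditor")
        self.roles[user] = roles

    def set_policy(self, granted_by: str, user: str, policy: Policy) -> None:
        """Authorization is a security-admin right only."""
        if SECURITY_ADMIN not in self.roles.get(granted_by, set()):
            raise PermissionError(f"{granted_by} is not a security admin")
        self.policies[user] = policy

    def check_command(self, user: str, asset: str, command: str, now: datetime) -> bool:
        """Command-firewall decision for one command in a session; every decision is audited."""
        allowed, reason = self._evaluate(user, asset, command, now)
        self.audit_log.append(AuditRecord(user, asset, command, now, allowed, reason))
        return allowed

    def _evaluate(self, user: str, asset: str, command: str, now: datetime) -> Tuple[bool, str]:
        policy = self.policies.get(user)
        if policy is None:
            return False, "no policy for user"            # Who
        if asset not in policy.assets:
            return False, "asset not granted"             # Where
        start, end = policy.window
        if not (start <= now.time() <= end):
            return False, "outside permitted window"      # When
        for pattern in policy.denied_commands:            # Which
            if re.search(pattern, command):
                return False, f"blocked by command-firewall rule {pattern!r}"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample session.
    b = Bastion()
    b.assign_role("alice", SECURITY_ADMIN)
    b.assign_role("bob", AUDIT_ADMIN)
    b.set_policy("alice", "dave", Policy({"db-01"}, (time(9), time(18)),
                                         [r"^\s*rm\s+-rf\s+/", r"\bshutdown\b"]))
    b.check_command("dave", "db-01", "ls -la /var/log", datetime(2024, 1, 1, 10, 0))
    b.check_command("dave", "db-01", "rm -rf /", datetime(2024, 1, 1, 10, 1))
    for rec in b.audit_log:
        print(rec.when.isoformat(), rec.who, rec.where, repr(rec.what), rec.allowed, rec.reason)
```

The audit log is written before the decision is returned, so a denied command is recorded just as faithfully as an allowed one; that is the difference between a plain jump server and a bastion host described at the start of the article.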
Explanation:
Three‑rights separation
Three rights: configuration, authorization, and audit.
Three roles: system admin, security admin, and audit admin.
Three‑role principle: eliminate the super admin; the three roles need not be held by three different people, but the security admin and the auditor must be different persons.
Authentication Methods
Local authentication: username/password with strong‑password policy.
Remote authentication: support for AD/LDAP/RADIUS.
Two‑factor authentication: USB key, dynamic token, SMS gateway, mobile app token.
Third‑party systems: OAuth 2.0, CAS, etc.
Common Operation Modes
B/S: browser‑based management.
C/S: client software such as Xshell, CRT.
H5: web‑based remote desktop supporting SSH, Telnet, RDP, VNC.
Gateway: SSH gateway for proxy login, suitable for automation.
Other Common Features
File transfer via bastion host (RDP/SFTP/FTP/SCP/rz/sz).
Fine‑grained control over users, commands, and transfers.
Open APIs for integration.
Deployment Options
1. Single‑node deployment
Side‑car deployment attached to a switch, requiring only network reachability.
Logical side‑car connection.
No impact on existing network topology.
2. HA high‑availability deployment
Two nodes with heartbeat synchronization, providing a virtual IP; the standby takes over if the primary fails.
One active, one standby, shared VIP.
Automatic failover.
3. Multi‑site synchronization deployment
Multiple data‑center nodes synchronize configuration automatically, allowing local access and resilience against network or bandwidth issues.
Distributed deployment with automatic config sync.
Local bastion access per site.
Disaster‑recovery capability.
4. Cluster (distributed) deployment
When managing many assets, a cluster of bastion hosts is used: one master, one standby, and additional nodes as cluster members, all exposing a single virtual IP.
Master‑standby with VIP.
Automatic takeover on failure.
Open‑Source Solutions
Both commercial and open‑source bastion hosts exist; a popular open‑source option is JumpServer, which can be deployed in any of the scenarios described above.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)