What Is a Bastion Host and Why Your Organization Needs One
This article explains what a bastion host (jump server) is, its design principles, core functions, authentication methods, deployment options, and the value it brings to IT operations, helping organizations improve security, auditability, and compliance while reducing operational risk.
What Is a Bastion Host
A bastion host is a security appliance deployed in a given network environment to protect networks and data from external and internal threats by monitoring and recording what operations personnel do on servers, network devices, security devices, and databases.
In short, a bastion host controls who can log into which assets and records what they do after logging in.
A bastion host is often called an operations audit system; its core properties are controllability and auditability. Controllability covers permission control (e.g., revoking access when an employee leaves) and behavior control (e.g., centrally disabling dangerous commands).
Why a Bastion Host Is Needed
The concept evolved from jump servers used around 2000, where enterprises deployed a single server that all operators had to log into before accessing other machines.
Jump servers lacked control and audit capabilities, leading to accidental or malicious operations, difficult incident investigation, and severe security risks if compromised.
Recognizing these shortcomings, organizations sought a solution that provides role management, access control, operation logging, system change control, and reporting to improve IT internal control compliance. Around 2005, bastion hosts emerged as standalone products, reducing operational risk and simplifying secure management.
Design Philosophy
The bastion host follows the 4A model: Authentication, Authorization, Account, Audit.
Goals (5W)
Audit: What did you do?
Authorization: Which actions can you perform?
Account: Where are you going?
Authentication: Who are you?
Source: When did the access occur?
Value
Centralized management
Centralized permission allocation
Unified authentication
Centralized audit
Data security
Operational efficiency
Compliance
Risk control
Architecture and Core Modules
Typical bastion host architecture includes the following modules:
1. Operations Platform
RDP/VNC, SSH/Telnet, SFTP/FTP, Database, Web system, Remote application operations.
2. Management Platform
Three‑power separation, identity verification, host management, password vault, operation monitoring, electronic work orders.
3. Automation Platform
Automatic password rotation, automated operations, data collection, automated authorization, backup, alerting.
4. Control Platform
IP firewall, command firewall, access control, transmission control, session termination, operation approval.
5. Audit Platform
Command logs, text logs, SQL logs, file storage, full‑text search, audit reports.
Note on three-power separation:
The three powers: configuration, authorization, and audit.
The three roles: system administrator, security (confidentiality) administrator, and security auditor.
How the three roles hold the three powers: the super administrator is abolished; the three roles are three roles, not necessarily three people; the security administrator and the security auditor must never be the same person.
Identity Authentication
The bastion host supports flexible authentication methods:
Local authentication with strong password policies.
Remote authentication via AD/LDAP/Radius.
Two‑factor authentication (USB key, dynamic token, SMS, mobile app).
Third‑party authentication systems such as OAuth2.0, CAS.
Common Operation Modes
B/S: Browser‑based operations.
C/S: Client‑software operations (e.g., Xshell, CRT).
H5: Web‑based remote desktop supporting SSH, Telnet, RDP, VNC, etc.
Gateway: SSH gateway for proxy login, suitable for automation.
Other Common Features
File transfer via RDP/SFTP/FTP/SCP/RZ/SZ.
Fine‑grained control over users, commands, and transfers.
Open API support.
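The control and audit functions listed above (asset authorization, a command firewall, per-session audit records with full-text search, and the three-role separation of duties from the note on the management platform) can be modelled together. The following is an added example written for this article, not code from any bastion product; the users, assets, roles, blocked-command patterns and session lines are all constructed.

```python
"""Added example (not from the original article or any product): a minimal
model of a bastion host's authorization, command firewall and audit log.
All users, assets, roles, patterns and session lines are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Three roles from the article's note; a super administrator is deliberately
# not a valid role, and secadmin/auditor may not be held by the same person.
VALID_ROLES = {"sysadmin", "secadmin", "auditor"}

# Shell separators: a chained line such as "echo ok; rm -rf /" must be
# inspected segment by segment, or the firewall only ever sees "echo ok".
SEPARATOR = re.compile(r"\s*(?:\|\||&&|[|;])\s*")

# Command-firewall patterns (constructed; a real deployment tunes its own list).
BLOCKED_COMMANDS = [
    r"^rm\s+(-\w*r|--recursive)",           # recursive delete
    r"^(shutdown|reboot|halt|poweroff)\b",  # host power control
    r"^mkfs",                               # filesystem creation
    r"^dd\s.*\bof=/dev/",                   # raw writes to block devices
]


@dataclass
class AuditRecord:
    user: str
    asset: str
    command: str
    decision: str  # "allowed", "denied-asset" or "denied-command:<pattern>"


def sod_violations(roles: dict) -> list:
    """Return users whose role set breaks the three-role model."""
    bad = []
    for user, role_set in roles.items():
        if not role_set <= VALID_ROLES:          # e.g. a lingering "superadmin"
            bad.append(user)
        elif {"secadmin", "auditor"} <= role_set:
            bad.append(user)
    return bad


def segments(command: str):
    """Yield whitespace-normalised segments of a possibly chained command line."""
    for part in SEPARATOR.split(command):
        part = part.strip()
        if not part:
            continue
        try:
            yield " ".join(shlex.split(part))
        except ValueError:       # unbalanced quotes: inspect the raw text
            yield part


class Bastion:
    def __init__(self, asset_grants: dict, roles: dict, blocked=None):
        bad = sod_violations(roles)
        if bad:
            raise ValueError(f"separation-of-duties violation: {bad}")
        self.asset_grants = asset_grants      # user -> set of permitted assets
        self.blocked = [re.compile(p) for p in (blocked or BLOCKED_COMMANDS)]
        self.audit_log: list = []

    def blocked_by(self, command: str) -> Optional[str]:
        """Return the pattern that blocks any segment of the command, else None."""
        for seg in segments(command):
            for pat in self.blocked:
                if pat.search(seg):
                    return pat.pattern
        return None

    def run(self, user: str, asset: str, command: str) -> AuditRecord:
        """Authorize asset access, then filter the command; log every outcome."""
        if asset not in self.asset_grants.get(user, set()):
            decision = "denied-asset"
        elif (pat := self.blocked_by(command)) is not None:
            decision = f"denied-command:{pat}"
        else:
            decision = "allowed"
        rec = AuditRecord(user, asset, command, decision)
        self.audit_log.append(rec)
        return rec

    def search(self, term: str) -> list:
        """Full-text search over recorded commands, as an audit platform offers."""
        return [r for r in self.audit_log if term in r.command]


def demo() -> list:
    """Constructed session replayed through the policy; returns the decisions."""
    bastion = Bastion(
        asset_grants={"alice": {"web-01"}, "bob": {"db-01"}},
        roles={"alice": {"sysadmin"}, "bob": {"sysadmin"},
               "carol": {"secadmin"}, "dave": {"auditor"}},
    )
    session = [
        ("alice", "web-01", "systemctl status nginx"),
        ("alice", "web-01", "echo done; rm -rf /var/www"),   # chained behind echo
        ("alice", "db-01", "psql -c 'select 1'"),            # asset not granted
        ("bob", "db-01", "tail -n 50 /var/log/postgresql.log"),
    ]
    return [bastion.run(*line).decision for line in session]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The asset check runs before the command filter, so an unauthorized login attempt is recorded even when the command itself is harmless; splitting on shell separators is what keeps a blocked command from hiding behind an allowed one.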
Deployment Options
1. Single‑node deployment
Side‑car (bypass) deployment attached to a switch, reaching all devices without changing the existing network topology.
Logical side‑car connection with no impact on the current network structure.
2. HA high‑availability deployment
Two side‑car bastion hosts exchange heartbeats and synchronize data, exposing a single virtual IP (VIP).
Active‑standby hardware pair providing the VIP, with automatic failover when the primary fails.
3. Remote‑site synchronized deployment
Each data center hosts its own bastion host, and configuration is synchronized automatically between sites.
Operators use the bastion host at their local site.
Resilient to WAN and bandwidth problems, and supports disaster recovery.
4. Cluster (distributed) deployment
For large device inventories, a cluster of bastion hosts is used: one active node, one standby node, and additional nodes as cluster members, all reachable through a single virtual IP.
Active‑standby pair with VIP, plus additional cluster members; the standby takes over automatically when the primary fails.
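The heartbeat-driven takeover that the HA and cluster options above rely on can be simulated to see how a VIP moves when the primary stops answering. This is an added example written for this article, not code from any product: the node names, the heartbeat timeout and the timeline are constructed, and the election rule (lowest priority value among live nodes, no automatic failback) is an assumption rather than a description of any vendor's implementation.

```python
"""Added example (not from the original article or any product): a
simulation of heartbeat-driven VIP takeover for the active-standby and
cluster deployment options. Node names, timeout and timeline are constructed."""
from dataclasses import dataclass

# Seconds without a heartbeat before a peer is declared down (assumed value).
HEARTBEAT_TIMEOUT = 3.0


@dataclass
class Node:
    name: str
    priority: int            # lower value = preferred VIP holder
    last_heartbeat: float = 0.0
    alive: bool = True


class HaCluster:
    """The active node holds the VIP; a standby or cluster member takes it
    over when the holder's heartbeats stop. No automatic failback is modelled
    (assumption): a recovered node waits until the current holder fails."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.vip_holder = None
        self.events = []     # (time, description) log of state changes

    def heartbeat(self, name: str, now: float) -> None:
        node = self.nodes[name]
        node.last_heartbeat = now
        if not node.alive:
            self.events.append((now, f"{name} heartbeat resumed"))
        node.alive = True

    def tick(self, now: float):
        """Re-evaluate liveness and VIP ownership; returns the current holder."""
        for n in self.nodes.values():
            if n.alive and now - n.last_heartbeat > HEARTBEAT_TIMEOUT:
                n.alive = False
                self.events.append((now, f"{n.name} missed heartbeats, marked down"))
        holder = self.nodes.get(self.vip_holder)
        if holder is None or not holder.alive:
            live = sorted((n for n in self.nodes.values() if n.alive),
                          key=lambda n: n.priority)
            new_holder = live[0].name if live else None
            self.events.append((now, f"VIP {self.vip_holder} -> {new_holder}"))
            self.vip_holder = new_holder
        return self.vip_holder


def simulate() -> list:
    """Constructed timeline: bastion-a stops heartbeating after t=2 and
    returns at t=7. Returns the VIP holder observed at each tick t=0..8."""
    cluster = HaCluster([Node("bastion-a", 1), Node("bastion-b", 2),
                         Node("bastion-c", 3)])
    holders = []
    for t in range(9):
        if t <= 2 or t >= 7:
            cluster.heartbeat("bastion-a", t)
        cluster.heartbeat("bastion-b", t)
        cluster.heartbeat("bastion-c", t)
        holders.append(cluster.tick(t))
    return holders


if __name__ == "__main__":
    for t, holder in enumerate(simulate()):
        print(f"t={t}: VIP on {holder}")
```

In the constructed run the VIP stays on bastion-a until the timeout expires at t=6, moves to bastion-b, and remains there when bastion-a comes back; whether a recovered primary reclaims the VIP is a product setting, not something this simulation decides.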
Open‑Source Bastion Host Products
Common solutions include commercial options (e.g., Xingyun Manager, New Shield) and open‑source projects such as JumpServer. Selection depends on specific scenarios and requirements.
Source: https://www.toutiao.com/i6881462700229329421 Author: 猿话