Why Every Organization Needs a Bastion Host: Design, Features, and Deployment Strategies
This article explains what a bastion host is, why it evolved from jump servers, its 4A design principles, key goals, core functional modules, authentication methods, operation modes, deployment options, and highlights open‑source solutions for secure and auditable remote access.
What Is a Bastion Host
A bastion host is a security gateway deployed in a network to monitor, record, and control the actions of administrators on servers, network devices, security appliances, and databases, enabling centralized alerts, rapid response, and auditability.
Why a Bastion Host Is Needed
Originally derived from jump servers used around 2000, traditional jump servers only provided a single entry point without controlling or auditing administrator actions, leading to operational errors, security risks, and difficulty tracing incidents. Bastion hosts address these shortcomings by offering role‑based access, command control, and comprehensive auditing.
Design Principles (4A)
The core design follows the 4A model: Authentication (verify who is connecting), Authorization (define what each identity may do), Account (centralized management of the privileged accounts on managed hosts, so administrators never hold target credentials directly), and Audit (a complete, searchable record of every session).
Goals (5W)
What – audit: record what actions were performed.
Which – authorize: define which actions each identity is permitted to perform.
Where – account: identify the source (client address) and the target host of each action.
Who – authentication: verify who performed the actions.
When – timestamp: record when each access and each action occurred.
Core Functional Modules
Operations Platform: supports RDP/VNC, SSH/Telnet, SFTP/FTP, database, web-application, and remote-application sessions.
Management Platform: implements separation of duties, identity verification, host management, password vaulting, operation monitoring, and electronic work orders.
Automation Platform: provides automatic password rotation, automated operations, data collection, authorization, backup, and alerting.
Control Platform: includes IP and command firewalls, access control, transmission control, session termination, and operation approval workflows.
Audit Platform: records commands, terminal text, SQL, and file uploads, offers full-text search, and generates audit reports.
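The separation of duties listed under the Management Platform rests on the three-role model described in the note that follows: three powers (configure, authorize, audit), three roles, no super administrator, and the rule that the security administrator and the auditor must not be the same person. The following is an added example, not code from the article or from any bastion product, showing how a registry can enforce those constraints at role-assignment time. The role and power names are assumptions chosen to match the note.

```python
"""Three-role separation of duties for bastion administration (added example)."""
from dataclasses import dataclass, field

# The three powers from the note: change configuration, grant access, read audit.
# Each role holds exactly one. "super_admin", which would hold all three,
# is deliberately absent: the note abolishes it. Names are our assumption.
ROLE_POWERS = {
    "system_admin": {"configure"},
    "security_admin": {"authorize"},
    "security_auditor": {"audit"},
}

# Role pairs one person may never hold together. The note mandates only
# security_admin + security_auditor; three roles need not be three people.
MUTUALLY_EXCLUSIVE = {frozenset({"security_admin", "security_auditor"})}


class SeparationOfDutiesError(Exception):
    pass


@dataclass
class RoleRegistry:
    assignments: dict = field(default_factory=dict)  # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        """Grant a role, refusing unknown/abolished roles and conflicting pairs."""
        if role not in ROLE_POWERS:
            raise SeparationOfDutiesError(f"{role!r} is not a recognised role")
        for held in self.assignments.get(user, set()):
            if frozenset({role, held}) in MUTUALLY_EXCLUSIVE:
                raise SeparationOfDutiesError(
                    f"{user} already holds {held}; {role} conflicts with it")
        self.assignments.setdefault(user, set()).add(role)

    def try_assign(self, user: str, role: str) -> bool:
        """Same as assign(), but report the outcome instead of raising."""
        try:
            self.assign(user, role)
            return True
        except SeparationOfDutiesError:
            return False

    def powers(self, user: str) -> set:
        """Union of the powers carried by every role the user holds."""
        return set().union(*(ROLE_POWERS[r] for r in self.assignments.get(user, ())))

    def can(self, user: str, power: str) -> bool:
        return power in self.powers(user)

    def review(self, audit_reader: str, actor: str) -> bool:
        """An audit review is independent only if the reader holds the audit
        power and is not the actor whose authorizations are being reviewed."""
        return audit_reader != actor and self.can(audit_reader, "audit")
```

The check happens when a role is granted rather than when a power is used, which is where a bastion's management console should enforce it: a user who is already the security administrator simply cannot be made auditor, and no role exists that carries all three powers.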
Note: separation of the three powers
The three powers: configuration, authorization, and audit.
The three roles: system administrator, security (confidentiality) administrator, and security auditor.
How the three roles relate to the three powers: the super administrator account is abolished; the three roles are three distinct roles, not necessarily three people; but the security administrator and the security auditor must never be the same person.
Authentication Methods
Local authentication with strong password policies.
Remote authentication via AD/LDAP/RADIUS.
Two-factor authentication (USB key, dynamic token, SMS gateway, mobile app token).
Third-party identity providers such as OAuth 2.0 or CAS.
Common Operation Modes
B/S: browser-based management console.
C/S: the administrator's own client tools (e.g., Xshell, SecureCRT) connect through the bastion.
H5: web-based remote desktop in the browser, supporting SSH, Telnet, Rlogin, RDP, and VNC with no local client installed.
Gateway: an SSH gateway (proxy) mode for automated operations, where scripts and tools, rather than an interactive operator, connect through the bastion and are subject to the same control and audit.
Additional Features
File transfer through RDP/SFTP/FTP/SCP/rz/sz (ZMODEM), with each transfer logged.
Fine‑grained control over users, commands, and transfers.
Open APIs for integration.
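The command firewall under the Control Platform, the fine-grained command control listed above, and the command recording and full-text search under the Audit Platform are one mechanism seen from two sides: every typed line is checked against a per-role policy, and every attempt, allowed or denied, is written to the audit trail with who, where, what and when. The following is an added example, not code from the article or from any bastion product, that implements that check for an SSH session. The role policies, patterns and the in-memory audit store are our own assumptions for illustration; it goes slightly beyond the text by handling the evasions a practitioner sees first: chained commands, `sudo` prefixes, and lines whose quoting cannot be parsed.

```python
"""Per-role command firewall with an audit trail, as a bastion's control and
audit modules would apply to an SSH session (added example)."""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone

# Role policies are our own illustration, not any product's defaults.
# Deny patterns are checked first, then allow patterns; anything matching
# neither is denied (default deny). Patterns are matched against one
# simple command after any sudo prefix has been stripped.
POLICY = {
    "ops": {
        "deny": [
            # recursive rm of / or /*; any flag containing "r" counts as
            # recursive, which over-matches (e.g. --force) on the safe side
            r"^rm(?:\s+-\S+)*\s+-\S*r\S*(?:\s+-\S+)*\s+/\*?\s*$",
            r"^(?:mkfs|dd|shutdown|reboot|halt)\b",
            r"^chmod\s+(?:-R\s+)?777\b",
        ],
        "allow": [r"^(?:ls|cat|tail|grep|df|ps|top|systemctl|journalctl)\b"],
    },
    "auditor": {"deny": [], "allow": [r"^(?:ls|cat|tail|grep)\b"]},
}

# Shell operators that chain simple commands. Quoting is not honoured here,
# so a quoted operator yields a fragment that shlex rejects, which is a deny.
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


@dataclass
class AuditRecord:
    when: str       # ISO timestamp (When)
    who: str        # authenticated user (Who)
    src_ip: str     # client address (Where)
    target: str     # managed host (Where)
    command: str    # the line exactly as typed (What)
    decision: str   # "allow" or "deny" (Which)
    reason: str


def strip_sudo(tokens: list) -> list:
    """Drop a leading sudo and its options so 'sudo -u root rm' is checked as 'rm'."""
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
        while tokens and tokens[0].startswith("-"):
            flag = tokens.pop(0)
            if flag in ("-u", "-g", "-C", "-p") and tokens:
                tokens.pop(0)  # the option's argument, e.g. the user after -u
    return tokens


def simple_commands(line: str) -> list:
    """Split a compound line into normalised simple commands; ValueError on bad quoting."""
    out = []
    for part in SEPARATORS.split(line):
        if part.strip():
            out.append(" ".join(strip_sudo(shlex.split(part))))
    return out


def evaluate(role: str, line: str) -> tuple:
    """Return (decision, reason) for one typed line under the role's policy."""
    rules = POLICY.get(role)
    if rules is None:
        return "deny", f"no policy for role {role!r}"
    try:
        cmds = simple_commands(line)
    except ValueError as exc:
        return "deny", f"unparseable command: {exc}"
    if not cmds:
        return "deny", "empty command"
    for cmd in cmds:
        for pat in rules["deny"]:
            if re.search(pat, cmd):
                return "deny", f"matched deny rule {pat!r} on {cmd!r}"
        if not any(re.search(pat, cmd) for pat in rules["allow"]):
            return "deny", f"{cmd!r} not in allow list"
    return "allow", "all simple commands permitted"


class CommandFirewall:
    def __init__(self):
        self.audit = []  # in memory here; a real bastion writes tamper-evident storage

    def check(self, who, role, src_ip, target, line, now=None) -> AuditRecord:
        decision, reason = evaluate(role, line)
        now = now or datetime.now(timezone.utc)
        rec = AuditRecord(now.isoformat(), who, src_ip, target, line, decision, reason)
        self.audit.append(rec)  # every attempt is recorded, denied ones included
        return rec

    def search(self, text: str) -> list:
        """Full-text search over the audit trail (case-insensitive substring)."""
        t = text.lower()
        return [r for r in self.audit
                if t in r.command.lower() or t in r.who.lower() or t in r.target.lower()]
```

Regex matching on a tokenised line is a deliberate simplification: an interactive shell with aliases, functions, `eval` or `$(...)` can still reach a denied binary, so a bastion command firewall is a control on what operators type, and the audit of the full session transcript is what catches the rest.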
Deployment Options
Single node: an out-of-band (bypass) deployment attached to the network switch rather than inline; a bastion failure therefore cannot cut the management path, but the control only holds if the managed hosts accept administrative connections from the bastion's address alone.
HA (high‑availability): two nodes with heartbeat and a virtual IP; failover to the standby node.
Multi‑site synchronization: multiple data‑center instances automatically sync configurations.
Cluster (distributed) deployment: one master with standby and additional nodes as cluster members, exposing a single virtual IP.
Open‑Source Solutions
Among available bastion host products, commercial options include 行云管家 and 纽盾堡垒机, while the open‑source community offers JumpServer, which can be evaluated based on specific use‑case requirements.