TL;DR - Yes! Bastions are still the recommended solution to manage secure remote access to cloud infrastructures.

There is a growing discussion among network engineers, DevOps teams, and security professionals about the security benefits of bastions. Many assume that they are the “old way” of network access and have little relevance in the modern cloud native stack. These speculations are not irrelevant: in recent years the corporate IT network perimeter as we knew it has been diminishing, and the concept has shifted to a data, identity, and compute perimeter. Software-defined networking solutions have overtaken hardware firewall boxes, and the requirement of managing bare metal servers has shifted to container-deployed or even serverless applications. Where do bastions fit in these scenarios? Do we even need one?

A short primer on bastions

Bastions
By definition, bastions are a fortified checkpoint to counter or contain a threat. The concept of a bastion can be applied to the real-life fortification of a place or a building, or to a computer network.

Bastion hosts (Bastion 1.0)
Bastion hosts (also commonly called bastion servers) are typically configured with a bare-minimum operating system and protocol-specific servers such as an OpenSSH server or an RDP gateway. The term “bastion host” was initially used by Marcus J. Ranum in his 1993 article “Thinking About Firewalls,” where he describes a bastion host as a security-hardened server that should be the strongest and the last checkpoint in a network before access is allowed to the internal network or an internally hosted application. Further, a bastion host can itself be used as a firewall (a bridge to connect to internal network servers) or can host application services on top of its security-hardened system.

Although bastion hosts themselves provide good enough security to protect against direct network access to servers and applications, they have the following shortcomings:

A bastion host requires a dedicated server to be managed. VMs debate, a requirement for managing a dedicated host can be a deal-breaker for smaller teams.

Challenges in extending bastion capabilities.
Extending the capabilities of a bastion host to support multiple protocols or applications requires installing more dependencies. This may increase the attack surface of the host and defeat one of the purposes of a bastion host, which is reducing the attack surface.

Lack of support for modern standardized authentication.
Administrators prefer standard and secure features out of the box. There is no consistent way to create and configure a bastion host. Consider the case of an SSH bastion: should you use agent forwarding, or ProxyJump, or configure the PAM module to support out-of-band authentication?

Bastion service is the new evolution of bastion hosts. A bastion service solves the shortcomings we mentioned above and brings more value in terms of manageability and security. Below are a few differentiators between a bastion host and a bastion service.

Bastion host: Generally attached to a single private network.
Bastion service: Supports multi-cloud, multi-datacenter clusters, allowing interconnected, geo-spanned access points.

Bastion host: Individual components to support multiple services (SSH, FTP, HTTP, etc.).
Bastion service: A single service that understands and accepts multiple protocols.

Bastion host: Public network to internal application and services mapping.
Bastion service: Supports cloud native workflows; can be an ephemeral service, deployed in Kubernetes, or offered as a PaaS.

Bastion host: Additional authentication depends on the service that is responsible for forwarding connections (e.g., SSH).
Bastion service: Primary access control integrated with corporate IAM. Supports client authentication and device attestation.

The identity-aware access proxy in BeyondCorp, Teleport, and the Azure Bastion service are a few examples of bastion services.
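Returning to the SSH bastion question raised under the shortcomings of bastion hosts, here is an added configuration example (not from the original post) contrasting ProxyJump with agent forwarding on the client side, plus a bastion-side sshd_config fragment that confines the hop account; all host names, user names and key paths are assumed placeholders.

```sshconfig
# Added illustration, not from the original post. Host names, users and key
# file names are placeholders.
#
# --- Client side: ~/.ssh/config ---
# Preferred: ProxyJump. The client opens a TCP channel through the bastion and
# runs a second, independently authenticated SSH session inside it. The bastion
# forwards ciphertext only; it never sees the user's private key or agent socket.
Host bastion
    HostName bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
    ForwardAgent no

Host app-*
    HostName %h.internal.example.com
    User deploy
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    ForwardAgent no

# Discouraged alternative: shell onto the bastion with a forwarded agent, then
# hop. While the session lasts, anyone with root on the bastion can use the
# forwarded socket to authenticate as the user anywhere that key is trusted.
# Host bastion
#     ForwardAgent yes

# --- Bastion side: /etc/ssh/sshd_config fragment ---
# Confine the hop account to port forwarding toward known internal SSH ports,
# with no shell, TTY, agent or X11 forwarding, so the host stays a checkpoint.
Match User jump
    AllowTcpForwarding yes
    PermitOpen app-01.internal.example.com:22 app-02.internal.example.com:22
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /usr/sbin/nologin
```

With this in place, `ssh app-01` authenticates once to the bastion and once to the internal host, and a compromised bastion gains no reusable credential from either hop.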