
Bastion host

(also jump box)

Bastion host definition

A bastion host is a hardened, single-purpose computer that sits at the boundary between an untrusted network (usually the internet) and a private network and is built to withstand attacks from the untrusted side. Its purpose is to keep malicious traffic out of the private network by acting as the one controlled entry point: all inbound traffic to the protected resources passes through it and is processed and filtered there. A bastion host may sit outside the firewall, between two firewalls, or on the public side of a DMZ (demilitarized zone). Because it is deliberately reachable from the public network, it is the most exposed and most frequently attacked machine in the environment, which is why it runs only the services it needs and is hardened and monitored more strictly than the hosts behind it.

How a bastion host works

  1. A bastion host provides controlled access to a private network from an external network (e.g., the internet). It acts as a proxy or relay: users connect to the bastion, and the bastion opens the onward connection to the internal system on their behalf.
  2. The bastion host resides on its own subnet with an IP address that is reachable from the public network, so the internal hosts behind it need no public address of their own.
  3. The host accepts only specific types of connections (e.g., SSH, Secure Shell) and only from an allowlisted range of source IP addresses; everything else is dropped.
  4. Onward access to internal resources is controlled with preconfigured ACLs (access control lists) and allowlists, so a user who reaches the bastion can still reach only the internal systems they are permitted to.
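The four steps above map onto three pieces of configuration on a typical SSH jump host: a host firewall that admits SSH only from the administrators' range (step 3), an sshd configuration that gives jump users no shell on the bastion and lets them tunnel only to allowlisted internal hosts (step 4), and a client configuration that routes connections through the bastion with ProxyJump (step 1). The script below renders all three as an added example; it is not code from the original page. Every address, user, group and path in it is hypothetical: the admin range 203.0.113.0/24 and bastion address 198.51.100.10 are documentation prefixes, the internal targets 10.0.1.10 and 10.0.1.11, the group "jumpers", and the drop-in path under /etc/ssh/sshd_config.d/ are all assumed.

```shell
#!/bin/sh
# Added example, not from the original page: the three configuration pieces
# behind an SSH bastion (jump host). All addresses, users, groups and paths
# are hypothetical: admin range 203.0.113.0/24, bastion 198.51.100.10,
# internal targets 10.0.1.10 and 10.0.1.11, jump-user group "jumpers".
set -eu

ADMIN_CIDR="203.0.113.0/24"                   # only these sources may reach SSH (step 3)
BASTION_IP="198.51.100.10"                    # public address on the bastion's subnet (step 2)
INTERNAL_TARGETS="10.0.1.10:22 10.0.1.11:22"  # allowlisted inside hosts; PermitOpen takes host:port, not CIDRs (step 4)

# 1. Host firewall on the bastion (nftables): default drop, new SSH connections
#    accepted only from the admin range.
render_nft_ruleset() {
  cat <<EOF
table inet bastion {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip saddr ${ADMIN_CIDR} tcp dport 22 ct state new accept
  }
}
EOF
}

# 2. sshd on the bastion: key-based auth only, no root login, and members of
#    group "jumpers" get no shell, no TTY and may forward only to the
#    allowlisted internal hosts. bastion-admins keep a normal login for maintenance.
render_sshd_dropin() {
  cat <<EOF
# hypothetical path: /etc/ssh/sshd_config.d/10-bastion.conf
ListenAddress ${BASTION_IP}
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowGroups jumpers bastion-admins
X11Forwarding no
AllowAgentForwarding no
LogLevel VERBOSE

Match Group jumpers
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    AllowTcpForwarding local
    PermitOpen ${INTERNAL_TARGETS}
EOF
}

# 3. Administrator workstation ~/.ssh/config: internal hosts are reached via
#    ProxyJump through the bastion. ForwardAgent stays off so the private key
#    for the internal hosts is never exposed on the bastion itself.
render_client_config() {
  cat <<EOF
Host bastion
    HostName ${BASTION_IP}
    User jumper
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
    ForwardAgent no

Host 10.0.1.*
    ProxyJump bastion
    User ops
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
EOF
}

# Render the three files into a scratch directory (or the directory given as $1)
# so they can be reviewed before being installed on the respective machines.
OUT_DIR="${1:-$(mktemp -d)}"
render_nft_ruleset   > "${OUT_DIR}/bastion.nft"
render_sshd_dropin   > "${OUT_DIR}/10-bastion.conf"
render_client_config > "${OUT_DIR}/ssh_config"
echo "rendered bastion configuration into ${OUT_DIR}"
```

With this in place, `ssh 10.0.1.10` from the admin workstation first authenticates to the bastion as "jumper" and then opens a forwarded connection to the internal host; ProxyJump uses `ssh -W`, which the OpenSSH manual documents as implying -N and -T, so no shell is ever requested on the bastion, and the PermitTTY and ForceCommand lines are there to refuse one if a user asks for it directly. Any attempt to forward to a host not listed in PermitOpen is rejected by sshd, which is the allowlist of step 4 enforced on the bastion rather than trusted to the client.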

Examples of bastion hosts

  • Mail servers
  • Domain Name System (DNS) servers
  • Web (HTTP) and file transfer (FTP) servers
  • Routers

Advantages of using a bastion host

  • Simpler security administration. Because all external access funnels through one hardened host, administrators can concentrate traffic rules, logging, and monitoring there and decide centrally which types of traffic the internal network allows or blocks, instead of exposing and defending every internal system individually.
  • Easier user management. Access is granted and revoked at a single point: when an employee leaves, disabling their account or key on the bastion cuts off their path to every private network behind it, so administrators don’t need to revoke access on each one separately.
  • Easy access to resources. Authorized users can reach private resources from their local computer quickly, through a single well-known entry point, without additional administrative effort for each resource they need.
