(also jump box)
Bastion host definition
A bastion host is a specialized computer designed and configured to withstand cyberattacks. The purpose of a bastion host is to prevent malicious traffic from entering the network by processing and filtering all incoming traffic. A bastion host resides outside the firewall, between two firewalls, or on the public side of a DMZ (demilitarized zone). It is deliberately exposed on a public network and is prone to attacks.
How a bastion host works
- Bastion hosts provide access to a private network from an external network (e.g., the internet). They act as proxy servers.
- A bastion host resides on its own subnet with an IP address accessible from the public network.
- The host only accepts specific types of connections (e.g., secure Secret Shell) with a range of IP addresses.
- Access to internal resources is controlled with preconfigured ACLs and allowlists.
Examples of bastion hosts
- Domain Name System (DNS)
- Web and file transfer protocols
Advantages of using a bastion host
- Simpler security administration. Administrators can configure the internal network to block and allow certain types of traffic, making security management simpler.
- Easier user management. Administrators don’t need to revoke access to each private network when employees leave.
- Easy access to resources. You can access private resources from your local computer quickly and without additional admin effort.