Bastion hosts present distant entry to non-public networks from an exterior community. Generally used as SSH proxy servers to assist system administration, bastions present a handy, securable path via a protected community perimeter. As with VPN and RDP, nevertheless, the bastion host is an outdated distant entry know-how that doesn’t work properly in at the moment’s decentralized computing atmosphere.
On this article, we are going to introduce the bastion host idea, why firms use it, and the way bastions work. We may also clarify how bastions — particularly these offering SSH proxy providers — create new safety dangers.
What’s a bastion host?
A bastion host is a devoted server that lets licensed customers entry a personal community from an exterior community such because the web. Positioned outdoors the firewall or inside a DMZ, the bastion host turns into the one ingress path to these inside assets. Entry management turns into simpler to handle whereas minimizing the potential assault floor.
Technically, any single-purpose server offering entry management could possibly be a bastion host. This contains DNS, internet, or mail servers. These programs face the web, in order that they should be on the general public aspect of a firewall or DMZ. On the similar time, they could present licensed customers entry to sure inside assets.
Community directors usually use bastion hosts to remotely handle networked belongings. On this situation, the bastion’s sole objective is to supply SSH proxy providers. Distant directors signal into the bastion after which signal into the subnet or useful resource they should preserve.
Bastions simplify safety administration. The inner community may be configured to dam all internet-bound site visitors and solely enable SSH communications with the bastion host. With all exterior site visitors channeled via the bastion, directors can focus their safety efforts on defending a single asset.
On the similar time, consumer administration turns into less complicated. When an worker leaves, directors don’t must revoke entry to every non-public community and subnet. Revoking the previous worker’s entry to the bastion cuts them off from all the pieces else.
How do bastion hosts work?
To know how a bastion host works, we are going to have a look at a easy situation through which an organization’s directors want entry to Linux situations linked on a subnet inside a digital non-public cloud. Exposing a port in every occasion to the general public web would give directors the entry they want. However the safety implications make that method too dangerous.
As an alternative, a bastion host is used as a bridge between the general public web and the non-public subnet. The bastion runs as a locked-down, single-purpose system — on this case, an SSH proxy server. Directors strip the bastion of all pointless purposes, ports, processes, consumer accounts, and protocols. All the pieces that doesn’t serve the bastion host’s single objective as an SSH proxy will get disabled or deleted.
The bastion host resides by itself subnet with an IP tackle that’s accessible from the general public web. The bastion solely accepts SSH connections from a restricted vary of IP addresses within the IT division. ACLs, allowlists, and different network-level entry controls restrict entry from the bastion to its protected subnets.
When licensed customers must entry a useful resource on the non-public subnet, they have to first use their SSH keys to determine a reference to the bastion host. As soon as authenticated, they’ll then use one other set of SSH keys to attach with the non-public community.
What are the safety dangers of utilizing a bastion host?
As a result of bastion hosts are publicly seen and broadly used to supply SSH proxy providers, they’ve turn out to be a goal for cyberattacks. SSH itself is the issue. Designed as a safer different to TELNET and different early communications protocols, SSH added authentication and encryption. Nonetheless, this thirty-year-old protocol has not stored up with enterprise networking’s speedy evolution. Points of SSH that undermine safety embrace:
- SSH keys grant elevated, even root-level, entry.
- Non-public SSH keys don’t expire robotically.
- Outdated, susceptible SSH hashing algorithms are nonetheless in use.
- SSH has no built-in integration with Identification Suppliers or different safety programs.
- Key administration options aren’t a part of the SSH protocol.
In impact, SSH is a private productiveness instrument that’s used at enterprise scale. With out centralized administration options or safety integrations, SSH leaves key administration to particular person customers. Until everybody within the group follows greatest practices completely on a regular basis, SSH inevitably creates an prolonged assault floor.
A latest examine combining an evaluation of hundreds of thousands of consumer and host keys with a survey of CIOs all over the world discovered:
- On common, every server had 2.5 root entry keys, a minimum of one in every of which was orphaned.
- On common, every server had 2 duplicate and 1 shared non-public key.
- Regardless of the acknowledged danger, 40% of enterprises had no automated instruments to take away unused SSH keys.
With out safety system integration, authentication is left to SSH’s trusting method to authentication. The shortage of centralized administration makes de-provisioning harder. Former staff might retain entry to non-public programs for months or years. As well as, SSH is simple to misconfigure as a result of its deep function set.
Superior menace actors can now spend lower than $50,000 to compromise OpenSSH’s SHA-1 hashing algorithm. That funding is price it. Compromised SSH keys may give attackers elevated or root entry to the bastion host and the networked assets it protects.
What are the perfect practices for securing bastion hosts
Given the bastion’s function as a portal via a safe perimeter, bastion host greatest practices deal with defending the server from assault.
Harden the bastion host
A bastion server will need to have the smallest attainable assault floor. As talked about earlier, it needs to be stripped of all the pieces that doesn’t straight assist the bastion’s operation. All different daemons, processes, protocols, and purposes must go. Visitor and different further consumer accounts needs to be disabled.
Tighten community controls
Entry to the bastion host should be restricted to licensed customers. Community-level entry controls ought to limit incoming SSH connection requests from a recognized vary of IP addresses. Non-public subnets needs to be configured to solely settle for SSH connections from the bastion. Relying on the use case, the community can stop site visitors from passing out via the bastion.
Though tough at scale, there are methods to handle SSH keys. Including multi-factor authentication helps defend towards compromised privileged accounts. Periodically resetting SSH keys reduces the chance of orphaned keys. Common audits assist to establish overly permissive keys.
What alternate options exist for securing firm assets apart from bastion hosts?
Most of the cybersecurity dangers enterprises face each day are generated by decades-old distant entry safety programs. SSH, RDP, VPN, and comparable applied sciences had been developed within the Nineteen Nineties. Again then, the safe perimeter was the dominant community safety paradigm. Trusted customers accessed on-premises assets from their desktop computer systems. Safety infrastructure defended the non-public community from exterior threats.
At the moment, computing and its related dangers have turn out to be way more advanced. Customers are now not sitting within the workplace — and so they might not be staff. The units they use, now not tethered to a desk, could entry assets from anyplace. And the assets themselves are more and more hosted within the cloud. On this atmosphere, counting on a bastion host for entry management may be simply as dangerous as a VPN.
Zero Belief Community Entry is a contemporary method to safe entry management that meets at the moment’s challenges. Relatively than defending networks, Zero Belief protects every useful resource by assuming that any connection request is an assault. Each consumer should confirm their identification explicitly no matter who they’re, what system they use, or the place they’re positioned. As soon as authenticated, the consumer solely receives the least quantity of entry they should do their work.
Twingate’s Zero Belief answer can substitute bastion hosts and the safety weaknesses they create. In contrast to bastion hosts, Twingate doesn’t require public-facing IP addresses. All non-public assets and networks are rendered invisible to the web by software-defined perimeters.
Decentralizing entry management reduces the menace floor additional. Bastion hosts channel all exterior site visitors which makes them targets for assault. Twingate establishes direct, encrypted tunnels between the consumer’s system and the precise useful resource they should use.
Twingate integrates with Identification Suppliers, multi-factor authentication programs, and different components of an current safety stack. Easy administration consoles make it simpler to alter permissions as customers’ roles evolve — or take away permissions fully when a consumer departs.
Lastly, Twingate is absolutely appropriate with SSH so directors can use the instruments they know to handle their programs. Twingate handles the authentication and authorization features extra securely than SSH ever might.
Substitute your bastion hosts with Twingate’s distant entry answer
Bastion hosts have turn out to be pervasive components of enterprise networks. They supply a single distant entry path to protected community assets. Locking down the bastion host and designing community infrastructure to manage entry lets firms focus safety assets on a single asset. The bastion’s worth as an SSH proxy makes it a well-liked solution to handle community assets remotely.
Nonetheless, the bastion’s public IP tackle makes it a gorgeous goal for cybercriminals. Widespread reliance on SSH is a selected weak point that makes the bastion a vital vector for assaults.
Twingate’s Zero Belief Community Entry answer makes distant entry safety simpler to deploy and handle in at the moment’s cloud-centric computing atmosphere. Directors can use SSH to remotely handle non-public assets, whether or not within the cloud or on-premises, extra securely and effectively.
Contact Twingate to study extra about changing bastion hosts with our Zero Belief distant entry answer.