
What Is A Bastion Host? Choosing A Network Security Solution For Your Business

This article explains what a bastion host is, the security risks involved with using one and the alternatives for your business.

Lukas Dolnicek




There are several layers of security that you can put in place to protect your network from external threats. One such tool is a cloud business VPN; however, there are many other options available to cover different attack vectors.

You may have read that a bastion host is a potential solution to your cybersecurity risks. However, bastion hosts are outdated technology and won't be able to protect you against all attempted attacks.

It is important to know what a bastion host is so that you can understand why alternative security methods are necessary.

Table of contents

What Is a Bastion Host?

How a bastion host works

What is SSH protocol in relation to bastion hosts?

Does your business need a bastion host?

The security risks involved in using bastion hosts

Business Security Alternatives: Virtual Private Network (VPN) Vs. Bastion Host

Wrapping Up on What a Bastion Host Is

💡 Key Terms to Understand

Secure shell (SSH): This is a secure connection that uses encryption so that no one can intercept and read the data being sent between two computers on a network.

A demilitarized zone (DMZ): An isolated section of a computer network that typically hosts services that are available to external users, such as a website.

Local area network (LAN): A network of computers that is limited to a physical area, such as an office building.

Cyberattack: When an ill-intended individual attempts to break into your business network to steal your sensitive data and compromise your systems, usually for financial gain.

Domain name system (DNS): A network service that turns the domain name or URL of a website into an IP address.

Internal instances: Virtual machines or servers that run on a cloud platform that hosts resources like databases and application servers.

What Is a Bastion Host?

Your business likely has some form of a private network (or virtual network), which is a combination of all your:

➡️ User devices.

➡️ Servers.

➡️ LANs.

➡️ Network devices like printers.

➡️ Cloud storage.

➡️ Software and applications.

A bastion host is a special computer that plays the role of a gatekeeper between a device and your private network. Because the internal network and the services hosted on it typically do not accept traffic directly from the Internet, SSH through the bastion host may be the only means of reaching those services.

A bastion host forms a bridge between your device and the network you want to connect to.

Only authorized users can access the other computers on this private network using this bridge.

This prevents unauthorized access to your business network, blocking hackers from accessing your resources and sensitive data.

Bastion hosts also provide an added layer of security if you have remote employees who need to access your business resources from various locations outside your physical office.

Additionally, private networks with bastion hosts in place can connect geographically separated branches to your headquarters. This allows for secure communication between branches and access to shared resources.

Bastion Hosts and Security Guards

You can think of a bastion host as a security guard that controls who can and cannot access a building.

This security guard has a list of people who are authorized to enter the building. If you are not on this list, you are not authorized to enter.

You must be able to verify your identity to this security guard before you can access the building.

How a bastion host works

When set up, a bastion host is connected to your private network, also known as a private subnet, and a public or external network like the Internet.

If one of your employees wants to access your private network, they must connect to your bastion host using a secure connection such as SSH.

The bastion host will verify your employee’s identity, much like the security guard mentioned above. If they are an authorized user, that is, if their name is on the list, they can access your private network.

Typically, a bastion host is placed outside your business firewall in a DMZ so that it is the only way through which someone can access your resources and data.

Where Would You Find a Bastion Host?

Within your business, a bastion host would be a security method to protect your private network. However, any server with the sole purpose of providing access control is technically a bastion host.

This means that even DNS, email, or web servers count as bastion hosts. These servers face the public network—the Internet—so they need to be on the public side of your DMZ or firewall.

Bastion hosts act as a secure bridge between private and public networks. Having this bridge in place means your employees have remote access to your private network while maintaining a decent level of security.

A bastion host is stripped of most applications and processes and typically hosts a single application, which keeps its attack surface small.

Bastion Hosts and Bridges

Just like a bridge that connects two locations, a bastion host is a secure point of access between two networks.

A bridge usually has an entry and an exit. Bastion hosts are a point of entry and exit between two networks.

Only authorized people can cross this bridge to travel from one end to the other, as this bridge is protected by our security guard mentioned earlier.

What are instances?

In the context of a bastion host setup, instances refer to virtual machines or servers that run on a cloud platform like Amazon Web Services (AWS).

These private instances can be used to run a bastion host on the cloud.

Cloud instances are:

➡️ Scalable: A cloud instance can be scaled up or down based on your business needs.

➡️ Highly available: Cloud instances can ensure a bastion host is always available.

➡️ Cost-effective: An instance can be turned off when not in use, reducing costs.

➡️ Flexible: Private instances on the cloud are easily configured.

What is SSH protocol in relation to bastion hosts?

SSH (secure shell) is a protocol that allows secure remote access to a computer or device.

It provides a secure way to connect to a remote system over an unsecured network, such as the Internet, and is usually used to log into a server or remotely manage network devices.

An SSH key is a pair of files used to authenticate a user on an SSH server. These two files are a private key and a public key.

When a user wants to connect to an SSH server, the client uses their private key to sign a challenge message that is sent to the server, which checks the signature against the user's public key.

When an authorized employee wants to access a resource on your private subnet, they must use SSH keys to establish a connection with the bastion host.

Once an employee has passed authentication, they can use another key pair to connect with your business network.

Does your business need a bastion host?

You have sensitive information stored within your business. This data could be usernames and passwords, credit card numbers, customer details, and financial records.

As a business owner, you would not want anyone from outside your company to be able to access these private resources.

To prevent this from happening, a bastion host provides access to your employees but prevents hackers from gaining access to your information.

Some other reasons you may want to use a bastion host server within your business include:

➡️ Secure remote access: Having remote teams makes your business far more vulnerable to attacks. Having a bastion host in place protects your private resources and allows employees to access your network remotely.

➡️ Network segmentation: You can segment your private network, keeping it isolated from your external network.

➡️ Logging and monitoring: You can monitor everyone who accesses your resources and keep track of everything that is happening within your network. This includes unsuccessful logins, which helps you identify an attack.

➡️ Single point of access: A bastion host creates a single point of access that makes it easier to control who accesses your business resources. This can prevent attackers from gaining access to your entire network once they have penetrated one system.

➡️ Hardening: Usually, bastion hosts are hardened. This means they are secured against some of the more common attacks, making it difficult for attackers to access your network.

The security risks involved in using bastion hosts

Based on the above, you may think that a bastion server is the best way to protect your business.

However, bastion hosts are an outdated technology that was created over 30 years ago.

This makes it easier for attackers to penetrate your private subnets, which is just one reason why this is no longer an effective security solution for your business.

Let’s take a look at a few of the other reasons why a bastion host is a risky choice for your business:

❌ If your bastion host is compromised, a hacker can easily access your private subnets.

❌ If it is not properly configured and secured, a bastion host can help a hacker advance their attack even deeper.

❌ If you do not monitor your bastion host closely, a hacker might go undetected.

❌ Your bastion host will need to undergo regular checks and be properly updated so that it is not vulnerable to the latest security threats.

Based on these points, it becomes clear that a bastion host not only requires a lot of time and effort to maintain, but also becomes quite easy to penetrate if you make even the smallest error in your setup.
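Two of the risks above, misconfiguration and missing regular checks, can be turned into a routine audit. As an added example (not the article's or GoodAccess's code), the POSIX-shell script below reads an sshd_config, reports the settings that weaken a jump host, and shows a weak configuration next to the hardened one; both configs are constructed, while the directive names and the defaults assumed for missing directives follow OpenSSH's sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the article: audit a bastion's sshd_config before
# exposing it. The two configs are constructed; the directive names and the
# defaults assumed when a directive is missing follow sshd_config(5).

WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowAgentForwarding yes
X11Forwarding yes
MaxAuthTries 6'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowAgentForwarding no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
AllowUsers jumpuser'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Value of one directive. sshd keeps the first occurrence and ignores the
# keyword's case; $3 is the default to use when it is absent.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$(lc "$2")" -v def="$3" '
        val == "" && $1 != "" && substr($1, 1, 1) != "#" && tolower($1) == key { val = $2 }
        END { print (val == "" ? def : val) }'
}

# Print "Directive current -> wanted" per weak setting; no output means pass.
audit_bastion_sshd() {
    cfg="$1"
    for spec in PermitRootLogin:prohibit-password:no PasswordAuthentication:yes:no \
                AllowAgentForwarding:yes:no X11Forwarding:no:no LogLevel:INFO:VERBOSE; do
        name=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        cur=$(sshd_get "$cfg" "$name" "$def")
        [ "$(lc "$cur")" = "$(lc "$want")" ] || echo "$name $cur -> $want"
    done
    # More than 3 tries per connection hands a brute forcer free attempts.
    tries=$(sshd_get "$cfg" MaxAuthTries 6)
    [ "$tries" -le 3 ] || echo "MaxAuthTries $tries -> 3"
    # AllowUsers has no default: unset means every local account may try.
    [ -n "$(sshd_get "$cfg" AllowUsers '')" ] || echo "AllowUsers (unset) -> explicit list"
}

audit_bastion_sshd "$WEAK_CONFIG"
```

Run it against the real file with `audit_bastion_sshd "$(cat /etc/ssh/sshd_config)"` as part of the regular check the article calls for; an empty result is a pass.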

Business Security Alternatives: Virtual Private Network (VPN) Vs. Bastion Host

A business security solution that is far more effective than a bastion host is a VPN.

A VPN creates a secure and encrypted connection between a device, like a laptop, smartphone or desktop computer, and a private network.

Compared to a bastion host, a VPN provides several significant advantages:

✅ Provides a secure and encrypted tunnel for all your traffic to pass through. A bastion host only secures access to specific resources.

✅ Allows your employees to access internal resources as if they were on an internal network. A bastion host requires users to log into a separate server before they can access internal resources.

✅ Can be used to access internal resources from anywhere in the world through an Internet connection. A bastion host is only accessible from specific locations or through specific external IP addresses.

✅ Can be used to connect an internal network from different external IP addresses, whereas a bastion host is only accessible from specific external IP addresses.

✅ Uses encryption to secure your data as it travels between an employee’s device and your network. A bastion host relies on basic security protocols such as firewalls.

✅ Can be implemented in different ways, such as a remote access VPN or a site-to-site VPN, whereas a bastion host is only used for remote access to specific resources.

Why GoodAccess Is the Right Security Solution for Your Business

Not only is the GoodAccess cloud VPN for businesses able to do everything we’ve mentioned above, but the product is also packed with carefully designed features to protect your company.

While a bastion host might protect your business to some extent, the GoodAccess cloud VPN is the perfect solution to ensure your business is as secure as possible.

Additionally, the affordability of our product means your small business is protected against costly attacks without having to pay for complex and expensive infrastructure.

Wrapping Up on What a Bastion Host Is

A successful cyberattack against a small business can have devastating effects. Apart from damaging your systems and interrupting your operations, an attack can even result in you going out of business.

Having a bastion host in place is a useful way to give employees access to internal services, or to cloud services, that you do not want to expose publicly. In most cases it serves as a proxy server that allows users to connect to remote servers via SSH.

However, bastion hosts can expand the business attack surface, since they are exposed on a public network (the Internet) and are therefore a target for brute-force attacks. Another risk comes from the fact that bastions use the Secure Shell protocol (SSH) to provide internal access, which is a frequent target for attackers.

Using a VPN designed specifically for businesses is a far more modern solution than a bastion host. It has been developed using the latest security features to defend against current types of attacks, and it allows you to control and monitor who accesses your network.

Visit our website to sign up for your free, full-feature GoodAccess trial. You’ll learn more about our VPN and why it is the best defense against cybercriminals.

Frequently Asked Questions (FAQs)

What is SSH agent forwarding?

SSH agent forwarding is a feature of SSH that allows you to use a single set of SSH keys to authenticate to multiple servers without copying your private keys to each server.

SSH agent forwarding can be used along with a bastion host to provide secure access to internal resources.

An SSH tool such as OpenSSH is used to establish SSH connections and manage SSH keys.
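Agent forwarding gets you from the bastion to an internal host, but while you are connected it gives the bastion a socket that can sign with your keys. As an added example (not from the article or from GoodAccess), the POSIX-shell block below shows OpenSSH's ProxyJump alternative for the two-key flow described in the SSH section: the client config, a lookup of the effective directives per host, and the hop chain the client will take. The hostnames, users, addresses and key file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: reach an internal host *through* the
# bastion with OpenSSH's ProxyJump instead of agent forwarding. The second SSH
# session is tunnelled inside the first, so the key for the internal host is
# only used on the laptop and the bastion never sees an agent socket.

CLIENT_CONFIG='Host bastion
    HostName bastion.example.com
    User jumpuser
    IdentityFile ~/.ssh/id_bastion
    IdentitiesOnly yes
    ForwardAgent no

Host internal-db
    HostName 10.0.1.20
    User dbadmin
    IdentityFile ~/.ssh/id_internal
    IdentitiesOnly yes
    ProxyJump bastion'

# Print the value of a directive inside one Host block (empty if absent).
# $1 = config text, $2 = host alias, $3 = directive name (case-insensitive)
ssh_host_option() {
    printf '%s\n' "$1" | awk -v host="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" { inblock = ($2 == host); next }
        inblock && tolower($1) == key { print $2; exit }'
}

# Print the hop sequence the client takes to reach $2, following ProxyJump
# until a host with no jump is found, e.g. "bastion internal-db". $1 = config
jump_chain() {
    chain=""; host="$2"; depth=0
    while [ -n "$host" ] && [ "$depth" -lt 8 ]; do   # depth cap stops a jump loop
        chain="$host${chain:+ $chain}"
        host=$(ssh_host_option "$1" "$host" ProxyJump)
        depth=$((depth + 1))
    done
    printf '%s\n' "$chain"
}

# Typical use once saved as ./config:  ssh -F ./config internal-db   (no -A needed)
jump_chain "$CLIENT_CONFIG" internal-db
```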

What is perimeter access control security?

Much like access control, perimeter access control security is a way to protect a network by controlling who can access it and what they are able to do once they are inside it.

This is achieved by establishing a perimeter around the network, which acts as a barrier or a set of rules that determines who can enter and exit a network.

Some common perimeter access control methods include firewalls, VPNs, and bastion hosts.

What is an external IP address?

An external IP address is a unique code that is assigned to a device—like a laptop, desktop computer, or smartphone—that is connected to the Internet.

An external IP address is assigned to your device by your Internet service provider (ISP).

There are two types of external IP addresses: static IPs and dynamic IPs.

A dynamic external IP address changes from time to time. A static external IP address never changes; it remains the same indefinitely.

A static external IP address can be used in conjunction with a VPN to do something called IP whitelisting, which allows you to control exactly which external addresses may access your network.

How is a proxy server used with a bastion host?

A proxy server and a bastion host work the same way in the sense that they control access to a network. However, they serve different purposes.

While a bastion host is a server that sits on the perimeter of a network and allows remote access to internal networks, a proxy server controls access to the Internet.
