24

What's are the differences/similarities between a "bastion host" and a "jump host"? Are they usually used interchangeably?

kolistivra
  • 343
  • 1
  • 3
  • 7

2 Answers2

22

A Bastion host is a machine that is outside of your security zone.
And is expected to be a weak point, and in need of additional security considerations.

Because your security devices are technically outside of your security zone, firewalls and security appliances are also considered in most cases Bastion hosts.

Usually we're talking about:

  • DNS Servers
  • FTP Servers
  • VPN Servers

A Jump Server is intended to breach the gap between two security zones.

The intended purpose here is to have a gateway to access something inside of the security zone, from the DMZ.
The main reason I've seen this utilized is to make sure that the one known entrance to a specific server that has to be accessible from the outside is kept up to date and is known in its purpose as only having to connect to (a) specific host(s).

Usually this is a hardened Linux box only used for SSH.

Reaces
  • 5,547
  • 4
  • 36
  • 46
  • The difference seems subtle -- isn't a VPN server intended to breach the gap between two security zones? [This article](http://radar.oreilly.com/2014/01/is-the-jump-box-obsolete.html) seems to imply that a jump host is a type of bastion host. – jhfrontz Jun 27 '16 at 15:01
  • 5
    @jhfrontz The main difference as I understand and use it, is that a jump host is used for remote access. And Bastion hosts offer services that need to face the internet. Look at jump hosts as border guards, and bastion hosts as a tellers window at a bank. You can get services from the teller, but you don't access the bank. On the other hand once past the border checkpoint you're inside the country. – Reaces Jun 30 '16 at 21:23
  • I get how the other two (DNS and FTP servers) conform to the teller analogy but I thought the VPN server was listed as an example of a bastion host -- I was thinking that a VPN server is for offering remote access (i.e., a border guard). Or is the suggestion that a VPN connection is a "service" (and that connectivity to points on the internal network can be limited) vs. access? – jhfrontz Jul 01 '16 at 00:42
  • 2
    @jhfrontz The reasoning here is that the vpn server isn't the one you connect to. It creates the tunnel you use to connect with. But you generally don't ssh into your vpn enabled firewall :) – Reaces Jul 01 '16 at 05:53
0

Bastion hosts are a server specifically designed to provide access to a private network from an external network to withstand attacks and illegal access. It's also known as a jump box. Which act as a proxy server and allow client machines to connect to remote servers via it. Any single-purpose server providing access control could be a bastion host. This includes DNS, web, or mail servers.

Network administrators/System administrators mainly used bastion hosts to remotely manage the remote machines/servers. These systems face the internet, so they need to be on the public side of a firewall. Because bastion hosts are publicly visible and widely used to provide SSH proxy services, they have become a target for cyberattacks. So the bastion host/jump box should be secure.

enter image description here

Ezeelogin
  • 1
  • 1