Bastion hosts vs. VPNs
Bastion hosts can be a valuable resource for companies, improving security and limiting access to shared resources. However, it may not be necessary to use a bastion host when resources can be accessed directly from your network. This article will explore what bastion hosts are, what they’re used for, their limitations, and how they compare to VPNs such as Tailscale.
Securing the connection between employee devices and company resources should be an essential part of any organization’s security strategy. This growing challenge can be exacerbated as employees increasingly expect to be able to connect to work environments from anywhere, including from home, while traveling, and at the office. Giving employees the right tools to work securely is a critical step to protect your organization from cyberattacks.
There are many ways to provide a secure connection between users and company resources, one of which is through a bastion host. A bastion host is usually a highly restricted and heavily monitored server that provides access from the public internet to a private network. Another way to create a secure connection between users and company resources is by adding them to a virtual private network (VPN). A VPN creates a private connection between two devices by creating an encrypted tunnel directly between the requesting device and its destination.
Bastion hosts and VPN technologies both emerged in the 1990s, and either can provide employees with a secure connection to their work environment. It wasn’t until the advent of cloud computing, however, that these technologies could be delivered at scale. The primary difference between bastion hosts and VPNs is that a bastion host, by necessity, creates a single point of entry or failure, whereas a VPN creates separate encrypted private tunnels for each connection.
This article will cover bastion hosts in detail, address their use cases and limitations, and compare them to VPNs such as Tailscale — an alternative that can be superior in terms of latency and security.
What is a bastion host?
Also known as a jump box, a bastion host is a hardened computer meant to withstand cyberattacks: It will disable any unnecessary network services and run only the bare minimum of applications — such as a proxy server, load balancer, or firewall — in order to provide a connection, leaving far fewer attack vectors to be exploited. Bastion hosts are also fitted with logging and monitoring in their underlying operating system (such as Linux) to help you identify any attacks or security incidents.
Bastion hosts are encased in external firewalls within a demilitarized zone (DMZ). The DMZ allows bastion hosts to be accessed by an external client. This is necessary to provide an entry point for public networks into the network; however, if the connection is compromised in the DMZ, the network is also compromised.
In a standard virtual computer environment, unhealthy or unnecessary servers are discarded or replaced. By contrast, a bastion host gets specific attention to maintain the secure environment. In other words, servers are treated as pets as opposed to cattle in the DevOps model.
Bastion host use cases
A bastion host lives remotely on a server. Secure shell protocol (SSH) allows users to log in to the bastion host remotely and run queries to a private network. Administrators commonly use a bastion host to run an SQL query where the database is inaccessible from the public internet.
Bastion hosts also allow better access management for IT admins who want to control access to resources in a way that doesn’t expose login credentials. Hosts can be set up as highly secure environments where policies can be implemented to filter access for different users. A bastion host can be faster to set up than a VPN since they tend to be simple servers as opposed to requiring network infrastructure.
Bastion hosts also offer some protection against data exfiltration, which is the unauthorized transfer of data from one device to another. Users on a VPN can download sensitive files directly to their workstations, and when the VPN connection is disabled, those files are now outside the protected file system. With bastion hosts, admins can disable folder redirection to prevent users from removing data from the internal network in the first place. This is an important feature for companies with many remote employees, as it gives them more control over the use and dissemination of company files.
Bastion host shortcomings
Bastion hosts have a number of disadvantages to be considered.
Management overhead
With a bastion host, users contact a specific server to access company infrastructure. Since the server is the ingress point for everyone — as opposed to individual connections between devices — this introduces a notable bottleneck with a great deal of operational overhead.
Network vulnerability
If the bastion server is down, no one can access the network, and the server can be overloaded with concurrent connections or a targeted attack. Companies may also be managing multiple bastion hosts for different networks. Even though some configuration can be automated, the more bastion hosts a company must manage, the greater the risk of misconfiguration, outdated patches, or an incorrect script exposing the server to cyberattack.
Susceptibility to cyberattacks
The cybersecurity landscape is always changing. Just like new software can disrupt the technology market, new advances in threat technology can make current security measures outdated. This increases vulnerability, and if bastion servers aren’t up to date and at the cutting edge of security practices, they can become obsolete and susceptible to cyberattack.
Reliance on access keys
Each bastion host has a set of public and private access keys that other servers can use to connect securely to it. Only the host knows the private key, and doesn’t share this data. It’s best practice to frequently rotate these keys to flush out any hacking attempts on the key. Due to the lack of enforceable controls surrounding them, keys are not always rotated, making it difficult to properly secure certifications.
Single point of failure
Most importantly, a bastion host is a single point of entry to a secure system, meaning that it’s also a single point of failure. Once a bastion host is compromised, everything it has access to is compromised as well. This can make bastion hosts a primary target for cyberattacks.
Given these shortcomings, admins often look for another solution that provides the security and scalability needed for a large remote workforce. This is where a modern, WireGuard®-based corporate VPN can provide an elegant solution.
Why you should use a VPN instead of a bastion host
You’ve learned that bastion hosts tend to rely on SSH to provide a connection, which introduces a number of security concerns. SSH relies on users following traditional security best practices, such as strong passwords and key rotation. These practices are often ignored; in fact, modern security best practices suggest avoiding passwords entirely in favor of more secure options such as single sign-on (SSO). Malicious software on the internet continuously scans for SSH servers and tries to guess weak passwords. SSH does not force users to rotate keys, so even though it’s best practice, almost no one does it.
Because the main risk to a bastion host is its single point of failure, employees can lose access to shared resources in the event of a cyberattack, and a compromised or stolen key can lead to the entire network being compromised.
VPN solutions like Tailscale improve the security of the connection by moving the SSH connection to a private mesh network. This network is end-to-end encrypted through the VPN network. The biggest advantage of using a VPN is that — unlike bastion hosts, which are accessible on the public internet — a VPN creates a private, direct connection, which represents a reduced attack surface compared to that of a bastion host.
If you have a global footprint, the traffic in your network may have traversed a long distance to pass through the bastion host before reaching the private network. This adds latency and limits throughput. Tailscale addresses this by keeping all VPN servers on their private peer-to-peer network, which is more secure and also faster than managing individual bastion hosts directly. It also automatically rotates your access keys on the secure network to provide an additional built-in security benefit.
Tailscale also supports multi-factor authentication, which requires users to log in using an additional device only they have access to. This enhances the security of the network with an extra layer on top of the standard password layer. With Tailscale, only authorized users can connect to the SSH server. Tailscale’s network access controls allow you to set up security policies that specify who can access your server.
Conclusion
Bastion hosts provide a secure way to connect to company infrastructure by acting as a single point of ingress for multiple employees connecting remotely. While it can be easier to manage a single point of contact, the fact that these hosts are a single point of failure makes them particularly vulnerable when it comes to security. Your passwords can be exposed if you don’t have secure password management or don’t frequently rotate your keys. These are common points of attack against bastion hosts because passwords can be used to access the bastion host and, in turn, the entire private network.
To address these issues, Tailscale has developed a solution that replaces the need for bastion hosts entirely by moving resources, and therefore SSH connections, inside a virtual private network — which also improves security and reduces latency. To give it a try, download Tailscale for free today.
FAQs
What are some advantages of using a bastion host?
Because they are typically simple servers, bastion hosts can be faster to set up than VPNs. They allow better access management for IT admins who want to control access to resources in a way that doesn’t expose login credentials, and they can be set up as highly secure environments where policies can be implemented to filter access for different users.
What are the drawbacks of a bastion host?
Despite their popularity, bastion hosts have disadvantages. Their effectiveness is dependent on keeping them up to date with the latest security measures, and they can require significant resources to maintain. Because they are the single point of ingress to a network, they represent a bottleneck that can slow traffic. Worse, if the bastion host goes down, users won’t be able to access the network at all; and if the bastion host becomes compromised, the entire network becomes vulnerable to attack.
