Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Home > Teleport Academy > Infrastructure Access

What are bastion hosts?

Posted 25th Feb 2024 by Travis Swientek
What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

Bastion hosts are secure gateways for controlling access to internal networks, offering hardened security, strong authentication, and network segmentation to protect against cyberattacks.

Bastion hosts act as fortified gateways that control access to internal resources from external networks. They are specifically designed and configured to withstand cyberattacks, providing a secure entry point for remote access through protocols like SSH (Secure Shell) to Linux and RDP (Remote Desktop Protocol) to Microsoft Windows. In most cases, bastion hosts operate as a proxy server, preventing cyberattackers from entering a private network and serving as a critical cybersecurity measure in traditional network achitectures. Firewalls, routers, DNS servers, or anything that provides perimeter access control security can be considered a bastion host.

Benefits of Bastion Hosts

By funneling all traffic through a single, secure pathway, bastion hosts help reduce the attack surface and enforce access control policies, protecting companies from external threats.

Key Features of Bastion Hosts

  • Hardened Security: Bastion servers are meticulously configured with the highest security standards to resist unauthorized access and cyberattacks.
  • Access Control and Authentication: Bastion hosts often incorporate strong authentication mechanisms, including multi-factor authentication (MFA) and SSH keys, to verify the identity of users attempting to access the internal network.
  • Network Segmentation: Placed in a demilitarized zone (DMZ) or a specially designated subnet, bastion hosts act as a buffer between the external internet and the private network, enhancing network security.
  • Audit and Monitoring: Bastion hosts enable detailed auditing and logging of access attempts and activities, facilitating compliance and the investigation of security incidents.

Bastion Host Limitations

Although bastion hosts offer a layer of security for traditional network configurations, they present certain limitations in modern, distributed environments:

  • Complexity and Management Overhead: The configuration and maintenance of bastion hosts can be complex and resource-intensive.
  • Scalability Issues: As organizational infrastructure grows, especially with cloud computing and multi-cloud strategies, scaling bastion hosts and managing access becomes increasingly challenging.
  • Single Point of Failure: Concentrating access through a bastion host can create a single point of failure, potentially putting the entire network at risk if compromised. Bastion hosts do not prevent lateral attacks if a network is breached.

Teleport Take

Teleport Access Platform offers a modern alternative to traditional bastion hosts by for secure access management. With Teleport Access Platform, companies no longer need to configure bastion hosts to secure remote access to resources, simplifying complexity while unifying access across fragmented access silos. Teleport Access Platform leverages:

  • Zero Trust Architecture: Teleport eliminates the need for a traditional perimeter-based security model by verifying the identity of users and devices for every access request, ensuring that trust is never assumed. Teleport secures remote access with zero trust to applications and workloads, not just the network, and all the way through the layers of the infrastructure stack.
  • Cryptographic Identity: Instead of relying on shared secrets or credentials stored in a vault, Teleport uses cryptographic identity for authentication of users and non-human identities, significantly reducing the risk of credential theft and unauthorized access. Companies do not need to manage SSH keys to secure SSH connections or other private keys governing access.
  • Unified Access: Teleport unifies secure access to infrastructure across cloud (e.g., AWS), on-premises, and hybrid environments, eliminating the need to protect access silos with fragmented security strategies. By supporting SSH connections, RDP access, database access, application access, cloud access, Kubernetes access and more, companies can unify their approach to securing infrastructure access and support DevOps workflows.
  • Enhanced Audit and Compliance: Teleport offers comprehensive logging and auditing capabilities, surpassing the monitoring and audit trail requirements provided by traditional bastion hosts, enabling organizations to easily meet compliance standards.

By adopting Teleport Access Platform, organizations can move beyond the limitations of bastion hosts, embracing a more flexible, secure, and scalable approach to infrastructure access. Teleport's innovative use of zero trust principles and certificate authority simplifies remote and third-party access, eliminates cumbersome VPNs and bastion hosts, and addresses the challenge of access silos, setting a new standard for modern access management.

What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

Table of Contents

Background image

Teleport Enterprise

Protect your infrastructure with essential security & compliance capabilities

Tags
bastion host
proxy server