What is Bastion Host
Assume that you are creating a cluster or setting up some infrastructure in a
public cloud environment. The public cloud
environment allows you to provision a private, isolated section of the Cloud where
you
can launch various services and other resources in a virtual network that you
define.
We refer to this private network as a virtual private cloud (VPC).
The next important part of creating an infrastructure in the cloud is to
provide
a mechanism for secure connection and a communication channel to your VPC
resources.
There are a variety of considerations to design a secure communication channel to
your
VPC. The first decision that you might want to take is to provide an external IP
address.
You might want to assign an external IP address to some of the machines and
services
as your users would need to access them over the internet.
However, there are a variety of scenarios, when you do not want to assign an
external
IP to some of the instances in your VPC. For example, I created a Hadoop cluster
for
my development team in a VPC. I want my development teams to connect to some of
these
machines using an SSH tool. However, I don’t want to assign an external IP address
to
any of these machines to avoid various security risks. However, that gives me a new
problem.
When instances do not have external IP addresses, they can only be reached by
some
other instances on the network. How to allow my development teams, sitting in a
corporate
network, to access these machines over an SSH connection?
The most convenient method is to provide an instance in your network to act as
a
trusted relay for inbound connections. We call that instance a Bastion Host.
What is Bastion host?
Anything that provides perimeter access control security can be considered as the Bastion Host or Bastion Server. In fact, a Bastion host also known as a Jump Box is a particular purpose computer on a network that acts as a proxy server and allows the client machines to connect to the remote server. The Bastion hosts are used in cloud environments as a server to provide access to a private network from an external network such as the Internet. Since it is exposed to potential attack, a Bastion host must be protected against the chances of penetration.
How Bastion host works?
Bastion hosts are there to provide a point of entry into a network containing private network instances. The following figure shows the details of how a Bastion server works.
As shown in the figure, all your isolated instances have only internal IP addresses
in your VPC. However, the Bastion host
instance has an external IP address as well as an internal IP address. If you need
to
access instances on the internal network that do not have an external IP address,
you
can connect to a Bastion host and then connect to your internal instances from that
Bastion
host. This method uses a two-step SSH connection. Since the Bastion host uses a
two-step
SSH connection, it allows you to connect to the development environment without
external
IPs and additional firewall rules. When using a bastion host, you log into the
bastion
host first, and then into your target private instance. Because of this two-step
login,
the bastion hosts are sometimes called "jump servers."
The Bastion host can be started and stopped to enable or disable inbound SSH
communication
from the Internet.
Bastion Host Best Practice
By default, SSH on your private instances as well as Bastion server is configured
to use private keys for authentication.
When you connect to some other cases from a bastion host instance, you still
require
a private key. The easiest method is to keep a copy of the private key of the users
in
the bastion host. This method is simple but not a recommended, because if the
bastion
host is compromised, all the private keys associated with the users will also be
compromised.
The answer to the problem is to use the SSH agent forwarding in the implementation
of
bastion hosts.
The best practice is to use the ssh-agent forwarding instead of storing the
target
machine's private key on the bastion host. You must use the ssh-agent forwarding
even
if you are using the same key-pair for both bastion and target instances.
Other than the use of Agent Forwarding, you should also take great care of
hardening
the security for the Bastion server. You must remove all unnecessary packages and
installations
from the Bastion host. It should only host that is essential.
How SSH Agent Forwarding works?
The ssh-agent is a helper program that keeps track of user's identity keys such as
SSH private key. The agent can then use
the keys to log into other servers without having the user type in a password. By
default,
the agent uses SSH keys stored in the .ssh directory under the user's home
directory.
The ssh-add command is used for adding new private keys to the agent that are
stored
outside the .ssh directory.
Furthermore, the SSH protocol implements agent forwarding. Agent forwarding is
a
mechanism for single sign-on that can progress transitively. The SSH single sign-on
works
independent of organizational boundaries and geography. SSH agent forwarding can
easily
implement single sign-on to servers on the other side of the world, in cloud
services,
or at customer premises. No central coordination is needed. All you need to do is
to
set the ForwardAgent option as yes on the client, and the
AllowAgentForwarding
option set to yes on the server. That’s it. Everything else works seamlessly.
You can use the following sequence of activities to use the SSH Agent
forwarding
from a Linux machine.
- Make sure that your Public SSH Key is configured to both the Linux Bastion host and to the instancesthat do not have an external IP address. You can follow your Cloud provider’s document to get this configured.
- Start the ssh-agent on your local machine. On most Linux systems, ssh-agent is automatically configured, and no additional actions are required to use it.
- Use the ssh-add command to load your private SSH key from your local computer into the agent.
- Connect to the Linux bastion host instance and forward your private keys with ssh. The -A argument sets the ForwardAgentoptions to yes and enablesprivate key forwarding.
- Connect to the instance that does not have an external IP address by using SSH.
If the connection is successful, you can use the terminal to run commands on the instance that does not have an external IP address.When you are done, you can use the exit command to close each instance connection and return to your local workstation.
SSH Agent Forwardingon Windows
If you are using a windows machine, you might have to use an SSH tool such as Putty. The process is the same as Linux machine.
- Start Putty and enter your Bastion Host IP address.
- Go to connections, SSH, Auth and browse your Private Key file.
- Select the Allow agent forwarding to checked state.
- Connect to your Bastion server.
- Connect to the instance that does not have an external IP address by using SSH.
If the connection is successful, you can use the terminal to run commands on the instance that does not have an external IP address.When you are done, you can use the exit command to close each instance connection and return to your local workstation.
Advantages & Disadvantages
The Bastion Host has the following advantages.
- It provides a single point for the logins in the network. This makes the firewall rules simple.
- It would be easier to log all the attempts and take necessary measures for failing attempts.
- It simplifies authentication via SSO.
- It is an easy and quick method for small to medium sized teams.
The Bastion Host has following limitation.
- It is generally used only for SSH access to remote servers. To access applications running on a private network, for example, on port 8080, Bastion is not the solution
Bastion Alternatives
Bastion Host is just one alternative to provide a secure connection to your VPC resources. Cloud VPN is the other most commonly used alternative toextend your existing network to theVPC. The VPN allows direct routing of traffic from your premises to the private IP interfaces of VPC. The traffic is encrypted transmitted over public links to the Cloud.