This chapter covers bastion hosts and jump servers, critical components of secure network architecture that control and monitor access to internal resources. For SY0-701, this maps to Objective 3.1: Security Architecture, specifically the implementation of secure network designs such as DMZs, VLANs, and bastion hosts. Understanding how these hardened gateways function is essential for designing networks that resist unauthorized access and limit the blast radius of a compromise. You will learn the mechanisms, deployment variants, and exam-tested distinctions between bastion hosts, jump boxes, and related concepts.
Jump to a section
Imagine a space station with a single pressurized airlock for entry and exit. The station's interior is a highly controlled environment—any breach could be catastrophic. The airlock is a small chamber with two doors: one to the outside (untrusted space) and one to the station's interior (trusted network). To enter, an astronaut first opens the outer door, steps in, and closes it. Only after the outer door is sealed can the inner door be opened. This ensures that no vacuum or contaminants from space directly enter the station. In the same way, a bastion host acts as a single, hardened entry point to a private network. All external access must go through it—no direct connections from the internet to internal servers are allowed. The bastion host is heavily secured (hardened), just as the airlock is built to withstand the vacuum. A jump server is like a dedicated airlock for administrators: they connect to the jump server first, authenticate, and then from there initiate connections to internal systems. The jump server logs every action, similar to a camera recording who enters the airlock. This prevents attackers from bypassing security controls—they would have to compromise the heavily guarded airlock first. Mechanistically, the airlock's two-door system enforces a 'no direct path' rule, exactly as a bastion host's two-step connection process (user -> bastion -> internal server) enforces network segmentation and access control.
What Are Bastion Hosts and Jump Servers?
A bastion host is a specialized computer intentionally exposed to an untrusted network (typically the internet) to serve as the sole entry point to a private network. It is hardened against attacks—meaning it runs only essential services, applies all security patches, uses strong authentication, and is heavily monitored. The term originates from medieval fortifications where a bastion was a projecting part of a fortress that allowed defenders to cover the approaches. In networking, the bastion host is the 'gateway' that all external users must pass through to reach internal resources.
A jump server (also called a jump box or jump host) is a bastion host specifically used by administrators to access and manage systems in a separate security zone (e.g., a production network or a DMZ). The key difference is that a bastion host may serve multiple roles (e.g., web server, mail relay, VPN endpoint), while a jump server is dedicated to administrative access. In practice, many use the terms interchangeably, but the SY0-701 exam expects you to recognize that a jump server is a type of bastion host focused on management access.
How They Work Mechanically
Consider a typical enterprise with a web server in a DMZ and a database server in the internal network. Without a bastion host, an administrator might configure the firewall to allow RDP (port 3389) from the internet directly to the internal database server. This is a huge risk—any vulnerability in RDP or weak credentials could expose the entire internal network.
With a bastion host:
The administrator connects via SSH (port 22) or RDP to the bastion host, which sits in a DMZ or a dedicated management network. The firewall allows inbound traffic only to the bastion host's IP on port 22 (or 3389).
The bastion host authenticates the user—typically with multi-factor authentication (MFA) and a strong password or SSH key.
Once authenticated, the administrator can initiate a second connection from the bastion host to the internal database server. The bastion host acts as a 'jump' point.
All traffic is logged on the bastion host, including source IP, destination, timestamps, and command history (for SSH).
This two-step process ensures that:
No direct path exists from the internet to internal systems.
The attack surface is reduced to a single, hardened system.
All administrative actions are auditable.
Key Components, Variants, and Standards
Hardening: Bastion hosts must be stripped of unnecessary services, applications, and user accounts. Only the minimum required for connectivity (e.g., SSH server, RDP server, VPN server) should run. The OS is patched regularly, and intrusion detection software (e.g., OSSEC, Tripwire) monitors for changes.
Authentication: Strong authentication is mandatory. This includes SSH key pairs (2048-bit RSA or better), MFA (e.g., TOTP via Google Authenticator or hardware tokens like YubiKey), and integration with directory services (LDAP, Active Directory) with account lockout policies.
Logging and Monitoring: All access attempts (successful and failed) must be logged centrally via syslog or SIEM. For SSH, tools like auditd can log commands. Session recording (e.g., using script or commercial tools like CyberArk) provides a video-like replay of sessions.
Network Segmentation: Bastion hosts are placed in a separate network segment (DMZ or management network) with strict firewall rules. The internal firewall should only allow traffic from the bastion host to specific internal servers, not any-to-any.
Standards: NIST SP 800-125 (Guide to Security for Full Virtualization Technologies) and NIST SP 800-207 (Zero Trust Architecture) discuss bastion hosts as part of a 'policy enforcement point.' The CIS Benchmarks provide hardening guidelines for bastion hosts running Linux or Windows.
How Attackers Exploit or How Defenders Deploy This
Attackers target bastion hosts because compromising them gives access to the entire internal network. Common attack vectors include: - Credential theft: Brute-forcing SSH passwords, phishing for MFA codes, or exploiting weak SSH keys. - Vulnerability exploitation: Unpatched SSH vulnerabilities (e.g., CVE-2018-15473 for OpenSSH user enumeration) or RDP vulnerabilities (e.g., BlueKeep CVE-2019-0708). - Session hijacking: If the bastion host is compromised, attackers can piggyback on existing connections to internal systems. - Log tampering: Attackers may delete or modify logs to cover their tracks.
Defenders deploy bastion hosts with: - Fail2ban or similar tools to block IPs after multiple failed login attempts. - SSH key-only authentication (password authentication disabled). - MFA enforcement for all logins. - Network segmentation so that even if the bastion is compromised, lateral movement is limited. - Honeypot accounts on the bastion to detect attackers.
Real Command/Tool Examples
Linux Bastion Host Setup (SSH):
1. Install OpenSSH server:
sudo apt-get install openssh-server2. Harden SSH configuration in /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers adminuser
Port 22
Protocol 2
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 03. Restart SSH:
sudo systemctl restart sshd4. Configure firewall to allow only SSH from specific source IPs (if possible):
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp
sudo ufw enable5. Enable logging and monitoring:
sudo apt-get install auditd
sudo auditctl -w /var/log/auth.log -p wa -k auth_logWindows Bastion Host Setup (RDP):
Use Windows Server Core to reduce attack surface.
Enable Network Level Authentication (NLA) for RDP.
Configure RDP to require MFA via RD Gateway or third-party solution.
Restrict RDP access via Windows Firewall to specific IPs.
Jump Server Usage (SSH ProxyJump):
An administrator can use the -J flag to jump through the bastion:
ssh -J admin@bastion.example.com admin@internal-server.example.comThis establishes an SSH connection to the bastion first, then from there to the internal server. The traffic between the client and bastion is encrypted, and the bastion relays the connection.
Logging Example:
On the bastion, /var/log/auth.log would contain entries like:
Mar 10 14:23:01 bastion sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 54321 ssh2: RSA SHA256:abc...
Mar 10 14:23:05 bastion sshd[1234]: Received disconnect from 203.0.113.5 port 54321:11: disconnected by userIdentify Need for Bastion Host
The security architect reviews the network architecture and identifies that administrators require remote access to internal servers. Without a bastion host, direct RDP/SSH from the internet would expose internal systems. The architect decides to implement a bastion host in a DMZ to enforce a single entry point and centralize logging.
Harden the Bastion Host
The engineer provisions a dedicated server (physical or virtual) with a minimal OS installation. They remove all unnecessary packages, disable unused services, apply latest patches, and configure the host firewall to allow only SSH (port 22) from authorized management subnets. They create a non-root administrative account with SSH key authentication and disable password login. MFA (e.g., TOTP) is configured via PAM. The engineer also installs and configures auditd and sends logs to a central SIEM.
Configure Network Segmentation
The bastion host is placed in a management DMZ with strict firewall rules. The external firewall allows inbound SSH from the internet (or specific IPs) only to the bastion host's IP. The internal firewall allows outbound SSH from the bastion host only to specific internal servers (e.g., 10.0.1.0/24). No other traffic is permitted. The engineer tests connectivity: from an external client, SSH to bastion succeeds; direct SSH to internal servers fails.
Enforce Access Controls and Logging
The architect configures the bastion host to require MFA for all logins. They set up SSH ProxyJump or an RDP gateway so that administrators must first authenticate to the bastion before connecting to internal systems. All SSH sessions are logged using `sudo script` or a session recording tool. Logs are forwarded to a SIEM (e.g., Splunk) with alerts for failed logins, suspicious commands, or connections from unusual IPs.
Test and Audit the Setup
The security team performs penetration testing against the bastion host, attempting brute-force attacks, SSH vulnerability scanning, and social engineering to obtain credentials. They verify that MFA blocks unauthorized access, that logs capture all attempts, and that no direct path to internal networks exists. A quarterly audit reviews bastion host logs and user access rights. Any anomalies trigger incident response procedures.
Scenario 1: SOC Analyst Investigating Unauthorized Access
A SOC analyst at a financial institution sees an alert from the SIEM: multiple failed SSH logins to the bastion host from an IP in a hostile country. The analyst pulls up the bastion host's auth.log and sees 100 failed attempts in 5 minutes. The analyst checks the firewall logs and confirms the source IP is not in the allowed list (the firewall should have blocked it). Investigation reveals the firewall rule was misconfigured to allow any source. The analyst blocks the IP, corrects the firewall rule, and escalates to the network team. The correct response is to immediately block the IP, verify the firewall rule, and scan for any successful unauthorized access. A common mistake is to ignore the alert because it's 'just brute force'—but the misconfigured firewall is a critical vulnerability.
Scenario 2: Engineer Deploying Jump Server for Cloud Migration
A cloud architect is moving workloads to AWS. They deploy a jump server (EC2 instance) in a public subnet with a security group allowing SSH only from the corporate VPN IP range. The jump server is hardened: no SSH passwords, only key pairs, MFA via AWS IAM, and CloudTrail logging enabled. All internal instances are in private subnets with security groups that allow SSH only from the jump server's private IP. The architect tests by SSHing to the jump server, then from there SSHing to an internal instance. Logs show both connections. A common mistake is to allow SSH from the jump server to all internal instances (0.0.0.0/0) instead of specific IPs, which would allow lateral movement if the jump server is compromised.
Scenario 3: Incident Response After Bastion Host Compromise
An attacker gains access to a bastion host via a stolen SSH key (from a developer's laptop). The attacker uses the bastion to SSH into a database server and exfiltrates data. The IR team identifies the breach when the SIEM alerts on unusual outbound data transfer from the database server. The team isolates the bastion host (disconnects it from the network), revokes the compromised SSH key, and reviews logs to determine the scope. The correct response includes preserving logs, identifying the initial access vector, and implementing key rotation and MFA. A common mistake is to simply rebuild the bastion host without analyzing how the key was stolen, leaving the same vulnerability.
Exactly What SY0-701 Tests
Objective 3.1 (Security Architecture) includes the implementation of secure network designs. Specifically, you must understand:
The purpose of a bastion host: a hardened system that acts as a gateway between untrusted and trusted networks.
The difference between a bastion host and a jump server: a jump server is specifically for administrative access; a bastion host can serve other functions (e.g., web server, mail relay).
How bastion hosts enforce network segmentation and reduce attack surface.
Best practices: hardening, MFA, logging, and network segmentation.
Common Wrong Answers and Why
'A bastion host is the same as a firewall.' — No. A firewall filters traffic; a bastion host is a system that users log into. Firewalls are network devices; bastion hosts are servers.
'A jump server is used to bypass security controls for convenience.' — Wrong. Jump servers are used to centralize and audit access, not bypass controls.
'Bastion hosts should have all services enabled for flexibility.' — The opposite is true; they should be minimal.
'Placing a bastion host in the internal network is best practice.' — It should be in a DMZ, not the internal network, to separate it from trusted resources.
Specific Terms and Values
Port numbers: SSH (22), RDP (3389).
Common bastion host OS: Linux (hardened), Windows Server Core.
Authentication methods: SSH keys, MFA (TOTP, smart cards).
Related concepts: DMZ, screened subnet, dual-homed host, proxy server.
Trick Questions
'Which of the following is a bastion host?' — Options might include a web server in a DMZ, an internal file server, a firewall, or an IDS. The correct answer is the web server in the DMZ if it's the only entry point.
'What is the primary purpose of a jump server?' — Options: to provide internet access, to manage systems in a separate security zone, to host applications, to filter traffic. Correct: to manage systems in a separate security zone.
'A company wants to allow remote employees to access internal servers. Which should they implement?' — Options: VPN, bastion host, firewall, IDS. Both VPN and bastion host are possible, but the exam may expect bastion host if the scenario emphasizes centralized logging and auditing.
Decision Rule for Eliminating Wrong Answers
On scenario questions: If the scenario involves administrative access to internal systems, look for 'bastion host' or 'jump server'. If it involves user access to applications, look for 'VPN' or 'reverse proxy'. If the answer choice mentions 'allowing direct connections', it is likely wrong. Eliminate answers that suggest placing the bastion host in the internal network or that describe it as a firewall.
A bastion host is a hardened server that serves as the sole entry point from an untrusted network to a trusted network.
A jump server is a bastion host dedicated to administrative access (SSH/RDP).
Bastion hosts are placed in a DMZ, not the internal network.
Hardening includes disabling unnecessary services, using SSH keys, enforcing MFA, and centralizing logs.
Common ports: SSH (22), RDP (3389).
Bastion hosts reduce attack surface by eliminating direct paths to internal systems.
Always log and monitor all access to bastion hosts; use SIEM for alerts.
The SY0-701 exam expects you to distinguish bastion hosts from firewalls, VPNs, and jump servers.
These come up on the exam all the time. Here's how to tell them apart.
Bastion Host
General-purpose hardened gateway
May serve multiple roles (web, mail, VPN)
Placed in DMZ
Used for both user and admin access
Example: a hardened web server in DMZ that also allows SSH
Jump Server
Specialized for administrative access
Typically only used for SSH/RDP to internal systems
Placed in management network or DMZ
Used exclusively by administrators
Example: a Linux box used only to SSH into production servers
Bastion Host
Provides direct login to a system
Operates at application layer (SSH, RDP)
Requires user to have an account on the bastion
Best for occasional administrative access
Less scalable for many users
VPN Concentrator
Creates an encrypted tunnel to the network
Operates at network layer (IPsec, SSL/TLS)
Authenticates user and assigns an IP on the internal network
Best for remote user access to multiple resources
More scalable for large numbers of users
Mistake
A bastion host is the same as a firewall.
Correct
A firewall is a network security device that filters traffic based on rules. A bastion host is a server that users log into to access internal resources. Firewalls operate at layers 3-4 (and sometimes 7); bastion hosts operate at the application layer (e.g., SSH, RDP). They complement each other.
Mistake
Jump servers bypass security controls for convenience.
Correct
Jump servers centralize and enforce security controls. They require strong authentication, logging, and auditing. They do not bypass controls; they make them more manageable.
Mistake
A bastion host should be placed in the internal network for better protection.
Correct
Placing a bastion host in the internal network defeats its purpose—it would allow direct paths from the internet to the internal network. Bastion hosts should be in a DMZ or screened subnet to isolate them from both untrusted and trusted networks.
Mistake
Bastion hosts are only needed for SSH or RDP access.
Correct
While commonly used for SSH/RDP, bastion hosts can also serve as VPN endpoints, web servers, or mail relays. The key is they are hardened and serve as a single entry point.
Mistake
A bastion host eliminates the need for a firewall.
Correct
Firewalls are still required to restrict traffic to and from the bastion host. The bastion host is a component of a layered defense, not a replacement.
A bastion host is a general-purpose hardened gateway that can serve multiple roles (e.g., web server, mail relay, SSH gateway). A jump server is a specific type of bastion host used exclusively for administrative access (typically SSH or RDP) to internal systems. In exam questions, if the scenario mentions 'administrative access' or 'management', the answer is likely 'jump server'. If it mentions 'public-facing service' or 'single entry point for external users', it's 'bastion host'.
No. A bastion host should be placed in a DMZ (screened subnet) that is separate from both the internet and the internal network. This ensures that even if the bastion host is compromised, the attacker does not have direct access to internal systems. The internal firewall should only allow traffic from the bastion host to specific internal IPs.
At minimum, use SSH key-based authentication (password authentication disabled) and multi-factor authentication (MFA). For Windows, use Network Level Authentication (NLA) for RDP and MFA via RD Gateway. Avoid using default accounts or weak passwords. Integrate with directory services (LDAP/AD) for centralized user management.
It reduces the attack surface by providing a single, hardened entry point that is heavily monitored. It enforces network segmentation—no direct connections from the internet to internal servers. It centralizes logging and auditing of all administrative access. It also allows for more stringent security controls (MFA, IP whitelisting) that would be difficult to enforce on every internal server.
Yes, bastion hosts are often virtual machines. However, the VM should be hardened just like a physical server. Ensure the hypervisor is also secured, and consider using dedicated hardware for high-security environments. In the cloud, bastion hosts are commonly deployed as EC2 instances (AWS) or VMs (Azure) with strict security group rules.
Collect authentication logs (/var/log/auth.log on Linux, Security log on Windows), system logs, firewall logs, and command history (for SSH). Forward them to a SIEM for real-time analysis. Alert on failed logins, sudo usage, connections from unusual IPs, and any changes to system files.
Not exactly. A VPN provides network-level access, allowing users to access any internal resource. A bastion host provides application-level access to specific systems. They can be used together: users VPN into the network, then SSH through a bastion host to internal servers. The exam may ask which is better for a given scenario—VPN for broad user access, bastion host for controlled administrative access.
You've just covered Bastion Hosts and Jump Servers — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?