The Banyan Security Blog

Solve bastion challenges with Banyan Security – and deploy in minutes

Historically, bastion hosts were helpful to those who needed an encrypted, secure channel over the public internet. SSH was the best way to run commands on a remote server from a local machine without data transmissions being intercepted or modified. This was an improvement on an even older client-server protocol – which sent communications without even encrypting them.

Today, however, bastion hosts no longer fit well with the modern work environment: as more and more corporations transition to remote work, cloud services, and identity-based security measures, workers increasingly need secure, quick access from anywhere. While SSH bastion hosts provide a known degree of security, SSH key management is left up to individual users, and access via SSH is often restricted to those within a specific IP range, which doesn’t lend itself well to the new world of “secure access from anywhere.”

Here, we’ll walk you through the top three issues related to bastion host use and show how replacing your bastion host with Banyan can resolve them. We’ll also give you a brief overview of how you can get started with Banyan.

Common issues with SSH bastion hosts

As previously mentioned, using SSH bastion hosts often creates security issues. SSH is a well-verified, secure cryptographic protocol, but it doesn’t have built-in key management capabilities. This means that users need to rely on their own self-discipline to ensure that keys are regularly rotated, renewed, or revoked – which doesn’t scale well and isn’t a realistic goal in the long run. The only alternative is to invest in a third-party service that can manage keys for them, which can be costly while only serving a narrow purpose.

Some choose to protect SSH servers by putting them in a DMZ on the edge of a private network. This, however, creates bottlenecks and increases latency, as connections must now pass through the DMZ and then make it past the SSH server to yet another server inside the protected network.

Managing SSH users’ credentials and access groups, as well as SSH servers themselves, quickly gets messy and complicated. And, unfortunately, there’s often limited visibility into which SSH users are accessing your backend resources at any given time.

Issues with SSH bastion hosts

  • Hassles related to SSH key management (protection, rotation, renewal, and revoked access)
  • Difficulties managing SSH users’ credentials and respective access groups
  • Limited visibility into who is accessing your backend resources

Why you should replace your SSH bastion with Banyan

Banyan provides a simple service that replaces bastion hosts, offering secure remote access – without the headache of key and credential management. Instead, Banyan leverages the IDP that’s already used by an organization to authenticate and issue short-lived certificates with the user’s corresponding entitlements. We ensure access is based on user and device identity – not on IP addresses, which say nothing about a user or device’s security posture.

Advantages of replacing bastions with Banyan

  • With Banyan, you don’t need to personally manage keys, credentials, and SSH servers. Instead, we leverage the IDP already used by your organization to authenticate and issue short-lived certificates according to the user’s permissions.
  • Banyan leverages a zero-trust security model, verifying individual users and offering access based on authentication and authorization, not based on IP addresses (which don’t reflect a user or device’s security posture at all).

How to get started

Sign up and get Banyan Security Team Edition for free. Deploy in minutes by following these simple steps:

  1. Set up the Banyan Connector
  2. Define the service(s) that users require secure access to
  3. Test the connection
  4. Validate access
  5. Validate blocking access based on device posture

For a more comprehensive guide on how to get started with Banyan’s Team Edition, check out our SSH Bastion Replacement Cookbook.