VPC Prerequisites - Networking Basics Part 2

In this part we cover network address translation (NAT) and IP masquerading, the demilitarized zone (DMZ), jump servers and bastion hosts, and how NAT and bastion hosts are used in an AWS VPC.

 

Network address translation (NAT) and IP masquerading

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networks without readdressing every host. More advanced NAT implementations feature IP masquerading.

IP masquerading is a technique that hides an entire IP address space, usually consisting of private IP addresses, behind a single IP address in another, usually public, address space. It allows an entire private network to share the one Internet-routable IP address of a NAT gateway: the gateway rewrites the source address and port of every outgoing packet to its own public address and a port it has chosen, and uses that port to map the reply back to the original private host. Because this technique is so widely used to conserve IPv4 address space, the term NAT has become virtually synonymous with IP masquerading.

Because NAT rewrites the address information in packets, it has real consequences for the quality of Internet connectivity and requires careful attention to the details of its implementation. A masquerading NAT only keeps state for connections initiated from the inside, so a host on the Internet cannot open a connection to a private host unless the gateway is explicitly configured to forward that port, and protocols that carry IP addresses inside their payload (FTP and SIP are the classic cases) need an application-level gateway to work through it. NAT implementations vary widely in their behavior in various addressing cases and in their effect on network traffic, and vendors rarely document the specifics.
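The behaviour described above, as an added example that is not part of the original post: a small model of a masquerading NAT gateway. All addresses are constructed for illustration (10.0.1.0/24 as the private network, 203.0.113.10 as the gateway's public address, 198.51.100.7 as a server on the Internet; the last two are from the IETF documentation ranges). It shows the three things a practitioner should expect from masquerading: two private hosts using the same source port are kept apart by the port the gateway assigns, replies are mapped back to the right private host, and a packet from the Internet that matches no outbound flow is dropped.

```python
"""Added example: a minimal model of IP masquerading (source NAT with port remapping).

Constructed data: private net 10.0.1.0/24, gateway public IP 203.0.113.10,
Internet server 198.51.100.7. Not the original post's code.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class MasqueradingNat:
    """Rewrites (private src_ip, src_port) to (public_ip, assigned port) on the way
    out, remembers that binding, and only lets packets matching a binding back in."""

    def __init__(self, public_ip: str, private_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self._next_port = first_port
        # Outbound table keyed by the original 5-tuple of the flow.
        self._out = {}  # (src_ip, src_port, dst_ip, dst_port, proto) -> public port
        # Inbound table keyed by what a reply will look like at the public side.
        self._in = {}   # (public_port, remote_ip, remote_port, proto) -> (src_ip, src_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: replace the private source with the public address."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            raise ValueError(f"{pkt.src_ip} is not in {self.private_net}; not masquerading it")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self._out.get(key)
        if port is None:
            # New flow: allocate a fresh public port so two private hosts that
            # chose the same ephemeral port do not collide.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, pkt: Packet):
        """Internet -> private: return the de-translated packet, or None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        binding = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if binding is None:
            return None  # no outbound flow created this state: unsolicited, drop
        src_ip, src_port = binding
        return replace(pkt, dst_ip=src_ip, dst_port=src_port)


def demo() -> dict:
    """Run the three scenarios and return the translated packets for inspection."""
    nat = MasqueradingNat("203.0.113.10", "10.0.1.0/24")
    # Two private hosts happen to pick the same ephemeral source port.
    a = Packet("10.0.1.5", 51000, "198.51.100.7", 443)
    b = Packet("10.0.1.6", 51000, "198.51.100.7", 443)
    a_out = nat.translate_outbound(a)
    b_out = nat.translate_outbound(b)
    reply_to_a = Packet("198.51.100.7", 443, "203.0.113.10", a_out.src_port)
    reply_to_b = Packet("198.51.100.7", 443, "203.0.113.10", b_out.src_port)
    # Someone on the Internet tries to reach "port 22 behind the NAT": no binding exists.
    unsolicited = Packet("198.51.100.7", 40022, "203.0.113.10", 22)
    return {
        "a_out": a_out,
        "b_out": b_out,
        "a_in": nat.translate_inbound(reply_to_a),
        "b_in": nat.translate_inbound(reply_to_b),
        "unsolicited": nat.translate_inbound(unsolicited),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:11s} {pkt}")
```

Real gateways also age bindings out and, depending on the NAT type, may accept inbound packets from any remote host once a binding exists (the "cone" behaviours that make NAT traversal for VoIP and peer-to-peer protocols so implementation-specific); this model is the strict endpoint-dependent case.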

 

Demilitarized Zone (DMZ)

A DMZ is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.

 

Jump server

A jump server is a special-purpose computer on a network typically used to manage devices in a separate security zone. Also referred to as jump host or jumpbox or secure administrative host.

The most common example is managing a host in a DMZ from trusted networks or computers.

 

Bastion Host

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. It generally hosts a single application, for example a proxy server, so that its attack surface is as small as possible. It sits either outside a firewall or in a demilitarized zone (DMZ), and its purpose usually involves access from untrusted networks or computers.

Firewalls and routers can themselves be considered bastion hosts. Because of their exposure, a great deal of effort goes into minimizing the chances of compromise: unneeded services are removed, patches are applied promptly, and logging is sent off the host. Other common bastion hosts are web, mail, DNS, and FTP servers.

 

Bastion Host vs. Jump server

Though bastion host and jump server are used interchangeably by some, there are some differences.

A bastion host mostly serves a single service, such as DNS or HTTP, to unprotected networks. A jump server is usually used to manage other systems in a network.

Jump servers provide access to servers in a secure zone and sit inside the network or in the DMZ. A bastion host is usually on the public side of the DMZ, directly reachable from untrusted networks and therefore fully exposed to attack, which is why it is hardened rather than relying on a firewall in front of it.

 

NAT vs. Bastion Host (AWS)

A NAT gateway (or NAT instance) lets EC2 instances in a private subnet initiate outbound connections to the Internet, for example to fetch packages or updates, while remaining unreachable from the Internet: the NAT device does not accept connections initiated from outside, so it is not a way in.

A bastion host is used to securely administer EC2 instances in private subnets over SSH or RDP. It is placed in a public subnet, accepts SSH or RDP only from the administrators' source IP ranges, and the private instances in turn accept SSH or RDP only from the bastion's security group. From the admin workstation you connect to the bastion and hop from there (OpenSSH's ProxyJump, `ssh -J bastion target`, does both hops in one command) rather than copying private keys onto the bastion. Some people also call it a jump host, though there are some differences, as we saw above.
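The bastion pattern from the bastion host section and the AWS comparison above, as an added example that is not part of the original post: a small audit that checks security group rules for the two mistakes that undo the pattern, a bastion that accepts SSH from the whole Internet and private instances that accept SSH from a CIDR range instead of from the bastion's group. The rule dictionaries follow the shape of the `IpPermissions` entries returned by the EC2 DescribeSecurityGroups API, but the group IDs, the admin range 198.51.100.0/24 and the rules themselves are constructed for this example; in practice you would feed it the output of `describe_security_groups()` from boto3.

```python
"""Added example: audit bastion / private-instance security groups.

Constructed sample data; IDs such as sg-bastion are placeholders, not real groups.
Not the original post's code.
"""
import ipaddress

# Assumed corporate egress range that administrators connect from.
ADMIN_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_PORTS = (22, 3389)  # SSH and RDP


def _covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry allows TCP traffic to the given port."""
    if perm["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))


def _ports(perm: dict) -> str:
    return "all" if perm["IpProtocol"] == "-1" else f'{perm["FromPort"]}-{perm["ToPort"]}'


def audit_bastion_sg(sg: dict, admin_cidrs=ADMIN_CIDRS) -> list:
    """Bastion group: every inbound CIDR must fall inside the admin ranges."""
    findings = []
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if not any(net.subnet_of(a) for a in admin_cidrs):
                findings.append(f'{sg["GroupId"]}: inbound {_ports(perm)} from {net} '
                                f'is outside the admin ranges')
    return findings


def audit_private_sg(sg: dict, bastion_sg_id: str) -> list:
    """Private-subnet group: admin ports only from the bastion's group, never a CIDR."""
    findings = []
    for perm in sg["IpPermissions"]:
        for port in ADMIN_PORTS:
            if not _covers_port(perm, port):
                continue
            for rng in perm.get("IpRanges", []):
                findings.append(f'{sg["GroupId"]}: port {port} open to CIDR {rng["CidrIp"]}; '
                                f'should reference {bastion_sg_id} instead')
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != bastion_sg_id:
                    findings.append(f'{sg["GroupId"]}: port {port} open to group '
                                    f'{pair["GroupId"]}, not the bastion {bastion_sg_id}')
    return findings


# Constructed sample groups: a weak and a corrected version of each.
BASTION_SG_WEAK = {"GroupId": "sg-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
BASTION_SG_GOOD = {"GroupId": "sg-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]}
PRIVATE_SG_WEAK = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
PRIVATE_SG_GOOD = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}


if __name__ == "__main__":
    for f in audit_bastion_sg(BASTION_SG_WEAK) + audit_private_sg(PRIVATE_SG_WEAK, "sg-bastion"):
        print("FINDING:", f)
    print("corrected groups:", audit_bastion_sg(BASTION_SG_GOOD)
          + audit_private_sg(PRIVATE_SG_GOOD, "sg-bastion"))
```

The private-subnet check deliberately flags any CIDR source, even one inside the VPC: allowing SSH from 10.0.0.0/16 means a compromised application instance can reach every other instance on port 22, whereas referencing the bastion's security group keeps the bastion as the single administrative path.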
