# How BastionXP Works

BastionXP is an open source, open-standards-based PKI/CA built on Google's open source crypto libraries.

BastionXP is packaged and distributed as a single binary.

# What is BastionXP

BastionXP is primarily a PKI/CA that also performs many other functions. BastionXP can perform the following functions simultaneously or each as a standalone function:

  1. BastionXP is a PKI/CA that automatically creates, signs and distributes short-lived SSH and X.509 certificates to end users for remote SSH access. BastionXP is an identity-based infrastructure access solution that generates SSH and X.509 certificates after a user authenticates successfully via OAuth or SAML based SSO and Two-Factor Authentication (2FA) providers such as MS Office 365, Google Suite, Okta, GitHub, OneLogin etc.
  2. BastionXP is an SSH Bastion Host (jump host or SSH proxy) server that provides secure SSH access to all compute resources in a private network behind it. The bastion host function eliminates the need to expose all your compute resources to the internet. Only the bastion host server is exposed to the internet; all other compute resources behind it can be accessed only through the bastion host.
  3. BastionXP is a reverse tunneling server that can connect to servers and edge compute resources behind NAT and firewalls. BastionXP agents running on the host machines establish a reverse TLS tunnel with the BastionXP reverse tunnel server. Users from the public network can access the private compute resources using SSH over the reverse TLS tunnel. This function is very useful for accessing all compute resources in multi-cloud, private cloud and hybrid cloud environments through a single access plane.

# How Identity Based Secure Access Works

BastionXP PKI/CA issues certificates based on user or server identity using Identity and Access Management (IAM) solutions such as Microsoft Azure Active Directory, AWS IAM, Okta, OneLogin or others. SSH certificates are issued after a user authenticates successfully via OAuth or SAML based SSO and Two-Factor Authentication (2FA) providers such as MS Office 365, Google Suite, Okta, GitHub, OneLogin etc.

Moreover, BastionXP issues short-lived SSH certificates that expire on a daily basis, eliminating the need to purge the certificate of a user from all the servers when he/she leaves the organization.

BastionXP automates certificate rotation when a security compromise requires it.

BastionXP also supports Role Based Access Control (RBAC) using SSH certificates. This restricts who can access which resources within an organization, and at what privilege levels. Roles and groups defined in an IAM can be used by BastionXP to generate certificates with the appropriate access rights to infrastructure.

# Components of BastionXP server

BastionXP server has three main components: proxy, auth server, and SSH server. Based on the configuration, the single BastionXP binary can act as a proxy server, an auth server, an SSH server, or any combination of the three.

Figure: BastionXP solution architecture

# Proxy Server

The proxy server performs the following functions:

  • SSH Bastion Host/Jump Host/Proxy Server
  • Reverse Tunnel Server

# Auth Server

The auth server performs the following functions:

  • PKI/CA
  • Authtoken
  • Certificate rotation
  • Role Based Access Control
  • Identity based infrastructure access
  • Audit Logs
  • SSH Session Recording and Replay

# SSH Bastion Host

An SSH bastion host or jump host is an SSH proxy that authenticates and proxies SSH connections from SSH clients in the public network to host machines in the private network. The SSH bastion host is used to safely access host machines behind it in a private network. As a result, host machines are not directly exposed to the public internet and can be accessed only via the bastion host.

# Reverse Tunnel Server

The reverse tunnel server provides SSH access to host machines in a private network behind a NAT router and firewall that doesn't have a bastion host of its own. The private network could be an office intranet or a VPC in a different cloud vendor. The reverse tunnel server runs alongside the SSH bastion host service in the same BastionXP server.

The reverse tunnel server is useful for accessing hybrid cloud and multi-cloud compute resources using a single BastionXP instance.

Reverse tunnels originate from the BastionXP agents running on the host machines or edge compute resources behind the NAT router or firewall and terminate at the reverse tunnel server running in the bastion host. SSH clients in the public network connect to the bastion host as usual, unaware that the host machines are not directly connected to it. The bastion host forwards the SSH connection to the host machines through the reverse tunnel.

Reverse tunnels use X.509 client certificates and mTLS connections to connect to the reverse tunnel server for zero-trust security.

# SSH server

The SSH server performs the equivalent of OpenSSH sshd functionality when run on the host machines. When run in SSH server mode on a host machine, BastionXP can record SSH sessions. When an SSH session completes, the recorded session file is uploaded to the auth server.

# PKI/CA

The auth server functions as a Public Key Infrastructure (PKI) / Certificate Authority (CA). The PKI/CA generates both SSH certificates and X.509 SSL/TLS certificates. The CA creates, signs and distributes host certificates to host machines, and user certificates to user machines once the user has logged in via SSO and their identity has been verified. Certificates are issued according to Role Based Access Control (RBAC) policies. Certificates have a validity period (a value that can be configured according to an organization's security policy) and therefore expire eventually.

RSA private keys are created locally on the host and user machines. Private keys never leave the host or user machines. Only the public keys, derived algorithmically from the private keys, are sent over HTTPS tunnels to the CA for signing. Signed certificates are returned on the same HTTPS tunnels.

# Authtoken

The auth server creates authtokens for specific purposes such as API access and downloading host certificates onto host machines. Authtokens are created according to RBAC policies. Only admin users have permission to create authtokens for API access and host certificate downloads. Authtokens can be created only after a successful SSO login. Authtokens have an expiry date; authtokens used to download certificates have extremely short lifetimes.

# Identity and Role Based Infrastructure Access

The BastionXP bastion host grants access to infrastructure (compute resources) based on user identity and roles defined in Identity and Access Management software such as MS Azure Active Directory, AWS IAM, Okta, OneLogin etc. Role Based Access Control (RBAC) is available in the Enterprise version of BastionXP server.

End users need to log in via an SSO provider using Two-Factor Authentication (2FA: password + OTP). The BastionXP free trial version supports SSO login via GitHub OAuth. The BastionXP Enterprise version supports SSO login via OAuth and SAML based SSO providers such as MS Office 365, Google Suite, Okta, OneLogin.

# Audit Logs

BastionXP generates a large volume of logs for various user events. Logs are generated when authtokens are created, when certificates are created, or when a user logs in via an SSH session. Logs can be sent to a log analysis tool and analyzed to detect anomalies.

# SSH Session Recording and Replay

The BastionXP SSHd server records all user sessions as raw files (not as video files). After an SSH session ends, the server transports the SSH session recording file to the auth server. The auth server stores the session recording files for auditing purposes. SSH sessions can be played back like a video, so all commands executed by a user during an SSH session can be reviewed during an audit.