Difference between a bastion host, a gatekeeper (security isolation gap) and a firewall

Bastion host:
4A features:

  • Centralized authentication (authentication)
    Many systems still rely on a plain account and password. With no technical control enforcing password quality, passwords end up too simple and cannot reliably identify a unique user, so authentication has to be strengthened and managed centrally.
  • Centralized account (account)
    The account identifies the user and is what access rights are attached to. Western Digital's bastion host supports several two-factor mechanisms; through SMS codes, RAM sub-account MFA and similar techniques it prevents an operator's identity from being forged or reused and limits the damage from a leaked password.
  • Centralized authority (authorization)
    Different accounts may perform different operations in a system. Administrators must grant fine-grained permissions so that each account holds exactly the rights it needs and nothing more, which prevents unauthorized operations. Today each system usually carries its own independent authentication, authorization and audit mechanism, each maintained separately by its administrators; centralizing them is what the bastion host replaces this with.
  • Centralized audit (audit)
    In IT operations the bastion host's main purpose is to review and supervise the authenticity, correctness and compliance of operators' actions. All operations are made visible, with real-time monitoring, recording and online replay, giving a basis for tracing O&M actions and analysing incidents, which is the goal of an O&M audit.

Function: As a company grows, so does the number of operations (O&M) staff, and different staff need different permissions. The bastion host is the single "entrance" every operator must pass through to reach equipment, so each person's access rights are defined and their behaviour is monitored. When a problem occurs and its source must be traced, the recorded behaviour (the audit trail) shows who did what and where, which is also what makes accountability possible. Servers are logged into uniformly through the bastion host: the operator enters only their own bastion-host password and selects the target server, so nobody needs to hold or remember the remote login password of any individual server.
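To make the 4A flow concrete, here is an added example (not code from the original post, and not any vendor's bastion product) modelling a minimal bastion host in Python: login with a password plus a second factor, a per-user and per-server command policy, target-host credentials that only the bastion holds, and an audit log that can be queried per server to trace who did what. The class and function names (`Bastion`, `build_demo_bastion`), the users alice and bob, the servers db-01 and web-01 and every secret are constructed for the demo; the fixed MFA code stands in for an SMS or TOTP code.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # constructed demo value; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    mfa_code: str  # second factor; a fixed code here, an SMS/TOTP code in practice


@dataclass
class Bastion:
    accounts: dict[str, Account]
    # authorization: user -> server -> command prefixes that user may run there
    policy: dict[str, dict[str, tuple[str, ...]]]
    # target-host credentials live only inside the bastion; operators never see them
    server_credentials: dict[str, str]
    sessions: dict[str, str] = field(default_factory=dict)  # token -> user
    audit_log: list[dict] = field(default_factory=list)

    def _audit(self, user: str, server: str, action: str, result: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "server": server, "action": action, "result": result,
        })

    def login(self, user: str, password: str, mfa_code: str) -> str | None:
        """Authentication: password and second factor, compared in constant time."""
        acct = self.accounts.get(user)
        if acct is None:
            self._audit(user, "-", "login", "denied: unknown account")
            return None
        ok_pw = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        ok_mfa = hmac.compare_digest(mfa_code, acct.mfa_code)
        if not (ok_pw and ok_mfa):
            self._audit(user, "-", "login", "denied: bad password or MFA")
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        self._audit(user, "-", "login", "ok")
        return token

    def run(self, token: str, server: str, command: str) -> str:
        """Authorization and audit: every command is checked against policy and recorded."""
        user = self.sessions.get(token)
        if user is None:
            return "denied: no session"
        if server not in self.server_credentials:
            self._audit(user, server, command, "denied: unknown server")
            return "denied: unknown server"
        allowed = self.policy.get(user, {}).get(server, ())
        if not any(command.startswith(prefix) for prefix in allowed):
            self._audit(user, server, command, "denied: not authorized")
            return "denied: not authorized"
        # A real bastion would now open the session to `server` using
        # self.server_credentials[server] and proxy (and record) the command.
        self._audit(user, server, command, "ok")
        return "ok"

    def trace(self, server: str) -> list[tuple[str, str, str]]:
        """Audit query: who did what on a given server, in order."""
        return [(r["user"], r["action"], r["result"])
                for r in self.audit_log if r["server"] == server]


def build_demo_bastion() -> Bastion:
    salt = b"demo-salt-0001"  # constructed; use os.urandom(16) per account in practice
    return Bastion(
        accounts={
            "alice": Account("alice", salt, hash_password("correct horse", salt), "482913"),
            "bob": Account("bob", salt, hash_password("battery staple", salt), "117204"),
        },
        policy={
            "alice": {"db-01": ("systemctl status", "systemctl restart mysql")},
            "bob": {"web-01": ("tail -n",)},
        },
        server_credentials={"db-01": "db-01-root-secret", "web-01": "web-01-root-secret"},
    )


if __name__ == "__main__":
    bastion = build_demo_bastion()
    tok = bastion.login("alice", "correct horse", "482913")
    print(bastion.run(tok, "db-01", "systemctl restart mysql"))
    print(bastion.run(tok, "db-01", "rm -rf /"))
    for entry in bastion.trace("db-01"):
        print(entry)
```

The point of `trace` is the accountability described above: because every operator passes through the bastion, the per-server view of the log is enough to say who issued which command and whether it was allowed, without consulting the target host at all.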

Gatekeeper:

Gatekeeper (GAP, security isolation gatekeeper): a device built on dedicated hardware with several control functions that cuts the link-layer connection between two networks at the circuit level, while still permitting a safe, limited exchange of application data between them.

Function: Allow the two networks to communicate while they remain physically isolated. If an unsafe condition is detected, the connection is cut at the physical level, much like unplugging the network cable. The gatekeeper therefore gives users controlled data exchange with the other network rather than direct network access to it: with no link-layer connection in place, there is no network path through which a direct attack can be launched.

Firewall:

  • Development history
    1st generation firewall (packet filter) → 2nd generation firewall (application proxy) → 3rd generation firewall (stateful inspection; originally software deployed on minicomputers, with physical firewall appliances appearing after 1995) → dedicated firewalls (such as WAF) → UTM (Unified Threat Management) → NGFW (Next Generation Firewall)

  • Devices such as UTM integrate most of these functions, but the modules cannot be linked together because each works independently. Running many of them at once consumes a great deal of the device's performance and easily causes downtime, so in practice only a few modules can be enabled at a time.

  • Next-generation firewalls are now more widely used. Because their detection runs as one integrated process, the individual functions can work together (linkage), which is a large improvement over UTM.
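As an added illustration of the step from 1st-generation packet filtering to 3rd-generation stateful inspection (example code written for this page, not from the original post): a stateless filter has to leave inbound high ports open so that replies to outbound connections can return, and so it also accepts any forged packet that merely looks like a reply; a stateful filter admits an inbound packet only if it matches a flow an inside host actually opened. The addresses, ports and the `compare` helper are constructed for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed "inside" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag set, i.e. a reply-looking packet


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> bool:
    """1st generation: static rules with no memory of earlier packets.
    Outbound traffic is allowed; inbound traffic is allowed only to high
    (ephemeral) ports with ACK set, the classic rule that lets replies to
    outbound connections come back."""
    if is_internal(pkt.src):
        return True
    return pkt.dport >= 1024 and pkt.ack


class StatefulFirewall:
    """3rd generation: remembers flows opened from inside and admits an
    inbound packet only when it belongs to one of them."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # a legitimate inbound packet is the reverse of a recorded outbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(packets: list[Packet]) -> tuple[list[bool], list[bool]]:
    """Run one packet sequence through both filters and return
    (packet_filter_verdicts, stateful_verdicts)."""
    stateful = StatefulFirewall()
    return [packet_filter(p) for p in packets], [stateful.check(p) for p in packets]


# Constructed traffic: one legitimate HTTPS session, then a forged "reply"
# from a host the inside never talked to.
DEMO_TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443),             # outbound SYN
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, ack=True),   # genuine reply
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, ack=True),  # forged reply
]

if __name__ == "__main__":
    stateless, stateful = compare(DEMO_TRAFFIC)
    for pkt, a, b in zip(DEMO_TRAFFIC, stateless, stateful):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"packet filter={a}  stateful={b}")
```

The third packet is the one that separates the generations: the packet filter passes it because it satisfies the static "high port + ACK" rule, while the stateful firewall rejects it because no inside host ever opened a connection to 198.51.100.7.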

Origin blog.csdn.net/weixin_45948002/article/details/104903522