Community sharing | Bastion host selection at the New Generation Communication and Network Innovation Research Institute

Editor's note: At the "2021 JumpServer Open Source Bastion Host City Meet, Guangzhou Station" event held on December 11, 2021, Liu Sheng, head of the Network Information Department of the Guangdong New Generation Communication and Network Innovation Research Institute, gave a keynote speech titled "Bastion Host Selection at the New Generation Communication and Network Innovation Research Institute". The following content is organised from that speech.

The Guangdong New Generation Communication and Network Innovation Research Institute was jointly established by the Guangdong Provincial Department of Science and Technology, the Guangzhou Municipal Government and the Guangzhou High-tech Zone. It is a comprehensive R&D platform that conducts basic, cutting-edge and applied research on international frontier topics and on bottleneck problems in China's network communication industry, and promotes the transfer, transformation and demonstration application of research results.

Since its establishment in 2018, the Guangdong New Generation Communication and Network Innovation Research Institute (hereinafter the "Research Institute") has undertaken more than ten major national and provincial research projects, built a number of basic research platforms, produced an initial set of results, and formed a number of application cases in the 5G industry.

▲ Liu Sheng, head of the Network Information Department of the Guangdong New Generation Communication and Network Innovation Research Institute

Why is a bastion host needed?

Because the Research Institute's main work includes research on 5G front-end technology and the formulation of next-generation 6G technical standards, its work is at the cutting edge, and it therefore has very high requirements for secure operations and maintenance (O&M).

The Research Institute's network is divided into two segments: the office network and the R&D network. The office network is used by staff for day-to-day work; the R&D network holds a large amount of high-value data. Originally, staff who needed to reach R&D network assets from an office network client had to go through a jump server for access control. The jump server's own limitations, however, created the following practical problems for secure O&M of the whole system:

1. The deployment architecture is complex and costly;

2. User behaviour cannot be recorded, so responsibility for an action cannot be traced;

3. High-risk operations on data cannot trigger an early warning.

Core requirements for the bastion host system

By studying and classifying the practical problems encountered during O&M, the Research Institute summarised the core functions a bastion host must provide in order to be selected:

■  Support browser access to assets

With the old jump server, accessing assets running different operating systems was cumbersome. The new bastion host system should allow assets to be accessed directly through the browser and support protocols such as RDP, SSH, database protocols and FTP/SFTP;

■  Track user behaviour

The original jump server could not track user behaviour. When a failure or a malicious event occurred, it was impossible to determine at which step the problem arose, and therefore impossible to prevent similar problems effectively. The new bastion host must therefore record user behaviour on servers. In addition, because the Research Institute has a large number of R&D staff, misoperation and information leakage occur easily, so the new bastion host system must also support command filtering, dangerous-command alerts and file-copy alerts to keep O&M of the system secure;
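The command filtering and dangerous-command alerting described above can be illustrated with a small rule engine. The following Python block is an added example written for this page; it is not JumpServer's own code and does not reproduce JumpServer's rule format. The rule set, the user and asset names and the sample command lines are all constructed for the illustration. It also covers one edge case a practitioner should check when evaluating such a filter: a command chained after `&&`, `;` or a pipe must be judged on its own, otherwise `cd /tmp && rm -rf /` slips past a filter that only looks at the first command on the line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int              # lower value is evaluated first, like an ACL
    action: str                # "deny", "alert" or "allow"
    patterns: Tuple[str, ...]  # regexes tried against one simple command


# Constructed, illustrative rule set (not JumpServer's built-in rules).
RULES = [
    Rule(10, "deny", (
        r"^\s*rm\s+(-[A-Za-z]*r[A-Za-z]*\s+)+/(\s|$)",      # recursive rm of the root directory
        r"^\s*mkfs(\.\w+)?\s",                               # reformat a block device
        r"^\s*dd\s+.*\bof=/dev/",                            # overwrite a device with dd
    )),
    Rule(20, "alert", (
        r"^\s*(scp|sftp|rsync|curl|wget)\s",                 # data moving off the host
        r"^\s*(cat|less|more|head|tail)\s+.*/etc/shadow",    # reading password hashes
    )),
    Rule(90, "allow", (r".*",)),                              # default: allow
]

# Shell separators that start a new simple command. A production filter
# should tokenise with shlex so that separators inside quotes are not split.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_commands(line: str) -> List[str]:
    """Split a command line into the simple commands the shell would run."""
    return [c for c in SEPARATORS.split(line) if c.strip()]


def evaluate(command: str, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, priority of the matching rule) for one simple command."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(re.search(p, command) for p in rule.patterns):
            return rule.action, rule.priority
    return "allow", None


def filter_line(user: str, asset: str, line: str,
                rules: List[Rule] = RULES) -> Tuple[str, List[Dict]]:
    """Decide the verdict for a whole line and produce audit events.

    The first 'deny' stops evaluation and blocks the line; an 'alert' lets
    the command through but records an event for the security team.
    """
    verdict = "allow"
    events: List[Dict] = []
    for cmd in split_commands(line):
        action, prio = evaluate(cmd, rules)
        if action in ("deny", "alert"):
            events.append({"user": user, "asset": asset, "command": cmd,
                           "action": action, "rule_priority": prio})
        if action == "deny":
            return "deny", events
        if action == "alert":
            verdict = "alert"
    return verdict, events


if __name__ == "__main__":
    # Constructed session lines, as a bastion host would see them.
    for line in ["ls -la /var/log",
                 "cd /tmp && rm -rf /",
                 "scp dump.sql bob@10.0.0.5:/tmp/ ; echo done"]:
        print(line, "->", filter_line("alice", "web-01", line))
```

The events returned for a denied or alerted command carry the user, asset and exact command, which is the record needed to locate responsibility after an incident; in practice they would be written to the session audit log rather than returned to the caller.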

■  Account management

The Research Institute's IT infrastructure is large and it has many departments and staff, so a multi-level organisational management model is indispensable in the new bastion host system. In particular, it must provide unified login with AD accounts and multi-level management of AD permissions;

■  High availability deployment

Bastion host systems have been developed for a long time and their ease of use has improved continuously. Letting everyone get started easily and quickly is not only a key indicator of a bastion host's user experience, but also matters for reducing the Research Institute's security O&M cost. The Research Institute therefore hoped that the new bastion host system would be highly available, simple to scale out, easy to maintain and easy to operate.

Why choose JumpServer?

Based on the above requirements, and after a comprehensive comparison of the bastion host systems on the market, we found that JumpServer provides the core bastion host functions we actually need.

At present the Research Institute manages R&D network assets through JumpServer. As the unified entry point for asset access on the R&D network, the JumpServer bastion host is deployed in active-standby mode. Development and test staff access JumpServer through the web page or an SSH client, and it fits into the existing firewall setup. This avoids the earlier situation in which every technician who needed to access R&D network assets had to deploy a jump server on the R&D network.

In addition, JumpServer supports the four core functions of authentication, authorisation control, account management and security auditing, providing unified security management for servers, network devices, databases and security devices.

▲ Bastion host architecture design at the Research Institute

As we used the JumpServer bastion host more deeply, we also found a number of highlights that helped us significantly improve the O&M security of the overall system. They are as follows:

■  Password management

Because the Research Institute has a large number of R&D staff, fixed passwords offer much weaker security, and the passwords of the most privileged accounts on end devices may also leak. The JumpServer bastion host provides a batch password change function that periodically changes the system user passwords of IT assets, with password policies that can be customised to the user's needs. This addresses password leakage caused by staff turnover and greatly protects the security of systems and assets;
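The batch password change with a customisable password policy described above can be sketched in code. The block below is an added example written for this page, not JumpServer's implementation: it models a policy (length, required character classes, maximum password age), generates compliant passwords from the operating system's CSPRNG, and picks out the accounts whose passwords are overdue for rotation. The asset inventory, account names and dates are constructed for the illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    length: int = 20
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 30                      # rotate at least this often
    symbols: str = "!@#$%^&*()-_=+[]{}:,.?"

    def classes(self) -> List[str]:
        """Character classes the policy requires, in a fixed order."""
        out = []
        if self.require_upper:
            out.append(string.ascii_uppercase)
        if self.require_lower:
            out.append(string.ascii_lowercase)
        if self.require_digit:
            out.append(string.digits)
        if self.require_symbol:
            out.append(self.symbols)
        return out


def validate(password: str, policy: PasswordPolicy) -> bool:
    """True if the password meets the length and every required class."""
    if len(password) < policy.length:
        return False
    alphabet = "".join(policy.classes())
    if any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in policy.classes())


def generate(policy: PasswordPolicy) -> str:
    """Generate a policy-compliant password using the OS CSPRNG (secrets)."""
    classes = policy.classes()
    if policy.length < len(classes):
        raise ValueError("length too short for the required character classes")
    # One character from each required class guarantees compliance; the rest
    # is drawn from the whole alphabet, then the order is shuffled so the
    # class of a character cannot be inferred from its position.
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(policy.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def rotation_due(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    return today - last_changed >= timedelta(days=policy.max_age_days)


def plan_rotation(accounts: List[Tuple[str, str, date]], today: date,
                  policy: PasswordPolicy) -> Dict[Tuple[str, str], str]:
    """Return a new password for every (asset, account) that is overdue.

    accounts: (asset, account, date the password was last changed).
    In a real run the new values would be pushed to the assets and stored
    in the bastion host's vault, never printed or logged.
    """
    return {(asset, acct): generate(policy)
            for asset, acct, last in accounts
            if rotation_due(last, today, policy)}


# Constructed inventory and run date for the illustration.
ACCOUNTS = [
    ("gpu-node-01", "root",  date(2021, 10, 1)),
    ("gpu-node-02", "root",  date(2021, 12, 1)),
    ("gitlab-01",   "admin", date(2021, 9, 15)),
]
TODAY = date(2021, 12, 11)

if __name__ == "__main__":
    policy = PasswordPolicy()
    for key, pw in plan_rotation(ACCOUNTS, TODAY, policy).items():
        print(key, "rotate ->", "*" * len(pw), "valid:", validate(pw, policy))
```

With the constructed dates, the two accounts last changed more than 30 days before the run date are selected for rotation and the one changed ten days earlier is left alone; a rotation policy like this only removes the leaked-password risk if the old credentials are actually invalidated on the asset, which is what the batch change does.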

■  Work order management

Code repositories and sensitive end devices are the Research Institute's core assets, and back-end access to them requires strict permission approval and full control. JumpServer provides work order management, including authorisation work order requests with first-level and second-level approval processes. Users apply in self-service fashion for the assets or applications they need to access, and once approved, access is granted to the applying user.

Core assets in the Research Institute can only be accessed with dual authorisation from the O&M level and the R&D lead. With JumpServer's work order management, we have effectively reduced the cost of system security management while also greatly improving system security;

■  Session watermark

Some of the Research Institute's core code and assets are at risk of being leaked through photographs or screenshots. JumpServer provides a session watermark function that overlays account information on the background of the asset operation interface. This effectively deters leakage of sensitive asset information through screenshots or photographs, allows the leaking user to be located quickly, and reduces the risk of information leakage at the source.
