Community sharing | Snow Beer's experience of using the JumpServer bastion host

Editor's note: In January 2022, the JumpServer open source community conducted an online interview with Wang Gong from Snow Beer (Chengdu) Co., Ltd. on the topic of bastion host usage. The following content is based on that interview.

Founded in 1993, China Resources Snow Beer is headquartered in Beijing, with provincial-level companies covering the whole country and 70 breweries under its jurisdiction. In 2020, China Resources Snow Beer's domestic market share exceeded 30%, total annual sales reached more than 11.1 million tons, and annual production capacity exceeded 18 million tons. In recent years, China Resources Snow Beer has successively launched measures such as brand remodeling, production capacity optimization, operational reform, and informatization upgrades to build a high-end brand matrix. In addition to the Snow Beer brand, the company has also developed high-end brands and successively acquired well-known foreign brands such as Heineken, Sur, Red Jue, and Tiger, and its business scale has continued to expand.

As a national professional beer company, China Resources Snow Beer has always strictly followed the relevant information security standards. Whether at headquarters level or in subordinate branches, standardized operation and maintenance security audits are carried out for the relevant IT assets. China Resources Snow Beer Sichuan Co., Ltd. (hereinafter referred to as Snow Beer Sichuan Company) is a regional company established by China Resources Snow Beer in Chengdu. It owns 9 beer production factories in Chengdu, Mianyang, Deyang, Neijiang, Leshan, Nanchong, Guang'an, Suining and Liangshan, and its products cover the southwest region.

At present, Snow Beer Sichuan Company's internal IT assets are audited for operation and maintenance security through the JumpServer open source bastion host. Before using the JumpServer bastion host, the company had problems such as disorderly remote operations and potential security risks from direct database connections. Many internal operations on IT assets left no operation records, so problems could not be traced back. These problems created the demand for a bastion host in Snow Beer Sichuan Company: the IT operation and maintenance team needed to build a recordable and auditable "springboard" system in the internal environment, so that internal users could securely connect to and manage the company's IT assets.

Why choose JumpServer?

Before using the JumpServer bastion host, the IT operation and maintenance team of Snow Beer Sichuan Company had also used traditional bastion hosts in stages. However, in actual use we found some shortcomings of the traditional bastion host that made it inconvenient to use. Specifically, these were reflected in the following aspects:

1. The bastion host I used before worked in Client mode, that is, through an RDP client. The traditional bastion host emulates Microsoft's RDP remote desktop by installing plug-ins, which creates a threshold for users' operating skills. Access through the RDP client does have its own advantages, though: users can copy and paste following the Ctrl+C and Ctrl+V habits they have in Windows. This is also the part that some users need to adapt to when they first use the JumpServer bastion host;

2. Most of the bastion hosts on the market use a delivery model that integrates software and hardware. For the IT operation and maintenance team, the bastion host then has to be managed as an independent physical asset. Managing physical assets is not an easy task: we need to carry out declaration, management, scrapping and updating, and we need to take inventory every year, which involves every aspect of the process. While providing IT asset management capability, the maintenance of traditional bastion hosts also brought us extra work.

Considering the high threshold and inconvenience of using traditional bastion hosts, I began to look on the Internet for bastion hosts more suitable for our actual business needs. Since Python is often used in my daily work, it has become a habit of mine to look for Python-related content on GitHub. By chance, I discovered the JumpServer open source bastion host, a product developed in the Python language.

In the process of using JumpServer, we found that this bastion host solved some of the inconveniences and deficiencies of the traditional bastion host mentioned above, and gave us a very convenient experience:

■  The JumpServer bastion host supports a Web Terminal, needs no plug-ins to be installed, works in various browsers, and eliminates the complicated installation and usage steps;

■  The JumpServer bastion host is lighter: it is very convenient for operation and maintenance personnel to install and deploy by themselves, and its server requirements are not very high, which saves the tedious steps of physical asset management. Enterprise users can quickly deploy JumpServer on existing hardware and quickly own a bastion host.

Deployment Architecture of JumpServer

At present, Snow Beer Sichuan Company manages IT assets distributed in different intranet locations through JumpServer, with the intranet connected by MPLS. In use, we can access JumpServer through web pages and SSH clients. To raise the security level, JumpServer supports MFA multi-factor authentication, and supports video auditing and SSH protocol access. JumpServer also fully provides the four core functions of 4A (namely authentication, authorization control, account management, and security audit), providing unified security management for intranet devices such as servers, network devices, databases, and security devices.

Figure 1 Deployment Architecture of JumpServer in Snow Beer Sichuan Company

JumpServer Highlights Features

I have been using the JumpServer open source bastion host for several years and have used many versions. Some practical and eye-catching functions of JumpServer can indeed improve the work efficiency of the operation and maintenance team, and can also ensure the security of system operation and maintenance. For example:

■  The interface of JumpServer is attractive and direct, providing a console of IT assets in which assets such as servers and network equipment can easily be viewed;

■  It supports multiple authentication methods such as MFA secondary authentication, supports watermarks and multiple password policies, and improves security;

■  It supports functions such as uploading video files to public cloud object storage, which is practical and safe;

Expectations and Recommendations for JumpServer

■  Maintain the frequency of update iterations and listen to the voice of users

My company mainly uses SQL Server databases, and previous versions of JumpServer supported a limited variety of databases. Recently we saw that JumpServer implemented management and auditing of SQL Server databases in version v2.17.0, and we plan to try this function this year. Many users hope that JumpServer can support more database types, and we have also seen the efforts of the JumpServer R&D team. We hope that JumpServer can maintain this high-speed iteration rhythm, listen to the needs of users, and continuously improve the product.

■  File transfer is sometimes unstable

When I use file transfer, the transmission is occasionally interrupted when the file is relatively large. At present, adjusting the Nginx timeout setting to the customer's actual scenario solves most of these file transfer interruptions, and we hope this will continue to be optimized and improved in future versions.
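As an added illustration of the timeout adjustment mentioned above (not configuration from the interview or from the JumpServer project), the fragment below places nginx's default limits, which cut off a long upload through a reverse proxy, beside raised values; the location path, upstream name and chosen values are assumptions to be adapted to the real deployment.

```nginx
# Added example; the location path, upstream name and values are assumptions,
# not JumpServer's shipped configuration.
# nginx defaults: client_max_body_size 1m, proxy_read_timeout 60s,
# proxy_send_timeout 60s, send_timeout 60s. A large file transfer that exceeds
# any of them is cut off mid-stream, which matches the interruption described above.

# Before: the defaults, written out explicitly for comparison
# location /api/v1/ {
#     proxy_pass           http://jumpserver_backend;
#     client_max_body_size 1m;     # uploads above 1 MB are rejected with 413
#     proxy_read_timeout   60s;    # idle for 60s between backend reads -> 504
# }

# After: allow large request bodies and long-running transfers
location /api/v1/ {
    proxy_pass              http://jumpserver_backend;  # assumed upstream name
    client_max_body_size    0;      # disable the body size check (or set a cap such as 2g)
    proxy_request_buffering off;    # stream the upload to the backend instead of spooling it to disk
    proxy_connect_timeout   60s;    # time to establish the backend connection
    proxy_send_timeout      600s;   # max idle time between two writes to the backend
    proxy_read_timeout      600s;   # max idle time between two reads from the backend
    send_timeout            600s;   # max idle time between two writes to the client
}
```

The timeouts are idle intervals, not a total transfer budget, so raising them affects only connections that stall; keep a body size cap if the server's disk or the backend cannot absorb unbounded uploads.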

■  Add more message notification methods

At present, the message subscription notification method we use is email. In terms of usage habits, we still hope that JumpServer can provide a configuration function for an SMS interface, so that we can send message notifications by SMS, and we look forward to it in subsequent updates.
