What should you pay attention to when building a bastion host?

Enterprises face serious threats from operations of unknown origin, unauthorized operations, password leakage, data theft, and illegal operations. To prevent such incidents, and to respond to them promptly when they do occur, enterprises often build a bastion host. So what aspects should an enterprise pay attention to when building one?

Principle 1: Account management on the bastion host

For the sake of convenient login, enterprise administrators often let several users share one account, or let one user hold several accounts. Because a shared account is used by many people, when a problem occurs in the system it is impossible to pinpoint who was responsible for a malicious action or a mistaken operation. Therefore, when building a bastion host, insist on one account per person: never let several people share a personal account, and never allow a generic (public) account to log in to the bastion host.

Principle 2: Access control on the bastion host

The purpose of access control is to ensure that information resources cannot be used or accessed illegally, by restricting both the capabilities and the scope of the data and systems that operations and maintenance staff can reach.

Principle 3: Command review on the bastion host

The bastion host's operation audit function mainly audits the account usage (logins, resource access) and resource usage of operations and maintenance staff. For sensitive commands, the bastion host can either block the command outright or trigger a review; sensitive commands that do not pass the review are intercepted by the bastion host.

Principle 4: Authentication on the bastion host

It is recommended to require two-factor identity confirmation via WeChat or SMS for important operations such as host restart, password change, session creation, snapshot rollback, and disk replacement, so that the legitimacy of the visitor's identity is confirmed before the operation proceeds.

Principle 5: Resource authorization on the bastion host

For user authorization, it is recommended to integrate the company's internal CMDB and build a role-based access control model for permission management. Centralized access control combined with fine-grained, command-level authorization policies, applied according to the principle of least privilege, gives centralized and orderly management of operations and maintenance activity.

Principle 6: Audit records on the bastion host

At the security level, in addition to authorization by the bastion host beforehand and the interception of sensitive commands during a session, the bastion host must also provide post-hoc auditing of operations and maintenance work. Every operation a user performs through the bastion host is recorded as a log, and administrators audit the work of operations and maintenance staff through these logs.

Principle 7: Operational audit on the bastion host

The bastion host's operation audit function mainly audits the account usage (logins, resource access) and resource usage of operations and maintenance staff. Once the access log records of every server host are tied to a unified account and resource identity, the bastion host's operation audit can trace the complete usage history of each account.
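Principles 3, 5, 6 and 7 describe one policy pipeline: a personal account maps to a role, the role has a command-level allow-list, sensitive commands are blocked or held for review, and every decision is logged so an account's full history can be traced. The following is an added illustration, not code from the original article or from any bastion host product; the users, roles and command lists are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample data, not from any real deployment: one personal account per
# person (Principle 1) mapped to a role, and per-role command allow-lists (Principle 5).
USERS = {"alice": "dba", "bob": "ops"}
ROLE_ALLOW = {
    "dba": {"mysql", "mysqldump", "ls", "cat", "tail"},
    "ops": {"systemctl", "journalctl", "ls", "cat", "tail", "df"},
}
# Sensitive commands (Principle 3): "block" is always intercepted; "review" is held
# until an auditor approves it, then treated like an ordinary allowed command.
SENSITIVE = {"rm": "block", "mkfs": "block", "dd": "block", "shutdown": "block",
             "reboot": "review", "passwd": "review", "systemctl": "review"}
AUDIT_LOG = []  # every decision lands here for post-hoc audit (Principles 6 and 7)


def _programs(command):
    """Leading program of every segment in a chained shell line (a; b | c && d)."""
    segments = re.split(r"\|\||&&|[;|&]", command)
    return [s.split()[0] for s in segments if s.strip()]


def evaluate(user, host, command, approved=False):
    """Return allow / review / block / deny for one command and record the decision."""
    role = USERS.get(user)
    if role is None:
        decision = "deny"  # shared or unknown accounts never reach a target host
    else:
        decision = "allow"
        for prog in _programs(command):
            level = SENSITIVE.get(prog)
            if level == "block" or (level is None and prog not in ROLE_ALLOW[role]):
                decision = "block"  # intercept the whole line, not just one segment
                break
            if level == "review" and not approved:
                decision = "review"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                      "role": role, "host": host, "command": command,
                      "decision": decision})
    return decision


def trail(user):
    """Post-hoc audit: the full command history of one personal account."""
    return [r for r in AUDIT_LOG if r["user"] == user]
```

Chained commands are evaluated segment by segment so that an allowed prefix cannot smuggle a blocked command past the filter, and the log keeps the denied attempts as well as the allowed ones.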

These are the seven principles an enterprise should follow when building a bastion host. Only by adhering to all seven can the enterprise's data security be protected as far as possible. For start-ups and small and medium-sized enterprises, cost is an unavoidable consideration. Among the many brands on the market, mainstream bastion hosts fall into two categories: open-source and commercial. When choosing a bastion host, an enterprise needs to weigh its own cost estimate against the product's features and performance. An open-source bastion host is flexible and convenient to use, but its later operation and maintenance cost is considerable: the enterprise must either hire a dedicated person to maintain it or pay the original developer for further customization. Overall the cost is no lower than buying a commercial bastion host directly, and the original developer of an open-source bastion host assumes no responsibility for it.

There are three types of commercial bastion host; they are not covered in detail here. If you are interested, see: What are the brands of bastion hosts? What is the market share of bastion host vendors? A cloud bastion host, which requires no installation or maintenance, is recommended. The Xingyun Butler cloud bastion host is, by the vendor's account, the first and only bastion host on the market that supports auditing of operating commands on Windows Server 2012/2016. In addition to a privately deployed edition, Xingyun Butler also offers a cheaper SaaS edition with the same features, which includes a free management quota of 4 cloud hosts or LAN hosts. For most start-ups and small and medium-sized enterprises, the free quota of 4 hosts covers the basic need.
