Community Sharing | Mutong Games manages distributed assets across multiple projects with JumpServer

Editor's Note: The author of this article is Stian of Mutong Technology.

Shanghai Mutong Technology Co., Ltd. (MOONTON) was founded in 2014. The company is headquartered in Shanghai and has branches in Indonesia, Singapore and other overseas locations. Shanghai Mutong Technology Co., Ltd. (hereinafter referred to as Mutong Technology) focuses on global game development and publishing and has successfully launched a number of highly regarded mobile games overseas. It is one of the Chinese game companies with the most overseas players.

At present, Mutong Technology has long-term partnerships with government agencies, e-sports associations and professional teams in more than 30 countries. The company's Mobile Legends has become the largest MOBA (Multiplayer Online Battle Arena) title overseas. Mutong Technology has a large number of data center resources overseas, and many of its projects run on independent networks, so its multiple game projects face many challenges in secure operations and maintenance.

Pain points of security operations and maintenance

The rapid growth of Mutong Technology's business has brought many problems and challenges to its daily operations and maintenance management, which can be summarized as follows:

1. Isolation management of multi-project networks

Game companies generally have many projects, and the network of each project is independent and isolated. For operations work this means each project has to run and manage its own bastion host, which leads to fragmented management authority and makes unified management difficult;

2. Login acceleration across multiple IDCs

With multiple projects whose IDCs are distributed around the world, deploying the bastion host at a single node means that logins to some IDCs suffer high latency, which degrades the daily operations experience;

3. Auditing of existing production users

Previously the company could not trace user behavior, and every year it ran into problems such as system failures caused by user misoperation. When a fault occurred, the company could not immediately determine whether it was caused by a user's misoperation or by a server performance problem, which made quick troubleshooting and repair impossible. Traceability of user behavior was therefore the problem the company most urgently wanted to solve;

4. Access auditing of the production database

The company's game projects use a global logic database, and in daily operations some tables often need to be viewed and modified. The previous approach was to expose the database to the office network through a reverse proxy and then view and operate on the tables with database management software. This is cumbersome and carries certain security risks;

5. File upload auditing on the production network

Release packages, configuration files and other materials for the company's game projects have to be transferred over the office network, mainly with rsync. With this approach, files cannot be audited and user operations cannot be restricted.

Bastion host selection

After market research and comparison, Mutong Technology's Operations and Maintenance Center ran a series of internal tests on JumpServer and found that its core functions meet the enterprise's core requirements for a bastion host. Key advantages include:

■ Organization management

JumpServer Enterprise Edition supports organization management, which provides multi-tenancy and permission isolation. Each project in the company can be set up as an organization, with its users, assets, authorizations and so on configured at a finer granularity, which solves the problem of inconsistent management across projects;

■ Log auditing and session management

JumpServer supports log auditing and session management. When an operations accident or investigation occurs, the problem can be located quickly and it can be determined whether it was caused by human error or by some other fault, which effectively prevents the same problem from recurring. This addresses user behavior auditing and traceability and meets the company's security compliance requirements;
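The traceability question raised under pain point 3 and answered by session auditing here is, in practice, a correlation problem: given a fault on an asset at a known time, which recorded commands on that asset preceded it, and do any of them look like a misoperation? The following is an added example of that triage, not code from the article or from JumpServer. The `timestamp|user|asset|command` record format, the sample records and the list of "risky" command patterns are all constructed assumptions; a real deployment would read the records from the bastion host's session audit export.

```python
import datetime as dt
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandRecord:
    """One audited command: who ran what, on which asset, and when."""
    ts: dt.datetime
    user: str
    asset: str
    command: str


# Hypothetical patterns an auditor looks at first when a fault follows a
# session closely (assumption: tune this list to your own fleet).
RISKY_PATTERNS = (
    "rm -rf", "mkfs", "dd if=", "systemctl stop", "systemctl restart",
    "kill -9", "chmod -R", "chown -R", "truncate", "iptables -F",
)


def parse_records(lines):
    """Parse constructed 'ISO-timestamp|user|asset|command' lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, asset, command = line.split("|", 3)
        records.append(CommandRecord(dt.datetime.fromisoformat(ts), user, asset, command))
    return records


def is_risky(command):
    return any(p in command for p in RISKY_PATTERNS)


def commands_before_fault(records, asset, fault_time, window=dt.timedelta(minutes=15)):
    """Commands run on `asset` within `window` before `fault_time`, oldest first."""
    start = fault_time - window
    hits = [r for r in records if r.asset == asset and start <= r.ts <= fault_time]
    return sorted(hits, key=lambda r: r.ts)


def triage(records, asset, fault_time, window=dt.timedelta(minutes=15)):
    """Return (candidate records, risky subset) for a fault on `asset`.

    An empty candidate list points the investigation away from misoperation
    and toward the server itself; a non-empty risky subset names the exact
    session to review. `fault_time` may be a datetime or an ISO string.
    """
    if isinstance(fault_time, str):
        fault_time = dt.datetime.fromisoformat(fault_time)
    candidates = commands_before_fault(records, asset, fault_time, window)
    return candidates, [r for r in candidates if is_risky(r.command)]


# Constructed sample audit records (not real data).
SAMPLE_LOG = """
2021-06-01T09:40:12|alice|game-db-01|SELECT count(*) FROM players;
2021-06-01T09:58:03|bob|game-db-01|df -h
2021-06-01T09:59:47|bob|game-db-01|rm -rf /data/mysql/binlog/*
2021-06-01T10:01:10|carol|game-api-03|tail -n 100 /var/log/app.log
2021-06-01T10:30:00|alice|game-db-01|systemctl status mysqld
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    candidates, risky = triage(recs, "game-db-01", "2021-06-01T10:05:00")
    for r in candidates:
        mark = "RISKY" if r in risky else "     "
        print(f"{mark} {r.ts.isoformat()} {r.user}@{r.asset}: {r.command}")
```

With the sample records and a fault on `game-db-01` at 10:05, the two commands bob ran in the preceding quarter hour are returned and the `rm -rf` on the binlog directory is flagged, while alice's earlier query and carol's work on another asset are excluded. The window size is the main tuning knob: too short misses slow-acting changes, too long buries the signal.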

■ Remote applications and database management

JumpServer Enterprise Edition supports remote applications (RemoteApp) and database management. Production databases can be accessed from both the command line and a GUI, and the remote application function is also compatible with the database management software the operations staff were already using for daily work, which solves the problems of database permission control and application operation auditing;
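Database session auditing is most useful when the recorded statements are classified rather than merely stored: reads on the shared logic database are routine, writes deserve a second look, and an UPDATE or DELETE with no WHERE clause is the classic whole-table misoperation. The following is an added example of such a classifier over recorded statements; it is not code from the article or from JumpServer, and the sample statements are constructed.

```python
import re

# Statement classes used for audit review.
READ_KEYWORDS = ("select", "show", "describe", "desc", "explain")
WRITE_KEYWORDS = ("insert", "update", "delete", "replace")
DDL_KEYWORDS = ("create", "alter", "drop", "truncate", "rename")


def _first_keyword(sql):
    """Leading keyword of a statement, ignoring leading comments and whitespace."""
    stripped = re.sub(r"^\s*(--[^\n]*\n|/\*.*?\*/\s*)*", "", sql, flags=re.S).strip()
    m = re.match(r"[A-Za-z]+", stripped)
    return m.group(0).lower() if m else ""


def classify(sql):
    """'read', 'write', 'ddl' or 'other' for one recorded statement."""
    kw = _first_keyword(sql)
    if kw in READ_KEYWORDS:
        return "read"
    if kw in WRITE_KEYWORDS:
        return "write"
    if kw in DDL_KEYWORDS:
        return "ddl"
    return "other"


def needs_review(sql):
    """Flag what an auditor should look at first: any DDL, and an UPDATE or
    DELETE without a WHERE clause. The WHERE check is a heuristic on the raw
    text (a WHERE inside a string literal would also satisfy it)."""
    if classify(sql) == "ddl":
        return True
    kw = _first_keyword(sql)
    return kw in ("update", "delete") and not re.search(r"\bwhere\b", sql, re.I)


def audit_session(statements):
    """(statement, class, flagged) for every statement of a recorded session."""
    return [(s, classify(s), needs_review(s)) for s in statements]


# Constructed sample of a recorded DB session (not real data).
SAMPLE_SESSION = [
    "SELECT id, gold FROM players WHERE id = 1;",
    "-- fix a support ticket\nUPDATE players SET gold = 0 WHERE id = 7;",
    "DELETE FROM players;",
    "DROP TABLE player_backup;",
    "SHOW TABLES;",
]

if __name__ == "__main__":
    for stmt, cls, flagged in audit_session(SAMPLE_SESSION):
        print(f"{'REVIEW' if flagged else '      '} [{cls:5}] {stmt.splitlines()[-1]}")
```

Run over the sample session, the scoped UPDATE and the two reads pass quietly, while the unscoped DELETE and the DROP are flagged for review. In a real pipeline the flagged entries are what get attached to the ticket or alert, with the session id from the bastion host so the operator can be identified.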

■ File transfer and management

JumpServer supports file transfer and management. Users can upload and download files through the Web terminal, and an FTP-API is also available so that user scripts can upload and download files; both paths support auditing.

Deployment architecture of the JumpServer bastion host

Based on the core functions above and the multi-project, multi-site data center characteristics of a game company, Mutong Technology finally chose a distributed deployment architecture.

To deploy JumpServer into production, the central node is first deployed in one of the company's IDCs, with the Web Server and the DB Server separated, two virtual IPs as the front end, and high availability provided by Keepalived. If one of the services fails, the system switches over automatically within 5 seconds.

Then, based on the company's business scenarios, several suitable IDCs around the world are selected to deploy JumpServer slave nodes. A slave node contains only some of the components and authenticates against the central node through the Auth API. Each slave node usually also runs in a high-availability configuration. In daily operations, users can then choose any node to log in to the bastion host according to the service and data center they need.
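The "switch over within 5 seconds" figure for the Keepalived front end depends on two timers: how fast a node notices its own service has died (the `vrrp_script` `interval` and `fall` count) and how fast the backup notices the master has gone silent (VRRP's master-down interval, 3 × `advert_int` plus a priority-based skew, per RFC 3768). The following is an added example of a health-check script such a `vrrp_script` could call, together with the timer arithmetic; it is not MOONTON's configuration nor JumpServer code. The Keepalived stanza in the docstring, the health URL, the ports and the VIP are assumptions.

```python
"""Health check for a Keepalived vrrp_script on a central-node member.

Exit 0 means healthy; non-zero makes Keepalived drop this node's priority so
the VIP moves to the peer. Assumed stanza (not the article's configuration):

    vrrp_script chk_jumpserver {
        script "/usr/local/bin/check_jumpserver.py"
        interval 1          # run every second
        fall 2              # two consecutive failures -> down
        rise 2
    }
    vrrp_instance VI_WEB {
        interface eth0
        virtual_router_id 51
        priority 100
        advert_int 1
        virtual_ipaddress { 10.0.0.10/24 }   # assumed Web front-end VIP
        track_script { chk_jumpserver }
    }
"""
import socket
import sys
import urllib.request


def http_ok(url, timeout=2.0):
    """True if the Web service answers with a 2xx/3xx status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return False


def tcp_ok(host, port, timeout=2.0):
    """True if the DB port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(results):
    """Exit code Keepalived expects: 0 only if every check passed."""
    return 0 if all(results) else 1


def master_down_interval(advert_int, priority):
    """Seconds a BACKUP waits before taking over once the MASTER stops
    advertising: 3 * advert_int + skew, skew = (256 - priority) / 256."""
    return 3 * advert_int + (256 - priority) / 256


def service_failover_bound(interval, fall):
    """Seconds to detect a dead service on a live host: the script has to
    fail `fall` times, `interval` seconds apart."""
    return interval * fall


if __name__ == "__main__":
    checks = [
        http_ok("http://127.0.0.1:8080/api/health/"),  # assumed Web port/path
        tcp_ok("127.0.0.1", 3306),                     # assumed DB port
    ]
    sys.exit(evaluate(checks))
```

With `advert_int 1` and `priority 100` the master-down interval is about 3.6 s, and with `interval 1` / `fall 2` a dead service is noticed in 2 s; both sit inside the 5 second target the article states, which is why the timers matter as much as the VIP itself. Each check is deliberately a separate function so the Web and DB VIPs can track different scripts.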

JumpServer bastion host feature highlights

In actual use we found that JumpServer has other highlights that effectively improve enterprise security operations and auditing in real scenarios:

■ Password change plan

JumpServer Enterprise Edition supports periodic batch password changes for assets and databases and can generate random passwords; users can choose from a variety of password policies according to their needs. This solves the problem that the passwords managed by the bastion host need to be changed regularly, greatly improves system security, and meets the company's security compliance requirements;
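Policy-driven random password generation is simple to describe but easy to get subtly wrong (biased randomness, a required character class that happens to be missing, predictable positions for the guaranteed characters). The following is an added example of how a rotation job can generate and verify passwords against a configurable policy using the OS CSPRNG; it is not the article's or JumpServer's code, and the policy fields, symbol set and asset names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy shape: minimum length plus required character classes."""
    length: int = 20
    upper: bool = True
    lower: bool = True
    digits: bool = True
    symbols: bool = True
    symbol_set: str = "!@#$%^&*()-_=+[]{}:,.?"


def _classes(policy):
    """Character classes the policy requires, in a fixed order."""
    classes = []
    if policy.upper:
        classes.append(string.ascii_uppercase)
    if policy.lower:
        classes.append(string.ascii_lowercase)
    if policy.digits:
        classes.append(string.digits)
    if policy.symbols:
        classes.append(policy.symbol_set)
    return classes


def meets_policy(password, policy):
    """True if the password is long enough and contains every required class."""
    if len(password) < policy.length:
        return False
    return all(any(c in cls for c in password) for cls in _classes(policy))


def generate_password(policy):
    """Random password from secrets (CSPRNG) that satisfies every required class."""
    classes = _classes(policy)
    if not classes or policy.length < len(classes):
        raise ValueError("policy cannot be satisfied")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest from the full alphabet...
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(policy.length - len(chars))]
    # ...then a CSPRNG Fisher-Yates shuffle so the guaranteed characters do
    # not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def rotate(assets, policy):
    """One fresh password per asset, verified against the policy before use.
    In a real job each value goes to the bastion host's credential store and
    is never written to a log."""
    new = {a: generate_password(policy) for a in assets}
    assert all(meets_policy(p, policy) for p in new.values())
    return new


if __name__ == "__main__":
    # Constructed asset names for illustration only.
    for asset, pw in rotate(["game-db-01", "game-api-03"], PasswordPolicy()).items():
        print(asset, "->", "*" * len(pw), "(policy ok:", meets_policy(pw, PasswordPolicy()), ")")
```

The shuffle step is the part most often skipped: without it, an attacker who knows the generator always places the symbol in position four has a smaller search space. `meets_policy` doubles as the check to run on passwords entered by hand before they are accepted into the store.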

■ Multi-cloud asset management

JumpServer Enterprise Edition supports automatic, unified management of private and public cloud assets. The company has a large number of assets in a multi-cloud environment, and managing these IT assets in a unified way through JumpServer greatly improves the efficiency of the company's asset management;

■ Web terminal

The Web terminal lets many lightweight users meet their daily operations and server management needs without installing command-line tools such as XShell. It is simple to operate and very convenient to use.
