Case study | China University of Mining and Technology builds an operation and maintenance security system based on JumpServer

China University of Mining and Technology is a national key university directly under the Ministry of Education, jointly established by the Ministry of Education, the Ministry of Emergency Management and the Jiangsu Provincial People's Government. It has successively entered the national "211 Project", the "985 Advantageous Discipline Innovation Platform Project" and the national "Double First-Class" construction programme. The school is located in Xuzhou City, Jiangsu Province, a national historical and cultural city known as the "thoroughfare of five provinces". It has two campuses, Wenchang and Nanhu, covering an area of more than 4,200 acres.

Since 2019, China University of Mining and Technology has been building the "Ten Ones" core tasks of its smart campus, namely: one network (an integrated campus network), one cloud (a hyper-converged data cloud platform), one table (a personal information management table), one account (an identity management number), one lake (a governance data lake), one space (a ubiquitous research space), one park (full coverage of the smart park), one-stop (one-stop services), one cycle (the whole cycle of talent training) and one wall (an all-round security protection wall), and is comprehensively carrying out campus informatization.

Pain points and difficulties of IT operation and maintenance

With the continuous expansion of the scale of the school's information system, China University of Mining and Technology is also facing many practical operation and maintenance management problems in the daily IT operation and maintenance work:

■ Fragmentation of IT assets and complex operation and maintenance environment

China University of Mining and Technology currently has more than 500 virtual machines and dozens of physical servers in the "two schools and three places" data center computer room, and servers belonging to various units are distributed across other locations such as the school's other computer rooms and laboratories. The geographical span is large, and there are many types of IT assets.

At the same time, many of the school's business systems are built by the business departments themselves, with third-party vendors undertaking construction and operation. Engineers of third-party vendors and teachers of school business departments therefore all need to log in to IT assets remotely, which makes the daily operation and maintenance and auditing workload of the school's information department very heavy;

■ There are security risks such as password disclosure and loss

After a virtual machine is allocated by the school, its account password is kept and maintained by the business department teacher and the vendor engineer, usually recorded in an Excel sheet or a notepad file. This simple recording method carries the risk of password disclosure. At the same time, as business department teachers change positions and vendor engineers are replaced, a password is often lost after being modified, leaving the system with serious security risks and hindering the school's secure operation and maintenance and standardized management of IT assets;

■ Lack of a unified IT asset login entry, making auditing difficult

After a virtual machine is assigned to a business department or a third-party vendor, operation and maintenance personnel have no unified access portal: some access it directly through the intranet, some use remote desktop tools such as Sunflower, and some access it remotely through a VPN. There is no unified IT asset login portal.

Teachers in the business departments do not know how many IT assets are registered under their names, and the information department does not know who logs in to the school's IT assets or when. This lack of visibility creates serious hidden dangers for the secure operation and maintenance of IT assets.

Facing the above problems in the daily operation and maintenance of virtual machines and servers, the Information Department of China University of Mining and Technology decided to change its original IT asset operation and maintenance management approach and build a more secure and standardized bastion host operation and maintenance security system.

Reasons for choosing JumpServer bastion host

Aiming at the pain points and needs of the school's IT asset operation and maintenance, the information department of China University of Mining and Technology researched and tested a variety of bastion host products on the market, concluded that the JumpServer bastion host could meet the school's needs at the technical level, and finally chose the JumpServer Enterprise Edition bastion host as a key component of the school's IT asset operation and maintenance security system. The main reasons for choosing the JumpServer bastion host include:

1. Web terminal access method without plug-in

JumpServer's plug-in-free, pure-browser access design closely matches China University of Mining and Technology's expectation that IT asset operation and maintenance should be simple and convenient. Operation and maintenance personnel do not need to install a dedicated client plug-in locally, and can directly access various types of IT assets running various operating systems through the browser-based web terminal;

2. Open source and open

As a popular open source bastion host, JumpServer has a very active open source community and provides an open API to let users extend its functionality. Building on this open API, China University of Mining and Technology also plans to expose the bastion host's capabilities through the school's online office hall in the future, so that each department can apply for resource access permissions by itself.

At the same time, the national "14th Five-Year Plan" also focuses on the construction of a new open source ecology. As a national key university directly under the Ministry of Education, China University of Mining and Technology also hopes to jointly build an open source ecology with JumpServer through its own use and feedback;

3. Fast iteration speed

For a long time, JumpServer has insisted on releasing new versions on a monthly iteration cycle, so the product is updated quickly. Users can raise their needs and feedback on JumpServer through GitHub, technical exchange groups and other channels. The JumpServer open source project team listens to users, collects their suggestions, adds new features in successive iterations, optimizes usage scenarios and continuously improves the user experience.

The deployment architecture of JumpServer

The JumpServer Enterprise Edition bastion host is delivered in two forms: pure software, or an integrated software-and-hardware appliance. Based on the requirements of the school's current network environment, the school chose the all-in-one appliance and deployed two of them in an active/standby high-availability architecture.

At the same time, VIP (virtual IP) failover is implemented through Keepalived to achieve active/standby switching. That is, the same JumpServer service is deployed on both the active node and the standby node, and a single VIP address provides the service externally. When the active server goes down, the Keepalived component automatically moves the VIP to the standby server so that the service keeps running.
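As an added illustration of the active/standby VIP failover described above (constructed example, not the school's or JumpServer's own configuration), the following keepalived.conf for the active node couples the VRRP priority to a health check of the local JumpServer web service. The interface name, VIP, router id, priorities and the health-check URL are placeholders to be replaced with the values of the actual deployment.

```conf
! Constructed keepalived.conf for the ACTIVE node.
! The standby node uses the same file with state BACKUP and a lower
! priority (for example 90), so that it takes over only when the active
! node's effective priority drops below its own.

global_defs {
    router_id jms-node-1          ! placeholder, unique per node
}

! Probe the local JumpServer web service. The URL is a placeholder:
! use whichever endpoint your JumpServer version exposes for health.
! On three consecutive failures the node's priority is lowered by 30,
! which makes VRRP elect the standby node; two successes restore it.
vrrp_script chk_jumpserver {
    script "/usr/bin/curl -sf -o /dev/null http://127.0.0.1/api/health/"
    interval 5      ! seconds between probes
    timeout 3       ! give up on a probe after 3 seconds
    fall 3          ! failures before the script is considered down
    rise 2          ! successes before it is considered up again
    weight -30      ! priority adjustment while the check is failing
}

vrrp_instance VI_JMS {
    state MASTER                  ! BACKUP on the standby node
    interface eth0                ! placeholder NIC carrying the VIP
    virtual_router_id 51          ! placeholder, identical on both nodes
    priority 100                  ! 90 on the standby node
    advert_int 1                  ! VRRP advertisement interval (seconds)
    virtual_ipaddress {
        10.0.0.100/24 dev eth0    ! placeholder VIP users connect to
    }
    track_script {
        chk_jumpserver
    }
}
```

With these numbers a failing health check lowers the active node from 100 to 70, below the standby's 90, so the VIP moves even when the host itself is still up; a full host outage is covered by the standby no longer receiving VRRP advertisements.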

▲Figure 1 China University of Mining and Technology JumpServer deployment architecture

Use value of JumpServer

Since the JumpServer bastion host went into production, it has brought the following benefits to the school and greatly improved its operation and maintenance management capability:

■ Unified access to IT assets

Through the JumpServer bastion host, on-campus users authenticate against the school's unified identity authentication system (based on the CAS protocol), while the accounts of off-campus engineers are issued under a real-name system. This establishes a "one person, one account" model for both on-campus and off-campus IT asset operation and maintenance, effectively reducing the risk of account and password leakage. Users log in to JumpServer and access the servers they are authorized for, so all IT assets are reached through a single portal.

At the same time, asset account passwords are centrally hosted in JumpServer, and users can log in directly without entering them, which improves operation and maintenance efficiency and prevents passwords from being lost;

■ Guarantee of safe and stable operation

At the national level, the emphasis on network security keeps increasing, and the relevant laws and regulations are becoming more complete. The school has accordingly raised its requirements for operation and maintenance security auditing and professional management of IT assets. By enabling multi-factor authentication (MFA), the administrator has strengthened the reliability and security of "one person, one account" in IT asset operation and maintenance. At the same time, the JumpServer bastion host conforms to the 4A specification and meets the school's operation and maintenance security audit requirements.

▲Figure 2 China University of Mining and Technology achieves secure login access through JumpServer

Expectations and Prospects

China University of Mining and Technology achieved unified operation and maintenance management of the school's IT assets through the JumpServer bastion host, meeting the school's basic requirement that assets be "clearly owned by business departments, managed by off-campus vendors, and visible to the information department".

Today, as the localization of IT construction continues to deepen, the school hopes that JumpServer will increase its support for the domestic proprietary clouds commonly used by universities and keep expanding the scope of cloud asset management.

Origin blog.csdn.net/FIT2CLOUD/article/details/131203735