Summary: bastion host and springboard machine (jump server)

1. Springboard machine

As early as around 2000, some large and medium-sized enterprises deployed a springboard machine (jump server) in the computer room to centrally manage the remote logins of operation and maintenance personnel. The springboard machine is simply a server running a Unix/Windows operating system. All operation and maintenance personnel first log in to the springboard machine remotely, and then log in to the other servers from the springboard machine to carry out their operation and maintenance work.

2. Why do you need a bastion host?

The bastion host evolved from the concept of the springboard machine (also called the front-end machine).

The springboard machine does not provide control or auditing of what operation and maintenance personnel actually do. While a springboard machine is in use, operational accidents caused by misoperation or illegal operation still occur, and once such an accident happens it is difficult to quickly locate the cause and the person responsible.

In addition, the springboard machine carries serious security risks. Once the springboard machine itself is compromised, all of the back-end resources behind it are completely exposed. At the same time, a certain amount of internal control can be achieved through the springboard for individual resources (such as telnet), but for the growing number of special resources (ftp, rdp, etc.) it is powerless.

3. What is a bastion host?

A bastion host is a security device used to manage and control systems such as remote servers and network devices. It can finely manage and control the user's access traffic, and realize functions such as centralized control of user rights, session management, and audit trail, thereby improving system security and management efficiency.

A bastion host can be either a hardware device or a software product.

Hardware equipment usually refers to a dedicated server pre-installed with bastion host software, which has higher stability and performance, while a bastion host in the form of software can be deployed in a virtualized environment.

However, the configuration, deployment and maintenance of the bastion host all require professional skills, and incorrect configuration may affect the security and stability of the system.

The difference between the bastion host and the springboard host lies mainly in their functions: the springboard host is just a general remote login tool for reaching the target machine, and can forward the local SSH connection to the controlled machine; the bastion host has far richer management and control functions, such as user authentication, authority authorization, session audit, operation and maintenance process control and unified management, which help enterprises implement security management and control and reduce risk.

4. The role of the bastion host

1) Operation and maintenance of core systems together with security audit control;

2) Filtering and intercepting illegal access and malicious attacks, blocking illegal commands, audit monitoring, alarming and responsibility tracking;

3) Alarming, recording, analysis and handling.

5. The core functions of the bastion host

1) Single sign-on

Supports automatic periodic password changes for a series of authorized accounts on X11, Linux, Unix, database, network and security equipment, which simplifies password management and lets users log in to the target device automatically without having to memorize many system passwords; this is both convenient and safe.

2) Account management

The device supports a unified account management strategy that enables centralized management of all servers, network devices, security devices, etc., with role settings such as audit inspectors, operation and maintenance operators, equipment administrators and other custom roles to meet audit requirements;

3) Identity authentication

The device provides a unified authentication interface for authenticating users, and supports identity authentication modes including dynamic passwords, static passwords, hardware keys, biometrics and other authentication methods. The device has flexible custom interfaces and can be combined directly with third-party authentication servers to form a secure authentication mode, which effectively improves the security and reliability of authentication;

4) Resource authorization

The device provides fine-grained operation authorization based on elements such as user, target device, time, protocol type, IP address and behavior, so as to maximize the security of user resources;

5) Access control

The device supports formulating different policies for different users; this fine-grained access control maximizes the protection of user resources and strictly prevents illegal and unauthorized access events;

6) Operational audit

The device can perform behavioral audits of character (terminal), graphical, file transfer and database sessions; it records the operations performed by operation and maintenance personnel on operating systems, security devices, network devices and databases as session video, provides central control over violation incidents, and supports precise search of terminal command history together with exact positioning within the video recording.
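To make the difference between a plain springboard and a bastion host concrete, the following added example (not code from the original post or from any bastion product) models the resource authorization, access control and audit functions listed above: a login is relayed only if a rule matches the user, target device, protocol, source IP and time window, commands on a deny list are refused, and every decision is written to an audit trail so that an incident can be traced back to a user. All users, hosts, networks and commands are constructed sample data.

```python
# Added example, not code from the original post or from any bastion product:
# a minimal model of the authorization and audit functions listed above. Users,
# hosts and networks are constructed sample data.
import ipaddress
from datetime import datetime
# Constructed policy: one rule per user, built from the elements in section 5
# (user, target device, protocol, source IP, time window).
POLICY = [
    {"user": "alice", "targets": {"db01", "db02"}, "protocols": {"ssh"},
     "src_net": "10.0.1.0/24", "hours": (9, 18)},   # office hours only
    {"user": "bob", "targets": {"web01"}, "protocols": {"ssh", "rdp"},
     "src_net": "10.0.2.0/24", "hours": (0, 24)},   # any time of day
]
# Constructed deny list: whole commands and programs the bastion will not relay.
BLOCKED_COMMANDS = {"rm -rf /", "rm -rf /*"}
BLOCKED_PROGRAMS = {"mkfs", "shutdown", "reboot", "halt"}
AUDIT_LOG = []  # append-only storage in a real deployment; a list is enough here

def _audit(when, user, target, event):
    """Every decision made below is recorded here, allowed or not."""
    AUDIT_LOG.append(f"{when} user={user} target={target} {event}")

def authorize(user, target, protocol, src_ip, when):
    """Return (allowed, reason) for a login request; `when` is an ISO timestamp."""
    hour = datetime.fromisoformat(when).hour
    reason = "no matching rule"
    for rule in POLICY:
        if rule["user"] != user or target not in rule["targets"]:
            continue
        start, end = rule["hours"]
        if protocol not in rule["protocols"]:
            reason = "protocol not permitted"
        elif ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src_net"]):
            reason = "source IP outside permitted network"
        elif not start <= hour < end:
            reason = "outside permitted time window"
        else:
            reason = "allowed"
        break  # the first rule for this user and target decides
    _audit(when, user, target, f"login proto={protocol} src={src_ip} -> {reason}")
    return reason == "allowed", reason

def check_command(user, target, command, when):
    """Return True if the command may be relayed to the target; blocked ones are logged too."""
    normalized = " ".join(command.split())
    program = normalized.split(" ", 1)[0] if normalized else ""
    blocked = normalized in BLOCKED_COMMANDS or program in BLOCKED_PROGRAMS
    _audit(when, user, target, f"cmd={normalized!r} {'BLOCKED' if blocked else 'relayed'}")
    return not blocked
```

A real bastion host would evaluate the same elements against a policy store and write the audit trail to tamper-resistant storage; the point here is that the decision and the record are made in one place, which a plain springboard never does.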

Source: blog.csdn.net/w2009211777/article/details/129947471