Case study | Agricultural informatization enterprise Tianyan Weizhen's bastion host selection ideas and implementation practice

Zhejiang Tianyan Weizhen Network Technology Co., Ltd. (hereinafter "Tianyan Weizhen") was established in 2004 and is a leading Chinese provider of overall digital-service solutions for rural revitalization. A pioneer of brand agricultural informatization services in China and the originator of China's agricultural product digital identification technology, Tianyan Weizhen has helped revitalize industries in 27 provinces and more than 300 counties, empowered more than 20,000 brand agricultural enterprises, served more than 60 certification agencies, and assigned digital codes to a cumulative total of more than 1 billion products.

In terms of IT operation and maintenance (O&M) management, the traditional O&M audit platform originally used by Tianyan Weizhen's IT department suffered from an outdated version and slow feature updates. It could no longer meet the company's current IT O&M needs, so a new bastion host product had to be found. After many comparisons, the IT department of Tianyan Weizhen finally chose the JumpServer bastion host.

Bastion host selection ideas

When selecting a bastion host, Tianyan Weizhen's IT department first considered that the product must meet the enterprise's security management needs: it must have strong security controls and the ability to record and display security risks. Second, given the size and business needs of the IT department, the selected bastion host must have enough capacity to carry the company's rapidly growing IT asset base. Finally, ease of management and maintenance was also a hard requirement.

The following are the main considerations for the IT department of Tianyan Weizhen when choosing a bastion host:

■ Security

The agricultural industry has strict security requirements, and the company must protect its customers' sensitive information and data. Security was therefore the first thing the IT department had to consider when selecting a bastion host;

■ Flexibility

Security management in the agricultural industry faces new demands. Different personnel need different levels of permission control, such as upload/download permissions, limits on how many times a high-risk command may be entered, statistics on users who have not operated on assets, and which assets each user may manage. The bastion host therefore needs flexible audit capabilities to meet the company's multi-dimensional security management needs;

■ Scalability

As the business scale of Tianyan Weizhen expands, the bastion host must scale with it, so that it can easily support more users, systems and network devices. The new bastion host product also needs to support high availability and load balancing.

In summary, Tianyan Weizhen's IT department selected a bastion host mainly on the basis of security, functionality, ease of use, flexibility and scalability.

JumpServer deployment architecture

At present, Tianyan Weizhen has multiple branches and its assets are relatively dispersed. The distributed deployment mode supported by the JumpServer bastion host matches the company's current needs for distributed asset management and business use.

Tianyan Weizhen deploys the complete JumpServer core nodes and database in the company's core computer room, deploys JumpServer sub-nodes in the branch computer rooms, and registers the sub-nodes with the core nodes.

In this way, session recordings from the branches are uploaded directly to the recording storage pool in the core computer room, while users in each branch access the JumpServer portal through their own computer room. This gives each branch nearby access to its IT assets and avoids unnecessary bandwidth consumption on the links to the core room.

▲ Figure 1 Tianyan Weizhen JumpServer deployment architecture

JumpServer usage practice

After a period of actual deployment and use, the IT department of Tianyan Weizhen summarized some experience and insights on using the JumpServer bastion host, which may serve as a reference for customers with similar application scenarios.

1. Permission management

JumpServer supports the management of many asset types, including mainstream assets (Windows, Linux, network equipment, etc.) and mainstream protocols (SSH, RDP, VNC, etc.). The access permissions and access windows of developers, testers and third-party suppliers are not static; they change with the system, the person's position and organizational transfers. Applicants therefore have to submit permission requests through email, ITSM, OA or other systems.

On the previously used O&M security audit platform, granting a specific permission required manual activation and confirmation by the bastion host administrator, which was cumbersome. JumpServer Bastion Enterprise Edition has a built-in work order (ticket) system: users only need to submit a permission application ticket, and after the administrator approves it, JumpServer automatically creates the corresponding permission and assigns it to the user.

At the same time, JumpServer's built-in ticket system exposes an API, so it can be integrated with and called from external systems.

▲ Figure 2 JumpServer permission management process

2. Security management

JumpServer provides security protection functions such as multi-factor authentication (MFA), user login restrictions and black and white lists. Administrators can set fine-grained access policies based on the user, the target host, the access method and so on. Command black and white lists, time-window black and white lists and IP black and white lists are also supported, so that unauthorized logins are rejected and the systems behind the bastion host stay protected.

At the same time, through centralized, unified access control and command-level authorization policies, JumpServer enforces the principle of least privilege and effectively reduces the risk of O&M operations.

▲ Figure 3 JumpServer security management

3. Operation and maintenance audit

JumpServer supports comprehensive O&M auditing of assets, including session video recording, online monitoring, command review, an O&M audit dashboard and alerting. To address risks that may arise during O&M, JumpServer automatically detects security events such as unauthorized access and prohibited operations in daily O&M according to the configured access control policy, and then automatically alerts on or blocks the operation depending on the event's type and severity level, so that the systems keep running normally.
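The access-policy evaluation described in the security management and O&M audit sections above (IP and time-window restrictions, command black and white lists, and alert or block decisions per event) can be illustrated with a small evaluator. The following is an added example written for this page; it is not JumpServer's code, and the policy values and the session log it runs on are constructed assumptions rather than anything from Tianyan Weizhen's deployment.

```python
"""Generic access-policy evaluation for a bastion-host session.

Illustrative code written for this page; it is NOT JumpServer's implementation.
The policy fields, the regex rules and the session log below are constructed
assumptions used only to demonstrate the evaluation order.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessPolicy:
    allowed_cidrs: list          # source-IP white list (CIDR strings)
    login_hours: tuple           # (start, end): login permitted when start <= hour < end
    deny_patterns: list          # command black list: regex match => block and alert
    review_patterns: list        # high-risk commands: allowed but flagged for audit review
    allow_patterns: list = field(default_factory=list)  # optional white list; if set, anything else is blocked


def login_allowed(policy: AccessPolicy, src_ip: str, when: datetime) -> bool:
    """IP white list and time window are checked before any command is evaluated."""
    ip = ipaddress.ip_address(src_ip)
    ip_ok = any(ip in ipaddress.ip_network(cidr) for cidr in policy.allowed_cidrs)
    start, end = policy.login_hours
    return ip_ok and start <= when.hour < end


def classify_command(policy: AccessPolicy, command: str) -> str:
    """Return 'block', 'review' or 'allow' for one command line.

    Order matters: the black list wins over everything, then the white list
    (if configured), then the review list.
    """
    if any(re.search(p, command) for p in policy.deny_patterns):
        return "block"
    if policy.allow_patterns and not any(re.search(p, command) for p in policy.allow_patterns):
        return "block"
    if any(re.search(p, command) for p in policy.review_patterns):
        return "review"
    return "allow"


def audit_log(policy: AccessPolicy, log: list) -> list:
    """Apply the policy to (user, src_ip, timestamp, command) records.

    A record whose login would be rejected gets verdict 'login_denied' and its
    command is never evaluated, mirroring a session that is refused up front.
    """
    results = []
    for user, src_ip, ts, command in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not login_allowed(policy, src_ip, when):
            verdict = "login_denied"
        else:
            verdict = classify_command(policy, command)
        results.append({"user": user, "src_ip": src_ip, "time": ts,
                        "command": command, "verdict": verdict})
    return results


def summarize(results: list) -> dict:
    """Count verdicts per user; 'block' and 'login_denied' are the alert-worthy ones."""
    summary = {}
    for r in results:
        per_user = summary.setdefault(r["user"], {})
        per_user[r["verdict"]] = per_user.get(r["verdict"], 0) + 1
    return summary


# Constructed policy (assumed values, not taken from the page).
POLICY = AccessPolicy(
    allowed_cidrs=["10.20.0.0/16"],            # office / branch ranges only
    login_hours=(8, 20),                        # 08:00-19:59 local time
    deny_patterns=[
        r"\brm\s+-\w*r\w*\s",                   # recursive delete
        r"/etc/shadow",                         # password hash file
        r"\bmkfs\b", r"\bdd\s+if=",             # disk-destroying commands
    ],
    review_patterns=[r"\bsudo\b", r"\bsystemctl\s+(restart|stop)\b"],
)

# Constructed sample session log, not a real capture.
SESSION_LOG = [
    ("dev_li",   "10.20.1.15",  "2023-10-13 10:02:11", "ls -la /var/www"),
    ("dev_li",   "10.20.1.15",  "2023-10-13 10:03:40", "sudo systemctl restart nginx"),
    ("vendor_a", "10.20.1.77",  "2023-10-13 10:05:02", "rm -rf /data/backup"),
    ("vendor_a", "10.20.1.77",  "2023-10-13 10:05:30", "cat /etc/shadow"),
    ("ops_w",    "203.0.113.9", "2023-10-13 22:15:00", "df -h"),  # outside IP list and hours
]

if __name__ == "__main__":
    results = audit_log(POLICY, SESSION_LOG)
    for r in results:
        print(f"{r['verdict']:12} {r['user']:9} {r['command']}")
    print(summarize(results))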

▲ Figure 4 JumpServer operation and maintenance audit

4. Multi-tenant organization management

Tianyan Weizhen's bastion host has to serve a multi-computer-room scenario. Under unified central management, JumpServer's multi-tenant (organization) function allows management rights to be delegated, so that the administrators of each organization manage the assets, users and permissions of their own department. This improves the autonomy and flexibility of IT asset management in each branch.

▲ Figure 5 JumpServer multi-tenant organization management

JumpServer value gain

At present, JumpServer has become an essential component of Tianyan Weizhen's O&M security auditing under a distributed IT architecture. With JumpServer, the IT department can centrally manage heterogeneous IT assets and build a unified access portal, effectively controlling the O&M risks of its IT systems.

As an O&M security audit system that follows the 4A model (authentication, authorization, accounting and auditing), JumpServer provides strong support for enterprises preparing for the MLPS (Multi-Level Protection Scheme) assessment and brings the following benefits:

■ Security management: With JumpServer's password vaulting and automatic password rotation, the enterprise's IT account password policy can be enforced effectively, and the risk of device passwords leaking through staff turnover is avoided;

■ Reliable auditing: JumpServer's audit recording completely records what O&M personnel did in a session. When a system fails because of a human operation, the cause of the failure and the person responsible can be located quickly and the fault repaired in time;

■ Cost reduction and efficiency improvement: Multiple computer rooms can be managed in a unified way without purchasing a separate bastion host for each. A single JumpServer bastion host meets the needs of distributed management, which greatly reduces the enterprise's IT construction costs.


Source: my.oschina.net/u/4736111/blog/10109625