
What is a bastion host? Why do we need bastion hosts?

2020-11-10 17:24:08 Migrant worker brother

What is a bastion host

A bastion host is a system that, in a given network environment, protects the network and its data from intrusion and damage by external and internal users. It uses various technical means to monitor and record the actions that operations and maintenance (O&M) staff perform on network servers, network devices, security appliances, databases and other equipment, so that problems can be alerted on, handled and audited in time.

In a word, the bastion host controls who may log in to which asset (prevention and control beforehand) and records what they do once logged in (traceability afterwards).

A bastion host is also called an O&M audit system; its core is that access is controllable and auditable. Controllability means controllable permissions and controllable behaviour. Controllable permissions: for example, when an engineer is about to leave or change post, revoking their access without unified access-rights management is a nightmare. Controllable behaviour: for example, when a dangerous command needs to be centrally disabled, the difficulty of doing so without a single entry point can be imagined.

Why a bastion host is needed

The bastion host evolved from the concept of the jump server (also called a front-end processor). As early as around 2000, some medium and large enterprises deployed a jump server in the machine room to manage remote logins by O&M staff. The jump server was simply a server running a Unix or Windows operating system: all O&M staff first logged in remotely to the jump server, then logged in from it to the other servers to carry out maintenance.

However, the jump server neither controlled nor audited the operational behaviour of O&M staff. Misoperation and unauthorised operations while using it led to operational accidents, and once an accident occurred it was hard to quickly locate the cause and the responsible person. The jump server was also a serious security risk in itself: once it was compromised, the back-end resources were fully exposed. Moreover, while a degree of internal control could be achieved through the jump server for some resources (such as Telnet), for more specific resources (FTP, RDP, etc.) it could not.

People gradually recognised the shortcomings of the jump server and needed a newer and better security concept for O&M management: a product that provides role management and authorisation approval, access control over information resources, operation recording and auditing, and control of system changes and maintenance; that generates statistical reports; and that keeps improving IT internal-control compliance alongside management standards. Guided by these ideas, around 2005 the bastion host began to be widely deployed as a stand-alone product, effectively reducing O&M operational risk and making O&M management easier and more secure.

The design concept of the bastion host

The bastion host is built mainly around the 4A idea: authentication, authorization, account and audit.

The goal of the bastion host

The construction goal of a bastion host can be summarised as 5W, mainly aimed at reducing O&M risk, as follows:

  • Audit: what did you do? (What)
  • Authorization: what can you do? (Which)
  • Account: where are you going? (Where)
  • Authentication: who are you? (Who)
  • Source: when did you access? (When)

The value of the bastion host

  • Centralised management
  • Centralised permission allocation
  • Unified authentication
  • Centralised audit
  • Data security
  • Efficient O&M
  • O&M compliance
  • Risk management

How the bastion host works

The current main functional architecture of the bastion host is as follows.


At present, the functions of a typical bastion host are divided into the following modules:

1. O&M platform

RDP/VNC O&M; SSH/Telnet O&M; SFTP/FTP O&M; database O&M; web system O&M; remote application O&M.

2. Management platform

Separation of the three powers; identity authentication; host management; password custody; O&M monitoring; electronic work orders.

3. Automation platform

Automatic password change; automated O&M; automatic collection; automatic authorization; automatic backup; automatic alarms.

4. Control platform

IP firewall; command firewall; access control; transfer control; session blocking; O&M approval.

5. Audit platform

Command records; text records; SQL records; file retention; full-text search; audit reports.

Note: separation of the three powers
The three powers: configuration, authorization, audit.
The three roles: system administrator, security administrator, security auditor.
The three-power, three-role principle: abolish the super administrator; the three are three roles, not three people; but the security administrator and the security auditor must not be the same person.
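As an added example (not code from the original post or from any product it names), the following shows one way the command firewall and command record from the modules above could be implemented on the bastion itself: a wrapper that sshd runs for every session via `ForceCommand`. The sshd path, the deny patterns and the audit log path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Bastion-side ForceCommand wrapper: a minimal "command firewall" plus a
# command audit record. Assumed setup (not from the original post): the
# bastion's sshd_config contains
#     ForceCommand /usr/local/bin/bastion-wrap
# so every SSH session runs this script with the operator's requested
# command in $SSH_ORIGINAL_COMMAND. Paths and deny patterns are illustrative.

AUDIT_LOG="${AUDIT_LOG:-/var/log/bastion/commands.log}"

# Deny list, one POSIX extended regex per line. Pattern matching is a
# coarse control: keep least privilege on the target hosts as well.
DENY_PATTERNS='^rm[[:space:]]+.*-[A-Za-z]*[rf][A-Za-z]*[[:space:]]+/
^(shutdown|reboot|halt|poweroff)([[:space:]]|$)
^mkfs
^dd[[:space:]].*of=/dev/'

# check_command CMD -> exit status 0 (allowed) or 1 (matches a deny pattern)
check_command() {
    printf '%s\n' "$DENY_PATTERNS" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if printf '%s' "$1" | grep -Eq -- "$pat"; then
            exit 1      # exits only the pipeline subshell, giving status 1
        fi
    done
}

# audit_record USER SRC_IP DECISION CMD -> append one line to the audit log
audit_record() {
    printf '%s user=%s src=%s decision=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" >> "$AUDIT_LOG"
}

# Session entry point: runs only when sshd hands us a command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    op="${USER:-$(id -un)}"
    src="${SSH_CLIENT%% *}"     # sshd sets SSH_CLIENT to "ip port port"
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        audit_record "$op" "${src:-unknown}" allow "$SSH_ORIGINAL_COMMAND"
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    audit_record "$op" "${src:-unknown}" deny "$SSH_ORIGINAL_COMMAND"
    echo "bastion: command blocked by policy" >&2
    exit 126
fi
```

Every request, allowed or denied, lands in the audit log with operator, source address and timestamp, which is the "command record" that makes later tracing possible.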

Identity authentication in the bastion host

Since the bastion host is the unified O&M entry point, logging in to it must support flexible authentication modes, such as:

1. Local authentication

  • Local account and password authentication, generally with support for a strong password policy

2. Remote authentication

  • Generally supports third-party AD/LDAP/RADIUS authentication

3. Two-factor authentication

  • USB key, dynamic token, SMS gateway, mobile app token, etc.

4. Third-party authentication systems

  • OAuth 2.0, CAS, etc.

Common O&M access methods of the bastion host

  • B/S O&M: O&M through a browser.
  • C/S O&M: O&M through client software such as Xshell, CRT, etc.
  • H5 O&M: a remote desktop can be opened directly in a web page for O&M. No local O&M tools need to be installed; with only a browser you can perform O&M over the common protocols, with SSH, Telnet, rlogin, RDP and VNC supported.
  • Gateway O&M: in SSH gateway mode the target host can be logged in to directly through the bastion acting as a proxy, which suits O&M automation scenarios.

Other common functions of the bastion host

  • File transfer: usually you log in to the bastion host and transfer through it, using transfer protocols such as RDP/SFTP/FTP/SCP/rz/sz.
  • Fine-grained control: fine control over access users, commands, transfers, etc.
  • Open API support

How the bastion host is deployed

1. Single deployment

Bastion hosts are mainly deployed in bypass mode, next to the switch; the only requirement is that the bastion can reach all the managed devices.

Deployment features:

  • Bypass deployment, logically in series with the access path.
  • Does not affect the existing network structure.

2. HA (high-availability) deployment

Two bastion hosts are deployed in bypass mode, connected by a heartbeat link between them to synchronise data, and they provide a single virtual IP.

Deployment features:

  • Two hardware bastion hosts, one master and one standby, providing a VIP.
  • When the master fails, the standby automatically takes over the service.

3. Multi-site synchronous deployment

Multiple bastion hosts are deployed across multiple data centres, and configuration information is synchronised automatically between them.

Deployment features:

  • Multi-site deployment with automatic remote synchronisation of configuration
  • O&M staff access their local bastion host for management
  • Unaffected by internet or bandwidth problems; also serves the purpose of disaster recovery

4. Cluster deployment (distributed deployment)

When there is a large amount of equipment to manage, n bastion hosts can be deployed as a cluster: two bastion hosts act as master and standby, the other n-2 act as cluster nodes that upload synchronised data to the master, and the whole cluster provides a single virtual IP address.

Deployment features:

  • Two hardware bastion hosts, one master and one standby, providing a VIP
  • When the master fails, the standby automatically takes over the service.

Open-source bastion host products

At present, commonly used bastion hosts come in two kinds, commercial and open source. Commercial ones include Xingyun Housekeeper and Newshield bastion host; open source has JumpServer. Each has its own advantages and disadvantages; choose according to your actual situation.

Original: https://www.toutiao.com/i6881...   Author: Ape talk


Copyright notice
This article was written by [Migrant worker brother]; please include the original link when reposting. Thank you.