Classified protection of information security (等级保护, "MLPS") in China proceeds in five stages: grading, filing, security construction and rectification, classified security assessment, and supervisory inspection.
Systems are graded into five levels; the higher the level, the more stringent the requirements.
The principal standards are GB/T 25070-2010 (Technical requirements of security design for classified protection of information systems) and GB/T 22239-2008 (Baseline for classified protection of information system security).
Measured against these two standards, a bastion host contributes to classified-protection compliance mainly in identification and authentication, access control, security auditing, integrity protection and encryption/verification. The relevant clauses are excerpted below, each followed by the corresponding bastion-host capability.
1. User identification and authentication (Level 3 requirement)
Authentication must combine two or more methods. A bastion host that offers local authentication, AD domain authentication, RADIUS authentication and digital-certificate authentication, plus external interfaces for fingerprint and USB-key (mobile digital certificate) authentication, meets the design requirement for a Level 3 system.
Note: from Level 3 upward, identification must use two factors, and both factors must identify the individual. Deploying a second factor such as dynamic passwords on every production server is costly and error-prone; placing the bastion host in front of the servers satisfies this clause in one place. The Kirin open-source bastion host has a built-in CA and supports dynamic passwords, fingerprint identification, USB-key certificates and other strong authentication, so the identification requirement is met for the production systems behind it.
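The following is an added example written for this article, not code from the Kirin bastion host: a two-factor login check that combines a salted password hash (first factor) with a TOTP dynamic password (second factor, RFC 6238). The user record, salts and password are constructed for the demo; the TOTP secret is the RFC 6238 reference key so the codes can be checked against the published test vectors.

```python
"""Two-factor login check for a bastion host: a password (first factor) and a
TOTP dynamic password (second factor, RFC 6238).  Added example written for
this article; it is not code from the Kirin bastion host.  The user record
and salts below are constructed for the demo."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Comparison is constant-time so the code cannot be guessed digit by digit."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


# Constructed user store: per-user salt, password hash and TOTP shared secret.
# The secret is the RFC 6238 reference key so the vectors can be checked.
USERS = {
    "alice": {
        "salt": b"constructed-salt-alice",
        "pw_hash": hash_password("correct horse battery staple", b"constructed-salt-alice"),
        "totp_secret": b"12345678901234567890",
    },
}
DUMMY_SALT = b"constructed-dummy-salt"


def authenticate(username: str, password: str, otp_code: str, unix_time: int) -> tuple:
    """Both factors must pass; the caller learns only success or failure."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password, DUMMY_SALT)   # same work for unknown users
        return False, "authentication failed"
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], otp_code, unix_time)
    if pw_ok and otp_ok:
        return True, "authenticated"
    return False, "authentication failed"
```

The check evaluates both factors before answering and returns the same failure message either way, so an attacker who has obtained the password cannot learn that only the dynamic password is missing. The drift window of one step means a code stays valid for up to 90 seconds; a production implementation should also reject a code that has already been used in the same window.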
2. Discretionary access control
Within the scope of the security policy, users should have appropriate access rights to the objects they create and be able to grant some or all of those rights to other users. The subject granularity of discretionary access control is the user; the object granularity is the file or database table, and/or the record or field.
Note: the bastion host creates a bastion (master) account for each user and authorizes it by assigning device (sub) accounts to it. Each authorization can additionally bind a source-IP restriction, a permitted-command restriction, a login-time restriction and other rules, which fully satisfies this access-control requirement.
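To make the master-account/sub-account model concrete, here is an added example (written for this article, not the Kirin product's code) of how such a grant is evaluated: a user is bound to a device account on a target, and the grant carries an optional source-IP range, login time window, command deny list and command allow list. The grants, hosts and addresses are constructed.

```python
"""Evaluation of a bastion-host authorization: a master (user) account is
granted a device (sub) account on a target, and the grant can be bound to a
source-IP range, a login time window and command rules.  Added example for
this article, not the Kirin product's code; the grants below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Grant:
    user: str                                   # bastion (master) account
    device: str                                 # target host
    account: str                                # device (sub) account on the target
    source_cidrs: list = field(default_factory=lambda: ["0.0.0.0/0"])
    login_window: Optional[tuple] = None        # (start_hour, end_hour), local time
    allowed_cmds: Optional[list] = None         # regexes; None means any command
    denied_cmds: list = field(default_factory=list)   # regexes; a deny rule wins


def source_permitted(grant: Grant, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in grant.source_cidrs)


def window_permitted(grant: Grant, when: str) -> bool:
    """`when` is an ISO-8601 timestamp; windows may wrap midnight, e.g. (22, 6)."""
    if grant.login_window is None:
        return True
    start, end = grant.login_window
    hour = datetime.fromisoformat(when).hour
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end


class Policy:
    def __init__(self, grants):
        self.grants = list(grants)

    def find(self, user, device, account) -> Optional[Grant]:
        for g in self.grants:
            if (g.user, g.device, g.account) == (user, device, account):
                return g
        return None

    def check_login(self, user, device, account, src_ip, when) -> tuple:
        g = self.find(user, device, account)
        if g is None:
            return False, "no grant for this user/device/account"
        if not source_permitted(g, src_ip):
            return False, f"source {src_ip} not in {g.source_cidrs}"
        if not window_permitted(g, when):
            return False, f"outside login window {g.login_window}"
        return True, "login permitted"

    def check_command(self, user, device, account, cmd) -> tuple:
        g = self.find(user, device, account)
        if g is None:
            return False, "no grant for this user/device/account"
        line = cmd.strip()
        for pat in g.denied_cmds:               # deny rules are checked first
            if re.fullmatch(pat, line):
                return False, f"command denied by rule {pat!r}"
        if g.allowed_cmds is not None and not any(re.fullmatch(p, line) for p in g.allowed_cmds):
            return False, "command not in allow list"
        return True, "command permitted"


# Constructed grants: alice gets root on db01 from the DBA subnet, office hours
# only, with destructive commands denied; bob gets a deploy account on web01
# restricted to an explicit allow list.
POLICY = Policy([
    Grant("alice", "db01", "root", source_cidrs=["10.0.0.0/24"], login_window=(9, 18),
          denied_cmds=[r"rm\s+-rf\s+/.*", r"shutdown.*", r"reboot"]),
    Grant("bob", "web01", "deploy", source_cidrs=["10.0.1.0/24", "192.168.100.5/32"],
          allowed_cmds=[r"systemctl (status|restart) nginx", r"tail -n \d+ /var/log/nginx/\S+"]),
])
```

Two design points matter for compliance reviews. Command rules are matched against the whole line (`re.fullmatch`), so `systemctl restart nginx; rm -rf /` is not accepted by an allow rule for `systemctl restart nginx`. And command filtering only sees what the bastion sees: a user who can start an interactive editor or shell on the target can issue commands the filter never inspects, so the allow list must exclude such programs or the session must be recorded and reviewed as well.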
3. Security labeling and mandatory access control
On top of identity authentication and the security administrator's privilege control, the security administrator should apply security labels to subjects and objects through a defined operation interface, and control each subject's access to objects according to those labels and the mandatory access control rules.
Note: the Kirin open-source bastion host provides administrator, group administrator, auditor and other roles. The administrator configures and labels devices, users and permissions, the entire configuration process is recorded, and the record can be reviewed by the auditor. Compliance with this clause therefore depends on the administrator writing strict access-control rules as the standard requires.
4. System security audit
The system's security-relevant events should be logged. An audit record includes the subject, object, time, type and result of the security event. Facilities should be provided to query, classify, analyse and protect stored audit records, to ensure that specific security events are reported, and to ensure that audit records cannot be destroyed or accessed without authorization. An interface to the security management centre should be provided.
Note: the Kirin open-source bastion host audits telnet/ftp/ssh/sftp/scp/rdp/vnc/x11/database operations/http/https and various client/server programs. For character protocols it recognises individual commands in addition to recording the session; for graphical protocols it captures keystrokes in addition to recording the session.
Audit data is stored in the product's own encrypted format in a dedicated storage area, which prevents the data from being destroyed, or from being deleted, added to or tampered with without authorization. Duties are separated among administrators, auditors and password administrators so that they check each other, and every administrator operation is subject to review by the auditor.
User-defined special events can be raised as alarms via syslog, SMS or mail.
Through these audit, separation-of-duties and alarm functions, the Kirin open-source bastion host meets this clause.
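The clause asks for records with subject, object, time, type and result, protection against unauthorized deletion or modification, separated roles, and reporting of specific events. The following added example (written for this article, not the Kirin product's code) shows one way those four properties fit together: an HMAC-chained audit trail in which only the audit subsystem may append, only the auditor may read and verify, nobody may delete, and alarm-worthy events are emitted as syslog lines. The key, role names, event types and records are constructed.

```python
"""Tamper-evident audit trail with separated roles and event alarms.  Added
example for this article, not the Kirin product's code.  Each record carries
the subject, object, time, type and result; records are chained with an HMAC
over (previous tag || record), so editing, deleting or inserting a record
breaks every later tag.  The HMAC key (constructed here) must be held by the
audit function, not by the administrators whose actions are recorded."""
import hashlib
import hmac
import json


class AuditTrail:
    # Separation of duties: only the audit subsystem writes, only the auditor
    # reads and verifies, and no role can delete or edit.
    ROLE_RIGHTS = {
        "system": {"append"},
        "admin": set(),
        "password_admin": set(),
        "auditor": {"read", "verify"},
    }
    # Event types that raise an alarm in addition to being recorded.
    ALERT_TYPES = {"auth_failure", "policy_change", "command_denied"}
    GENESIS = b"\x00" * 32

    def __init__(self, key: bytes):
        self._key = key
        self._records = []
        self._tags = []
        self.alerts = []      # syslog-formatted lines; SMS/mail hang off the same hook

    def _require(self, role: str, right: str) -> None:
        if right not in self.ROLE_RIGHTS.get(role, set()):
            raise PermissionError(f"role {role!r} lacks {right!r} on the audit trail")

    def _tag(self, prev: bytes, record: dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).hexdigest()

    def append(self, role, subject, obj, etype, result, when) -> dict:
        self._require(role, "append")
        rec = {"seq": len(self._records), "subject": subject, "object": obj,
               "time": when, "type": etype, "result": result}
        prev = bytes.fromhex(self._tags[-1]) if self._tags else self.GENESIS
        self._records.append(rec)
        self._tags.append(self._tag(prev, rec))
        if etype in self.ALERT_TYPES or result == "fail":
            self.alerts.append(self.syslog_line(rec))
        return rec

    def read(self, role) -> list:
        self._require(role, "read")
        return [dict(r) for r in self._records]

    def verify(self, role) -> tuple:
        """Recompute the chain; return (True, None) or (False, first bad seq)."""
        self._require(role, "verify")
        prev = self.GENESIS
        for rec, tag in zip(self._records, self._tags):
            if not hmac.compare_digest(self._tag(prev, rec), tag):
                return False, rec["seq"]
            prev = bytes.fromhex(tag)
        return True, None

    @staticmethod
    def syslog_line(rec: dict) -> str:
        # RFC 5424 header; PRI 108 = facility 13 (log audit) * 8 + severity 4 (warning)
        return (f"<108>1 {rec['time']} bastion audit - {rec['type']} - "
                f"subject={rec['subject']} object={rec['object']} result={rec['result']}")


def demo_tamper(key: bytes = b"constructed-audit-key") -> tuple:
    """Build a short trail, then alter one stored record as a rogue admin with
    storage access might; returns (verify before, verify after, alarm count)."""
    trail = AuditTrail(key)
    trail.append("system", "admin1", "grant alice->db01/root", "policy_change", "ok", "2024-01-10T09:00:00Z")
    trail.append("system", "alice", "db01", "login", "ok", "2024-01-10T10:00:00Z")
    trail.append("system", "alice", "db01: rm -rf /var/lib/mysql", "command_denied", "fail", "2024-01-10T10:05:00Z")
    before = trail.verify("auditor")
    trail._records[2]["result"] = "ok"          # constructed tampering
    after = trail.verify("auditor")
    return before, after, len(trail.alerts)
```

One limitation worth knowing when assessing a real product: a chain like this detects edits and deletions in the middle, but truncating the newest records together with their tags is invisible unless the latest tag is periodically anchored somewhere the writer cannot reach, for instance by forwarding it to the security management centre interface the clause requires.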
5. User data integrity protection, user data confidentiality protection, secure object reuse and trusted program execution
The Kirin open-source bastion host uses encrypted protocols such as HTTPS, RDP and SSH on its communication links, stores session recordings locally in its own encrypted format that ordinary players cannot open, and keeps MD5 values of important files; on that basis it is claimed compliant with this clause. One caveat for assessors: MD5 is no longer collision-resistant, and a hash stored alongside the file only detects accidental corruption, so detecting deliberate tampering requires the hash to be kept where the writer cannot alter it, or a keyed MAC or signature in its place.
Across network security, host security, application security and data security, the Kirin open-source bastion host covers identification and authentication, access control, security audit and data security, which makes it a must-have component of a classified-protection programme.
An analysis of the compliance of the Kirin open-source bastion host with classified protection (等保)