1 Preface
An operations and maintenance bastion host (jump server) mainly provides authentication, authorization and auditing; the exact feature set differs slightly between vendors. The Kirin open-source bastion host is a fully open-source bastion system that contains all the functional modules of a typical commercial bastion host. It is easy to install and simple to use, and in completeness of functions and ease of use it is on par with commercial hardware bastion appliances.
2 Concept and types of bastion host
Classified by the topology in which they are deployed, bastion hosts come in two kinds.
2.1 Gateway-type bastion host
A gateway-type bastion host is usually attached to the network as a layer-2 transparent bridge and is generally deployed in front of the operations users. When an operations user performs an operation, the traffic passes through the gateway bastion host, which audits the user's operations. Some foreign vendors built this design in earlier years; domestic vendors rarely did. Because this type of bastion host requires changing the network topology and makes it difficult to implement single sign-on (SSO), application publishing and similar functions, it is now very rare, with a market share below 1%.
2.2 Audit-type bastion host
The common bastion host today is attached in bypass form: physically it sits out of the traffic path, logically it is in-line, because any user who wants to operate on a device must first log in to the bastion host and jump from there. This has become the usual form because it does not change the network topology and supports SSO, application publishing and many other functions; it is now the mainstream form of domestic bastion host.
The Kirin open-source bastion host is designed in this form.
3 Working principle of the Kirin open-source bastion host
3.1 Design principle of the Kirin open-source bastion host
To the operations staff, the Kirin open-source bastion host is equivalent to a proxy server. Its workflow is as follows:
Figure 1: Bastion host workflow
1) The operations staff first connect to the bastion host and submit an operation request to it;
2) After the request passes the bastion host's permission check, the bastion host connects to the target device in place of the user and completes the operation; the target device returns the result of the operation to the bastion host, and the bastion host finally returns the result to the operations staff.
In this way the bastion host logically separates the operations staff from the target devices and establishes an "operations staff -- bastion host user account -- authorization -- target device account -- target device" management model. This solves the problems of controlling operation rights and auditing operations, and it also solves the problem that encrypted protocols and graphical protocols cannot be audited by protocol reconstruction: because the bastion host terminates the session itself, it sees the operation in the clear rather than having to reconstruct it from captured packets.
3.2 Working principle of the Kirin open-source bastion host
Figure 2: Working principle of the Kirin open-source bastion host
In actual deployment scenarios, the users of a bastion host can be divided into three kinds: administrators, operations staff and auditors.
The main responsibility of the administrators is to configure the bastion host's security policy and the operation permissions of the operations staff. The administrator logs in to the bastion host, where the "policy management" component interacts with the administrator and stores the security policy the administrator enters in the policy configuration library inside the bastion host.
The "application proxy" component is the core of the bastion host: it proxies the operations performed by the operations staff and interacts with the other components inside the bastion host. When the application proxy receives an operation request from an operations user, it invokes the "policy management" component to check the requested operation against the policy configuration library the administrator has configured; if the operation does not conform to the security policy, the application proxy refuses to carry it out.
Once an operation has passed the check by the "policy management" component, the "application proxy" component connects to the target device in place of the operations user, completes the corresponding operation and returns the result to that user. At the same time it hands the operation process to the "audit module" inside the bastion host, which records the operation process in the audit log database.
Finally, when the operation records of the operations staff need to be investigated, the auditor logs in to the bastion host to query them; the audit module reads the corresponding log records from the audit log database and displays them on the auditor's interface.
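The following is an added example that models the workflow of sections 3.1 and 3.2 in code; it is not code from the Kirin open-source bastion host. It is a toy in-memory model: the policy configuration library, the operator accounts, the target-account credentials and the target devices themselves are all constructed stand-ins (a dictionary lookup replaces the real SSH/RDP connection), and the class and function names are the author's own assumptions. The point it shows beyond the prose is where each piece of the "operator -- bastion account -- authorization -- target account -- target device" chain lives: the operator never holds the target account's credential, every request (allowed or denied) produces an audit record, and the audit records are hash-chained so that later tampering with the log is detectable by the auditor.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed policy configuration library, as an administrator would enter it:
# operator -> {target device: (target account to use, set of allowed commands)}
POLICY = {
    "alice": {"db01": ("dbadmin", {"status", "backup"})},
    "bob": {"web01": ("deploy", {"status"})},
}

# Bastion host user accounts (constructed). SHA-256 is a stand-in for the
# example only; a real deployment would use a slow password hash (bcrypt/argon2).
OPERATORS = {
    "alice": hashlib.sha256(b"alice-pass").hexdigest(),
    "bob": hashlib.sha256(b"bob-pass").hexdigest(),
}

# Target device account credentials are held only inside the bastion host;
# operators authenticate to the bastion, never to the target directly.
TARGET_CREDENTIALS = {("db01", "dbadmin"): "db-secret", ("web01", "deploy"): "web-secret"}


def simulated_target(device, account, secret, command):
    """Constructed stand-in for an SSH/RDP target: checks the account secret, runs the command."""
    if TARGET_CREDENTIALS.get((device, account)) != secret:
        raise PermissionError(f"{device} rejected account {account}")
    return f"{device}:{account}$ {command} -> ok"


@dataclass
class AuditRecord:
    seq: int
    operator: str
    device: str
    account: Optional[str]
    command: str
    decision: str
    result: str
    prev_hash: str
    hash: str = ""


def _digest(rec, prev):
    """Hash of this record's content chained to the previous record's hash."""
    body = json.dumps({k: v for k, v in asdict(rec).items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class Bastion:
    """Application proxy, policy management and audit module of an audit-type bastion host."""

    def __init__(self, policy, operators):
        self.policy = policy
        self.operators = operators
        self.audit_log = []

    def authenticate(self, operator, password):
        stored = self.operators.get(operator)
        if stored is None:
            return False
        return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())

    def check_policy(self, operator, device, command):
        """Policy management: return the target account to use, or None if denied."""
        entry = self.policy.get(operator, {}).get(device)
        if entry is None:
            return None
        account, allowed = entry
        return account if command in allowed else None

    def execute(self, operator, password, device, command):
        """Application proxy: authenticate, check policy, act on the target in the operator's place."""
        if not self.authenticate(operator, password):
            self._audit(operator, device, None, command, "deny-auth", "")
            raise PermissionError("bastion authentication failed")
        account = self.check_policy(operator, device, command)
        if account is None:
            self._audit(operator, device, None, command, "deny-policy", "")
            raise PermissionError(f"policy denies {operator} running {command!r} on {device}")
        result = simulated_target(device, account, TARGET_CREDENTIALS[(device, account)], command)
        self._audit(operator, device, account, command, "allow", result)
        return result

    def _audit(self, operator, device, account, command, decision, result):
        """Audit module: append a hash-chained record of the operation."""
        prev = self.audit_log[-1].hash if self.audit_log else "0" * 64
        rec = AuditRecord(len(self.audit_log), operator, device, account, command, decision, result, prev)
        rec.hash = _digest(rec, prev)
        self.audit_log.append(rec)

    def verify_audit_chain(self):
        """Auditor's check: True if no record has been altered or removed since it was written."""
        prev = "0" * 64
        for rec in self.audit_log:
            if rec.prev_hash != prev or rec.hash != _digest(rec, prev):
                return False
            prev = rec.hash
        return True


if __name__ == "__main__":
    bastion = Bastion(POLICY, OPERATORS)
    print(bastion.execute("alice", "alice-pass", "db01", "backup"))
    for rec in bastion.audit_log:
        print(rec.seq, rec.operator, rec.device, rec.account, rec.command, rec.decision)
```

The deny paths are deliberately audited too: an auditor investigating an incident wants the refused attempts as much as the successful sessions. A real bastion host would additionally record the full session content (keystrokes or screen frames) rather than a single command string, but the control flow is the same.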
Design principle of the Kirin open-source bastion host