Original article: http://blog.csdn.net/itmes/article/details/6918578
Recently, an audit project at my organization required developing an O & M security audit system, also known as a bastion host. Last year I studied and tested such a system for a while, so here I want to write about its core technologies.
The "bastion host" is a hardware appliance attached to a network switch node in bypass mode. It lets O & M personnel remotely access and maintain servers while sitting physically in parallel with the server network and logically in the path of every O & M session. Put simply, a server administrator normally maintains servers directly through remote access, and during that work misoperations or unauthorized operations may occur. The bastion host acts as a stepping stone for remote O & M: personnel operate on the remote servers indirectly, through the bastion host. For example, where you used to reach a Windows server directly with Microsoft Remote Desktop (RDP), you now connect to the bastion host first and from there to the remote Windows server. Every operation performed in between is recorded and can be kept for a long time as screen recordings and character-level operation logs. When a server failure occurs, any earlier operation can be reviewed from the saved records.
The core technology of the bastion host is Microsoft's RDP protocol. By parsing the RDP protocol, it implements graphical audit of remote O & M operations.
Taking Windows Remote O & M as an example, the client accesses the "Bastion host" through the RDP protocol, and then the remote access client built in the bastion host accesses the remote Windows Server, that is, RDP + RDP.
How are operations on a graphical interface recorded? The bastion host itself is usually a Windows operating system (not necessarily; sometimes Windows plus Linux). Once the client's RDP session reaches the bastion host, a second RDP session is started from there to the target, so the bastion host's own Windows desktop becomes the desktop that is remotely accessing the remote server. Recording that desktop is all that is needed.
Because Microsoft's RDP protocol already carries the remote screen contents, you only need to parse the RDP stream correctly, extract the screen-update data it contains, and then reassemble and compress it to obtain a graphical audit record of the operations.
For auditing character-based operations such as FTP, the bastion host has a built-in FTP client program. Again, the client host first connects to the bastion host over RDP, and the bastion host then starts its FTP client to access the remote server. The bastion host thus acts as a springboard: it forwards FTP commands to the server indirectly, relays the server's responses back to the client host, and records every operation in between.
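As an added example (not code from the article or from any vendor's product), here is how the FTP relay described above could turn the commands and server replies it carries into an audit trail, redacting the PASS argument so the recorded log never holds the credential; the set of verbs flagged for review is an assumed policy choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Verbs an auditor would flag for later review (assumption: a policy choice, not from the article).
REVIEW_COMMANDS = {"DELE", "RMD", "STOR", "SITE"}
# Constructed control-channel transcript (C = client to server, S = server reply); not a real capture.
SAMPLE_TRANSCRIPT = [
    "S: 220 ftp.example.internal ready",
    "C: USER opsadmin",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Login successful",
    "C: DELE index.html",
    "S: 250 File deleted",
    "C: QUIT",
    "S: 221 Goodbye",
]
@dataclass
class AuditRecord:
    user: Optional[str]        # account the session authenticated as (from USER)
    command: str               # FTP verb, upper-cased
    argument: str              # verb argument; PASS is redacted before storage
    reply_code: Optional[int]  # 3-digit server reply paired with this command
    needs_review: bool         # True for verbs in REVIEW_COMMANDS

def parse_transcript(lines: List[str]) -> List[AuditRecord]:
    # Pair each client command with the first server reply that follows it.
    records: List[AuditRecord] = []
    user: Optional[str] = None
    pending: Optional[AuditRecord] = None
    for line in lines:
        direction, _, payload = line.partition(": ")
        if direction == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            if verb == "PASS":
                arg = "<redacted>"  # credentials never enter the audit trail
            pending = AuditRecord(user, verb, arg, None, verb in REVIEW_COMMANDS)
            records.append(pending)
        elif direction == "S" and pending is not None:
            m = re.match(r"(\d{3})[ -]", payload)
            if m:  # first reply line closes out the pending command
                pending.reply_code = int(m.group(1))
                pending = None
    return records

def review_items(records: List[AuditRecord]) -> List[AuditRecord]:
    return [r for r in records if r.needs_review]  # records a reviewer should inspect
```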
VNC is another remote graphical access protocol, but VNC is one-to-one: a client host can access only one remote server at a time, whereas the RDP protocol allows multiple clients to access the same remote server at the same time. For this reason, bastion host vendors on the market generally implement O & M auditing by parsing the RDP protocol.
This is only a rough description that conveys the main idea; I will update it when I have time.
In short, the bastion host is: single sign-on + audit.