What Is a Bastion Host?

A bastion host is a computer that has been hardened to withstand attack. It serves as the checkpoint for entering the internal network, so the security effort for the whole network can be concentrated on this one host instead of being spread across every host, which saves time and effort. Because it is the most exposed host in the network, the bastion host must also be the best-protected one. A bastion host typically has two network interfaces, each attached to a different network: one connects to the company's internal network for management, control and protection, and the other connects to an outside network, usually the public Internet. Bastion hosts are often configured with gateway services; a gateway service is a process that relays a specific protocol from the public network to the private network and vice versa.

Bastion host

The bastion host is a host completely exposed to external network attacks. It doesn't have any internal
Trend internal control bastion host with powerful input and output
The internal control bastion host is a computer that can be strengthened to defend against attacks and has strong security protection capabilities. The internal control bastion host plays the role of gatekeeper.
1 Information technology in the government industry
Electronic government affairs is a new trend in the development of government management in the information society, and it has become the focus of governments around the world.
As government informatization advances and business applications, office systems and business platforms are introduced and put into operation, information systems have penetrated every part of an organization's operations. Ever larger numbers of server hosts run key services such as e-government, database applications, operation and maintenance management, ERP and collaborative groupware. With so many servers and so much pressure on system administrators, human misoperation becomes likely, and it can seriously damage the reputation of a department or enterprise and its operating efficiency. Hackers and malicious access may also obtain system privileges, break into departmental or corporate internal networks and cause immeasurable losses. How to raise the level of operation and maintenance management, meet the relevant standards, prevent intrusion and malicious access, track user behaviour on servers, reduce operation and maintenance costs and provide evidence for control and audit has therefore become a growing concern for enterprises. [1]
2 Operation and maintenance management needs of the government industry
2.1 Policy review to meet national level protection
1. User account permissions must be strictly managed and controlled, and oversight of account password security and login security must be strengthened;
2. Various access operation logs of the information system need to be comprehensively audited, including network, system, data, application and other aspects;
3. When an information system is operated remotely, the communication link must be trustworthy and the communication data must be encrypted.
2.2 Meet the requirements of basic standards for enterprise internal control
In 2010, Article 12 of the Guidelines for the Application of Enterprise Internal Control No. 18 (Information Systems), issued by the Ministry of Finance, the Securities Regulatory Commission, the Audit Commission, the Banking Regulatory Commission and the Insurance Regulatory Commission, clearly required that enterprises establish a user management system, strengthen access authority management of their systems, regularly review system accounts to avoid improper authorization or unauthorized accounts, and prohibit cross-operation of user accounts belonging to incompatible positions.
2.3 Complex management and low work efficiency
1. The IT systems that support an enterprise's business operations consist mainly of a large number of network devices, host systems and application systems, which from the application perspective are divided among different business systems and departments. Each network device and host system provides its own independent user management, authentication, authorization and auditing system.
2. The various systems are maintained and managed by different system administrators. The complexity facing maintenance staff grows exponentially with the number of systems, and frequent logins and logouts are required, which reduces work efficiency.
2.4 Network security risks such as account sharing and simple passwords are inevitable
1. To reduce management complexity and difficulty, some accounts are shared by several people; the proliferation of such accounts is hard to control, the account and password information leaks easily, and security incidents frequently result from this kind of account sharing;
2. Maintenance personnel who switch systems frequently must enter a different user name and password for each system. To make them easier to remember, they often choose simple passwords or reuse one password across several systems, and in emergencies they may also share their user name and password with others, which poses a great threat to the security of the whole system.
2.5 Centralized and incomplete audits of systems and network equipment
1. Because each system operates independently, system operation logs and the audit of maintenance personnel's actions can only be performed per system. When a fault occurs, systems must be checked one by one; there is no unified, centralized troubleshooting, which greatly reduces work efficiency and increases the potential for loss;
2. Real-name auditing is not possible: only account names can be audited, and they cannot be associated with natural persons.
3 Government industry bastion host product technology solutions
The Tianrongxin bastion host (TA-SAG) technology solution for the government industry is built on the concept of a 4A unified network security management platform. Through centralized account management, an authentication mechanism, an authorization mechanism and auditing of user operation behaviour, it provides effective control, unified management and full operation auditing of the enterprise's servers, databases, switches, routers, firewalls and other network equipment.
Based on the current situation and needs of the government industry, Tianrongxin proposes a targeted solution on the TA-SAG platform. The plan focuses on the following six points.
3.1 Standards and Norms to Follow and Reference
1. National Security Standard BMZ2-2001 "Guidelines for the Design of Security and Confidentiality of Computer Information Systems Concerning State Secrets"
2. National Security Standard BMZ1-2000, "Technical Requirements for Security of Computer Information Systems Concerning State Secrets"
3. National Security Standard "Interim Provisions on the Security Management of Computer Information Systems" (Guo Baofa {1998} No. 1)
4. National Standard GB17859-1999, "Guidelines for Classification of Computer Information System Security Protection Levels"
5. National Standard GB/T 18336.2-2001, "Information Technology Security Technology Information Technology Security Evaluation Guidelines Part 2: Security Function Requirements"
6. ISO27001 / ISO17799: 2005 / BS7799, "Technical Specifications for Information Security Management".
3.2 Unified account management
1. The administrator maintains the entire life cycle of master accounts through the master account management interface: adding, modifying, deleting, locking and unlocking master accounts, and setting the password usage policy and user level definition for each master account.
2. Master account users can manage their own account information through self-service functions and modify personal details such as mobile phone number, email address and password.
3. Resource accounts are associated with master accounts, which also satisfies the requirement for real-name auditing.
3.3 Unified deployment of multiple authentication methods
1. The user logs in to the Tianrongxin TA-SAG (bastion host) management platform with a user name and password, selects an asset and account from the authorized list, and is logged in directly to the target asset.
2. The user logs in to the management unit with a digital certificate, dynamic token or similar credential; the management unit then issues a one-time password to the execution unit, which logs in to the target asset.
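The one-time password handed from the management unit to the execution unit, as an added illustration that is not code from the page or from the TA-SAG product: the management unit mints a short-lived token bound to one master user and one target asset and signed with a shared secret, and the execution unit accepts it only once, only for that user and asset, and only before it expires. The shared secret, the 60-second lifetime and the token layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed token lifetime; a real deployment would take this from policy.
TOKEN_TTL_SECONDS = 60


def issue_one_time_password(secret: bytes, master_user: str, asset: str, now=None) -> str:
    """Management unit side: mint a single-use password bound to one user and one asset.

    The token is 'user|asset|expiry|nonce|tag'; the tag is an HMAC-SHA256 over the
    first four fields under the secret shared with the execution unit (assumed layout).
    """
    if "|" in master_user or "|" in asset:
        raise ValueError("field separator not allowed in user or asset names")
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)          # makes every token unique, so replays are detectable
    payload = f"{master_user}|{asset}|{expires}|{nonce}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


class ExecutionUnit:
    """Execution unit side: verifies tokens and remembers which nonces were already spent."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used_nonces = set()

    def verify(self, token: str, master_user: str, asset: str, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            user, target, expires, nonce, tag = token.split("|")
        except ValueError:
            return False                  # malformed token
        payload = f"{user}|{target}|{expires}|{nonce}"
        expected = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                  # forged or tampered
        if user != master_user or target != asset:
            return False                  # valid token, but for someone or something else
        if now > int(expires):
            return False                  # expired
        if nonce in self._used_nonces:
            return False                  # replayed
        self._used_nonces.add(nonce)      # spend it: a one-time password works exactly once
        return True
```

The execution unit checks the signature before anything else so that an attacker cannot learn which fields it inspects from differing rejection timing, and it records the nonce only after every other check passes, so a rejected token never consumes a slot in the used-nonce set.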
3.4 SSO single sign-on
1. After logging in to the Tianrongxin TA-SAG (bastion host) management platform, the user sees the list of authorized resources, selects the target asset and the slave account directly, and the bastion host substitutes the account and password to complete the login automatically.
2. This also removes the tedium of frequently logging in and out of servers, improving work efficiency.
3.5 More comprehensive and centralized log audit
1. The bastion host performs a comprehensive log audit of operations on its resources for each natural-person account.
2. Log auditing supports querying by server, by natural person, by login address and by other custom conditions.
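An added illustration of sections 3.2, 3.4 and 3.5 together, written for this page and not taken from the TA-SAG product: master accounts belong to natural persons and are checked against a password policy and a lockout threshold; slave (resource) credentials live only in the bastion's vault and are substituted at login so the user never sees them; and every authentication and session attempt is written to an audit trail that carries the natural person's name and can be queried by server, by person or by login address. The password policy, the lockout threshold of three failures and the sample accounts are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed policy: at least 12 characters with upper case, lower case and a digit.
PASSWORD_POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{12,}$")
MAX_FAILED_LOGINS = 3   # assumed lockout threshold


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the bastion never stores master passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class MasterAccount:
    username: str          # the natural person who logs in to the bastion
    full_name: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    failed_logins: int = 0


@dataclass
class AuditRecord:
    time: str
    master_user: str
    full_name: str         # real-name audit: the person, not just an account string
    asset: str
    resource_account: str
    source_ip: str
    action: str


class Bastion:
    def __init__(self):
        self.masters = {}      # username -> MasterAccount
        self.vault = {}        # (asset, resource account) -> credential held by the bastion
        self.grants = {}       # username -> {(asset, resource account)} the person may use
        self.audit = []        # list of AuditRecord

    # 3.2 unified account management
    def add_master(self, username, full_name, password):
        if not PASSWORD_POLICY.match(password):
            raise ValueError("password violates policy")
        salt = os.urandom(16)
        self.masters[username] = MasterAccount(username, full_name, salt, hash_password(password, salt))

    def add_resource_account(self, asset, account, credential):
        self.vault[(asset, account)] = credential

    def grant(self, username, asset, account):
        self.grants.setdefault(username, set()).add((asset, account))

    def authenticate(self, username, password, source_ip) -> bool:
        m = self.masters.get(username)
        if m is None or m.locked:
            self._log(username, "-", "-", source_ip, "AUTH_REJECTED")
            return False
        if not hmac.compare_digest(hash_password(password, m.salt), m.pw_hash):
            m.failed_logins += 1
            if m.failed_logins >= MAX_FAILED_LOGINS:
                m.locked = True           # lock after repeated failures
            self._log(username, "-", "-", source_ip, "AUTH_FAILED")
            return False
        m.failed_logins = 0
        self._log(username, "-", "-", source_ip, "AUTH_OK")
        return True

    # 3.4 SSO: the bastion substitutes the slave credential
    def open_session(self, username, asset, account, source_ip):
        if (asset, account) not in self.grants.get(username, ()):
            self._log(username, asset, account, source_ip, "DENIED")
            return None
        self._log(username, asset, account, source_ip, "LOGIN")
        return self.vault[(asset, account)]   # handed to the connector, never shown to the user

    # 3.5 centralized, real-name audit
    def _log(self, username, asset, account, source_ip, action):
        m = self.masters.get(username)
        self.audit.append(AuditRecord(
            datetime.now(timezone.utc).isoformat(), username,
            m.full_name if m else "(unknown)", asset, account, source_ip, action))

    def query_audit(self, asset=None, master_user=None, source_ip=None):
        """Filter the trail by server, natural person and/or login address (any combination)."""
        return [r for r in self.audit
                if (asset is None or r.asset == asset)
                and (master_user is None or r.master_user == master_user)
                and (source_ip is None or r.source_ip == source_ip)]
```

Denied and failed attempts are logged with the same fields as successful ones, which is what makes the trail useful for the needs listed in section 2.5: a query by login address returns every attempt from that address, and a query by natural person shows what one individual did across all servers regardless of which slave account was used.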
3.6 Supports dual-system hot backup, safe and stable operation
The bastion host supports dual-system hot standby with full high availability, ensuring long-term, reliable operation.
