Editor's note: At the "2022 JumpServer Open Source Bastion Host City Meet · Wuhan Station" event held on August 20, 2022, Cai Yang, Senior Information Security Engineer of Dongfeng Cummins, delivered a keynote speech titled "JumpServer Practice in Dongfeng Cummins". The following content is compiled from this presentation.
Dongfeng Cummins Engine Co., Ltd. (hereinafter referred to as Dongfeng Cummins) is located in Xiangyang City, Hubei Province, and is a representative manufacturing enterprise in Hubei Province. The company is a joint venture established by Dongfeng Motor Corporation and American Cummins Inc., each holding 50% of the shares, with diesel engine manufacturing as its main business.
Cai Yang, Senior Information Security Engineer, Dongfeng Cummins
Under the influence of Industry 4.0, manufacturing enterprises, including Dongfeng Cummins, have begun digital transformation. "Digitalization" simply means connecting various systems, breaking down data silos, achieving real-time connection between systems, and finally establishing a unified data lake and application system.
Digitalization places very high demands on IT asset connectivity, especially for smart manufacturing enterprises, where many industrial devices have to be brought onto the network. The information security risks this introduces cannot be ignored, so management and operations and maintenance need to be considered from multiple angles.
Pain Points in Asset Management
For Dongfeng Cummins, standardized management and secure operation of IT and industrial equipment during digital transformation is a crucial task. In practical work, unified operation and maintenance of IT assets and industrial equipment has always faced challenges, mainly in the following aspects:
1. Asset Fragmentation, Heavy O&M Workload
Dongfeng Cummins currently has over 300 virtual servers, more than 50 physical machines, and various industrial equipment distributed across different workshops. The wide distribution of assets and infrastructure leads to a very large daily audit and maintenance workload. If these tasks are handled by different service providers, the work becomes scattered and difficult to control, while also posing significant security risks. Therefore, the company urgently needs a unified asset management and operation maintenance audit platform to handle these complex tasks.
2. Difficult Supervision
As a smart manufacturing enterprise, Dongfeng Cummins needs to work with many external suppliers, including many foreign manufacturers. Without a security audit platform, user access and operations in this situation would be at risk: without a strict access control system, data loss can easily occur, and the cause of a system failure cannot be effectively traced. Strengthening the security monitoring of information systems was therefore an urgent problem to solve.
3. Need for Professional Support Services
To reduce learning costs and quickly troubleshoot problems, Dongfeng Cummins hopes that this unified operation and maintenance security management platform can provide professional daily support services, allowing timely consultation with technical professionals for any issues that arise during use.
Why Choose JumpServer?
After examining and testing mainstream bastion hosts in the market, Dongfeng Cummins finally chose to deploy the JumpServer Enterprise Edition. Compared to traditional bastion hosts, JumpServer has the following advantages:
1. Open Source
JumpServer is open-source software, which is a great advantage when integrating it with Dongfeng Cummins' OA system (i.e., the work order system). After a user initiates a permission request in the OA system and it is approved, the permission is granted automatically through JumpServer, with no manual operation by maintenance personnel.
Additionally, JumpServer releases updates monthly, and these releases have added many of the features we need, continuously improving our experience with the bastion host.
2. Security
Under the requirements of the Level Protection 2.0 specification, enterprises face increasingly strict requirements for network security protection. Whether the concern is operation and maintenance security auditing or professional server management, the bar has risen, and "managing multiple types of IT assets through a unified platform" has become a necessity. JumpServer meets the 4A specifications (account, authentication, authorization, and audit) and can satisfy the practical requirements of enterprise operation and maintenance security auditing.
3. Easy to Use
JumpServer is very user-friendly, with its design well-suited to Chinese users' habits. Furthermore, JumpServer provides diverse deployment methods and can synchronously manage cloud hosts and local virtualization platform hosts, effectively reducing the cost of managing multi-cloud assets.
4. Professional Service Support
JumpServer Enterprise Edition provides four major service supports: First, professional training to help us systematically learn how to use JumpServer correctly and avoid detours; Second, original manufacturer service to quickly solve technical problems and reduce problem investigation and location time; Third, providing solutions for enterprise internal asset management needs; Fourth, quick response to our questions and needs with prompt feedback and solutions.
JumpServer Application Scenarios in Dongfeng Cummins
1. Deployment Mode
Currently, Dongfeng Cummins mainly uses JumpServer to manage private cloud assets. We ultimately adopted a primary-backup (active-standby) deployment, with MySQL and Redis deployed separately from the JumpServer nodes: MySQL uses master-master replication and Redis uses master-slave replication. Session recordings (video) are stored on an NFS server.
2. Work Order Management
External suppliers must apply through work orders for access authorization to company resources, and login and asset connection operations require administrator approval. After administrator approval, JumpServer automatically allocates corresponding server resources and permissions to accounts without requiring manual authorization.
3. WeChat Work Integration
JumpServer supports integration with WeChat Work. Administrators can log in to the JumpServer console through WeChat Work without entering a password, so they no longer need to log in to the OA system, and can process work order approvals directly from a mobile device in WeChat Work, greatly reducing the maintenance workload.
4. Batch Password Change
Before using JumpServer, password changes had to be performed manually by the administrators of each system. This not only involved a large workload but also led to poor password quality, with weak passwords being common. JumpServer's batch password change function solved this problem for us.
After using JumpServer for regular batch password changes, password settings meet compliance requirements while effectively solving the problem of repetitive work caused by multiple asset types and quantities.
5. Syslog Integration with Log System
Dongfeng Cummins forwards JumpServer's audit events to the company's log system through Syslog, achieving unified log management. The forwarded records cover session operation audits, high-risk commands, file uploads and downloads, and other executed commands.
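As an added illustration of what the receiving log system can do with forwarded bastion-host events, the following example (written for this article, not JumpServer's own code) parses RFC 5424 syslog lines and raises alerts for high-risk commands and downloads of sensitive files, tagging supplier accounts separately. The key=value message payload, the field names, the "vendor-" account-naming convention, the high-risk command patterns and the sample lines are all constructed assumptions for the example, not JumpServer's actual syslog schema.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The key=value payload, the field names and the
# "vendor-" prefix for supplier accounts are assumptions made for this
# example; they are not JumpServer's actual syslog schema.
SAMPLE_LINES = [
    '<14>1 2022-08-20T10:01:02Z js-node1 jumpserver - - - event=command user=alice asset=app-srv-01 cmd="ls -la /var/log" risk=normal',
    '<14>1 2022-08-20T10:02:30Z js-node1 jumpserver - - - event=command user=vendor-bob asset=db-srv-02 cmd="rm -rf /data/backup" risk=high',
    '<14>1 2022-08-20T10:02:55Z js-node1 jumpserver - - - event=command user=vendor-bob asset=db-srv-02 cmd="dd if=/dev/zero of=/dev/sda" risk=normal',
    '<14>1 2022-08-20T10:03:11Z js-node1 jumpserver - - - event=file_transfer user=vendor-bob asset=app-srv-01 direction=download path=/etc/shadow',
    '<14>1 2022-08-20T10:04:45Z js-node1 jumpserver - - - event=file_transfer user=alice asset=app-srv-01 direction=upload path=/tmp/release.tar.gz',
    'not a syslog line at all',
]

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(r'^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$')
# key=value tokens in the message; values may be double-quoted to allow spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed high-risk command patterns (illustrative, not JumpServer's list)
HIGH_RISK_CMD = [
    re.compile(r'\brm\s+-[a-z]*r'),   # recursive delete
    re.compile(r'\bdd\s+if='),        # raw block-device writes
    re.compile(r'\bmkfs'),            # filesystem creation
]
# Constructed list of files whose download from a host should be reviewed
SENSITIVE_PATHS = {'/etc/shadow', '/etc/passwd', '/etc/sudoers'}


@dataclass
class Alert:
    timestamp: str
    user: str
    asset: str
    reason: str
    external: bool


def parse_event(line: str):
    """Return the event fields as a dict, or None if the line is not an RFC 5424 event."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {'timestamp': m.group(3), 'host': m.group(4), 'app': m.group(5)}
    for key, quoted, bare in KV_RE.findall(m.group(9)):
        fields[key] = quoted if quoted else bare
    return fields


def is_external(user: str) -> bool:
    """Assumed naming convention: supplier accounts are prefixed with 'vendor-'."""
    return user.startswith('vendor-')


def triage(lines):
    """Apply the review rules to forwarded events and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not an event line; a real pipeline would count these
        user, asset, ts = ev.get('user', '?'), ev.get('asset', '?'), ev['timestamp']
        reason = None
        if ev.get('event') == 'command':
            cmd = ev.get('cmd', '')
            if ev.get('risk') == 'high':
                reason = f'command flagged high-risk by the bastion host: {cmd}'
            elif any(p.search(cmd) for p in HIGH_RISK_CMD):
                reason = f'command matches a local high-risk pattern: {cmd}'
        elif ev.get('event') == 'file_transfer':
            if ev.get('direction') == 'download' and ev.get('path') in SENSITIVE_PATHS:
                reason = f"download of sensitive file {ev['path']}"
        if reason:
            alerts.append(Alert(ts, user, asset, reason, is_external(user)))
    return alerts


if __name__ == '__main__':
    for a in triage(SAMPLE_LINES):
        tag = 'EXTERNAL' if a.external else 'internal'
        print(f'{a.timestamp} [{tag}] {a.user}@{a.asset}: {a.reason}')
```

Running the block prints three alerts, all for the supplier account: the command the bastion host already marked as high-risk, the `dd` command caught by the local pattern even though it arrived marked normal, and the download of `/etc/shadow`. Keeping a second, locally maintained pattern list alongside the bastion host's own risk flag is the point of the example: the log system can tighten review for external accounts without changing the bastion host's configuration.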
6. Database Proxy Direct Connection Audit
For the company's developers and DBAs, who prefer to connect to and operate databases from desktop database clients, JumpServer's Magnus component supports auditing of proxied direct database connections, so users keep their previous working habits while database operations are still audited.
Summary
For Dongfeng Cummins, the JumpServer bastion host has given us unified management of servers and other assets, established a single path for maintenance operations, and met our internal requirements for secure operations and maintenance. In terms of permission control, JumpServer's work order management, login control, and command filtering functions have allowed us to effectively restrict the permissions of external suppliers, so that mis-scoped permissions no longer put IT operations at risk.
Additionally, JumpServer supports primary-backup high-availability deployment, providing disaster recovery backup capabilities, allowing quick activation of backup systems in emergencies to ensure sustainable system security operation and maintenance capabilities.