Editor's note: This article is authored by Stian from MOONTON.
Shanghai MOONTON Technology Co., Ltd. (hereinafter referred to as MOONTON) was established in 2014, with headquarters in Shanghai and overseas branches in Indonesia, Singapore, and other locations. MOONTON focuses on global game development and publishing and has launched multiple mobile games with high recognition overseas, making it one of the Chinese gaming companies with the largest overseas player base.
Currently, MOONTON has established long-term partnerships with government institutions, esports associations, and professional teams in over 30 countries worldwide. The company's Mobile Legends has become the largest MOBA (Multiplayer Online Battle Arena) game overseas. MOONTON operates numerous data centers globally, and many of its projects run on independent networks, so its game projects face a range of security operations and maintenance challenges.
Pain Points in Security Operations
The rapid business growth of MOONTON has brought many issues and challenges to its daily operations management, which can be summarized in the following aspects:
1. Network Isolation Management Issues for Multiple Projects
Gaming companies typically run multiple projects, each on its own isolated network. Under that model, each project has to manage its own bastion host, so management permissions are scattered and unified management is difficult;
2. Multi-IDC Login Acceleration Issues
With multiple projects, each with IDCs distributed around the world, deploying bastion hosts centrally at a single node causes high login latency to some IDCs and a poor daily operations experience;
3. Live Network User Operation Audit Issues
Previously, the company was unable to trace user actions, and every year there were incidents of system failures caused by user misoperations. When a failure occurred, the company could not immediately determine whether it was caused by a user misoperation or by a server performance issue, which made it hard to investigate and fix problems quickly. User behavior traceability was therefore one of the company's most urgent issues to resolve;
4. Live Network Database Access Audit Issues
The company's game projects use a global logical database. During routine maintenance, certain tables frequently need to be viewed and modified. The previous approach was to connect the office network through a reverse proxy and then use database management software to view and operate on the tables. This process was cumbersome and carried security risks;
5. Live Network File Upload Audit Issues
The company's game project release packages, configuration files, and other materials need to be transmitted through the office network, primarily uploaded with Rsync. This made file auditing and the restriction of user operations difficult.
Bastion Host Selection Approach
After conducting a series of market research and evaluations, and performing internal testing of JumpServer, MOONTON's operations center found that its core functions could meet the enterprise's essential requirements for a bastion host. The main advantageous features include:
■ Organization Management
JumpServer Enterprise Edition supports organization management functionality, enabling multi-tenant management and permission isolation. This allows each company project to set up an organization, configure all users, assets, and authorizations with finer granularity, effectively solving the issue of inconsistent multi-project management;
■ Log Audit and Session Management
JumpServer supports log audit and session management functions. When operational incidents occur or issues need investigation, problems can be quickly located, determining whether they were caused by human error or other failures, effectively preventing similar issues from recurring. This resolves the user behavior audit and tracing requirements, meeting the company's security compliance needs;
■ Remote Applications and Database Management
JumpServer Enterprise Edition supports remote applications (RemoteApp) and database management functions. It supports both command-line and GUI access methods for online databases, while the remote application functionality maintains compatibility with database management software that operations personnel are accustomed to using, thus solving database permission control and application operation audit issues;
■ File Transfer and Management
JumpServer supports file transfer and management functions. Users can upload and download files through the Web terminal, and it supports FTP-API, facilitating script-based file uploads and downloads, while providing audit capabilities.
JumpServer Bastion Host Deployment Architecture
Based on the above core functions and the characteristics of gaming companies with multiple projects and multi-location data centers, MOONTON ultimately chose a distributed architecture deployment approach.
When deploying JumpServer to production, they first deployed a central node at a global IDC, separating the Web Server and DB Server, fronting them with two virtual IPs, and implementing high availability with Keepalived. If one of the services fails, this mechanism switches over automatically within 5 seconds.
Then, based on the company's business requirements, JumpServer slave nodes were deployed at selected IDCs worldwide. These slave nodes contain only partial components and authenticate with the central node through the Auth API, and each slave node usually also has its own high availability setup. As a result, in daily operations users can log into the nearest bastion host according to their project and data center.
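The following Keepalived configuration is an added example of the central-node high availability pattern described above; it is not MOONTON's or JumpServer's own configuration. It covers one node of the Web Server pair and shows the parts that decide failover time and safety: a local health check that lowers the node's VRRP priority when the JumpServer web service stops answering, 1-second advertisements so the BACKUP node notices a dead MASTER within about 3 seconds, and unicast peering so VRRP traffic is not broadcast on the data-center segment. The host names, interface name, IP addresses, router IDs, and the health-check URL are all constructed placeholders; substitute the values and the health endpoint your deployment actually exposes.

```conf
# /etc/keepalived/keepalived.conf on the MASTER node of the JumpServer Web Server pair
# (hypothetical hosts jms-web-01 / jms-web-02; constructed addresses 10.10.0.11 / 10.10.0.12)
# The BACKUP node uses the same file with: state BACKUP, priority 100,
# and the unicast_src_ip / unicast_peer addresses swapped.

global_defs {
    router_id jms-web-01
    enable_script_security      # refuse to run check scripts that are world-writable
    script_user root
}

# Local health check for the JumpServer web service (health URL is an assumption).
# Probe every 1s; declare the service down after 3 consecutive failures (~3s),
# and healthy again only after 2 consecutive successes, to avoid flapping.
vrrp_script chk_jumpserver_web {
    script "/usr/bin/curl -sf -o /dev/null http://127.0.0.1:80/api/health/"
    interval 1
    timeout 2
    fall 3
    rise 2
    weight -30                  # 110 - 30 = 80 < 100, so the BACKUP node wins the election
}

vrrp_instance VI_JMS_WEB {
    state MASTER
    interface eth0
    virtual_router_id 51        # must be unique per VRRP group on this L2 segment
    priority 110                # BACKUP node: 100
    advert_int 1                # 1s advertisements: master-down detection in ~3s

    # Unicast VRRP between the two nodes instead of multicast on the segment.
    unicast_src_ip 10.10.0.11
    unicast_peer {
        10.10.0.12
    }

    # VRRP PASS authentication is sent in clear text: it only guards against
    # accidental router_id collisions, and is not an access control.
    authentication {
        auth_type PASS
        auth_pass jmsw51        # placeholder, max 8 characters
    }

    # The frontend virtual IP that users and slave-node Auth API calls connect to.
    virtual_ipaddress {
        10.10.0.100/24 dev eth0
    }

    track_script {
        chk_jumpserver_web
    }
}
```

The DB Server pair is configured the same way with its own virtual_router_id, its own virtual IP (the second of the two frontend VIPs), and a check script that probes the database port instead of the web service. With these timings the worst case, a service that stops answering while the host stays up, is detected after three failed probes (about 3 seconds) and the VIP moves within the next advertisement cycle, which is inside the 5-second target. After a deliberate failover test, confirm with `ip addr show eth0` on both nodes that the VIP is present on exactly one of them, and log VRRP state changes so that a "Entering BACKUP STATE" event on the central node is visible to the operations team rather than only to the users who got disconnected.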
JumpServer Bastion Host Feature Highlights
In practical use, we found that JumpServer has other feature highlights that effectively enhance enterprise security operations audit capabilities:
■ Password Change Plan
JumpServer Enterprise Edition supports periodic batch password changes for assets and databases, can generate random passwords, and allows users to freely choose from multiple password strategies based on specific needs. This feature effectively resolves the need for periodic bastion host password changes and greatly improves system security, meeting the company's security compliance requirements;
■ Multi-Cloud Asset Management
JumpServer Enterprise Edition supports automated unified management of private and public cloud assets. With numerous assets deployed in multi-cloud environments, JumpServer enables unified management of IT assets across clouds, greatly improving the company's asset management efficiency;
■ Web Terminal Operations
The Web terminal lets many lightweight users meet basic daily operations and server management needs without installing command-line tools such as XShell, making operations simple and convenient.