CBH enables common authentication, authorization, account, and audit (AAAA) management. Users can obtain O&M permissions by submitting tickets and can invite O&M engineers to perform collaborative O&M.
Credential Authentication
CBH uses multi-factor authentication and remote authentication technologies to enhance O&M security.
- Multi-factor authentication: CBH authenticates users by mobile one-time passwords (OTPs), SMS messages, USB keys, and/or OTP tokens. This allows you to mitigate O&M risks caused by leaked credentials.
- Remote authentication: CBH interconnects with third-party authentication services or platforms to perform remote account authentication, prevent credential leakage, and ensure secure O&M. Currently, Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and Azure AD remote authentication are available. CBH allows you to synchronize users from the AD domain server without modifying the original user directory structure.
Account Management
With a CBH system, you can centrally manage system user accounts and managed resource accounts, and establish a visible, controllable, and manageable O&M system that covers the entire account lifecycle.
Table 1 Account management

Feature: System user accounts
Description: CBH enables you to grant a unique account with specific permissions to each system user based on their responsibilities. This eliminates security risks resulting from the use of shared accounts, temporary accounts, or privilege escalation.
- Batch importing: CBH enables you to synchronize users from a third-party server or import users in batches, eliminating the need to create users repeatedly.
- User groups: CBH allows you to add users of the same type to a group and assign permissions by user group.
- Batch management: CBH enables you to manage user accounts in batches, including deleting, enabling, and disabling user accounts, resetting user passwords, and modifying basic user configurations.

Feature: Managed resource accounts
Description: With a CBH system, you can centrally manage the accounts of resources managed in the CBH system through the entire account lifecycle, log in to managed resources through the SSO portal, and seamlessly switch between resource management and O&M.
- Resource types: CBH supports management of a wide range of resource types, including host (such as Windows and Linux hosts), Windows application, and database (such as MySQL and Oracle) resources.
  - Host resources of the client-server architecture, including hosts configured with the Secure Shell (SSH), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Telnet, File Transfer Protocol (FTP), SSH File Transfer Protocol (SFTP), DB2, MySQL, SQL Server, Oracle, Secure Copy Protocol (SCP), or Rlogin protocol.
  - Application resources of the browser-server architecture or the client-server architecture, including more than 12 types of browser- and client-side Windows applications, such as Microsoft Edge, Google Chrome, and Oracle tools.
- Resource management
  - Batch importing: CBH enables quick auto-discovery, synchronization, and batch importing of cloud resources, such as Elastic Cloud Server (ECS) instances and Relational Database Service (RDS) DB instances, for centralized O&M.
  - Account group management: CBH manages resource accounts by group. By placing resource accounts with the same attributes in the same group, you can assign permissions on a group basis and let accounts inherit permissions directly from the group to which they belong.
  - Password autofill: CBH encrypts managed resource account credentials with 256-bit Advanced Encryption Standard (AES) encryption and fills in the passwords of shared accounts automatically at login, so that users never see them, preventing credential leakage.
  - Automatic password change of managed resource accounts: CBH supports password change policies so that you can periodically change account passwords to keep managed accounts secure.
  - Automatic synchronization of managed resource accounts: CBH allows you to configure account synchronization policies so that you can periodically check and synchronize account information between the CBH system and the managed host resources. When you create, modify, or delete an account on a host, the same operation is performed in CBH.
  - Batch management: CBH allows you to batch manage the information and accounts of managed resources, including deleting a resource, adding a resource label, modifying resource information, verifying a managed account, and deleting a managed account.
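The account synchronization policy above keeps the bastion's inventory in step with what actually exists on a managed host. The following added example (not CBH product code; the passwd-format host listing, the bastion inventory, and the `reconcile` helper are all constructed for illustration) models one synchronization run: the host's account list is treated as the source of truth, non-interactive accounts are ignored because they cannot be used for O&M sessions, and the output is the list of create, update and delete operations needed to mirror the host.

```python
"""Reconcile a managed host's accounts with the bastion's account inventory.

Added example, not CBH product code. Host accounts are the source of truth;
the inventory is brought in line by creating, updating or deleting records.
All sample data below is constructed.
"""
from dataclasses import dataclass

# Constructed sample: what the managed Linux host reports (passwd format).
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ops:x:1001:1001:Ops engineer:/home/ops:/bin/bash
deploy:x:1002:1002:Deploy bot:/srv/deploy:/usr/sbin/nologin
dba:x:1003:1003:DB admin:/home/dba:/bin/zsh
"""

# Constructed sample: what the bastion currently has on record for that host.
BASTION_INVENTORY = {
    "root":    {"uid": 0,    "shell": "/bin/bash"},
    "ops":     {"uid": 1001, "shell": "/bin/sh"},    # shell was changed on the host
    "olduser": {"uid": 1004, "shell": "/bin/bash"},  # account was removed on the host
}


@dataclass(frozen=True)
class SyncAction:
    op: str        # "create", "update" or "delete"
    account: str
    detail: str


def parse_passwd(text):
    """Return {name: {"uid", "shell"}} for accounts that can open a session.

    Malformed lines are skipped rather than guessed at, and accounts whose
    shell is nologin/false are dropped because they cannot be used for O&M.
    """
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if shell.endswith(("nologin", "/false")):
            continue
        accounts[name] = {"uid": int(uid), "shell": shell}
    return accounts


def reconcile(host_accounts, inventory):
    """Compute the actions that make `inventory` match `host_accounts`."""
    actions = []
    for name, attrs in sorted(host_accounts.items()):
        if name not in inventory:
            actions.append(SyncAction("create", name,
                                      f"uid={attrs['uid']} shell={attrs['shell']}"))
        elif inventory[name] != attrs:
            changed = ", ".join(f"{k}: {inventory[name].get(k)} -> {v}"
                                for k, v in attrs.items()
                                if inventory[name].get(k) != v)
            actions.append(SyncAction("update", name, changed))
    for name in sorted(inventory):
        if name not in host_accounts:
            actions.append(SyncAction("delete", name, "no longer present on host"))
    return actions


def sync_report():
    """One synchronization run over the constructed sample data."""
    return reconcile(parse_passwd(HOST_PASSWD), BASTION_INVENTORY)


if __name__ == "__main__":
    for action in sync_report():
        print(f"{action.op:6} {action.account:8} {action.detail}")
```

Deleting an inventory record the moment it disappears from the host is the simplest policy; a production bastion would normally keep the record in a disabled state for audit purposes, which is a one-line change in `reconcile`.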
Permissions Management
CBH supports fine-grained permission management so that you have complete control over which user can access the CBH system and which managed resources can be accessed by a specific system user, enabling you to safeguard both the CBH system and managed resources.
Table 2 Permissions management

Function: CBH system access permission
Description: You can assign permissions to a system user to log in to a CBH system and use different functional modules in the CBH system according to the user's responsibilities.
- System user roles: CBH supports role-based and module-based permission management so that you can allow a system user to access specific functional modules based on the user's responsibilities. You can use default user roles or create custom roles by adding various functional modules.
- Departments: CBH enables department-based system user management, allowing you to specify departments of different levels for each system user. There is no limit on the number of department levels.
- Login restrictions: CBH controls system user logins along many dimensions, including login validity period, login duration, multi-factor verification, IP addresses, and MAC addresses.

Function: Managed resource access permission
Description: You can assign permissions for resources by user, user group, account, and account group.
- Access control: You can control resource access by resource access validity period, access duration, and IP address. CBH also allows you to assign permissions to users for uploading and downloading files, transferring files, and using the clipboard. When an O&M engineer initiates an O&M session, a watermark indicating their identity is displayed in the background of the session window.
- Two-person authorization: You can configure multi-level authorization that users must pass before accessing a specific resource, thereby safeguarding sensitive and mission-critical resources.
- Command interception: You can set command control policies or database control policies to forcibly block sensitive or high-risk operations on servers or databases, generate alarms, and review such operations. This gives you more control over key operations.
- Batch authorization: You can grant permissions for multiple resources to multiple users by user group or account group.
Operation Audit
In a CBH system, each system user has a unique identifier. After a system user logs in to the CBH system, the CBH system logs their operations and monitors and audits their operations on managed resources based on the unique identifier so that any security events can be discovered and reported in real time.
Table 3 Operation audit description

Function: System operation audit
Description: All operations in a CBH system are recorded, and alarms are reported for misoperations, malicious operations, and unauthorized operations.
- System login logs: Details about a login, including the login mode, system user, source IP address, and login time, are recorded. System login logs can be exported with just a few clicks.
- System operation logs: All system operation actions are recorded. System operation logs can be exported with just a few clicks.
- System reports: CBH displays all operation details of users in one place, including user statuses, user and resource creation, login methods, abnormal logins, and session controls. System reports can be exported with just a few clicks and periodically sent by email.
- Alarm notification: You can configure different alarm reporting methods and alarm severity levels for system operation and your application environment so that the CBH system sends alarm notifications by email or system message as soon as it detects system exceptions and abnormal user operations.

Function: Resource O&M audit
Description: A CBH system records user operations throughout the entire O&M process and supports multiple O&M auditing techniques. It audits user operations, identifies O&M risks, and provides the basis for tracing and analyzing security events.
- Auditing techniques
  - Linux command audits: For command operations through character-oriented protocols (such as SSH and Telnet), a CBH system records the entire O&M process, parses and reproduces the operation commands, and quickly locates and replays operations using keywords in the input and output.
  - Windows operation audits: For operations on terminals and applications through graphical protocols (such as RDP and VNC), the CBH system records all remote desktop operations, including keyboard actions, function key operations, mouse operations, window instructions, window switchover, and clipboard copying.
  - Database command audits: For command operations through database protocols (such as DB2, MySQL, Oracle, and SQL Server), the CBH system records the entire process from single sign-on (SSO) to database command operations, parses database operation instructions, and reproduces all operating instructions.
  - File transfer audits: For file transfer operations through file transfer protocols (such as FTP, SFTP, and SCP), the CBH system audits the entire file transfer process on web browsers or clients, and records the names and destination paths of transferred files.
- O&M audit methods
  - Real-time monitoring: Ongoing O&M sessions can be monitored, viewed, and terminated.
  - History logs: All O&M operations are recorded, and history session logs can be exported with just a few clicks.
  - Session videos: Linux commands and Windows operations can be recorded as video. Video files can be downloaded with just a few clicks.
  - Operation reports: CBH uses various reports to display O&M statistics in one place, including O&M action distribution over time, resource access times, session duration, two-person authorization, command interception, number of commands, and number of transferred files. Operation reports can be exported with just a few clicks and periodically sent by email.
  - Log backup: CBH allows you to back up history session logs to a remote Syslog server, FTP/SFTP server, or OBS bucket for disaster recovery.
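The Linux command audit and the operation reports above rest on the same underlying data: a per-session record of what the user typed and what the host returned, with timestamps. The added example below (not CBH product code; the pipe-separated log format, the sample session lines, and the `search` and `session_summary` helpers are constructed for illustration) shows how keyword search over input and output can be turned into replay positions (seconds from session start) and how session duration and command counts for a report are derived from the same events.

```python
"""Keyword search and per-session statistics over recorded O&M sessions.

Added example, not CBH product code. The log format (ts|session|user|host|
direction|text) and the sample lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: two recorded sessions, "in" = keystrokes sent by the
# user, "out" = what the managed host returned.
SESSION_LOG = """\
2024-05-01T10:00:00Z|S001|ops|web-01|in|cd /var/log
2024-05-01T10:00:04Z|S001|ops|web-01|in|grep -i error app.log
2024-05-01T10:00:05Z|S001|ops|web-01|out|ERROR connection refused to db-prod-01
2024-05-01T10:00:40Z|S001|ops|web-01|in|exit
2024-05-01T10:05:00Z|S002|dba|db-prod-01|in|mysql -u app -p
2024-05-01T10:05:03Z|S002|dba|db-prod-01|in|DROP TABLE orders_tmp;
2024-05-01T10:05:04Z|S002|dba|db-prod-01|out|Query OK, 0 rows affected
2024-05-01T10:06:10Z|S002|dba|db-prod-01|in|exit
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    user: str
    host: str
    direction: str   # "in" or "out"
    text: str


def parse_log(text):
    """Parse the constructed log format; the text field may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, user, host, direction, body = line.split("|", 5)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, session, user, host, direction, body))
    return events


def session_starts(events):
    """Earliest timestamp seen per session, the zero point for video replay."""
    starts = {}
    for e in events:
        if e.session not in starts or e.ts < starts[e.session]:
            starts[e.session] = e.ts
    return starts


def search(events, keyword, directions=("in", "out")):
    """Case-insensitive keyword hits with the replay offset inside the session."""
    kw = keyword.lower()
    starts = session_starts(events)
    hits = []
    for e in events:
        if e.direction in directions and kw in e.text.lower():
            hits.append({"session": e.session, "user": e.user, "host": e.host,
                         "direction": e.direction, "text": e.text,
                         "offset_s": int((e.ts - starts[e.session]).total_seconds())})
    return hits


def session_summary(events):
    """Per-session user, host, duration and command count for a report."""
    summary = {}
    for e in events:
        s = summary.setdefault(e.session, {"user": e.user, "host": e.host,
                                           "start": e.ts, "end": e.ts, "commands": 0})
        s["start"] = min(s["start"], e.ts)
        s["end"] = max(s["end"], e.ts)
        if e.direction == "in":
            s["commands"] += 1
    for s in summary.values():
        s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
    return summary


if __name__ == "__main__":
    events = parse_log(SESSION_LOG)
    for hit in search(events, "error"):
        print(f"{hit['session']} +{hit['offset_s']}s [{hit['direction']}] {hit['text']}")
    for sid, s in session_summary(events).items():
        print(f"{sid}: {s['user']}@{s['host']} {s['duration_s']}s, {s['commands']} commands")
```

Searching output as well as input is what lets a reviewer find a session by its effect (an error message, a returned row count) rather than only by what was typed, which is why the directions are a parameter rather than fixed to keystrokes.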
O&M Functions
CBH supports multiple architectures, tools, and methods to manage a wide range of resources.
Table 4 Efficient O&M functions

Function: O&M using a web browser
Description: By leveraging HTML5 for remote logins, O&M engineers can perform O&M operations such as real-time operation monitoring and file uploading and downloading without installing a client.
- One-stop O&M: O&M engineers can complete remote O&M anytime, anywhere through Microsoft Edge, Google Chrome, or Mozilla Firefox browsers on Windows, Linux, Android, and iOS operating systems without installing plug-ins.
- Batch login: CBH supports one-click login to multiple authorized resources, enabling O&M engineers to manage the resources on the same tab page of a browser.
- Collaborative session: CBH allows multiple O&M engineers to perform O&M through a shared O&M session. The user who initiates the O&M session can invite other O&M personnel or experts to join the ongoing session and locate problems. This greatly improves O&M efficiency when multiple O&M engineers work together.
- File transmission: CBH uses WSS-based file management technology to upload, download, and manage files online, enabling file sharing among several hosts.
- Command group-sending: CBH supports the group sending function for multiple Linux resources. With this function enabled, when a command is executed in a session window, the same operation is performed in the other session windows.

Function: Third-party client O&M
Description: CBH enables one-click interconnection with multiple O&M tools, enabling you to perform O&M without changing client usage habits.
- O&M tools: SecureCRT, Xshell, Xftp, WinSCP, Navicat, and Toad for Oracle
- SSH clients: For host resources with character protocols configured, O&M engineers can log in to them through SSH clients.
- Database clients: For host resources with databases deployed, O&M engineers can log in to the databases using the configured SSO tools.
- File transfer clients: For host resources with file transfer protocols configured, O&M engineers can log in to them through FTP or SFTP clients.

Function: Automatic O&M
Description: CBH enables automated O&M to simplify complex online operations, eliminating repetitive manual effort and improving efficiency.
- Script management: CBH manages offline scripts, including Shell and Python scripts.
- O&M tasks: CBH automatically executes one or more preset O&M tasks, such as command execution, script execution, and file transfer tasks.
O&M Ticket Application
During O&M, if a system user does not have the required permissions for a certain resource, they can submit a ticket to apply for the permissions.
- O&M personnel can:
  - Manually or automatically trigger the ticket system and submit access approval tickets, command approval tickets, and database approval tickets.
  - Submit, query, cancel, and delete tickets.
- System administrators can:
  - Customize approval processes, including multi-level approval processes.
  - Approve one or more tickets at a time, as well as reject, cancel, query, and delete tickets.