Unified security management and operation and maintenance audit solution for colleges and universities
Industry pain points and needs

With the gradual deepening of campus digitization and information construction, the integration of the various information resources on campus has entered the stage of comprehensive planning and implementation, for example combining the campus one-card with the ongoing construction of identity authentication, the personnel, student and engineering MIS, and application systems. A common identity authentication mechanism enables integrated and shared data management and makes the Campus All-in-one Card system an organic part of campus information construction. This combination lays a foundation for resource sharing among systems.

The high concentration of information makes data security increasingly important. Education is an industry tied to the rise and fall of the country, so once data is leaked it has a negative impact on society and becomes a hot issue for public opinion and the media. Driven by huge commercial interests, the databases of the education industry face a pincer of internal and external threats, especially commercially motivated illegal "invasion", which not only seriously damages the public image and authority of the school, but also divulges personal information, harms the personal interests of students, and adds disharmony to the cause of education.


Given the current security situation faced by the informatization development of colleges and universities, operation and maintenance management mainly carries the following risks:


1. Management status: the IT systems that support university operations consist mainly of a large number of network devices, host systems and application systems. From the application perspective, these devices and systems belong to different departments. The network devices and host systems each have their own independent user management, authentication, authorization and audit systems, and different system administrators are responsible for their maintenance and management. Working across these systems is very complex for maintenance personnel;


2. Unclear authorization: because each system is authorized separately, the principle of minimum user privilege from IT operation and maintenance best practice cannot be strictly implemented. At the same time, as business systems and users increase, user authorization management becomes quite complex and system security is threatened;


3. Hidden dangers of shared accounts: to reduce the complexity and difficulty of management, some accounts are shared by multiple people. The proliferation of these accounts is hard to control, and security incidents often occur because of such account sharing;


4. Hidden danger of simple passwords: maintenance personnel switch systems frequently and must enter the user names and passwords of different systems to log in. To make them easier to remember, they often use relatively simple passwords or the same password on multiple systems. In an emergency they may also share their user names and passwords with others. All of these pose a great threat to the security of the whole system;


5. Lack of centralized log audit: because each system operates independently, system operation logs and audits of maintenance personnel activity can only be carried out system by system. When a system fails, the problem must be investigated one system at a time and a unified, centralized investigation is not possible, which greatly reduces work efficiency and can allow losses to grow.


Our programme


As the most advanced, central and comprehensive technology trend in intranet security, bastion host ("fortress machine") technology provides core monitoring and protection for the core servers, databases, switches and other equipment resources of the university information center.


Centralized account management


Improves management effectiveness by establishing a new user system that completely replaces the user systems managed independently by each original system. Front-end users correspond directly to maintenance personnel and back-end users correspond directly to the original system users, providing a centralized real-name user management mechanism. A unified user information maintenance portal ensures that the user account information of each system is unique and updated synchronously;


Centralized authentication and access control


Improves operation and maintenance security through centralized authentication: the authentication entry point through which users access the information systems is centralized and unified, and strong authentication is adopted so that login and authentication behavior across the whole information system is controllable and manageable, improving business continuity and system security. Centralized access control gives maintenance personnel unified access to systems and equipment, provides access control functions, effectively solves the operating problems of operation and maintenance personnel, and reduces the security risks of the relevant information systems;


Centralized operation audit

Improves traceability and the ability to locate problems by capturing the user operation data flow dynamically and in real time. The centralized audit module logically reassembles the audited data packets, restores the user's remote access operation process, and automatically records it by session. The log audit center provides a powerful search engine that lets users query by time, login address, host address, host account, user operation commands and other rich query conditions, quickly locate the session logs that match the monitoring rules, and reconstruct what was done. Centralized authorization provides unified information system authorization management and standardizes the authorization of all managed information resources. A fine-grained permission allocation strategy ensures that administrators can grant appropriate permissions to different users, which conforms to the principle of minimum permission allocation to the greatest extent and protects the security of information support system resources to a great extent. Centralized security audit provides centralized log audit, which can correlate users' operation behavior, quickly discover, analyze, locate and respond to illegal logins and illegal operations, and provide a basis for security audit and tracking.
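The query conditions listed above, applied to session records that pair the real-name front-end user with the back-end account, as an added example that is not the vendor's code. The record field names, the `search` and `who_used` helpers and the sample sessions are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample session records (not vendor data). Each record keeps the
# real-name front-end user next to the back-end host account that was used.
SESSIONS = [
    {"user": "zhang.wei", "login_addr": "10.1.5.20", "host": "192.168.10.11",
     "account": "root", "start": datetime(2019, 3, 4, 9, 15),
     "commands": ["df -h", "systemctl restart nginx"]},
    {"user": "li.na", "login_addr": "10.1.5.33", "host": "192.168.10.11",
     "account": "root", "start": datetime(2019, 3, 4, 23, 40),
     "commands": ["cat /etc/passwd", "rm -rf /var/log/app"]},
    {"user": "li.na", "login_addr": "10.1.5.33", "host": "192.168.10.12",
     "account": "oracle", "start": datetime(2019, 3, 5, 10, 2),
     "commands": ["sqlplus / as sysdba"]},
]


def search(sessions, start=None, end=None, login_addr=None, host=None,
           account=None, command=None):
    """Return the sessions that satisfy every condition that was supplied."""
    hits = []
    for s in sessions:
        if start is not None and s["start"] < start:
            continue
        if end is not None and s["start"] > end:
            continue
        if login_addr is not None and s["login_addr"] != login_addr:
            continue
        if host is not None and s["host"] != host:
            continue
        if account is not None and s["account"] != account:
            continue
        # Command condition: substring match against any recorded command.
        if command is not None and not any(command in c for c in s["commands"]):
            continue
        hits.append(s)
    return hits


def who_used(sessions, host, account):
    """Resolve a shared back-end account to the real-name users behind it."""
    return sorted({s["user"] for s in search(sessions, host=host, account=account)})


if __name__ == "__main__":
    print(who_used(SESSIONS, "192.168.10.11", "root"))
    for s in search(SESSIONS, account="root", command="rm -rf"):
        print(s["user"], s["login_addr"], s["start"], s["commands"])
```

Because every record carries the front-end identity, a command run under a shared `root` account is still attributable to one person.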


Deployment mode

Program advantages


Mature and stable


After more than ten years of market verification and technology accumulation, a large number of successful deployments run in complex production environments, and there are many cases in the education industry, including famous universities such as Shanghai Jiaotong University, Shanghai University of Finance and Economics, Wuhan University, Huazhong University of Science and Technology, Xi'an Jiaotong University and so on.


Safe and reliable


Two fully functional unified operation and maintenance platforms, each running independently, are provided at the same time. Device HA synchronizes configuration and audit logs in real time;


Adapts well to the network environment: green deployment that does not change the original network topology, with support for cluster deployment and cross-network-segment deployment;


System development and updates follow the secure software development life cycle process with version management, and each iterative upgrade ensures that best practices are met.


Modern techniques


Supports local authentication, AD domain authentication, RADIUS authentication, fingerprint authentication, WeChat authentication, SMS authentication, etc., with the most complete set of identity authentication methods in the industry;


A system login strategy can be set for users, including limits on login IP, login time period, port, account, etc., to ensure that new users can access the back-end resources they have permissions for and that operation and maintenance is controllable;


Supports alarming on and blocking of high-risk commands, effectively controlling the risks caused by misoperation and high-risk operations in operation and maintenance;


Unified management of in-band and out-of-band operation and maintenance; the only product in the industry that simultaneously supports mainstream KVM over IP products such as Avocent, Raritan, ATEN, etc.;


The original database operation and maintenance audit platform covers mainstream commercial database enterprise applications and operation and maintenance operations.


Customer Benefits


1. Achieve centralized control and management of accounts, authentication, authorization and audit for core data assets, virtualization equipment, scientific research systems and data, and network center assets including the business support system, business delivery system, campus "all-in-one card", intranet core network equipment, host equipment and database assets.

2. Achieve a centralized identity authentication and access portal, with centralized access authorization, access control and role authorization management based on a centrally controlled security policy, and ensure that the various business delivery systems in the network center provide 7x24 hours of uninterrupted operation and maintenance.


Classic cases
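  • Shanghai Jiao Tong University
  • Huazhong University of Science and Technology
  • Xidian University
  • Shanghai Conservatory of Music
  • Xi'an International Studies University
  • Wuhan University
  • Beijing University of Technology
  • Shanghai University of Finance and Economics
  • Shanghai Finance University
  • North University of China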
Copyright © 2019 All Rights Reserved Designed
Hangzhou pldsec Network Technology Co