
Bastionhost:Functions and features

Last Updated:May 23, 2024

This topic describes the features supported by Bastionhost Basic Edition and Bastionhost Enterprise Edition and the feature differences between the editions.

Background information

The following list describes the scenarios in which Bastionhost Basic Edition and Bastionhost Enterprise Edition are used and the advantages of each edition:

  • Bastionhost Basic Edition is suitable for small and medium-sized enterprises that own 50 to 500 assets of different types and require professional O&M. This edition provides fine-grained O&M capabilities, such as client-based O&M, fine-grained access control and authorization for O&M users, automatic high-risk command blocking, and real-time O&M session monitoring and blocking. Resource Access Management (RAM) users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users can be added to Bastionhost Basic Edition for management. Bastionhost Basic Edition helps small and medium-sized enterprises ensure basic O&M security.

  • Bastionhost Enterprise Edition is suitable for large enterprises and for enterprises in sectors with high requirements for O&M security, such as the public service, finance, gaming, online education, and information technology sectors. Bastionhost Enterprise Edition supports all O&M features of Bastionhost Basic Edition and provides the following additional features and advantages to meet higher requirements for O&M security:

    • Database O&M: O&M and authorization management are supported for ApsaraDB RDS instances, self-managed databases, and third-party databases that run MySQL, SQL Server, PostgreSQL, or Oracle.

    • Hybrid O&M: centralized O&M is supported in scenarios that involve different types of assets, such as assets in data centers, assets in third-party clouds, and cross-account assets.

    • Higher business stability: Bastionhost Enterprise Edition uses a dual-engine architecture. Both engines are active, which offers a Service Level Agreement (SLA) of 99.95%.

    • Other value-added capabilities: O&M portal-based O&M is supported. Automatic password change is supported for Linux assets, which improves password security.

Bastionhost features

The following table describes the features supported by Bastionhost Basic Edition and Bastionhost Enterprise Edition, and the differences in features between the editions.

Note

In the following table, a cross (✗) indicates that a feature is not supported. A check (✓) indicates that a feature is supported.

| Feature | Description | Basic Edition | Enterprise Edition | References |
| --- | --- | --- | --- | --- |
| Architecture | Uses a dual-engine and high-availability architecture to ensure the stability of business and monitoring operations. | Cloud architecture. | Cloud-based dual-engine architecture. | Benefits |
| Elastic scaling | You can upgrade bastion host configurations such as the number of assets, storage, and bandwidth. | ✓ | ✓ | Billing |
| Internationalization | Multiple languages are supported. You can switch the language between simplified Chinese, traditional Chinese, and English in real time. You can also deploy a bastion host outside China. Mobile phone numbers provided by multiple telecom carriers outside China are supported in two-factor authentication. | ✓ | ✓ | Which countries and regions support the SMS-based two-factor authentication feature of Bastionhost? |
| User management | Multiple user roles are supported, including administrators, O&M engineers, and auditors. | ✓ | ✓ | Grant management permissions to a RAM user |
| | You can add a single user or import multiple users at a time by using a file. | ✓ | ✓ | Manage users |
| | Users from RAM, AD, and LDAP can be automatically synchronized. | ✓ | ✓ | |
| | You can import users from multiple authentication sources as Bastionhost users, such as Identity as a Service (IDaaS) users, DingTalk users, and Microsoft Azure AD users. | ✗ | ✓ | |
| | You can change the status of user accounts. The states include expired, locked, and inactive. | ✓ | ✓ | Configure the parameters on the User Settings tab |
| | You can configure settings such as account lockout and the password validity period. | ✓ | ✓ | Configure the parameters on the User Settings tab |
| Asset management | You can perform O&M operations on Windows and Linux servers. The following common protocols are supported for O&M: SSH and Remote Desktop Protocol (RDP). | ✓ | ✓ | Client-based O&M |
| | You can perform O&M and audit operations on ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases. | ✗ | ✓ | |
| | You can manually add assets and import Alibaba Cloud and third-party cloud assets with a few clicks. | ✓ | ✓ | |
| | The logon information of assets, such as passwords and keys, can be managed on bastion hosts. This way, O&M engineers can access and perform O&M operations on assets without entering the asset passwords. | ✓ | ✓ | |
| | You can check the status of Elastic Compute Service (ECS) and ApsaraDB RDS instances and the network connectivity of assets. You can configure regular checking or manually check the status. | ✓ | ✓ | Manage hosts |
| | Security Center can be used to monitor asset risks and notify you of the status and number of risks, including alerts, vulnerabilities, and baseline risks. You can quickly go to Security Center to handle the risks. | ✓ | ✓ | Manage hosts |
| | You can perform centralized O&M operations on different types of assets. For example, you can manage assets in third-party clouds, assets on Alibaba Cloud, and assets in on-premises data centers in a centralized manner. | ✓ | ✓ | Best practices of hybrid O&M |
| | Network domain proxies are supported. A bastion host can use proxy servers to connect to assets over the internal network. | ✗ | ✓ | Use the network domain feature |
| | You can manually or periodically change the passwords of Linux servers. | ✗ | ✓ | Use the automatic password change feature |
| O&M management | Two-factor authentication can be performed based on text messages, emails, Time-Based One-Time Passwords (TOTPs), and DingTalk. | ✓ | ✓ | Enable two-factor authentication |
| | Client tools such as Microsoft Terminal Services Client (MSTSC), Xshell, SecureCRT, and PuTTY can be used to log on to bastion hosts and access hosts. | ✓ | ✓ | Database O&M tools and versions |
| | WinSCP, Xftp, SecureFX, and other Secure File Transfer Protocol (SFTP) client tools on your computer can be used to log on to bastion hosts for file transfer. | ✓ | ✓ | SFTP-based O&M |
| | An independent O&M portal is provided. | ✓ | ✓ | O&M portal-based O&M |
| | You can access hosts from a web browser. | ✗ | ✓ | Use the host O&M feature |
| | O&M sessions can be monitored in real time and can be interrupted at any time. | ✓ | ✓ | |
| | You can control operations during RDP-based O&M, such as uploading or downloading files from the clipboard and disk mapping. | ✓ | ✓ | Configure a control policy |
| | During SSH-based O&M, you can configure whitelists or blacklists to control commands and configure command approval policies. This helps you control the execution of high-risk and sensitive commands. | ✓ | ✓ | Configure a control policy |
| | This feature controls the following operations when you perform O&M operations: uploading, downloading, deleting, and renaming files, and creating and deleting folders. | ✓ | ✓ | Configure a control policy |
| | The O&M applicant review feature is supported. After the feature is enabled, an O&M engineer can log on to the assets only after the Bastionhost administrator approves the O&M application submitted by the O&M engineer. | ✓ | ✓ | O&M approval |
| | You can configure the users, source IP addresses, and time periods that are approved for logging on to a bastion host. | ✓ | ✓ | Configure the parameters on the User Settings tab |
| | You can configure the maximum duration of an idle O&M session and the maximum total duration of O&M sessions. | ✓ | ✓ | Configure the parameters on the User Settings tab |
| O&M audit | You can audit all O&M operations based on logs and videos. Video playback of O&M operations is supported. | ✓ | ✓ | Search for sessions and view session details |
| | This feature allows you to audit file transfers. | ✓ | ✓ | |
| | O&M reports can be generated. You can export reports in PDF, HTML, and Word formats. | ✓ | ✓ | View the O&M information on the O&M Reports page and export an O&M report |
| | Audit logs of O&M sessions can be transferred to Simple Log Service and downloaded to your computer by using the log backup feature. | ✓ | ✓ | |
| API operations | This feature allows you to call API operations. | ✓ | ✓ | List of operations by function |