This topic describes the basic concepts of Cloud Firewall.
Security Group and ECS Firewall
A security group is a distributed virtual ECS firewall provided by Elastic Compute Service (ECS). It supports port status monitoring and packet filtering. You can use a security group to control access to ECS instances. A security group is a group of ECS instances in the same region. These instances have the same security requirements and trust each other. When you create an ECS instance, you must specify at least one security group for this instance.
An ECS firewall implements the security group feature at the underlying layer. You can configure policies on the ECS firewall tab of the Access Control page in the Cloud Firewall console or configure security groups in the ECS console. The configurations are automatically synchronized.
Outbound Connection
An outbound connection occurs when an Alibaba Cloud host actively accesses an external IP address. You can analyze outbound connection traffic to discover suspicious hosts.
Internet Exposure
Internet Exposure means that applications and services in the cloud are publicly accessible from the Internet.
Breach Detection
Breach Detection is a feature that monitors network transmissions and checks for suspicious activities. It sends alerts or takes proactive measures when suspicious events are detected. Cloud Firewall integrates the detection and defense capabilities that Alibaba Cloud has accumulated over the past decade. It analyzes and collects statistics about the traffic that passes through Cloud Firewall in real time to discover compromised hosts and block abnormal network activities.
Exposed Application, Exposed Port, and Exposed Public IP
An exposed application is an application that is exposed on the Internet, such as HTTP or Secure Shell (SSH).
An exposed port is a port that is exposed on the Internet, such as port 80 or 22.
An exposed public IP is the public IP address of an asset that is exposed on the Internet.
Application Group
In the east-west business visualization module, an application group is a collection of applications that provide the same or similar services. For example, you can add all ECS instances that are deployed with MySQL to a database application group.
An application is the smallest unit of east-west business visualization in Cloud Firewall. By default, an application serves as a collection of all exposed ports on an ECS instance. You can create an application by cloning the application of a specific port.
Business Zone
In the east-west business visualization module, a business zone contains all application groups related to a specific business. For example, a web portal business zone contains web application groups and database application groups.
High-risk Application Group and High-risk Business Zone
A high-risk application group is a collection of applications that have open high-risk ports, such as port 445. Each high-risk port corresponds to a high-risk application group.
A high-risk business zone is a collection of high-risk application groups.
You can use high-risk business zones and application groups to identify the ECS instances that have open high-risk ports or have accessed high-risk ports.
Cloud Firewall automatically creates high-risk business zones and adds the high-risk application groups to these zones.
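As an added illustration of how the grouping above can be modelled (this is example code, not Cloud Firewall's own logic), the following script builds one application group per high-risk port from an instance inventory, collects those groups into a business zone, and lists the instances that either expose a high-risk port or accessed one. The port list, the instance inventory and the flow records are constructed; port 445 is the page's example, the other ports are assumed for the demonstration.

```python
"""High-risk application groups and business zone from a constructed inventory.

Added example, not Cloud Firewall's own code. Instances are grouped by the
high-risk port they expose (one group per port), the groups are collected
into a business zone, and east-west flow records identify instances that
accessed a high-risk port. Port list, instances and flows are constructed.
"""

# Constructed high-risk port list; 445 is the page's example, the rest are assumed.
HIGH_RISK_PORTS = {445, 135, 139}

# Constructed inventory: instance ID -> ports the instance has open.
INSTANCES = {
    "i-web-1": [22, 80, 445],
    "i-db-1": [3306],
    "i-file-1": [139, 445],
}

# Constructed east-west flow records: (source instance, destination instance, destination port).
FLOWS = [
    ("i-db-1", "i-file-1", 445),
    ("i-web-1", "i-db-1", 3306),
]


def high_risk_groups(instances, high_risk_ports=HIGH_RISK_PORTS):
    """One application group per high-risk port, holding the instances that expose it."""
    groups = {}
    for inst, ports in instances.items():
        for port in set(ports) & set(high_risk_ports):
            groups.setdefault(port, []).append(inst)
    return {port: sorted(members) for port, members in sorted(groups.items())}


def high_risk_business_zone(instances, high_risk_ports=HIGH_RISK_PORTS):
    """The zone is simply the collection of all high-risk application groups."""
    return {"zone": "high-risk", "groups": high_risk_groups(instances, high_risk_ports)}


def instances_touching_high_risk(instances, flows, high_risk_ports=HIGH_RISK_PORTS):
    """Instances that expose a high-risk port, and instances that accessed one."""
    exposing = {
        inst
        for members in high_risk_groups(instances, high_risk_ports).values()
        for inst in members
    }
    accessing = {src for src, _dst, port in flows if port in high_risk_ports}
    return {"exposing": sorted(exposing), "accessing": sorted(accessing)}


if __name__ == "__main__":
    print(high_risk_business_zone(INSTANCES))
    print(instances_touching_high_risk(INSTANCES, FLOWS))
```

The two output sets are deliberately kept apart: an instance that only accessed port 445 on another host (i-db-1 here) belongs in the investigation list but not in the application group, which is defined by what an instance exposes.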
First Seen Traffic
First seen traffic is the first occurrence of access traffic from a source IP address to a destination IP address within a statistical period. You can investigate the cause based on information such as the time, source IP address, and destination IP address. Typically, first seen traffic is caused by newly published services or by intrusions.
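To make the definition concrete, here is an added example (not Cloud Firewall's own code) that applies the first-seen rule to a handful of constructed flow records: a flow is reported when its (source IP, destination IP) pair has not been seen earlier in the same statistical period, and a per-source count of new destinations gives a first triage signal. The period length, the record layout and the flows are assumptions of this example.

```python
"""First seen traffic over constructed flow records.

Added example, not Cloud Firewall's own code. A flow is "first seen" when
its (source IP, destination IP) pair has not appeared earlier in the same
statistical period; the period length, the field layout and the flows
below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed flow records: (ISO timestamp, source IP, destination IP, destination port).
FLOWS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "203.0.113.9", 443),
    ("2024-01-01T10:05:00", "10.0.0.5", "203.0.113.9", 443),  # repeat pair, same period
    ("2024-01-01T10:07:00", "10.0.0.7", "198.51.100.2", 22),
    ("2024-01-01T10:30:00", "10.0.0.5", "198.51.100.2", 22),  # new pair for 10.0.0.5
    ("2024-01-02T11:00:00", "10.0.0.5", "203.0.113.9", 443),  # same pair, next period
]

_EPOCH = datetime(1970, 1, 1)


def _period_index(ts, period):
    """Map a timestamp to the integer index of the statistical period it falls in."""
    return (datetime.fromisoformat(ts) - _EPOCH) // period


def first_seen_flows(flows, period=timedelta(days=1)):
    """Return the flows that are the first (src, dst) occurrence within their period.

    Each entry carries the time, source, destination and port an analyst
    needs to decide whether a new service was published or something intruded.
    """
    seen = {}  # period index -> set of (src, dst) pairs already observed
    result = []
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        pairs = seen.setdefault(_period_index(ts, period), set())
        if (src, dst) not in pairs:
            pairs.add((src, dst))
            result.append({"time": ts, "src": src, "dst": dst, "port": port})
    return result


def new_destinations_per_source(first_seen):
    """Count new destinations per source; a sudden jump is a triage signal."""
    counts = {}
    for entry in first_seen:
        counts[entry["src"]] = counts.get(entry["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = first_seen_flows(FLOWS)
    for entry in hits:
        print(entry)
    print(new_destinations_per_source(hits))
```

The period is bucketed by floor division from a fixed epoch, so the same pair is reported again once a new period starts; shortening the period (for example to minutes) reports more flows as first seen, lengthening it reports fewer.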
Address Book
Cloud Firewall lets you create address books of IP addresses or port numbers. This lets you implement flexible access control based on IP addresses or ports. When you configure an access control policy, you can use an address book to specify all the IP addresses or ports in the address book at a time.
Cloud Firewall supports the following types of address books:
IP address book: lets you specify a set of IP addresses.
Port address book: lets you specify a set of ports.
Domain name address book: lets you specify a set of domain names.
Cloud address book: lets you specify a set of IP addresses or domain names.
The following rules apply to address books:
Cloud Firewall has built-in global address books. You cannot modify or delete these address books.
One IP address or port number can be added to multiple address books.
If you change the IP addresses or port numbers in an address book, the changes automatically take effect for access control policies.
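The following added example (not Cloud Firewall's own code) models the address-book rules listed above: policies reference IP and port address books by name, so editing a user-defined book changes what a policy matches without touching the policy, while a built-in book is rejected on modification. The book names and contents, the policies, the "a-b" port-range syntax and the default action when no policy matches are all assumptions of this example.

```python
"""Access control with address books.

Added example, not Cloud Firewall's own code. Policies reference IP and
port address books by name; editing a user-defined book changes policy
results without editing the policy, and built-in books are read-only.
Book names, contents, policies, the "a-b" port-range syntax and the
default action are constructed assumptions of this example.
"""
import ipaddress

# Constructed address books. "any_ip" stands in for a built-in global book.
IP_BOOKS = {
    "any_ip": ["0.0.0.0/0"],
    "ops_hosts": ["203.0.113.0/24", "198.51.100.7"],
}
PORT_BOOKS = {
    "web": ["80", "443"],
    "admin": ["22", "3389"],
    "app_range": ["8000-8010"],  # constructed range syntax
}
BUILTIN_BOOKS = {"any_ip"}

# Constructed policies: lower priority value wins, first match is final.
POLICIES = [
    {"priority": 1, "src": "ops_hosts", "dst_port": "admin", "action": "allow"},
    {"priority": 2, "src": "any_ip", "dst_port": "admin", "action": "deny"},
]


def _ip_in_book(ip, book):
    """True if the address falls in any entry (host or CIDR) of the IP book."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in IP_BOOKS[book])


def _port_in_book(port, book):
    """True if the port matches a single port or an 'a-b' range in the port book."""
    for entry in PORT_BOOKS[book]:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(src_ip, dst_port, default="allow"):
    """Return the action of the highest-priority matching policy, else the default."""
    for policy in sorted(POLICIES, key=lambda p: p["priority"]):
        if _ip_in_book(src_ip, policy["src"]) and _port_in_book(dst_port, policy["dst_port"]):
            return policy["action"]
    return default


def update_ip_book(name, entries):
    """Replace the entries of a user-defined IP book; built-in books are read-only."""
    if name in BUILTIN_BOOKS:
        raise ValueError(f"address book {name!r} is built in and cannot be modified")
    for e in entries:
        ipaddress.ip_network(e, strict=False)  # reject malformed entries before committing
    IP_BOOKS[name] = list(entries)


if __name__ == "__main__":
    print(evaluate("203.0.113.5", 22))  # allowed via ops_hosts
    update_ip_book("ops_hosts", ["198.51.100.7"])
    print(evaluate("203.0.113.5", 22))  # now denied: the book changed, the policy did not
```

Validating every entry before replacing the book matters because a policy that references the book picks up the change immediately; a malformed entry would otherwise break evaluation for every policy using that book.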