
Cloud Firewall:Overview

Last Updated:Sep 23, 2024

The default intrusion prevention system (IPS) of Cloud Firewall proactively detects and blocks malicious traffic that is generated by attacks, vulnerability exploits, brute-force attacks, worms, mining programs, trojans, and DoS attacks in real time. This protects enterprise information systems and network architectures on the cloud against attacks, prevents unauthorized access or data leaks, and prevents damage or failures of your business systems and applications.

Why IPS?

Common cyber attacks on the cloud

Enterprises deploy their important business systems on the cloud to provide Internet-facing and internal-facing services, including development environments, production environments, and data mid-ends. In this scenario, enterprises may encounter intrusions and unauthorized access, which pose threats such as data leaks, server resource exhaustion, and service interruptions. Networks are the primary channel through which these attacks spread. The following list describes common attack methods:

  • Malware attack: Malware includes viruses, worms, and trojans. If malware is accidentally downloaded to your cloud server, the server may be compromised.

  • Port scanning and brute-force attack: Attackers deploy scanning systems to find open ports used by specific servers around the world and then attempt to guess usernames and passwords by brute force to gain unauthorized access. Attackers may also plant trojans on victim machines and install mining programs or ransomware on them.

  • Web vulnerability attack: Includes SQL injection, cross-site scripting (XSS), Cross-Site Request Forgery (CSRF), and remote code execution (RCE) vulnerabilities. Attackers exploit vulnerabilities in applications or websites to gain unauthorized access to specific systems, tamper with data, or steal information.

  • Layer-4 vulnerability attack: Attacks that exploit vulnerabilities in Layer-4 protocols.

  • Database attack: Attacks on databases such as Redis and MySQL.

  • Command execution and reverse shell: Attackers use malicious commands and reverse shells to gain unauthorized access.

To prevent the preceding attacks, enterprises must adopt security measures and protection policies, such as deploying Cloud Firewall, strengthening network security configurations, and fixing vulnerabilities at the earliest opportunity. This ensures the security and stability of business systems.

IPS of Cloud Firewall

The IPS of Cloud Firewall blocks malicious traffic, provides virtual patches, denies malicious outbound traffic, uses shared threat intelligence, and builds intelligent models based on machine learning to provide comprehensive and efficient protection for cloud services of enterprises.

  • The IPS of Cloud Firewall provides more than 5,000 basic protection items and virtual patches, which can be used to efficiently block vulnerability exploits and shorten the attack exposure window.

    If a vulnerability exists in the cloud business system of an enterprise, a patch must be installed to fix it. In most cases, fixing a vulnerability takes a long time, and installing specific patches may require a service restart. With Cloud Firewall, however, blocking of high-risk vulnerabilities and zero-day vulnerabilities requires only 3 hours, which buys time for fixing the vulnerabilities. Cloud Firewall efficiently protects your services from exploits without the need to manually install patches or restart your servers.

  • The IPS of Cloud Firewall also detects and protects against malicious outbound traffic at the earliest opportunity. For example, the IPS detects malicious outbound traffic from compromised business systems to command and control servers and detects unusual outbound connections. The IPS generates alerts and denies malicious traffic when malicious traffic is detected. This reduces the risks of data leaks and attack propagation.

  • The IPS of Cloud Firewall can use the massive amount of threat intelligence of Alibaba Cloud to precisely detect malicious IP addresses, domain names, IP addresses of command and control (C&C) servers, scanners, and crackers in real time.

  • Cloud Firewall uses a large amount of attack data and attack methods that are accumulated by Alibaba Cloud to build an intelligent model that helps you effectively defend against unknown threats.


Implementation of the Cloud Firewall IPS

Cloud Firewall is deployed in the cloud network in series mode. It protects the traffic from and to the Internet, the traffic passing through NAT gateways, the traffic between virtual private clouds (VPCs) in internal networks, and the traffic between the cloud and on-premises data centers. The following figure shows the network architecture.

[Figure: Cloud Firewall network architecture]

Cloud Firewall monitors all network traffic that passes through it, filters the traffic by using its IPS engine and ACL engine, and then forwards normal traffic.

Cloud Firewall uses a Deep Packet Inspection (DPI) engine to detect and identify network traffic. The engine identifies the protocols of the traffic and parses the packets. Cloud Firewall then matches the traffic and packets against IPS rules and threat intelligence. When an IPS rule is hit, the attack packet is discarded or allowed depending on the mode of the threat detection engine (Monitor Mode, Block Mode - Loose, Block Mode - Medium, or Block Mode - Strict). This way, alerts are generated and attacks are blocked in real time.


Types of attacks supported by Cloud Firewall

Note

For more information about how to configure the mode of the threat detection engine, see IPS configuration.

Attack type: Suspicious connection

Attack hazard: Attackers may use scanners to scan open ports on a server. If the server exposes database ports that do not require authentication or services that use weak passwords, data loss or data leaks may occur. For example, unauthorized access to Redis is a common risk: if a Redis database is not properly secured, attackers can obtain sensitive data or damage the database through unauthorized access.

Suggestion:

  • If you run non-web applications, such as MySQL or SQL Server, on ports 80, 443, or 8080, check whether rules for behaviors such as shellcode and sensitive operations are hit. These rules also cover attack methods that target non-web applications.

  • If you do not have such non-web applications, we recommend that you enable Block Mode - Strict.

Attack type: Command execution

Attack hazard: If an attacker executes malicious commands, serious consequences may follow: control of the server may be obtained, sensitive data may be leaked, and other systems may be attacked. For example, attackers may exploit the Log4j vulnerability to execute malicious commands.

Suggestion:

  • Block Mode - Loose protects most web applications against common and uncommon RCE attacks and meets daily protection requirements. RCE attacks are the most harmful type of attack. If you use Block Mode - Medium to protect against RCE attacks, take note of the hit details of the rules in each module.

  • If your business is complex and involves a number of non-web applications, we recommend that you enable Block Mode - Strict.

Attack type: Scanning

Attack hazard: If machines or network devices are overloaded by network scanning, service interruptions or stability issues may occur. As a result, the system may stop responding or the service may become unavailable.

Suggestion:

  • Check whether Server Message Block (SMB) named pipes are enabled in your business. SMB named pipes are used for features such as file sharing. If you do not need SMB named pipes, we recommend that you disable them to reduce potential security risks.

  • If you need SMB named pipes, we recommend that you enable Block Mode - Medium or Block Mode - Strict.

Attack type: Information leakage

Attack hazard: Information leakage may violate personal privacy rights and lead to unauthorized use of sensitive information, such as ID card numbers, contact information, and financial information.

Suggestion:

  • The definition of information leakage varies by business. Take note of the hit details of rules in Block Mode - Medium and Block Mode - Strict.

  • We recommend that you first enable Monitor Mode, review the rule hit details, and check whether false positives are reported within a business cycle, such as 24 hours, a week, or a month. If no false positives are reported in Monitor Mode, normal traffic is not being identified as a threat, and you can enable Block Mode - Medium or Block Mode - Strict.

Attack type: DoS attack

Attack hazard: If machines or network devices are overloaded by DoS attacks, service interruptions or stability issues may occur. As a result, the system may stop responding or the service may become unavailable.

Suggestion:

  • DoS attacks are comparatively less harmful. Check whether your service has been interrupted or suspended for unknown reasons. If your service is not affected, you can keep the Block Mode - Loose setting.

  • If your business requires a high level of service uptime, you can select Block Mode - Medium or Block Mode - Strict.

Attack type: Overflow attack

Attack hazard: If machines or network devices are overloaded by overflow attacks, service interruptions or stability issues may occur. As a result, the system may stop responding or the service may become unavailable.

Suggestion:

  • Overflow attacks occur when input to a binary is not strictly bounds-checked, so that out-of-bounds memory access occurs while parameters are processed; this can be chained into other attacks such as command execution and information leakage. When you protect against overflow attacks, take note of the hit details of non-web application attacks.

  • If your business mainly involves web applications, you can select Block Mode - Loose. If your business involves a number of non-web applications, we recommend that you select Block Mode - Medium or Block Mode - Strict.

Attack type: Web attack

Attack hazard: Web attacks are serious security threats. By initiating web attacks, attackers can obtain control of specific servers and steal sensitive data, which may cause service interruptions.

Suggestion: Common web attacks include SQL injection, XSS, and arbitrary file access, as listed in the Open Web Application Security Project (OWASP) Top 10. To prevent these attacks, we recommend that you perform strict testing during the canary release and official release of the rules, and that you enable Block Mode - Medium or Block Mode - Strict during routine O&M.

Attack type: Trojan

Attack hazard: A trojan is a type of malware that provides continuous unauthorized access to a victim machine. Attackers may regain access to the system even after its vulnerabilities are fixed, monitor the compromised system for a long period of time, and steal sensitive data. Systems compromised by trojans may expose you to legal liabilities, lawsuits, fines, and reputation damage.

Suggestion:

  • Trojan communication usually relies on encryption, obfuscation, and encoding to bypass protection measures. In Block Mode - Strict, weak features are usually used for detection and blocking. In daily operations, we recommend that you enable Block Mode - Medium.

  • We recommend that you enable Block Mode - Medium or Block Mode - Strict during routine O&M.

Attack type: Worm

Attack hazard: A worm is a type of persistent malware that provides continuous unauthorized access to a victim machine. Attackers may regain access to the system even after its vulnerabilities are fixed, monitor the compromised system for a long period of time, and steal sensitive data. Systems compromised by worms may also expose you to legal liabilities, lawsuits, fines, and reputation damage.

Suggestion: In most cases, this type of attack compromises hosts. If a rule is hit in Monitor Mode, use the traceability analysis feature to identify the source of the attack and take appropriate countermeasures. If no rules are hit, the host is running securely. In this case, we recommend that you enable Block Mode - Medium.

Attack type: Mining

Attack hazard: Mining is malicious behavior that consumes bandwidth and computing power, causing system lag and degraded performance. The result is issues such as slow application execution and response latency, which hurt efficiency and user experience.

Suggestion: In most cases, this type of attack compromises hosts. If a rule is hit in Monitor Mode, use the traceability analysis feature to identify the source of the attack and take appropriate countermeasures. If no rules are hit, the host is running securely. In this case, we recommend that you enable Block Mode - Medium.

Attack type: Reverse shell

Attack hazard: Reverse shells are attack tools that provide continuous unauthorized access to a victim machine. Attackers may regain access to the system even after its vulnerabilities are fixed, monitor the compromised system for a long period of time, and steal sensitive data. Systems compromised by reverse shells may also expose you to legal liabilities, lawsuits, fines, and reputation damage.

Suggestion: In most cases, this type of attack compromises hosts. If a rule is hit in Monitor Mode, use the traceability analysis feature to identify the source of the attack and take appropriate countermeasures. If no rules are hit, the host is running securely. In this case, we recommend that you enable Block Mode - Medium.

Attack type: Others

Attack hazard: This category includes attacks that establish illegal outbound connections, attacks that arrive over outbound connections, and attacks that cannot be otherwise classified.

Suggestion:

  • If your business has no outbound connections, you can select Block Mode - Loose.

  • If various browsers and applications are installed on your host and outbound connections are not managed, attackers can compromise the host more easily through outbound downloads and C2 communication than through inbound traffic, which is relatively hard to attack. To defend against such attacks, we recommend that you enable Block Mode - Strict.

Modes of the threat detection engine

The threat detection engine runs in either Monitor mode or Block mode. The action taken by basic protection policies and virtual patching policies depends on the mode of the engine. For example, if you set the engine to Block Mode - Strict, the action of basic protection policies and virtual patching policies is Block. The following describes the modes of the threat detection engine.

Category: Monitor

Scenario: Protection is not supported.

Description: In Monitor mode, the system only records attacks and generates alerts for them. Attacks are intercepted only in Block mode.

Example: Remote DoS vulnerability in Apache Tomcat (CVE-2014-0075), Atlassian Jira SSRF vulnerability (CVE-2019-16097), and Godlua backdoor software communication

Category: Block

Scenario: Loose

Description: The system blocks attacks in a loose manner by using only rules that have a low rate of false positives. This level is suitable for business that requires the rate of false positives to be minimized. At this level, the system detects keywords and key parameters of vulnerability exploits in attack packets and behavior. No false positives are generated.

Example: RCE vulnerability in Apache Struts 2 (CVE-2018-11776), unauthorized access to Spark REST API (CVE-2018-11770), and Jenkins RCE vulnerability (CVE-2018-1000861)

Category: Block

Scenario: Medium

Description: The system blocks attacks in a standard manner. This level is suitable for daily O&M. At this level, the system uses common rules to detect various types of attacks comprehensively, based on different detection methods for vulnerability exploits. This level provides a lower rate of false positives than the Loose level.

Example: RCE vulnerability in Oracle WebLogic Server (CVE-2020-2551), RCE vulnerability in Microsoft Windows RDP Client (CVE-2020-1374), and SMBv1 DoS attack (CVE-2020-1301)

Category: Block

Scenario: Strict

Description: The system blocks attacks in a strict manner by using all rules. This level is suitable for business that requires the rate of false negatives to be minimized. It may cause a higher rate of false positives than the Medium level. At this level, the system detects high-risk vulnerabilities, such as stack overflows and buffer overflows, most of which are Layer-4 protocol vulnerabilities. The system identifies attacks by using methods such as protocol analysis, keyword matching, multiple redirects, and keyword offset.

Example: Buffer overflow in Squid Proxy HTTP Request Processing (CVE-2020-8450), DoS attack in NGINX 0-Length Headers Leak (CVE-2019-9516), and command injection in Oracle WebLogic rda_tfa_ref_date (CVE-2018-2615)
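The mode semantics above, together with the workflow recommended for information leakage (run Monitor Mode for a business cycle, confirm no false positives, then raise the level), modelled in Python as an added example. This is not Cloud Firewall code: the rule names and their tiers, the key=value alert lines, and the assumption that rules above the current level alert rather than block are all constructed for illustration.

```python
from collections import Counter
from enum import IntEnum

class Mode(IntEnum):
    MONITOR = 0  # record and alert only
    LOOSE = 1    # block with low-false-positive rules only
    MEDIUM = 2   # block with common rules (daily O&M)
    STRICT = 3   # block with all rules

# Constructed rule set: rule name -> lowest Block level at which it blocks.
# Tiers are illustrative, not Cloud Firewall's own rule data.
RULE_TIER = {
    "struts2_ognl_rce": Mode.LOOSE,
    "redis_unauth_access": Mode.MEDIUM,
    "generic_shellcode_pattern": Mode.STRICT,
}

def action_for(rule: str, mode: Mode) -> str:
    """Monitor only alerts; a Block level blocks rules at or below it.
    Assumption (not stated on the page): rules above the level still alert."""
    return "block" if mode > Mode.MONITOR and RULE_TIER[rule] <= mode else "alert"

def parse_hits(log_lines) -> Counter:
    """Count hits per rule from constructed 'key=value' alert lines."""
    hits = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "rule" in fields:
            hits[fields["rule"]] += 1
    return hits

def strictest_safe_mode(hits: Counter, false_positive_rules) -> Mode:
    """Strictest Block mode in which no rule the operator marked as a false
    positive after a Monitor Mode cycle would block. Falls back to Monitor
    if even a Loose-tier rule misfired on normal traffic."""
    mode = Mode.STRICT
    for name in false_positive_rules:
        if hits.get(name, 0) > 0:
            mode = min(mode, Mode(RULE_TIER[name] - 1))
    return mode

# Constructed Monitor Mode alerts from one business cycle.
MONITOR_LOG = [
    "ts=2024-09-23T08:01:00Z src=203.0.113.5 rule=struts2_ognl_rce action=alert",
    "ts=2024-09-23T09:15:00Z src=198.51.100.7 rule=redis_unauth_access action=alert",
    "ts=2024-09-23T10:42:00Z src=10.0.2.15 rule=generic_shellcode_pattern action=alert",
    "ts=2024-09-23T11:03:00Z src=10.0.2.15 rule=generic_shellcode_pattern action=alert",
]

if __name__ == "__main__":
    hits = parse_hits(MONITOR_LOG)
    # Review: the shellcode hits came from an internal non-web app's binary
    # protocol, so that rule is a false positive here; cap the mode below it.
    mode = strictest_safe_mode(hits, {"generic_shellcode_pattern"})
    print(mode.name, {r: action_for(r, mode) for r in RULE_TIER})  # MEDIUM
```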

Best practices of Cloud Firewall IPS