Cloud Firewall provides a built-in threat detection engine to defend against intrusions and common attacks in real time. Cloud Firewall also provides the virtual patching feature to defend against threats. You can use the prevention configuration feature of Cloud Firewall to configure the mode of the threat detection engine. You can also configure the threat intelligence, basic protection, intelligent defense, and virtual patching features to effectively identify and block intrusion attempts. This topic describes the modes of the threat detection engine, how to block different types of attacks, and how to configure the mode.
Configure IPS-based capabilities on the Internet boundary
Modes of the threat detection engine
After Cloud Firewall is purchased, the Block mode is automatically enabled for the threat detection engine. Cloud Firewall automatically determines the appropriate level based on your traffic conditions. The threat intelligence, basic protection, and virtual patching features block threats only after the Block mode is enabled. If the Block mode is disabled, these features only monitor threats and malicious traffic.
For more information about the modes of the threat detection engine, see Overview of IPS.
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
In the Threat Engine Mode section of the Internet Border tab, select a mode for the threat detection engine.
The threat detection engine supports the following modes:
Monitor: If you select this mode, Cloud Firewall records attacks and generates alerts for the attacks, but does not intercept attacks. In this mode, the action of threat intelligence policies, basic protection policies, and virtual patching policies is set to Monitor.
Block: If you select this mode, Cloud Firewall blocks malicious traffic and intrusion attempts.
You can also select one of the following levels for this mode based on your business requirements:
Loose: blocks attacks in a loose manner by using rules that keep the rate of false positives low. This level is suitable for businesses that require the rate of false positives to be minimized.
Medium: blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M and provides a lower rate of false positives than the Strict level.
Strict: blocks attacks in a strict manner by using all rules. This level is suitable for businesses that require the rate of false negatives to be minimized. This level may cause a higher rate of false positives than the Medium level.
Threat Intelligence
By default, Threat Intelligence is turned on, and Cloud Firewall scans for threat intelligence and blocks malicious behavior that is initiated from central control systems based on that intelligence. The threat intelligence feature synchronizes malicious IP addresses that are detected across Alibaba Cloud to Cloud Firewall, which then performs precise intrusion prevention. These malicious IP addresses are used to initiate malicious access, scans, or brute-force attacks.
We recommend that you enable the threat intelligence feature. If you no longer require the threat intelligence feature, you can turn off Threat Intelligence in the Advanced Settings section.
Basic Protection
By default, Basic Rules is turned on, and Cloud Firewall detects common threats. The basic protection feature protects your assets against common intrusions, such as attacks that exploit command execution vulnerabilities. The feature also manages connections from compromised hosts to a command-and-control (C&C) server and provides basic protection for your assets.
We recommend that you enable the basic protection feature. If you no longer require the basic protection feature, you can turn off Basic Rules in the Advanced Settings section.
If you want to view the details of the basic protection policies, or if the default settings of the policies do not meet your business requirements, you can click Configure on the right side of the Basic Protection section to modify the Current Action parameter for one or more basic protection policies. If you modify the Current Action parameter for a policy, the policy is marked as Custom. You can also disable policies. After a policy is disabled, it does not take effect. Policies that are enabled and marked as Custom have a higher priority than policies that use the default actions.
Virtual Patching
By default, Virtual Patching is turned on, and Cloud Firewall protects your assets against common high-risk vulnerabilities and urgent vulnerabilities in real time. The virtual patching feature provides hot patches at the network layer to protect your business against high-risk vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevents business interruption when vulnerabilities are being fixed. You do not need to install virtual patches on your server. If the feature is disabled, Cloud Firewall cannot automatically update patches for your assets.
We recommend that you enable the virtual patching feature. If you no longer require the virtual patching feature, you can turn off Virtual Patching in the Advanced Settings section.
If you want to view the details of the virtual patching policies, or if the default settings of the policies do not meet your business requirements, you can click Configure on the right side of the Virtual Patching section to modify the Current Action parameter for one or more virtual patching policies. If you modify the Current Action parameter for a policy, the policy is marked as Custom. You can also disable policies. After a policy is disabled, it does not take effect. Policies that are enabled and marked as Custom have a higher priority than policies that use the default actions.
Intelligent Defense
By default, Intelligent Defense is turned on, and Cloud Firewall learns from a large amount of data about attacks in the cloud to improve the accuracy of threat detection and attack detection.
The intelligent defense feature is available only when the threat detection engine is set to the Monitor mode. We recommend that you enable the intelligent defense feature. If you no longer require the intelligent defense feature, you can turn off Intelligent Defense in the Advanced Settings section.
Data Leak Detection
To allow Cloud Firewall to detect sensitive data in the outbound connections of your cloud assets and identify related risks, you must enable the data leak detection feature for the assets. An outbound connection refers to the connection from your asset to the Internet. To enable the data leak detection feature for your assets, click Configure Assets. In the Asset Configuration panel, find the public IP address that you want to manage and click Enable Data Leak Detection in the Operation column.
You can also click View Supported Sensitive Data Types to view the types of sensitive data that can be identified by Cloud Firewall. You can enable or disable the data leak detection feature for a data type based on your business requirements.
You can view the data leak dashboard on the Data Leak Detection page. This helps you obtain assets related to data leaks, data leak events, and risk payloads in an accurate manner.
Whitelists
You can add trusted source IPv4 and IPv6 addresses to an inbound whitelist or add trusted destination IPv4 and IPv6 addresses to an outbound whitelist. After you add IP addresses to a whitelist, the basic protection, intelligent defense, and virtual patching features allow traffic from or to those IP addresses. You can add up to 50 IP addresses to a destination IP address whitelist or a source IP address whitelist.
To add IP addresses to a whitelist, click Whitelist in the Advanced Settings section.
The whitelists that you configure take effect only for the basic protection, intelligent defense, and virtual patching features. If you want the threat intelligence feature to allow traffic of IP addresses, you must configure access control policies. For more information, see Create inbound and outbound access control policies for the Internet firewall and What are the priorities of rules that are used by Cloud Firewall to protect traffic?
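The precedence rules described above (Monitor mode forcing every policy to Monitor, Custom policies overriding default actions, disabled policies not taking effect, and whitelists honored by basic protection, intelligent defense and virtual patching but not by threat intelligence) can be modeled to check what action a given connection would receive before a change is rolled out. The following is an added illustration, not Cloud Firewall's own code or API; the feature names, rule IDs and addresses are assumed for the example, and the Block level (Loose/Medium/Strict) only selects the rule set, so it is not modeled.

```python
import ipaddress
from dataclasses import dataclass, field

WHITELIST_LIMIT = 50  # per-list cap stated in the documentation
# Features that honor the IPS whitelist; threat intelligence does not
# (it requires an access control policy instead).
HONOR_WHITELIST = {"basic_protection", "intelligent_defense", "virtual_patching"}
# Current Action of a policy -> outcome for a hit on that policy
_OUTCOME = {"Block": "block", "Monitor": "monitor", "Disabled": "allow"}


@dataclass
class IpsConfig:
    mode: str = "Block"                          # "Monitor" or "Block"
    inbound_whitelist: set = field(default_factory=set)   # trusted sources
    outbound_whitelist: set = field(default_factory=set)  # trusted destinations
    # rule id -> Current Action for policies marked Custom; anything absent
    # keeps the default action, assumed here to be "Block"
    custom_actions: dict = field(default_factory=dict)


def _whitelist(cfg, direction):
    return cfg.inbound_whitelist if direction == "inbound" else cfg.outbound_whitelist


def add_to_whitelist(cfg, direction, ip):
    """Validate an IPv4/IPv6 literal and enforce the 50-entry per-list cap."""
    addr = ipaddress.ip_address(ip)              # ValueError on a malformed address
    target = _whitelist(cfg, direction)
    if addr not in target and len(target) >= WHITELIST_LIMIT:
        raise ValueError(f"{direction} whitelist already holds {WHITELIST_LIMIT} entries")
    target.add(addr)
    return len(target)


def effective_action(cfg, feature, rule_id, direction, ip):
    """Return 'allow', 'monitor' or 'block' for a rule hit, per documented precedence."""
    addr = ipaddress.ip_address(ip)
    if feature in HONOR_WHITELIST and addr in _whitelist(cfg, direction):
        return "allow"                           # whitelist wins for these three features
    if cfg.mode == "Monitor":
        return "monitor"                         # Monitor mode sets every policy to Monitor
    if feature == "threat_intelligence":
        return "block"                           # no per-rule Custom actions modeled here
    action = cfg.custom_actions.get(rule_id, "Block")   # Custom beats the default action
    return _OUTCOME[action]
```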
IPS-based capabilities on the VPC boundary
You must enable a virtual private cloud (VPC) firewall before you can configure intrusion prevention system (IPS) capabilities for the VPC firewall. For more information, see VPC Firewall.
IPS modes
The following IPS modes are supported:
Monitor: If you select this mode, Cloud Firewall records attacks and generates alerts for the attacks, but does not intercept attacks. In this mode, the action of threat intelligence policies, basic protection policies, and virtual patching policies is set to Monitor.
Block: If you select this mode, Cloud Firewall blocks malicious traffic and intrusion attempts.
You can also select one of the following levels for this mode based on your business requirements:
Loose: blocks attacks in a loose manner by using rules that keep the rate of false positives low. This level is suitable for businesses that require the rate of false positives to be minimized.
Medium: blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M and provides a lower rate of false positives than the Strict level.
Strict: blocks attacks in a strict manner by using all rules. This level is suitable for businesses that require the rate of false negatives to be minimized. This level may cause a higher rate of false positives than the Medium level.
Basic protection
The basic protection feature protects your assets against common intrusions, such as attacks that exploit command execution vulnerabilities. The feature also manages connections from compromised hosts to a command-and-control (C&C) server and provides basic protection for your assets.
We recommend that you enable the basic protection feature. If you no longer require the basic protection feature for a Cloud Enterprise Network (CEN) instance or a firewall that is created for an Express Connect circuit, you can go to the VPC Border tab of the IPS Configuration page, find the instance or the firewall, and then click Configure IPS Capabilities to disable the feature.
If you want to view the details of the basic protection policies, or if the default settings of the policies do not meet your business requirements, you can click View Basic Protection Policies on the IPS Configuration page to modify the Current Action parameter for one or more basic protection policies. If you modify the Current Action parameter for a policy, the policy is marked as Custom. You can also disable policies. After a policy is disabled, it does not take effect. Policies that are enabled and marked as Custom have a higher priority than policies that use the default actions. The modified settings take effect on all of your VPC firewalls.
Virtual patching
After you enable the virtual patching feature, Cloud Firewall protects your assets against common high-risk vulnerabilities and urgent vulnerabilities in real time. The virtual patching feature provides hot patches at the network layer to protect your business against high-risk vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevents business interruption when vulnerabilities are being fixed. You do not need to install virtual patches on your server. If the feature is disabled, Cloud Firewall cannot automatically update patches for your assets.
We recommend that you enable the virtual patching feature. If you no longer require the virtual patching feature for a CEN instance or a firewall that is created for an Express Connect circuit, you can go to the VPC Border tab of the IPS Configuration page, find the instance or the firewall, and then click Configure IPS Capabilities to disable the feature.
If you want to view the details of the virtual patching policies, or if the default settings of the policies do not meet your business requirements, you can click View Virtual Patching Policies on the IPS Configuration page to modify the Current Action parameter for one or more virtual patching policies. If you modify the Current Action parameter for a policy, the policy is marked as Custom. You can also disable policies. After a policy is disabled, it does not take effect. Policies that are enabled and marked as Custom have a higher priority than policies that use the default actions. The modified settings take effect on all of your VPC firewalls.
IPS whitelists
You can add trusted source IP addresses to an inbound whitelist or add trusted destination IP addresses to an outbound whitelist. After you add IP addresses to a whitelist, the basic protection, intelligent defense, and virtual patching features allow traffic from or to those IP addresses. You can add up to 50 IP addresses to a destination IP address whitelist or a source IP address whitelist.
To add an IP address to a whitelist, go to the VPC Border tab of the IPS Configuration page, find the required CEN instance or the firewall that is created for an Express Connect circuit, and then click Configure IPS Whitelist in the Actions column.
What to do next
After you turn on Basic Protection, you can view malicious traffic that is blocked by Cloud Firewall on the Intrusion Prevention page. The traffic includes inbound and outbound traffic and traffic between VPCs. For more information, see Implementation of intrusion prevention and Intrusion prevention.
On the Vulnerability Prevention page, you can view information about the vulnerabilities that can be exploited by cyberattacks. The vulnerabilities are automatically detected by Security Center and synchronized to Cloud Firewall. On this page, you can enable the firewalls of Cloud Firewall and configure protection rules of the IPS to prevent the vulnerabilities from being exploited. For more information, see Vulnerability prevention.
On the Breach Awareness page, you can view intrusion events that are detected by the IPS and the details of the intrusion events. For more information, see Breach awareness.
FAQ: