This topic provides answers to frequently asked questions about the application protection feature of Security Center.
What are the differences between application protection and WAF?
The application protection feature uses Runtime Application Self-Protection (RASP) technology, and Web Application Firewall (WAF) filters traffic at the network edge; you can use both to protect your applications. Application protection defends against zero-day vulnerabilities and attacks carried in encoded or encrypted traffic that target your servers, whereas WAF effectively mitigates volumetric attacks at the network ingress. For comprehensive protection, we recommend that you use the feature together with WAF. The following table describes the differences.
| Item | Application protection | WAF |
|---|---|---|
| Focus | Ensures the security of applications, regardless of the traffic source. | Filters out and protects against attack traffic at the network layer. |
| General protection scope | Provides defense against common web vulnerabilities such as SQL injection, remote code execution, file inclusion, and webshells. | |
| Specialized protection scope | Provides defense against zero-day vulnerabilities, complex encoded or encrypted traffic, in-memory webshells, non-HTTP protocols, and horizontal penetration over internal networks. | Provides defense against DoS attacks such as HTTP flood attacks, crawler attacks, scan attacks, and attacks related to access control and API security. |
| Detection method | Detects real attacks at runtime, from inside the application. | Matches and filters out attack traffic based on traffic characteristics. |
| Deployment location | Deployed on servers and injected into applications. | Deployed on a border gateway or in front of servers. WAF does not interfere with applications. |
| Performance | Consumes server resources. | Consumes the resources of WAF and has no impact on applications or origin servers. |
| Vulnerability fixing | Uses virtual patches to fix vulnerabilities and locates the code whose execution exploits the vulnerabilities. | Uses virtual patches to fix vulnerabilities and reports only the exploitable traits of the vulnerabilities. |
| Zero-day vulnerability prevention | Supported by default. | Mitigates zero-day vulnerabilities by using rules that are created based on vulnerability exploit methods. |
Is the application protection feature available for internal network servers?
Yes. To enable protection, the servers must first connect to Security Center over a proxy connection, which requires that the Security Center agent and the RASP agent be installed on them.
If your internal network has no server with Internet access and cannot establish connectivity with a virtual private cloud (VPC), you cannot use the protection capabilities of Security Center, including the application protection feature.
Limits
The proxy connection supports only Java applications in container environments.
Make sure that one or more servers that have Internet access or connectivity with an Alibaba Cloud VPC are available to serve as proxy servers.
Procedure for proxy connection
When you connect an application to application protection, on the Access Management panel, in the tab, select Custom Installation, choose the appropriate proxy cluster, and complete the RASP agent installation. For detailed instructions, see Manual access (Java applications).
What types of applications can be added to the application protection feature?
The application protection feature is available only for Java and PHP applications, and their runtime environments must meet certain restrictions. For more information, see Limits.
Does the feature support Python, Go, or .NET applications?
No. The application protection feature currently supports only Java and PHP applications.
Are the application processes of shut-down servers displayed in resource statistics?
Process data is retained for 7 days and automatically cleared afterwards. If a server was scanned for resource statistics before it shut down, its application process data is not collected in later scans after the shutdown, and the data that was already collected remains until the 7-day retention period expires.
How do I determine whether an application is added to the application protection feature?
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Application Protection page, in the Application Configurations tab, click the number under the Online Instances column for the target application group.
In the panel that appears, review the applications added to the application protection feature.
If the PID of the application process you want to protect is listed, the application is secured by the application protection feature.
Does the application protection feature affect the running of applications?
The application protection feature is carefully designed to control its impact on system performance, compatibility, and stability to minimize interference with application running. Tests have proven that after the application protection feature is enabled for a server, the excess CPU utilization of the server does not exceed 1%, the excess memory usage is less than 50 MB, and the excess application latency or response time is less than 1 millisecond.
The feature also provides emergency measures, such as the soft fuse escape mechanism, to minimize interference with applications. For more information, see Automatic access resource usage threshold.
How do I choose the application protection mode?
The application protection feature detects attacks that pose actual security threats, and it has a lower false positive rate than traditional traffic-based detection technologies. Therefore, we recommend that you take the attacks detected by this feature seriously. After you add an application to the application protection feature, the application is protected in Monitor mode, which is the default protection mode. After the application has run stably for a period of time, you can change the protection mode from Monitor to Block.
What is the role of the manager.key parameter when I add a containerized Java application to the application protection feature?
The manager.key parameter in the startup command is used to associate applications with the application protection feature. The vulnerability management feature of Security Center marks the application in which vulnerabilities are detected. If the RASP agent is installed on an asset that is associated with the detected vulnerability, the asset must be marked as protected. Security Center can associate the applications with the application protection feature by using the manager.key parameter.
Can I leave the manager.key parameter empty when I add a containerized Java application to the application protection feature?
No, you cannot leave the manager.key parameter empty.
When you manually add a container application to the application protection feature, you must configure the manager.key parameter. When you manually add a Java host application to the application protection feature, you can leave the manager.key parameter empty, because the host application can be directly associated with the corresponding asset.
Why is there no attack data on the Attack Statistics page?
This issue may be caused by the following reasons:
The application is not added to the application protection feature. You can re-add your application process to the application protection feature. For more information, see Use the application protection feature.
No real attacks are detected. Unlike traditional firewalls, the application protection feature records only real attacks. Traditional firewalls report an attack when malicious attack characteristics are detected in packets. However, the presence of malicious attack characteristics does not mean that a real attack has occurred. For example, a request that exploits a PHP vulnerability has no effect on a Java application. If a real attack is detected, the attacker has already broken through the outer defenses and can enter the internal environment of the application to perform risky operations. An application may not receive a large number of real attacks, but when real attacks are detected, you must block them or fix the vulnerabilities at the earliest opportunity.
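The difference between traffic-characteristic detection and runtime detection described above, as an added illustration that is not part of the original page and not Security Center's or the RASP agent's own logic. The script models both detection styles over three constructed requests against a toy Java-like web application: a signature matcher that inspects request content (WAF-style), and a simulated hook on the command-execution sink that fires only when request-controlled data actually reaches the sink and alters the command (a greatly simplified RASP-style check). The request, endpoint and signature names are all assumptions for the example; nothing is executed.

```python
import re
from dataclasses import dataclass


# Constructed request model (not from the original page).
@dataclass
class Request:
    req_id: str
    path: str
    params: dict


# --- Traffic-based model (WAF-style): match request content against signatures.
SIGNATURES = {
    "php_code": re.compile(r"<\?php", re.IGNORECASE),
    "sql_union": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "shell_meta": re.compile(r"[;|&`]"),
}


def traffic_based_alerts(requests):
    """Return (req_id, signature) for every request whose content matches a signature,
    regardless of whether the application could ever act on that content."""
    alerts = []
    for req in requests:
        content = " ".join(str(v) for v in req.params.values())
        for name, pattern in SIGNATURES.items():
            if pattern.search(content):
                alerts.append((req.req_id, name))
    return alerts


# --- Runtime model (RASP-style, simplified): hook the command-execution sink and
# alert only when untrusted request data changes the structure of the command.
TAINT_BREAKS_COMMAND = re.compile(r"[\s;|&`$()]")


class RuntimeHooks:
    def __init__(self):
        self.alerts = []
        self._current = None

    def begin_request(self, req):
        self._current = req

    def exec_sink(self, command):
        """Simulated hook on the process-execution sink. It never runs the command."""
        req = self._current
        for value in req.params.values():
            value = str(value)
            if value and value in command and TAINT_BREAKS_COMMAND.search(value):
                self.alerts.append((req.req_id, "command_injection"))
                raise PermissionError(f"request {req.req_id}: untrusted input altered the command")
        return f"executed: {command}"


def handle_request(req, hooks):
    """Toy application: only /ping passes request input to the command sink."""
    hooks.begin_request(req)
    try:
        if req.path == "/ping":
            return hooks.exec_sink(f"ping -c 1 {req.params.get('host', '')}")
        if req.path == "/comment":
            return "stored: " + str(req.params.get("text", ""))
        return "404"
    except PermissionError as exc:
        return f"blocked: {exc}"


def compare_models(requests):
    """Run both models over the same requests and return the request ids each one flags."""
    hooks = RuntimeHooks()
    for req in requests:
        handle_request(req, hooks)
    return {
        "traffic_based": sorted({rid for rid, _ in traffic_based_alerts(requests)}),
        "runtime": sorted({rid for rid, _ in hooks.alerts}),
    }


# Constructed sample requests. A carries a PHP-code signature but is stored as a
# comment by a Java-style application; B is benign; C reaches the command sink.
SAMPLE_REQUESTS = [
    Request("A", "/comment", {"text": "<?php echo 'hello'; ?>"}),
    Request("B", "/ping", {"host": "example.invalid"}),
    Request("C", "/ping", {"host": "example.invalid; id"}),
]

if __name__ == "__main__":
    print(compare_models(SAMPLE_REQUESTS))
```

Request A is reported by the signature model but never reaches a dangerous sink, so the runtime model stays silent: that is the "characteristics without a real attack" case from the answer above. Request C is reported by both, and only the runtime model can also say which sink was reached, which is the context an operator needs to decide whether to block or to fix the code path.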
What is the difference between the weakness detection feature and the weak password baseline check?
The weakness detection feature is used to detect risks based on the application behavior and memory status during application runtime. The weak password baseline check is mainly used to scan system configurations, including the baseline check based on the internationally agreed best practices, classified protection compliance check, and static file detection.
Why did I fail to add my application to the application protection feature?
This issue may be caused by the following reasons:
Anti-virus software is installed on your server. The software may block the RASP agent or the Security Center agent. You can view related information in the blocking results of the software.
The password of the root user on the Linux server has expired.
How do I identify a blocked threat?
If you find a runtime exception named AliCloudRaspSecurityException in your business logs, the application protection feature has detected an exception or a potential security threat and has blocked the access attempt of the related process. To prevent the feature from blocking this process behavior, you can add the process to the whitelist. For more information, see Create whitelist rules.
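A log triage helper for the situation described above, added here as an example; it is not part of the original page or of Security Center. It scans application logs for AliCloudRaspSecurityException (the exception name is from the answer above), groups each occurrence with the stack-trace lines that follow it, and summarizes the blocked events by process and top stack frame so that an operator can see which code path was blocked before deciding whether a whitelist rule is appropriate. The log layout, the `pid=` field, the logger names and the exception message text are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log in a common Java logging layout (not from the original page).
# The exception message text is invented for the example.
SAMPLE_LOG = """\
2024-05-01 10:02:11.004 INFO  [pid=4321] com.example.OrderService - order 1001 created
2024-05-01 10:02:12.917 ERROR [pid=4321] com.example.ReportService - report export failed
AliCloudRaspSecurityException: blocked by application protection (constructed message)
    at com.example.ReportService.export(ReportService.java:88)
    at com.example.ReportController.handle(ReportController.java:41)
2024-05-01 10:03:01.120 ERROR [pid=4321] com.example.OrderService - database timeout
java.sql.SQLTimeoutException: query timed out
    at com.example.OrderDao.find(OrderDao.java:120)
2024-05-01 10:05:47.551 WARN  [pid=5555] com.example.ImportService - import job aborted
AliCloudRaspSecurityException: blocked by application protection (constructed message)
    at com.example.ImportService.run(ImportService.java:203)
"""

# Header line of one log record; any line that does not match is a continuation
# (exception message or stack frame) belonging to the previous record.
HEADER = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[pid=(?P<pid>\d+)\] (?P<logger>\S+) - (?P<message>.*)$"
)
RASP_EXCEPTION = "AliCloudRaspSecurityException"


def parse_log(text):
    """Split the log into records, attaching continuation lines to their header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["extra"] = []
            records.append(rec)
        elif records:
            records[-1]["extra"].append(line.strip())
        # Continuation lines before the first header have no record and are skipped.
    return records


def find_rasp_blocks(records):
    """Return one event per record that carries the RASP exception."""
    events = []
    for rec in records:
        candidates = [rec["message"]] + rec["extra"]
        exc_lines = [l for l in candidates if RASP_EXCEPTION in l]
        if not exc_lines:
            continue
        frames = [l for l in rec["extra"] if l.startswith("at ")]
        events.append({
            "time": rec["time"],
            "pid": rec["pid"],
            "logger": rec["logger"],
            "message": rec["message"],
            "exception": exc_lines[0],
            "top_frame": frames[0] if frames else None,
        })
    return events


def summarize(events):
    """Count blocked events per (pid, top stack frame): the unit an operator reviews."""
    return Counter((e["pid"], e["top_frame"]) for e in events)


if __name__ == "__main__":
    found = find_rasp_blocks(parse_log(SAMPLE_LOG))
    for e in found:
        print(e["time"], "pid", e["pid"], e["logger"], "->", e["top_frame"])
    print(summarize(found))
```

Keying the summary on the top stack frame rather than on the process alone matters: a whitelist rule should cover one known-good code path, and the frame tells you which path was blocked, whereas the PID changes on every restart. Unrelated errors such as the database timeout in the sample are left out because the exception name is matched in the record's own lines only.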