- 1. WAF
- 2. Distributed denial of service (DDoS) protection service
- 3. Feature comparison
- 4. Mobile security
- 5. Server guard
This article discusses the main differences and similarities between AWS and Alibaba Cloud security services. It covers the following products:
|Web Application Firewall (WAF)||AWS WAF||Alibaba Cloud WAF|
|Certificate Service||AWS Certificate Manager||Alibaba Cloud SSL Certificates Service|
|Mobile Security||N/A||Mobile Security|
|Server Security||N/A||Server Guard (Server Security)|
1. WAFAlibaba Cloud WAF is a web application firewall that can protect web applications from vulnerability attacks such as SQL injections, XSS, and malicious bot attacks. Alibaba Cloud WAF shares many similar functionalities and technologies with AWS WAF, but it also boasts unique advantages in its defense capabilities.
1.1 Service mode comparison
AWS WAF can be deployed on the AWS CloudFront (CDN), a web server, or a load balancer of a Web server. Alibaba Cloud WAF is deployed by configuring the domain name resolution service.
1.2 Access control
Before deploying AWS WAF, you neet to create a Web ACL and define rules. Alibaba Cloud WAF allows ACL rule configuration after a domain name is configured and supports the combination of different HTTP fields, such as IP, URL, Referer, and User-Agent to implement precise access control. The access control policies can be applied to scenarios such as anti-leeching and website management background protection.
1.3 Web attack defense
AWS WAF provides simple Web application protection policies to defend against SQL attacks and cross-site scripting attacks. Alibaba Cloud WAF protects against TOP 10 common threats such as OWASP, provides high/medium/low policies according to different website businesses for GET, POST and other common HTTP requests, includes website stealth that avoids site addresses being exposed to attackers, and implements regular patch updates for zero-day vulnerabilities and global patch updates.
1.4 Business risk control
Data risk control is a Big Data capability of WAF based on Alibaba Cloud, and is implemented for specific business scenarios using an industry leading risk engine and man/machine identification techniques. Alibaba Cloud WAF’s Big Data ability is developed through our experience in providing world-class security to customers. This includes hosting more than 37% of China-based websites, maintaining the most popular accessed IP database in China, and mitigating more than 800 million attacks every day.
Generally, data risk control can effectively protect key businesses against spoofing behaviors, including but not limited to spam registration, SMS verification code flooding attacks, library hitting and brute force password cracking, malicious buying, robotic ticket buying, and junk email.
1.5 Console configuration
Like AWS WAF Management Console, Alibaba Cloud WAF console supports domain name configuration and combination of different policies to implement access control, which is as precise as that of AWS WAF.
Alibaba Cloud WAF also provides robust and friendly visualized console for attacks analysis and monitoring, including business analysis and security overview. Business analysis looks at recent access to different domain names. Security overview provides a general score which is obtained based on the severity of recent attacks, attacker threat, and protection rules and policies. Recent web attacks and CC attacks are displayed graphically, and common attack risks are warned in advance and are reported.
AWS WAF pricing is c based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments for AWS WAF. Alibaba Cloud WAF pricing is based on a monthly subscription that comes in different packages with different feature specifications. Learn more about Alibaba Cloud WAF Pricing.
1.7 Feature comparison
The comparison of AWS and Alibaba Cloud WAF services can be summarized as follows:
|Feature||AWS WAF||Alibaba Cloud WAF|
|Deployment Modes||Deploy on AWS CloudFront or ELB in front of the Web server||Deployed between the client CDN and load balancer and configured with domain name resolution service to facilitate connection|
|Configure Web ACL Policy||Supported||Supported|
|Types of Web Attacks||SQL detection and prevention, SQL injection, cross site scripting (XSS), and other common attacks||Common OWASP vulnerabilities, including SQL injection, XSS, Webshell uploading, backdoor isolation, command injection, illegal HTTP protocol requests, common Web server vulnerability attacks, unauthorized access to core files, path traversing, and scan protection.|
|HTTP Flood Protection||Supported||Supported|
|Risk Warning||Not Supported||Supported|
|Business Analysis||Not Supported||Supported|
2. Distributed denial of service (DDoS) protection service
To safeguard data and applications from DDoS attacks, Alibaba Cloud and AWS both provide cloud-based anti-DDoS services to ensure the application availability and performance of properties on the cloud. In this section, we discuss the Amazon Shield and Alibaba Cloud Anti-DDoS security services.
2.1 Service model comparison
Like AWS Shield Standard and Advanced, Alibaba Cloud provides free and enterprise-level DDoS protection services that fall under two tiers: Anti-DDoS Basic and Anti-DDoS Pro.
|Tier||AWS Shield||Alibaba Cloud Security|
|Basic||AWS Shield Standard||Alibaba Cloud Anti-DDoS Basic|
|Advanced||AWS Shield Advanced||Alibaba Cloud Anti-DDoS Pro|
AWS Shield Standard and Alibaba Cloud Anti-DDoS Basic, both with no additional costs, provide protection in the face of network layer (layer 3) and transport layer (layer 4) DDoS attacks. As for web application protection, users can subscribe to Alibaba Cloud WAF service to minimize web attacks such as HTTP/HTTPS flood and DDoS attacks.
Similar to AWS Shield, Alibaba Anti-DDoS Pro provides protection for layer 3/layer 4/layer 7 DDoS attacks. However, the two services differ in their technology.
AWS Shield Advanced employs routing techniques to distribute attacks to different AWS nodes to protect against large DDoS attacks.
Alibaba Cloud Anti-DDoS Basic supports redirection technologies. The primary protection method is automatic cleaning, supplemented by active mitigation. The service hosts the complete attack protection operation on behalf of a user.
Unlike AWS Shield Advanced, Alibaba Cloud Anti-DDoS Pro users need to resolve the domain name to the Anti-DDoS Pro IP address for non-web services. Anti-DDoS Pro then directs all public network traffic to the Anti-DDoS server room. The user access traffic is forwarded to the source station IP by protocol based port forwarding. Meanwhile, the malicious attack traffic is cleaned and filtered through the Anti-DDoS Pro service, and normal traffic is returned to the source station IP.
2.2 Black hole policies
Alibaba Cloud Anti-DDoS has a specific concept termed black hole. Black hole refers to the restriction of server access when the attack traffic to a server exceeds a specified threshold. Users can configure the black hole threshold for the server, and Alibaba Cloud will block external network access to the server.
For Alibaba Cloud Anti-DDoS Basic, default threshold settings apply to ECS, Sever Loader Balancer, and EIP. Besides the default black hole threshold, Anti-DDoS Pro provides a higher capacity for DDoS mitigation.
2.3 Large DDoS defense
Like AWS Shield Advanced, Alibaba Cloud Anti-DDoS Pro has large DDoS mitigation capability. Alibaba Cloud Security provides up to 300 Gbps (Mainland China) and 100 Gbps (Hong Kong and Singapore) DDoS mitigation, which can mitigate SYN flood, ACK flood, ICMP flood, UDP flood, NTP flood, SSDP flood, DNS flood, HTTP flood, and CC attacks.
2.4 Monitoring & Reporting
Monitoring and reporting are important parts of security services. Both AWS Shield and Alibaba Cloud Anti-DDoS provides network flow monitoring, which inspects abnormal traffic packets automatically.
In Alibaba Cloud Anti-DDoS Pro, the network traffic is monitored in real time. It also provides a detailed security report of past attacks.
2.5 Deployment architecture
AWS Shield Advanced can be deployed on Amazon CloudFront and Amazon Route 53 edge sites. By deploying on Amazon CloudFront, web application security can be ensured.
The deployment architecture of the Anti-DDoS Pro is as follows:
Network traffic route: Anti-DDoS Pro (entry-level anti-DDoS) —> CDN (static resource acceleration) —> WAF (middle layer and application layer protection) —> Source Station (ECS/SLB/VPC/IDC…).This architecture will remain unchanged even if any product is removed.
Like AWS Shield Standard, Anti-DDoS Basic provides protection for DDoS attacks at no additional costs.
AWS Shield Advanced requires a 1-year subscription commitment and charges a monthly fee, plus a usage fee based on data transfer out from Amazon CloudFront, Elastic Load Balancing (ELB), and Amazon Elastic Compute (EC2).
Anti-DDoS Pro is a paid service with a usage fee based on the protection capacity and carrier network. It provides two kinds of payment method: Pre-paid, Post-paid. Learn more about Anti-DDoS billing methods.
2.7 Feature comparison
AWS Shield features and terminology map to those of Alibaba Cloud Anti-DDoS as follows:
|Feature||AWS Shield||Alibaba Cloud Anti-DDoS|
|Type of DDoS Attacks||UDP reflection attacks, SYN flood, DNS query flood, HTTP flood/cache-busting (layer 7) attacks||SYN flood, UDP flood, ACK flood, ICMP flood, DNS query flood, NTP reply flood, HTTP flood attack, and Web application attacks|
|Application Layer Protection||Supported (combined with AWS WAF)||Supported|
|Large DDoS Mitigation Capability||Supported (AWS Shield Advanced)||Supported (Anti-DDoS Pro)|
|Protection Capacity||Capacity do not disclosed||Anti-DDoS Basic provide 500Mbps ~ 5Gbps capacity for different regions Anti-DDoS Pro can defend against up to 300Gbps capacity|
|Technical Architecture||Routing techniques (Shield Advanced)||Defense room (Anti-DDoS Pro)|
|Service Integration||EC2, ELB, CloudFront, Route53||Supports services inside and outside of the cloud|
3. Certificate service
Similar to AWS Certificate Manager (ACM), Alibaba Cloud SSL Certificates Service allows users to purchase, provision, and manage SSL/TSL certificates on Alibaba Cloud.
3.1 Service model
Alibaba Cloud SSL Certificates Service provides certificate purchasing, deploying, and revocation. After the certificate is issued, users can deploy digital certificates with a single click to other Alibaba Cloud services.
3.2 Services integration
AWS users cannot use AWS Certificate Manager (ACM) to directly install ACM Certificate on the AWS based website or application. ACM is integrated with following services to deploy ACM Certificates on the cloud: Elastic Load Balancing, Amazon CloudFront, AWS Elastic Beanstalk, Amazon API Gateway, and CloudFormation. For example, to serve secure content on CloudFront over SSL/TLS, you need to install SSL/TLS certificates on either the CloudFront distribution or on the backend content source.
Like ACM, if you have purchased Alibaba Cloud’s CDN, Anti-DDoS Pro IP, WAF, or Server Load Balance, you need to enable HTTPS-secured visiting to these cloud products in advance. Then use the Alibaba Cloud SSL Certificates Service to deploy your purchased digital certificates to these products through one-click deployment.
ACM attempts to automatically renew ACM Certificates before they expire except for certificates associated with Route 53 private hosted zones. If ACM is unable to automatically renew the certificate, it will send notifications to users to require manual renewal.
You need to renew certificates manually on Alibaba Cloud Certificates Service. After renewal and review are complete, a new certificate will be issued. You can install this new certificate on your server to replace the expiring certificate.
SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.
Alibaba Cloud Certificates Service not only provides free, trusted certificates, but also provide purchasing highly-secure certificates straight from the Alibaba Cloud platform.
3.5 Feature comparison
AWS ACM features and terminologies maps to that of Alibaba Cloud SSL Certificates Service as follows:
|Feature||AWS Certificate Manager (ACM)||Alibaba Cloud SSL Certificate|
|Using Existing Certificate||Supported||Supported|
|Import Third-Party Certificates||Supported||Supported|
|Paid Certificates||Not Supported||Supported|
|Integrated Services||AWS Elastic Beanstalk, CloudFormation, CloudFront, APIs on API Gateway||Alibaba Cloud CDN, Anti-DDoS Pro, WAF, and Server Load Balancer|
|Management||Management console, ACM API, SDK, CLI||Console|
4. Mobile security
AWS does not provide security services specifically for mobile applications. Alibaba Cloud’s Mobile Security provides security services for the full lifecycle of mobile app delivery, including risk detection, security protection, and threat intelligence.
4.1 Risk detection
Risk detection is implemented by uploading an APK package to scan for malicious codes and vulnerabilities. The scan result includes details of vulnerabilities, such as vulnerability quantity, names, types, and repair suggestions.
4.2 Security protection
Security protection is meant to harden apps and connect security components. Apps are hardened to provide SO shelling, and DEX files are shelled to prevent against different types of analysis tools. This feature adds security components and applies ongoing components to newly uploaded apps to prevent attacks, client information leakage, and forged requests.
4.3 Threat intelligence
Threat intelligence detects forgery and risks of network-wide apps based on big data, and keeps an eye on network disks of forums to implement multidimensional forgery detection.
Alibaba Cloud Mobile Security Service is available in two versions: Basic Edition (Free Trial) and Professional Edition (Paid Version). For Professional Edition, Mobile Security service fee is based on two types of services: Vulnerability Scan and Application Hardening.
5. Server guard
At present, AWS has not launched a security product that covers host security. Alibaba Cloud’s Server Guard is a lightweight agent installed on a server. Server Guard associates with cloud threat intelligence to implement vulnerability management, baseline detection, exception detection, and asset management, thereby creating an in-depth defense system.
5.1 Vulnerability management
Detect system software CVE vulnerabilities, Windows vulnerabilities, Web-CMS vulnerabilities and other high-risk vulnerabilities.
5.2 Baseline detection
Baseline detection checks for account security, weak passwords, and configuration risks.
5.3 Intrusion detection
By analysis of user behavior, intrusion detection detects off-site login and transaction information, brute force password cracking, and website backdoors.
The basic version of Server Guard is currently available free of charge. When you purchase an ECS instance, you simply need to agree to our license agreement, before logging in to the Server Security Management Console. The advanced version of Server Guard, which offers additional features for enterprises, will be available in mid-2018 and will be a paid service.