- 1. WAF
- 2. Distributed denial of service (DDoS) protection service
- 3. Feature comparison
- 4. Mobile security
- 5. Server guard
This article discusses the main differences and similarities between Azure and Alibaba Cloud security services. It covers the following products:
|Service||Azure||Alibaba Cloud|
|Web Application Firewall||Application Gateway (Web Application Firewall)||Alibaba Cloud WAF|
|Anti-DDoS||Azure DDoS Protection (Azure Marketplace)||Anti-DDoS|
|Certificate Service||Application service certificate available on the Por||Alibaba Cloud SSL Certificates Service|
|Mobile Security||N/A||Mobile Security|
|Server Security||N/A||Server Guard (Server Security)|
1. WAF
Alibaba Cloud WAF is a web application firewall that can protect web applications from vulnerability attacks such as SQL injections, XSS, and malicious bot attacks. Alibaba Cloud WAF shares many similar functionalities and technologies with Azure WAF, but it also boasts unique advantages in its defense capabilities.
1.1 Service mode comparison
The Azure Web application firewall (WAF) is integrated in the application gateway to provide services. Alibaba Cloud WAF is deployed by configuring the domain name resolution service.
1.2 Access control
Azure WAF users can add corresponding rules in access control (identity and access management) after creating an application gateway. Alibaba Cloud WAF allows ACL rule configuration after a domain name is configured and supports combining different HTTP fields, such as IP, URL, Referer, and User-Agent, to implement precise access control. The access control policies can be applied to scenarios such as anti-leeching and protection of a website's management back end.
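The following added example (not code from either vendor) shows how combining HTTP fields in one rule yields the precise access control described above, using the two scenarios the text names. The rule format, operator names, addresses and domains are constructed for illustration and are not Alibaba Cloud's or Azure's configuration syntax.

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlparse

# Hypothetical rule format (not Alibaba Cloud's): all conditions in a rule must
# match (logical AND); the first matching rule decides the action.
RULES = [
    # Management back end: block /admin unless the client is in the office range.
    {"name": "admin-office-only", "action": "block", "when": [
        ("url", "prefix", "/admin"), ("ip", "not_in_cidr", "203.0.113.0/24")]},
    # Anti-leeching: block image fetches referred by another site; an empty
    # Referer is allowed because privacy tools and direct visits omit it.
    {"name": "anti-leech", "action": "block", "when": [
        ("url", "prefix", "/static/img/"),
        ("referer", "host_not_in", ("shop.example.com", ""))]},
    # Scripted client on the login endpoint only.
    {"name": "login-script-ua", "action": "block", "when": [
        ("url", "prefix", "/login"), ("user-agent", "contains", "python-requests")]},
]

def _test(value, op, arg):
    if op == "prefix":
        return value.startswith(arg)
    if op == "contains":
        return arg.lower() in value.lower()
    if op == "not_in_cidr":
        return ipaddress.ip_address(value) not in ipaddress.ip_network(arg)
    if op == "host_not_in":
        return (urlparse(value).hostname or "") not in arg
    raise ValueError(f"unknown operator: {op}")

def evaluate(request, rules=RULES):
    """Return (action, rule_name) for a dict with ip/url/referer/user-agent."""
    # Decode and normalize the path first so rules match the path the server serves.
    path = posixpath.normpath(unquote(urlparse(request["url"]).path) or "/")
    fields = dict(request, url="/" + path.lstrip("/"))
    for rule in rules:
        if all(_test(fields.get(f, ""), op, arg) for f, op, arg in rule["when"]):
            return rule["action"], rule["name"]
    return "allow", None

# Constructed sample requests (documentation address ranges, example domains).
OUTSIDE = "198.51.100.9"
SAMPLES = [
    {"ip": "203.0.113.7", "url": "/admin/users"},
    {"ip": OUTSIDE, "url": "/static/../admin/users"},
    {"ip": OUTSIDE, "url": "/static/img/a.png", "referer": "https://leech.example.net/p"},
    {"ip": OUTSIDE, "url": "/static/img/a.png", "referer": "https://shop.example.com/item/1"},
    {"ip": OUTSIDE, "url": "/login", "user-agent": "python-requests/2.31"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["url"], evaluate(req))
```

Rule order matters in this model: a broad rule placed first can shadow a narrower one, so the most specific rules belong at the top.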
1.3 Web attack defense
Azure WAF provides protection against common web attacks such as SQL injection, cross-site scripting, HTTP response splitting, and remote file inclusion. Alibaba Cloud WAF protects against the common threats in the OWASP Top 10, provides high/medium/low policies according to different website businesses for GET, POST and other common HTTP requests, includes website stealth that avoids exposing site addresses to attackers, and implements regular patch updates for zero-day vulnerabilities and global patch updates.
1.4 Business risk control
Data risk control is a Big Data capability of WAF based on Alibaba Cloud, and is implemented for specific business scenarios using an industry leading risk engine and man/machine identification techniques. Alibaba Cloud WAF’s Big Data ability is developed through our experience in providing world-class security to customers. This includes hosting more than 37% of China-based websites, maintaining the most popular accessed IP database in China, and mitigating more than 800 million attacks every day.
Generally, data risk control can effectively protect key businesses against spoofing behaviors, including but not limited to spam registration, SMS verification code flooding attacks, credential stuffing ("library hitting") and brute force password cracking, malicious buying, robotic ticket buying, and junk email.
1.5 Console configuration
Azure WAF settings can be configured in the application gateway console. The Alibaba Cloud WAF console supports domain name configuration and the combination of different policies to implement access control.
Alibaba Cloud WAF also provides a robust and friendly visual console for attack analysis and monitoring, including business analysis and security overview. Business analysis looks at recent access to different domain names. Security overview provides a general score based on the severity of recent attacks, attacker threat, and protection rules and policies. Recent web attacks and CC attacks are displayed graphically, and warnings and reports on common attack risks are issued in advance.
The Azure Web application firewall is provided in the new WAF SKU, priced on the basis of hourly gateway instance fees and data processing fees. The hourly gateway pricing for WAF SKUs is different from the standard SKU fee; see Application Gateway Pricing Details. Alibaba Cloud WAF pricing is based on a monthly subscription that comes in different packages with different feature specifications. Learn more about Alibaba Cloud WAF Pricing.
1.7 Feature comparison
The comparison of Azure and Alibaba Cloud WAF services can be summarized as follows:
|Feature||Azure WAF||Alibaba Cloud WAF|
|Deployment Modes||Integrated deployment in the application network||Deployed between the client CDN and load balancer and configured with domain name resolution service to facilitate connection|
|Configure Web ACL Policy||Supported||Supported|
|Types of Web Attacks||SQL injection, cross-site scripting (XSS), HTTP protocol anomalous behavior, prevention of automated programs, crawlers and scanners, and other common attacks||Common OWASP vulnerabilities, including SQL injection, XSS, Webshell uploading, backdoor isolation, command injection, illegal HTTP protocol requests, common Web server vulnerability attacks, unauthorized access to core files, path traversing, and scan protection.|
|HTTP Flood Protection||Supported||Supported|
|Business Analysis||Not Supported||Supported|
2. Distributed denial of service (DDoS) protection service
To safeguard data and applications from DDoS attacks, Alibaba Cloud and Azure both provide cloud-based anti-DDoS services to ensure the availability and performance of applications on the cloud. In this section, we discuss the Azure DDoS Protection and Alibaba Cloud Anti-DDoS security services.
2.1 Service model comparison
Similar to Azure DDoS Protection and Azure Marketplace, Alibaba Cloud provides free and enterprise-level DDoS protection services that fall under two tiers: Anti-DDoS Basic and Anti-DDoS Pro.
|Tier||Azure DDoS||Alibaba Cloud Security|
|Basic||Azure DDoS Basic||Alibaba Cloud Anti-DDoS Basic|
|Advanced||N/A (relies on the marketplace ecosystem)||Alibaba Cloud Anti-DDoS Pro|
Azure DDoS Protection Basic and Alibaba Cloud Anti-DDoS Basic, both at no additional cost, provide protection against network layer (layer 3) and transport layer (layer 4) DDoS attacks. For web application protection, Azure users can add application layer protection through the Azure Application Gateway web application firewall. Alibaba Cloud users can subscribe to the Alibaba Cloud WAF service to minimize web attacks such as HTTP/HTTPS flooding and DDoS attacks.
Azure professional protection mainly depends on Azure's marketplace ecosystem. There is no professional anti-attack product similar to Alibaba Anti-DDoS Pro. Alibaba Anti-DDoS Pro provides protection against layer 3, layer 4, and layer 7 DDoS attacks. However, the two services differ in their technology.
Azure DDoS basic protection blocks attack traffic and forwards the remaining traffic to its intended destination.
Alibaba Cloud Anti-DDoS Basic supports redirection technologies. The primary protection method is automatic cleaning, supplemented by active mitigation. The service hosts the complete attack protection operation on behalf of a user.
Alibaba Cloud Anti-DDoS Pro users need to resolve the domain name to the Anti-DDoS Pro IP address for non-web services. Anti-DDoS Pro then directs all public network traffic to the Anti-DDoS server room. The user access traffic is forwarded to the source station IP by protocol based port forwarding. Meanwhile, the malicious attack traffic is cleaned and filtered through the Anti-DDoS Pro service, and normal traffic is returned to the source station IP.
2.2 Black hole policies
Azure DDoS Protection and Alibaba Cloud Anti-DDoS both have a concept termed black hole. Black hole refers to the restriction of server access when the attack traffic to a server exceeds a specified threshold. Users can configure the black hole threshold for the server, and Alibaba Cloud will block external network access to the server.
The Azure DDoS Protection black hole will not be released and the user will not be notified. The Alibaba Cloud black hole release time ranges from 25 minutes to 30 days; in 99.9% of cases the black hole is lifted in 40 minutes.
For Alibaba Cloud Anti-DDoS Basic, default threshold settings apply to ECS, Server Load Balancer, and EIP. Besides the default black hole threshold, Anti-DDoS Pro provides a higher capacity for DDoS mitigation.
2.3 Large DDoS defense
Alibaba Cloud Anti-DDoS Pro has large DDoS mitigation capability. Alibaba Cloud Security provides up to 300 Gbps (Mainland China) and 100 Gbps (Hong Kong and Singapore) DDoS mitigation, which can mitigate SYN flood, ACK flood, ICMP flood, UDP flood, NTP flood, SSDP flood, DNS flood, HTTP flood, and CC attacks.
2.4 Monitoring & Reporting
Monitoring and reporting are important parts of security services. Both Azure DDoS Protection and Alibaba Cloud Anti-DDoS provide network flow monitoring, which inspects abnormal traffic packets automatically.
In Alibaba Cloud Anti-DDoS Pro, the network traffic is monitored in real time. It also provides a detailed security report of past attacks.
2.5 Product architecture
Azure DDoS Protection Standard monitors the actual traffic utilization rate and compares it with the threshold defined in the DDoS policy. When the traffic threshold is exceeded, DDoS mitigation starts automatically. When traffic falls below the threshold, the mitigation is removed.
Alibaba Cloud Anti-DDoS Basic supports two traffic diversion schemes: BGP and DNS.
Incoming traffic is diverted to Alibaba Cloud Anti-DDoS scrubbing centers through updating DNS resolution settings (web) or replacing the original website IP with an Anti-DDoS IP provided by Alibaba Cloud. As traffic passes through the Anti-DDoS service, malicious attacks can be immediately identified and mitigated. The service then forwards clean traffic to the server and ensures comprehensive DDoS protection for your infrastructure.
Azure DDoS Protection Standard and Anti-DDoS Basic provide protection against DDoS attacks at no additional cost.
Anti-DDoS Pro is a paid service with a usage fee based on the protection capacity and carrier network. It offers two payment methods: pre-paid and post-paid. Learn more about Anti-DDoS billing methods.
2.7 Feature comparison
Azure DDoS Protection features and terminology map to those of Alibaba Cloud Anti-DDoS as follows:
|Feature||Azure DDoS Protection||Alibaba Cloud Anti-DDoS|
|Type of DDoS Attacks||UDP reflection attacks, SYN flood, DNS query flood, HTTP flood/cache-busting (layer 7) attacks||SYN flood, UDP flood, ACK flood, ICMP flood, DNS query flood, NTP reply flood, HTTP flood attack, and Web application attacks|
|Application Layer Protection||Supported||Supported|
|Large DDoS Mitigation Capability||N/A (relies on the marketplace ecosystem)||Supported (Anti-DDoS Pro)|
|Protection Capacity||Capacity not disclosed||Anti-DDoS Basic provides 500 Mbps to 5 Gbps capacity depending on the region; Anti-DDoS Pro can defend against attacks of up to 300 Gbps|
|Technical Architecture||Routing techniques (Shield Advanced)||Defense room (Anti-DDoS Pro)|
|Service Integration||VM, ELB, Azure DNS Traffic Manager, and so on||Supports services inside and outside of the cloud|
3. Certificate service
Similar to Azure Application service certificate, Alibaba Cloud SSL Certificates Service allows users to purchase, provision, and manage SSL/TLS certificates on Alibaba Cloud.
3.1 Service model
Alibaba Cloud SSL Certificates Service provides certificate purchasing, deploying, and revocation. After the certificate is issued, users can deploy digital certificates with a single click to other Alibaba Cloud services.
The Azure Application Service Certificate is used in Azure for cloud services (service certificates) and for authentication via the management API (management certificates).
3.2 Services integration
Azure App Service certificates are available for any Azure or non-Azure service and are not limited to application services.
If you have purchased Alibaba Cloud's CDN, Anti-DDoS Pro IP, WAF, or Server Load Balancer, you need to enable HTTPS access to these cloud products in advance. Then use the Alibaba Cloud SSL Certificates Service to deploy your purchased digital certificates to these products through one-click deployment.
Azure App Service certificates can be set up for automatic or manual renewal. Whether it is manual renewal or automatic renewal, the renewed certificate will not be automatically bound to the application.
You need to renew certificates manually on Alibaba Cloud Certificates Service. After renewal and review are complete, a new certificate will be issued. You can install this new certificate on your server to replace the expiring certificate.
The Azure Application Service Certificate S1 Standard Edition is USD 69.99 (estimated), and the W1 wildcard certificate is USD 299.99 (estimated).
Alibaba Cloud Certificates Service not only provides free, trusted certificates, but also lets you purchase highly secure certificates straight from the Alibaba Cloud platform.
3.5 Feature comparison
Azure features and terminology map to those of Alibaba Cloud SSL Certificates Service as follows:
|Feature||Azure Application service certificate||Alibaba Cloud SSL Certificate|
|Using Existing Certificate||Supported||Supported|
|Import Third-Party Certificates||Supported||Supported|
|Integrated Services||Certificates are available for any Azure or non-Azure service and are not limited to application services||Alibaba Cloud CDN, Anti-DDoS Pro, WAF, and Server Load Balancer|
4. Mobile security
Azure does not provide security services specifically for mobile applications. Alibaba Cloud’s Mobile Security provides security services for the full lifecycle of mobile app delivery, including risk detection, security protection, and threat intelligence.
4.1 Risk detection
Risk detection is implemented by uploading an APK package to scan for malicious code and vulnerabilities. The scan result includes details of vulnerabilities, such as vulnerability quantity, names, types, and repair suggestions.
4.2 Security protection
Security protection is meant to harden apps and connect security components. Apps are hardened to provide SO shelling, and DEX files are shelled to protect against different types of analysis tools. This feature adds security components and applies ongoing components to newly uploaded apps to prevent attacks, client information leakage, and forged requests.
4.3 Threat intelligence
Threat intelligence detects forgery and risks of network-wide apps based on big data, and keeps an eye on network disks of forums to implement multidimensional forgery detection.
Alibaba Cloud Mobile Security Service is available in two versions: Basic Edition (Free Trial) and Professional Edition (Paid Version). For Professional Edition, Mobile Security service fee is based on two types of services: Vulnerability Scan and Application Hardening.
5. Server guard
At present, Azure has not launched a security product that covers host security. Alibaba Cloud’s Server Guard is a lightweight agent installed on a server. Server Guard associates with cloud threat intelligence to implement vulnerability management, baseline detection, exception detection, and asset management, thereby creating an in-depth defense system.
5.1 Vulnerability management
Vulnerability management detects system software CVE vulnerabilities, Windows vulnerabilities, Web-CMS vulnerabilities and other high-risk vulnerabilities.
5.2 Baseline detection
Baseline detection checks for account security, weak passwords, and configuration risks.
5.3 Intrusion detection
By analyzing user behavior, intrusion detection detects off-site login and transaction information, brute force password cracking, and website backdoors.
The basic version of Server Guard is currently available free of charge. When you purchase an ECS instance, you simply need to agree to our license agreement before logging in to the Server Security Management Console. The advanced version of Server Guard, which offers additional features for enterprises, will be available in mid-2018 and will be a paid service.