
Cloud Firewall: Terms

Last Updated: Aug 06, 2025

This topic describes the basic concepts of Cloud Firewall.

security group and internal firewall

A security group is a distributed virtual internal firewall provided by Elastic Compute Service (ECS). It supports port status monitoring and packet filtering. You can use a security group to control access to ECS instances. A security group is a group of ECS instances in the same region. These instances have the same security requirements and trust each other. When you create an ECS instance, you must specify at least one security group for this instance.

An internal firewall implements the security group feature at the underlying layer. You can configure policies on the Internal Firewall tab of the Access Control page in the Cloud Firewall console or configure security groups in the ECS console. The configurations are automatically synchronized.

outbound connection

An outbound connection occurs when an Alibaba Cloud host actively accesses an external IP address. You can analyze outbound connection traffic to discover suspicious hosts.

Internet Exposure

Internet Exposure means that applications and services in the cloud are publicly accessible from the Internet.

breach awareness

Breach awareness is a feature that monitors network transmissions and checks for suspicious activities. It sends alerts or takes proactive measures when suspicious events are detected. Cloud Firewall integrates the detection and defense capabilities that Alibaba Cloud has accumulated over the past decade. It analyzes and collects statistics about the traffic that passes through Cloud Firewall in real time to discover compromised hosts and block abnormal network activities.

open application, open port, and open public IP address

An open application is an application that is exposed on the Internet, such as HTTP or Secure Shell (SSH).

An open port is a port that is exposed on the Internet, such as port 80 or 22.

An open public IP address is the public IP address of an asset that is exposed on the Internet.

application group

In the east-west business visualization module, an application group is a collection of applications that provide the same or similar services. For example, you can add all ECS instances that are deployed with MySQL to a database application group.

An application is the smallest unit of east-west business visualization in Cloud Firewall. By default, an application serves as a collection of all open ports on an ECS instance. You can create an application by cloning the application of a specific port.

business group

In the east-west business visualization module, a business group contains all application groups related to a specific business. For example, a web portal business group contains web application groups and database application groups.

vulnerable application group and vulnerable business group

A vulnerable application group is a collection of applications that have open vulnerable ports, such as port 445. Each vulnerable port corresponds to a vulnerable application group.

A vulnerable business group is a collection of vulnerable application groups.

You can use vulnerable business groups and application groups to identify the ECS instances that have open vulnerable ports or have accessed vulnerable ports.

Cloud Firewall automatically creates vulnerable business groups and adds the affected businesses to these groups.

first visit traffic

First visit traffic is the first occurrence of access traffic from a source IP address to a destination IP address within a statistical period. You can investigate the cause based on information such as the time, source IP address, and destination IP address. Typically, first visit traffic is caused by new services that are published or by intrusions.
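The following added example (not Cloud Firewall code, and not from the original page) shows how first visit traffic can be derived from flow records: a flow is a first visit when its (source IP, destination IP) pair has not been seen earlier in the same statistical period, regardless of port. It also marks first visits to port 445, the vulnerable port named in the vulnerable application group section above. The flow records, the one-hour period and the field layout are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): ISO time, src IP, dst IP, dst port.
SAMPLE_FLOWS = [
    ("2025-08-06T09:00:00", "10.0.1.5", "203.0.113.10", 443),
    ("2025-08-06T09:05:00", "10.0.1.5", "203.0.113.10", 443),  # repeat, same period
    ("2025-08-06T09:10:00", "10.0.1.7", "198.51.100.25", 445),
    ("2025-08-06T09:20:00", "10.0.1.5", "203.0.113.10", 22),   # new port, same pair
    ("2025-08-06T11:30:00", "10.0.1.5", "203.0.113.10", 443),  # new period
    ("2025-08-06T11:45:00", "10.0.1.7", "198.51.100.25", 445),
]

# Port 445 is the vulnerable port named on the page; the set is an assumption.
VULNERABLE_PORTS = {445}

# Epoch reference for period bucketing (naive datetime, so no timezone effects).
_EPOCH = datetime(1970, 1, 1)


def first_visits(flows, period=timedelta(hours=1)):
    """Return the flows that are the first (src, dst) access within their period.

    A statistical period is a fixed window of `period` length counted from _EPOCH.
    The key deliberately excludes the port: a second port between an already-seen
    pair in the same period is not first visit traffic under the page's definition.
    """
    seen = set()
    result = []
    for ts, src, dst, port in flows:
        t = datetime.fromisoformat(ts)
        bucket = (t - _EPOCH) // period  # integer period index
        key = (bucket, src, dst)
        if key in seen:
            continue
        seen.add(key)
        result.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "port": port,
            # Flag first visits to vulnerable ports for priority investigation.
            "vulnerable_port": port in VULNERABLE_PORTS,
        })
    return result


if __name__ == "__main__":
    for visit in first_visits(SAMPLE_FLOWS):
        print(visit)
```

Each entry carries the time, source and destination the page says you should use to investigate the cause; a pipeline would key the `seen` set per period and discard old buckets to bound memory.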

address book

Cloud Firewall lets you create address books of IP addresses or port numbers. This lets you implement flexible access control based on IP addresses or ports. When you configure an access control policy, you can reference an address book to cover all of its IP addresses or ports at once.

Cloud Firewall supports the following types of address books:

  • IP address book: lets you specify a set of IP addresses.

  • Port address book: lets you specify a set of ports.

  • Domain name address book: lets you specify a set of domain names.

  • Cloud address book: lets you specify a set of IP addresses or domain names.

The following rules apply to address books:

  • Cloud Firewall has built-in global address books. You cannot modify or delete these address books.

  • One IP address or port number can be added to multiple address books.

  • If you change the IP addresses or port numbers in an address book, the changes automatically take effect for access control policies.