This solution integrates the detection results of the intrusion prevention system (IPS) private IP tracing feature provided by Cloud Firewall with the session logs of NAT Gateway to identify at-risk private IP addresses and trace and analyze cyberattacks.
Business risks
In most cases, enterprises deploy Internet NAT gateways for resources in virtual private clouds (VPCs) to translate and hide the private IP addresses of the resources. This prevents the private IP addresses from being directly exposed and builds a secure and isolated Internet ingress and egress for traffic. Enterprises also deploy security devices, such as firewalls, at the Internet ingress and egress to filter inbound and outbound Internet traffic of NAT gateways. After Internet cyberattacks or illegal outbound connections occur, only the elastic IP addresses (EIPs) of at-risk NAT gateways can be identified. The private IP addresses of assets such as Elastic Compute Service (ECS) instances cannot be quickly identified. This makes it difficult to trace the attack sources or promptly handle the risks.
Solution
To resolve this issue, Cloud Firewall and NAT Gateway jointly launch the IPS private IP tracing feature. Cloud Firewall automatically associates the detection results of the feature with NAT session logs for analysis and displays the private IP addresses of attacked assets. This helps enterprises quickly and accurately identify attacked assets and take effective measures.
IPS private IP tracing: The IPS engine of Cloud Firewall detects and prevents inbound and outbound attack traffic over the Internet. Cloud Firewall monitors all network traffic that passes through Cloud Firewall, filters traffic by using the IPS engine, and then forwards normal traffic. Cloud Firewall uses the Deep Packet Inspection (DPI) engine to identify the protocols of network traffic and parse packets. Cloud Firewall also performs traffic filtering and packet filtering by using the IPS engine and threat intelligence. If traffic matches the rules of the threat detection engine in any of its modes or matches IPS rules, attack packets are discarded, alerts are generated, and attacks are blocked in real time. Cloud Firewall also records logs of IPS attacks.
NAT session log: NAT Gateway provides the session log feature. If you create an SNAT entry for your NAT gateway and traffic flows through the NAT gateway, SNAT sessions are recorded as logs to facilitate tracing and monitoring. SNAT sessions are sent and written to Simple Log Service (SLS) as logs. Each session log records a five-tuple network flow captured within a specific time window. You can also use port mapping to identify specific private IP addresses of DNAT inbound traffic.
Private IP address tracing of outbound traffic attacks
Private IP address tracing of inbound traffic attacks
Sample scenario
The e-mall of a medium-sized new retail enterprise is used as an example. To ensure business stability and security, the enterprise deploys a NAT gateway in a demilitarized zone (DMZ) VPC as the egress and ingress of all Internet traffic to reduce exposure risks. The enterprise also uses Cloud Firewall and enables the Internet firewall to filter and protect the traffic of the elastic IP address (EIP) associated with the NAT gateway. One night, the security O&M team received an alert about unusual traffic. A machine was suspected of being intruded by an attacker by exploiting a vulnerability. The machine was embedded with a trojan to initiate malicious access traffic, access an IP address outside China, download bash scripts, and inject CoinMiner family trojans. The security O&M team must quickly identify the abnormal backend server that is being attacked.
In this case, the enterprise can enable the IPS private IP tracing feature of Cloud Firewall. After this feature is enabled, the system automatically associates the session logs of NAT Gateway with the IPS attack logs of Cloud Firewall for analysis, and then associates a five-tuple network flow captured in a specific time window of each NAT session log with each IPS event log recorded by Cloud Firewall. This allows the enterprise to identify at-risk private IP addresses in minutes. Then, security O&M engineers can quickly identify the at-risk private network server and configure access control policies to block outbound traffic of the attacked server and remove the trojans. This minimizes losses and prevents the spread of risks at the earliest opportunity.
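To make the correlation concrete, the following added example (not Cloud Firewall's or NAT Gateway's own code; the field names, the 30-second tolerance and the sample addresses are assumptions) joins an outbound IPS event with constructed SNAT session logs by EIP, NAT port, destination and time window, and resolves an inbound event through a DNAT port mapping as described for DNAT traffic above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Field names are assumptions for illustration, not the real SLS log schema.
@dataclass
class SnatSession:          # one NAT session-log record: five-tuple plus time window
    private_ip: str
    private_port: int
    nat_ip: str             # EIP associated with the NAT gateway
    nat_port: int           # source port after SNAT
    dst_ip: str
    dst_port: int
    start: datetime
    end: datetime

@dataclass
class IpsEvent:             # one Cloud Firewall IPS log as seen on the Internet side
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seen: datetime

def trace_outbound(event, sessions, tolerance=timedelta(seconds=30)):
    """Private IPs behind an outbound IPS event. NAT ports are reused over time,
    so the session's time window (padded by `tolerance` for timestamp skew
    between the two log sources) is what disambiguates same-five-tuple hits."""
    hits = {
        s.private_ip for s in sessions
        if (s.nat_ip, s.nat_port, s.dst_ip, s.dst_port)
           == (event.src_ip, event.src_port, event.dst_ip, event.dst_port)
        and s.start - tolerance <= event.seen <= s.end + tolerance
    }
    return sorted(hits)

def trace_inbound(event, dnat_map):
    """Inbound events need no session join: the DNAT port mapping
    (EIP, public port) -> (private IP, private port) names the asset."""
    return dnat_map.get((event.dst_ip, event.dst_port))

# Constructed sample data (documentation-range addresses, not real assets).
T0 = datetime(2024, 5, 1, 2, 14, 0)
SESSIONS = [
    SnatSession("10.0.1.23", 51234, "203.0.113.10", 40001, "198.51.100.77", 443, T0, T0 + timedelta(minutes=5)),
    # same NAT port reused an hour earlier by a different server
    SnatSession("10.0.2.8", 43210, "203.0.113.10", 40001, "198.51.100.77", 443, T0 - timedelta(minutes=60), T0 - timedelta(minutes=55)),
    SnatSession("10.0.3.5", 51234, "203.0.113.10", 40002, "198.51.100.77", 443, T0, T0 + timedelta(minutes=5)),
]
DNAT_MAP = {("203.0.113.10", 8080): ("10.0.1.23", 80)}
OUTBOUND_ALERT = IpsEvent("203.0.113.10", 40001, "198.51.100.77", 443, T0 + timedelta(minutes=2))
```

In a real deployment the session logs and IPS logs come from SLS, and an event that matches more than one private IP after the time-window filter should be treated as unresolved rather than attributed to the first hit.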
Usage notes
Cloud Firewall that uses the subscription and pay-as-you-go billing methods supports this solution. Internet NAT gateways that are billed based on capacity units (CUs) support this solution. You cannot enable the session log feature for pay-by-specification NAT gateways.
If you enable the IPS private IP tracing feature, you are not charged for the feature. However, the system creates indexes on the session logs of your NAT gateways to allow you to query the logs. You are charged for the indexes and query operations. For more information, see the documentation about the billing rules of SLS.
If indexing is disabled for the session logs of NAT gateways or the required fields for source tracing do not exist after the feature is enabled, the system automatically rebuilds indexes or creates indexes for the required fields.
Procedure
Log on to the Cloud Firewall console. In the left-side navigation pane, choose . In the Advanced Settings section, click View Configurations next to IPS Private IP Tracing.
On the IPS Private IP Tracing page, you can view all Internet-facing assets for which you can enable the IPS private IP tracing feature. You can enable the IPS private IP tracing feature for an asset only if the values in the Internet Firewall Status and Session Log for NAT Gateway columns of the asset are Enabled. Turn on the switch in the Operation column and perform the required operations as prompted. For more information, see the following topics:
For more information, see IPS private IP tracing.
View the tracing results
The IPS private IP tracing feature correlates with the session log feature. NAT session logs are collected and delivered after a short latency. Therefore, you can query the tracing results only after approximately 20 minutes.
After you enable the IPS private IP tracing feature, you can view the tracing results on the following pages:
List
Details page
List
Details page
tab
References
For more information about the IPS configuration of Cloud Firewall, see IPS configuration.
For more information about how to protect outbound traffic of private networks by using NAT gateways and NAT firewalls, see Protect outbound traffic of private networks by using NAT gateways and NAT firewalls.