This topic describes the risks in outbound connections initiated by internal-facing assets, the solutions to resolve the risks, and the solutions for typical business scenarios. This topic also describes the deployment and O&M procedures.
Security challenges of outbound traffic
As network attacks become more sophisticated, enterprises face increasingly difficult security challenges. In most cases, the cloud workloads of an enterprise involve both inbound traffic from the Internet and outbound traffic initiated by the enterprise's own assets. When the security O&M teams of most enterprises consider how to protect their networks, inbound traffic is prioritized and relatively complete security measures are implemented for it. As a result, enterprises may remain exposed to risks in outbound network traffic. For example, if inbound protection measures are bypassed and attackers penetrate the internal network, the result can be data theft, download and installation of malicious software, or outbound command and control (C&C) connections. Internal personnel may also access external networks without authorization, or access malicious websites and applications, because security management measures in the enterprise are not enforced. This results in risks such as sensitive data leaks.
Enterprises must pay attention to the following potential security risks in outbound traffic:
Malware attack risk
When attackers bypass security measures for inbound traffic protection and compromise the internal workloads of an enterprise, they often initiate outbound C&C connections, such as callbacks that download ransomware. In an attack chain, malware infection is one of the initial stages of volumetric attacks. Most malware needs to communicate with C&C servers to establish connections, obtain updates, receive commands, and send stolen data back to the C&C servers. Specific types of ransomware, botnets, and mining programs require outbound callbacks. Alerting on and blocking malicious outbound connections is therefore required to prevent further damage to the IT infrastructure, digital assets, and development systems of the enterprise.
Data leak risk
Attackers aim to steal high-value data from enterprises. If an enterprise is compromised, the attacker can obtain high-value data such as financial records, passwords, emails, and personal identity information. The attacker can then spread the data over the Internet for malicious activities such as illegal transactions, financial fraud, and identity theft. Attackers may also use the obtained information to escalate privileges or access sensitive data systems of the enterprise, which exposes the enterprise to more critical risks.
Internal personnel-based risk
Internal personnel of an enterprise may call or access insecure web services, geographic locations, or IP addresses during business system development or O&M because of insufficient security awareness or lax security management. Internal personnel may also intentionally upload sensitive data to an open source platform such as GitHub. This exposes the enterprise to attacks and sensitive data leaks. These risks must be monitored, alerts must be triggered, and the risks must be blocked at the earliest opportunity. Auditing and tracing are also required.
Supply chain risk
Even if the security system of an enterprise is complete, its business may involve third-party systems, or it may need to communicate with the systems of suppliers or subsidiaries. If those systems are attacked and compromised because of insufficient security measures, the system of the enterprise is also affected, and malicious outbound connections may be initiated from it. The enterprise must therefore monitor and audit the traffic from the supply chain, and trace and handle detected risks at the earliest opportunity.
Compliance risks of outbound traffic
Specific industry regulators and internal security audit teams impose clear and strict requirements on outbound traffic to improve system security. For example, Requirement 1.3.2 of the Payment Card Industry Data Security Standard (PCI DSS) v4.0 requires control of outbound traffic from the cardholder data environment (CDE). For more information, visit PCI DSS v4.0. Under this requirement, only outbound traffic that is considered necessary is allowed, and all other outbound traffic must be blocked. The requirement is designed to prevent malicious individuals and compromised system components within the physical network from communicating with untrusted external hosts. Therefore, enterprises also need to perform strict security management and auditing of outbound traffic.
Solutions
To ensure the security of outbound traffic, enterprises can use the NAT gateway plus NAT firewall solution to monitor and protect outbound traffic in an efficient manner.
A NAT gateway allows you to create SNAT and DNAT entries for your cloud servers to access the Internet. After you configure SNAT entries for a NAT gateway, when an Elastic Compute Service (ECS) instance initiates an outbound connection, the ECS instance accesses the Internet by using an elastic IP address (EIP) in the SNAT address pool. This prevents the private network from being directly exposed on the Internet and improves asset security.
The NAT Firewall is provided by Cloud Firewall. A NAT firewall can protect network traffic at Layer 4 to Layer 7 from resources such as ECS instances and elastic container instances in a virtual private cloud (VPC) to the Internet over a NAT gateway. The NAT firewall can audit and intercept unauthorized traffic to reduce security risks such as unauthorized access, data leaks, and network traffic attacks. Compared with the SNAT rules of NAT Gateway, an access control policy of Cloud Firewall can control the specified destination IP address, destination domain name, destination region, protocol, port, and application in a finer-grained manner.
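The paragraph above lists the dimensions on which a NAT firewall access control policy can match (destination IP address, domain name, region, protocol, port, and application) and contrasts that with SNAT, which only decides which EIP an instance uses. The following added example (not Cloud Firewall's own code) models how such an ordered policy is evaluated: rules are checked top-down, the first match wins, and a trailing default deny gives the "allow only what is necessary" posture that PCI DSS Requirement 1.3.2 asks for. The rule set, the request fields, and the region and application labels are constructed assumptions for illustration.

```python
"""Added example: a minimal model of ordered NAT-border access control.

Each Rule carries only the match fields it needs; an empty field matches
anything.  evaluate() returns the action of the first matching rule or a
default deny, so the order of the rules matters, exactly as in a firewall
policy list.  Region and application are plain strings attached to the
request by the caller (an assumption of this example).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                                      # "allow" or "deny"
    dest_cidrs: list = field(default_factory=list)   # e.g. ["203.0.113.0/24"]
    dest_domains: list = field(default_factory=list) # exact or "*.example"
    dest_regions: list = field(default_factory=list) # caller-supplied labels
    protocols: list = field(default_factory=list)    # "tcp", "udp", "icmp"
    ports: list = field(default_factory=list)        # ints or "low-high"
    applications: list = field(default_factory=list) # e.g. "HTTPS", "SSH"
    name: str = ""


def _port_matches(port, spec):
    if isinstance(spec, int):
        return port == spec
    low, high = (int(x) for x in spec.split("-"))
    return low <= port <= high


def _domain_matches(domain, pattern):
    # "*.example" matches any subdomain of example, but not "example" itself.
    domain, pattern = domain.lower(), pattern.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return domain == pattern


def rule_matches(rule, req):
    """True if every non-empty field of the rule matches the request."""
    if rule.dest_cidrs and not any(
            ipaddress.ip_address(req["dst_ip"]) in ipaddress.ip_network(c, strict=False)
            for c in rule.dest_cidrs):
        return False
    if rule.dest_domains and not any(
            _domain_matches(req.get("dst_domain", ""), p) for p in rule.dest_domains):
        return False
    if rule.dest_regions and req.get("dst_region") not in rule.dest_regions:
        return False
    if rule.protocols and req.get("protocol") not in rule.protocols:
        return False
    if rule.ports and not any(_port_matches(req["dst_port"], s) for s in rule.ports):
        return False
    if rule.applications and req.get("application") not in rule.applications:
        return False
    return True


def evaluate(policy, req):
    """Return (action, rule_name) for the first matching rule; default deny."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed policy in the spirit of Scenario 2: payment, quotation and
# regulatory services are allowed, one region is blocked, everything else
# is denied by the implicit default rule.
POLICY = [
    Rule("allow", dest_domains=["*.payment.example"], protocols=["tcp"],
         ports=[443], applications=["HTTPS"], name="payment-service"),
    Rule("allow", dest_cidrs=["203.0.113.0/24"], protocols=["tcp"],
         ports=["8000-8100"], name="quotation-feed"),
    Rule("deny", dest_regions=["untrusted-region"], name="block-region"),
    Rule("allow", dest_domains=["regulator.example"], protocols=["tcp"],
         ports=[443], name="regulatory-upload"),
]

if __name__ == "__main__":
    for req in [
        {"dst_ip": "198.51.100.7", "dst_domain": "api.payment.example",
         "protocol": "tcp", "dst_port": 443, "application": "HTTPS"},
        {"dst_ip": "203.0.113.20", "protocol": "tcp", "dst_port": 22},
        {"dst_ip": "192.0.2.9", "dst_domain": "code-host.example",
         "protocol": "tcp", "dst_port": 443, "application": "HTTPS"},
    ]:
        print(req.get("dst_domain") or req["dst_ip"], "->", evaluate(POLICY, req))
```

The deny-by-region rule sits above the regulatory allow rule on purpose: a request to regulator.example that carries the blocked region label is denied, which shows why the relative order of allow and deny rules must be reviewed when a policy is edited in the console.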
Solution architectures
Scenario 1: Protect outbound traffic across multiple VPCs
An enterprise runs its data center systems in the cloud. The enterprise has two VPCs: a production VPC and a test VPC. In the routine development environment, both VPCs must make external software calls, such as downloading Java Archive (JAR) package updates at startup. Employees of the enterprise may access only approved services and must not initiate unauthorized outbound connections. This prevents security risks.
Deployment method
Deploy a NAT gateway in each VPC. Configure SNAT entries for a NAT gateway and allow ECS instances in private networks to access the Internet by using the EIP of the NAT gateway.
Deploy a NAT firewall on each NAT gateway, and configure access control policies for each NAT firewall to block access to unauthorized IP addresses and domain names.
Scenario 2: Protect outbound traffic of a DMZ VPC
A financial institution is mainly engaged in securities and insurance services in the cloud, and has multiple business VPCs, including mid-end VPCs, third-party system VPCs, and quotation VPCs. All VPCs access the Internet by using demilitarized zones (DMZs). In the routine environment, the institution needs to access external payment services, external quotation services, and regulatory services. Access to normal services must be allowed and unauthorized outbound connections must be blocked. Unauthorized outbound connections may cause security risks. The institution must monitor and audit all outbound traffic in real time to detect unusual traffic and attacks at the earliest opportunity.
Deployment method
Deploy a NAT gateway in a DMZ VPC. You can create SNAT entries for the NAT gateway and allow ECS instances in private networks to access the Internet by using the EIP of the NAT gateway. Other VPCs can access the DMZ VPC by using a Cloud Enterprise Network (CEN) instance.
Create a NAT firewall for the NAT gateway deployed in the DMZ VPC, and configure access control policies for the NAT firewall to block traffic of unauthorized IP addresses and domain names.
Scenario 3: Protect outbound traffic of multiple vSwitches in a VPC
The access traffic of a single VPC in a large multinational organization is complex, and a large number of external-facing systems are deployed in the VPC. Therefore, security protection must be implemented separately for different assets, and finer-grained security policies are required.
Deployment method
NAT gateways are deployed in a business VPC based on different vSwitches. Multiple EIPs are associated with one of the NAT gateways. Configure SNAT entries for the NAT gateway to allow ECS instances in private networks to access the Internet by associating a NAT EIP.
A NAT firewall is deployed on each NAT gateway. Create access control policies for each NAT firewall to block traffic of unauthorized IP addresses and domain names.
Deployment guidance
Step 1: Deploy a NAT gateway
Log on to the NAT Gateway console and create an Internet NAT gateway for your VPC. For more information, see Create an Internet NAT gateway.
Associate an EIP with the created Internet NAT gateway. For more information, see Create and manage an Internet NAT gateway.
Important: An Internet NAT gateway works as expected only after you associate it with an EIP.
Create an SNAT entry for the Internet NAT gateway to allow ECS instances without public IP addresses to access the Internet. For more information, see Create and manage SNAT entries.
The NAT Firewall feature of Cloud Firewall supports only NAT gateways that have SNAT entries configured and no DNAT entries. Otherwise, a NAT firewall cannot be enabled.
Step 2: Create and enable a NAT firewall
Prerequisites
Cloud Firewall is activated, and a sufficient quota for NAT firewalls is purchased. For more information, see Purchase Cloud Firewall.
An Internet NAT gateway is created. For more information, see Create and manage a VPC.
Important: The NAT Firewall feature supports only Internet NAT gateways.
The Internet NAT gateway must meet the following requirements:
The Internet NAT gateway resides in the region where the NAT Firewall feature is available. For more information about the regions where the NAT Firewall feature is available, see Supported regions.
At least 1 EIP is associated with the Internet NAT gateway, and the number of EIPs associated with the NAT gateway is no more than 10. For more information, see Create and manage an Internet NAT gateway.
An SNAT entry is created, and no DNAT entries exist on the Internet NAT gateway. For more information, see Create and manage SNAT entries.
If a DNAT entry exists on the Internet NAT gateway, you must delete the DNAT entry before you can enable a NAT firewall. For more information, see Create and manage DNAT entries.
A 0.0.0.0 route that points to the Internet NAT gateway is added for the VPC of the Internet NAT gateway. For more information, see Create and manage a route table.
The subnet mask of the CIDR block that is allocated to the VPC of the Internet NAT gateway is at least 28 bits in length.
Procedure
If the created NAT gateway is not displayed in the NAT gateway list, you can click Synchronize Assets in the upper-right corner of the NAT Firewall tab to synchronize the information about the NAT gateway. The system requires 5 to 10 minutes to synchronize the information about the NAT gateway.
Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
Click the NAT Firewall tab. On the NAT Firewall tab, find the required NAT gateway and click Create in the Actions column.
In the Create NAT Firewall panel, create and enable a NAT firewall. For more information, see NAT Firewall.
After the NAT firewall is created, find the NAT firewall and turn on the switch in the Switch column.
Step 3: Configure an access control policy
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the NAT Border page, find the NAT gateway for which you want to create an access control policy and click Create Policy.
The NAT gateways within the current Alibaba Cloud account are automatically synchronized to Cloud Firewall.
In the Create Policy - NAT Border panel, configure the parameters and click OK. For more information, see Create an access control policy for a NAT firewall.
Step 4: Check whether the NAT firewall takes effect
Log on to an ECS instance in your VPC and run a curl command, such as curl www.test.com, to simulate access to the Internet. For more information about how to log on to an ECS instance, see Connection method overview.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, set the Source IP Address parameter to the internal-facing IP address of the ECS instance to search for traffic logs. If the created access control policy is in effect, the NAT firewall protects the outbound traffic of the NAT gateway.
O&M guidance
Analysis of unusual traffic
Step 1: Check whether excess traffic exists at the NAT boundary
Log on to the Cloud Firewall console. In the left-side navigation pane, click Overview.
On the Overview page, view the traffic trend and check whether an unusual traffic peak exists at a specific point in time.
Note: If a traffic peak exceeds the purchased protection bandwidth for NAT gateways, the purchased protection bandwidth is displayed on the trend chart. This allows you to identify the amount of traffic that exceeds the purchased protection bandwidth.
If an unusual traffic peak is identified, you must view the details of assets that initiate outbound connections to locate the abnormal IP address. For more information, see Step 2.
Step 2: Locate the abnormal IP address based on the details of assets that initiate outbound connections
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, sort IP addresses by access traffic, and check the IP addresses that have excessive access traffic to determine whether unusual access exists.
If an IP address generates unusual access traffic, you can further check details based on the log audit data. For more information, see Step 3.
Step 3: Check whether the unusual traffic is required in your workloads based on the log audit data
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, set the Source IP Address parameter to the internal-facing IP address of the ECS instance to search for traffic logs, and view the values of the Source IP Address, Source Port, and Destination Port parameters to determine whether the unusual traffic is required in your workloads.
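The three O&M steps above (spot a traffic peak against the purchased bandwidth, rank source IP addresses by outbound volume, then inspect the flows of the top talker) are shown here as an added example that is not part of the original guide. It runs over a constructed CSV sample of NAT-border traffic log records; the column layout, the sample values, and the list of approved destinations are assumptions of this example and not the field names used by Cloud Firewall's log audit.

```python
"""Added example: the O&M analysis steps run over constructed traffic logs.

Step 1 -> minutes_over_bandwidth(): per-minute Mbps compared with the
          purchased protection bandwidth.
Step 2 -> top_talkers(): bytes per source IP, sorted descending.
Step 3 -> review_source(): the flows of one source IP, each flagged as
          approved or not against a list of destinations the business needs.
"""
import csv
import io
from collections import defaultdict

# Constructed sample (not real log data).  One record per flow.
SAMPLE_LOGS = """\
time,src_ip,src_port,dst_ip,dst_port,protocol,dst_domain,bytes_out
2024-05-01T10:00:05,10.0.1.15,51022,203.0.113.10,443,tcp,api.payment.example,120000
2024-05-01T10:00:17,10.0.1.15,51023,203.0.113.10,443,tcp,api.payment.example,98000
2024-05-01T10:00:40,10.0.2.8,40211,198.51.100.5,8080,tcp,quote.feed.example,450000
2024-05-01T10:01:02,10.0.3.77,33001,192.0.2.200,443,tcp,unknown-host.example,90000000
2024-05-01T10:01:09,10.0.3.77,33002,192.0.2.200,443,tcp,unknown-host.example,85000000
2024-05-01T10:01:30,10.0.2.8,40212,198.51.100.5,8080,tcp,quote.feed.example,380000
2024-05-01T10:02:11,10.0.1.15,51030,203.0.113.10,443,tcp,api.payment.example,110000
"""

# Destinations the workloads are known to need (assumption, Scenario 2 style).
APPROVED_DESTINATIONS = {"api.payment.example", "quote.feed.example",
                         "regulator.example"}


def parse_logs(text):
    """Parse the CSV sample into dicts, converting the byte counter to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes_out"] = int(r["bytes_out"])
    return rows


def mbps_per_minute(rows):
    """Step 1: outbound Mbps for each minute bucket (time truncated to HH:MM)."""
    per_min = defaultdict(int)
    for r in rows:
        per_min[r["time"][:16]] += r["bytes_out"]
    return {m: b * 8 / 60 / 1_000_000 for m, b in per_min.items()}


def minutes_over_bandwidth(rows, purchased_mbps):
    """Minutes whose outbound rate exceeds the purchased protection bandwidth."""
    return sorted(m for m, v in mbps_per_minute(rows).items() if v > purchased_mbps)


def top_talkers(rows):
    """Step 2: (src_ip, total_bytes) sorted by volume, highest first."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["src_ip"]] += r["bytes_out"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def review_source(rows, src_ip):
    """Step 3: flows of one source IP, flagged against the approved list."""
    return [
        {"src_port": r["src_port"], "dst_ip": r["dst_ip"],
         "dst_port": r["dst_port"], "dst_domain": r["dst_domain"],
         "bytes_out": r["bytes_out"],
         "approved": r["dst_domain"] in APPROVED_DESTINATIONS}
        for r in rows if r["src_ip"] == src_ip
    ]


if __name__ == "__main__":
    rows = parse_logs(SAMPLE_LOGS)
    print("minutes over 10 Mbps:", minutes_over_bandwidth(rows, 10))
    for ip, total in top_talkers(rows):
        print(f"{ip:12} {total:>12} bytes")
    top_ip = top_talkers(rows)[0][0]
    for flow in review_source(rows, top_ip):
        print(flow)
```

With the sample data, the 10:01 minute exceeds a 10 Mbps purchased bandwidth, 10.0.3.77 is the top talker, and both of its flows go to a destination outside the approved list, which is the case where the guide says to keep investigating rather than simply increasing bandwidth.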
O&M suggestions
If you identify unusual peak traffic and determine that the traffic is required in your workloads, you can perform O&M based on the following suggestions:
Increase the protected bandwidth of Cloud Firewall
For more information, see Renewal.
Optimize business deployment
For example, if your service needs to access Alibaba Cloud Object Storage Service (OSS) or Simple Log Service, we recommend that you use internal endpoints to reduce traffic over the Internet. For more information, see Regions and endpoints and Endpoints.
Disable firewalls for IP addresses that you no longer want to protect
For more information, see Disable a NAT firewall.