If your cloud resources communicate with the Internet, you can deploy Cloud Firewall at your Internet egress to control network access and protect traffic. This is recommended even if your resources only access the Internet and do not provide services.
Security risks
If your ECS server is connected to the Internet, it is exposed to both inbound and outbound security threats:
Inbound threats: These are active attacks that originate from the Internet. Attackers constantly scan public IP addresses. If they find an open port, such as port 22 for Secure Shell Protocol (SSH), port 3306 for databases, or port 3389 for remote desktop, they attempt to intrude using the following methods:
Exploits: Attackers target known vulnerabilities in your applications or system software, such as Log4j and Fastjson. They then launch arbitrary code execution attacks to obtain direct control of your server.
Brute-force attacks: Attackers continuously guess passwords for services such as SSH, RDP, and databases. If a weak password is used, the server is easily compromised.
Web attacks: These are attacks against web services, such as SQL injection, cross-site scripting (XSS), and Webshell uploads.
DDoS attacks: Attackers use malformed packets or traffic floods to exhaust your server resources and cause service disruptions.
Outbound threats: If your server is compromised, it becomes a springboard in an attacker's network. The server then generates malicious outbound traffic, which can lead to serious consequences:
C&C communication (Command and Control): Implanted trojans or botnet programs actively connect to an external control center to receive instructions and send data.
Data breach: Hackers steal sensitive data from the server and transfer it to an external location.
Lateral movement: Attackers use your server as a base to attack other servers within the VPC or launch external network attacks, such as sending spam or participating in DDoS attacks. This can cause your IP address to be blocked globally and damage your business reputation.
Cloud Firewall filters inbound and outbound traffic using deep packet inspection (DPI) traffic analysis, intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies. It determines whether traffic is allowed and effectively blocks illegal access attempts. This secures the traffic between your public assets and the Internet.
Deep packet inspection (DPI): Cloud Firewall inspects the content of network traffic, not just the IP addresses and ports.
Intrusion prevention system (IPS): Based on DPI, Cloud Firewall uses a built-in library of thousands of attack signature rules to accurately detect and block malicious traffic, such as exploits, brute-force attacks, mining trojans, and Webshells. This protection is effective even if the traffic targets ports that you have intentionally opened.
Threat intelligence integration: Cloud Firewall integrates in real time with Alibaba Cloud's global threat intelligence database of malicious IP addresses and domain names. It automatically blocks connection requests from known malicious IP addresses and botnet C&C servers.
Virtual patching: Before an official application or system patch is released, Cloud Firewall provides a temporary virtual patch by updating its IPS rules. This blocks 0-day exploits before attackers can use them.
Best practices
Enable the Internet firewall and protect public assets
Enable asset protection.
Log on to the Cloud Firewall console.
In the left navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPv4 or IPv6 tab to manually enable protection for your public assets.
If an asset you want to protect does not appear in the public asset list, click Synchronize Assets in the upper-right corner of the list to sync assets from your Alibaba Cloud account and its member accounts. The sync process takes 1 to 2 minutes.
Enable protection for a single asset
In the list of public assets, find the asset that you want to protect. In the Actions column for that asset, click Enable Protection.
Enable protection for multiple assets
In the public asset list, select one or more public assets and click Enable Protection below the list.
Alternatively, click Enable Protection in the data statistics area to enable Internet Border protection for all public assets at once. The assets are organized by dimensions such as public IP, region, and asset type.
Use the firewall for access control
Deny access from regions outside China: Statistics show that many attacks originate from IP addresses outside China. You can restrict access from these IP addresses to reduce attacks. For more information, see Configure an access control policy to deny traffic from regions outside China to a server.
Restrict domains that ECS instances can access: Access from internal hosts to the Internet should typically be restricted. For example, if a server only needs to download images or installation packages from external sites, you can allow the server to access the Internet only using web protocols. For more information, see Configure access control policies to allow traffic from an Internet-facing server only to a specific domain name and Configure access control policies to allow traffic from an internal-facing server only to a specific domain name.
For more information, see Access control best practices.
Use the firewall to defend against common attacks
Defend against database attacks: The main threats to databases include brute-force attacks, database application vulnerabilities, malicious file reads and writes, command execution, information theft, and data exfiltration. Alibaba Cloud provides in-depth stream analysis, threat detection, and blocking capabilities for mainstream database software. For more information, see Best practices for database security defense.
Defend against worms: Worms exploit service vulnerabilities to actively spread across networks. They can cause service disruptions, information theft, regulatory blocks, and ransomware attacks. Cloud Firewall provides a layered defense against the worm attack chain. It detects and blocks various worms and their variants. Based on the cloud risk posture, Cloud Firewall also updates and expands its detection and blocking capabilities for the latest worms in real time. This disrupts the entire worm attack and propagation chain. For more information, see Best practices to defend against worms.
Defend against system security threats: System security risks include improper configurations, such as incorrectly opened ports, weak passwords, and weak security policies, and system vulnerabilities, such as command execution, denial-of-service, and information disclosure vulnerabilities. The Cloud Firewall IPS module monitors the global attack landscape. It blocks scanning and intrusion behaviors, intercepts access that exploits high-risk vulnerabilities, and blocks behaviors such as reverse shells and system file leaks. For more information, see Best practices for system security defense.
Defend against mining programs: The Cloud Firewall IPS module uses vulnerability intelligence and virtual patching to track and defend against network exploits used by most mining worms, which blocks virus propagation. Cloud Firewall also uses its breach awareness feature to detect mining worms, identify infected servers, and enable prompt remediation. For more information, see Best practices to defend against mining programs.