If your cloud resources communicate with the Internet, even for outbound access only, you should deploy Cloud Firewall at your Internet egress point. This allows you to control network access and protect traffic.
Security risks
An ECS instance connected to the Internet is exposed to both inbound and outbound security threats:
-
Inbound threats: These are active attacks that originate from the Internet. Attackers continuously scan public IP addresses. When they find open ports, such as port 22 for SSH, 3306 for databases, or 3389 for remote desktop, they may intrude using the following methods:
-
Exploits: Attackers launch remote code execution attacks against known vulnerabilities in your applications or system software, such as Log4j or Fastjson, to gain direct control of the instance.
-
Brute-force attacks: Attackers persistently try to guess passwords for services like SSH, RDP, and databases. If a weak password is used, the instance can be easily compromised.
-
Web attacks: These include attacks that target web services, such as SQL injection, cross-site scripting (XSS), and webshell uploads.
-
DDoS attacks: Attackers use malformed packets or traffic floods to exhaust your instance resources and cause service disruptions.
-
-
Outbound threats: If your instance is compromised, it can become a launchpad within an attacker's network. This can lead to malicious outbound connections with serious consequences:
-
Command and control (C&C) communication: Implanted trojans or botnet programs connect to external C&C servers to receive instructions and send back data.
-
Data breaches: Attackers steal sensitive data from your instance and transfer it to an external server.
-
Lateral movement: By using your compromised instance as a base, attackers can target other instances within your VPC or launch external attacks, such as sending spam or participating in DDoS attacks. This activity can get your IP address blocklisted globally and damage your business reputation.
-
Cloud Firewall uses technologies such as deep packet inspection (DPI), intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies to filter inbound and outbound traffic. It determines whether traffic should be allowed, effectively blocking unauthorized access and securing traffic between your public assets and the Internet.
-
Deep packet inspection (DPI): Cloud Firewall inspects the content of network traffic, not just IP addresses and ports.
-
Intrusion prevention system (IPS): Built on DPI, the IPS uses a library of thousands of attack signature rules to accurately identify and block malicious traffic, including exploits, brute-force attacks, mining trojans, and webshells, even if the traffic uses ports that you have intentionally opened.
-
Threat intelligence integration: Cloud Firewall integrates in real time with Alibaba Cloud's network-wide database of malicious IP addresses and domains. It automatically blocks connection attempts from known malicious IPs and botnet command and control (C&C) servers.
-
Virtual patching: Before an official software or system patch is released, Cloud Firewall can update its IPS rules to provide a temporary "virtual patch." This helps block exploits for zero-day vulnerabilities before attackers can exploit them.
Best practices
Enable the Internet Firewall and protect public assets
-
Enable protection for your assets.
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, click Firewall.
-
On the Internet Firewall tab, click the IPv4 or IPv6 tab to manually enable protection for a public asset.
If the asset that you want to protect does not appear in the public asset list, click Synchronize Assets in the upper-right corner. This action synchronizes assets from your current Alibaba Cloud account and its member accounts. The synchronization process takes about 1 to 2 minutes.
-
Enable protection for a single asset
In the public asset list, find the asset that you want to protect and click Enable Protection in the Actions column.
-
Enable protection for multiple assets
In the public asset list, select the assets to protect, and then click Enable Protection below the list.
You can also click Enable Protection in the statistics area to enable Internet Firewall protection for all public assets at once, grouped by dimensions such as public IP, region, and asset type.
-
-
Use the firewall for access control
-
Deny access from foreign regions: Statistics show that many attacks originate from foreign IP addresses. Restricting access from these locations helps reduce your attack surface. For more information, see Configure a policy to deny host access from foreign regions.
-
Restrict domains that an ECS instance can access: Outbound Internet access from internal hosts should generally be restricted. For example, if an instance only needs to download images or installation packages from external sites, you should only allow web protocols for Internet access. For more information, see Configure a policy to allow a public instance to access a specific domain and Configure a policy to allow a private instance to access a specific domain.
For more best practices, see Access control best practices.
Defend against common attacks
-
Defend against database attacks: Major threats to databases include brute-force attacks, application vulnerabilities, malicious file read/write operations, command execution, information theft, and data dumping. Cloud Firewall provides deep traffic analysis, threat detection, and blocking capabilities for mainstream database software. For more information, see Best practices for database defense.
-
Defend against worms: Worms spread actively across networks by exploiting service vulnerabilities. They can cause service disruptions, information theft, regulatory blocks, and ransomware attacks. Cloud Firewall provides layered defense against the entire worm attack chain by detecting and blocking various worms and their variants. It continuously updates these capabilities based on the evolving security landscape to stop worm propagation. For more information, see Best practices to defend against worms.
-
Defend against system security threats: System security risks include improper configurations (such as unnecessary open ports, weak passwords, and weak security policies) and system vulnerabilities (such as remote code execution, denial-of-service, and information disclosure vulnerabilities). The Cloud Firewall IPS module monitors network-wide attack trends, proactively blocks scanning and intrusion attempts, intercepts high-risk exploits, and stops reverse shells and system file leaks. For more information, see Best practices for system security defense.
-
Defend against mining programs: The Cloud Firewall IPS module uses threat intelligence and virtual patching to track and defend against network exploits used by mining worms, thereby blocking their propagation. Additionally, the breach awareness feature in Cloud Firewall can detect mining worms, identify infected instances, and enable timely remediation. For more information, see Best practices to defend against mining programs.