ENS:Security solution of the edge cloud

Last Updated: Nov 11, 2025

ENS provides widely distributed global edge infrastructure, elastic computing power, and high-quality networks that customers can use to expand their business. ENS relies on the security capabilities of the central cloud to meet security requirements. This topic describes how to build a security system in the edge cloud by using Security Center, the network security capabilities of the edge cloud, Bastionhost, and Anti-DDoS Proxy. For more information, see What is Security Center?, Bastionhost, and What is Anti-DDoS Proxy?

I. Host security (Security Center)

Alibaba Cloud Security Center is a multifunctional security service that leverages cloud-native technology, years of cloud security and defense experience, and cutting-edge technology. Security Center provides various features such as cloud asset management, baseline check, proactive defense, security hardening, configuration assessment, and security status visualization. Security Center can detect risks in real time such as configuration risks, compliance risks, vulnerabilities, AccessKey pair leaks, and identity and permission management risks. Security Center can also defend against malicious behavior such as ransomware, mining viruses, trojans, and webshells, and attacks such as web page tampering. For more information about Security Center, see Product Overview.

Security capabilities of Security Center supported by ENS

The following list shows, for each category, the entry point in the left-side navigation pane of the Security Center console and the features that are supported for ENS instances.

Assets
  • Assets > Overview
      View information about all your assets.
  • Assets > Host
      Synchronize the information about the most recent assets.
      Add multi-cloud assets to Security Center.
      Perform security checks.
      Troubleshoot client issues.
      Collect information about assets.
      Perform batch O&M and cloud monitoring, which requires Cloud Assistant.
      Enable or disable protection.
      Remove assets from Security Center.
      Check asset fingerprints.

Risk Governance
  • Risk Governance > Vulnerabilities
      Detect and fix Linux software vulnerabilities.
      Detect and fix Windows system vulnerabilities.
      Detect and fix Web-CMS vulnerabilities.
      Detect emergency vulnerabilities.
      Scan applications for vulnerabilities.
  • Risk Governance > Baseline Check
      Detect and fix baseline risks.
  • Risk Governance > Cloud Honeypot
      Use cloud honeypots for hosts.
  • Risk Governance > SDK for Malicious File Detection
      Use the SDK for malicious file detection.
  • Risk Governance > Log Analysis
      View host logs.
      View security logs.

Detection and Response
  • Detection and Response > Alert
      Customize web directories.
      Configure alert handling rules.
      Archive data.
      View and restore quarantined files.
  • Detection and Response > Attack Analysis
      Analyze attacks.

Protection Configuration
  • Protection Configuration > Host Protection > Anti-ransomware
      Protect against ransomware.
  • Protection Configuration > Host Protection > Virus Detection and Removal
      Detect and remove viruses.
  • Protection Configuration > Host Protection > Web Tamper Proofing
      Protect against web tampering.
  • Protection Configuration > Host Protection > Host-specific Rule Management
      Protect against malicious behavior.
      Manage common logons.
  • Protection Configuration > Container Protection > Container Image Scan
      Scan images for system vulnerabilities.
      Scan images for application vulnerabilities.
      Scan images for baseline risks.
      Scan images for malicious samples.
      Fix system vulnerabilities in images.
      Fix application vulnerabilities in images.
      Fix malicious samples in images.
  • Protection Configuration > Container Protection > Proactive Defense for Containers
      Perform proactive defense for containers.
  • Protection Configuration > Container Protection > Container File Protection
      Use the container firewall.
  • Protection Configuration > Application Protection
      Protect applications.

System Configuration
  • System Configuration > Security Report
      View security reports.
  • System Configuration > Feature Settings
      Configure features.
  • System Configuration > Notification Settings
      Configure notifications.

Activate and deploy Security Center

  1. Purchase Security Center:

    You can purchase Security Center on the Security Center buy page of the Alibaba Cloud official website. Security Center provides multiple editions of basic protection services and value-added services to meet your security requirements in different scenarios. You can purchase the suitable edition and value-added services based on your security requirements. For more information, see Purchase Security Center.

  2. Install the Security Center agent on the ENS instance:

    Security Center can protect your Edge Node Service only after you install the Security Center agent on your ENS instance. The Security Center agent is a software component that can be installed on instances to collect and analyze logs and data, and monitor and detect threats on the instances.

    1. Before you install the Security Center agent, make sure that your Edge Node Service instance can access the Internet.

    2. Log on to the ENS instance and run the agent installation command as the administrator or root user.

      1. Installation command for Linux:

        wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh -k=v342lk

      2. Installation command for Command Prompt in Windows:

        powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe',$ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; "./AliAqsInstall.exe -k=Az481e"

  3. Check whether the Security Center agent is installed.

    After you install the Security Center agent on an instance, Security Center downloads the agent-related files to the instance and starts the processes of the Security Center agent. You can view the status of the Security Center agent in the Security Center console or the status of the processes to check whether the Security Center agent is installed.

    As shown in the following figure, the Edge Node Service instance is displayed on the Host page in the Security Center console.


    Note

    The computing power of the edge cloud is distributed to edge nodes outside the central cloud. Therefore, the instance is displayed as a Server Outside Cloud in the Security Center console.

II. Network security within an edge node

1. Security group

A security group acts as a virtual firewall provided by Edge Node Service on edge nodes, which controls inbound and outbound traffic for ENS instances. You can configure inbound rules for a security group to control traffic to ENS instances in the group and outbound rules to control traffic from the ENS instances.

The following figure shows the workflow of a security group.

  1. Create a security group:

    Creating a security group in the edge cloud is different from creating one in the central cloud. You only need to specify the security group name when you create a security group in the edge cloud. Such a security group does not belong to any edge node or virtual private cloud (VPC). The security group and its rules apply to all edge nodes and VPCs.


  2. Add security group rules:

    • Security group rules control inbound and outbound traffic for ENS instances. You can use security group rules in various scenarios, such as to allow or deny specific network traffic, close ports, restrict traffic of specific protocols, and configure access permissions on applications.

    • You can add security group rules when you create a security group or later.

  3. Add an ENS instance to a security group:

    When you create an ENS instance, you can specify only one security group for the instance. After that, you can add the ENS instance to more security groups on the Instances page in the ENS console. For an ENS instance that is associated with multiple security groups, all security group rules of the security groups are automatically sorted and work together with the default access control rules of the security groups to control traffic for the ENS instance. The security group rules are processed in a specific order. The processing continues until a rule is matched.

  4. Manage security group rules:

    • Improper configurations of security group rules can result in serious security risks. You can manage rules in a security group based on your business requirements to ensure network security of ENS instances in the security group.

    • You can modify the inbound and outbound rules of a security group on the details page of the security group. After you modify a security group rule, the modification applies to all ENS instances that are added to the security group on all edge nodes.

2. ACL

  • A network access control list (ACL) allows you to manage network access in a VPC. You can create network ACL rules and associate a network ACL with a VPC. This allows you to control inbound and outbound traffic of ENS instances in the VPC.

  • ACLs and security groups are both used to control inbound and outbound traffic. However, an ACL applies to the entire VPC, and ACL rules control the inbound and outbound traffic of all ENS instances in the VPC. A security group applies to specific ENS instances and only controls the inbound and outbound traffic of the ENS instances that are added to the security group.

  • If your services deployed in a VPC use the same rules for Internet access, you can configure ACLs to control the traffic for all ENS instances. If your services deployed in a VPC use different rules, you can use finer-grained security groups to control traffic for specific ENS instances.
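As an added illustration (not code from this topic or from ENS), the following Python script models how a network ACL and the rules of several security groups together decide whether an inbound packet reaches an ENS instance, and includes an audit function that flags the kind of improper rule the previous step warns about. The numeric rule priority, the default action when no rule matches, and the "ACL first, then security groups" order are assumptions of the model; this topic only states that the rules are sorted and processed until one matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the ENS traffic-control layers. Assumptions (not
# stated in the topic): rules carry a numeric priority and the lowest value
# is evaluated first; a security group with no matching rule drops the
# packet; a VPC with no ACL rules lets the packet through to the security
# groups, while an ACL with rules ends in an implicit drop.


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # inclusive port range; None = any / no port
    source: str                       # source CIDR for an inbound rule
    priority: int = 100               # assumption: lower is evaluated first

    def matches(self, proto: str, port: Optional[int], src: str) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if self.ports is not None and port is not None:
            lo, hi = self.ports
            if not lo <= port <= hi:
                return False
        return ip_address(src) in ip_network(self.source, strict=False)


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule]


def evaluate(rules: List[Rule], proto: str, port: Optional[int], src: str, default: str) -> str:
    # First match wins after sorting by priority. sorted() is stable, so rules
    # of several groups that share a priority keep the order they were merged in.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(proto, port, src):
            return rule.action
    return default


def allowed_inbound(acl: List[Rule], groups: List[SecurityGroup],
                    proto: str, port: Optional[int], src: str) -> bool:
    # The network ACL applies to the whole VPC and is checked first; a
    # security group attached to the instance cannot override an ACL drop.
    acl_default = "accept" if not acl else "drop"
    if evaluate(acl, proto, port, src, acl_default) == "drop":
        return False
    merged = [r for g in groups for r in g.inbound]
    return evaluate(merged, proto, port, src, "drop") == "accept"


def overly_permissive(groups: List[SecurityGroup], mgmt_ports=(22, 3389)):
    """Audit helper: inbound accept rules that expose management ports to any source."""
    findings = []
    for g in groups:
        for r in g.inbound:
            if r.action != "accept" or r.protocol not in ("tcp", "all"):
                continue
            any_source = ip_network(r.source, strict=False).prefixlen == 0
            lo, hi = r.ports if r.ports else (1, 65535)
            exposed = [p for p in mgmt_ports if lo <= p <= hi]
            if any_source and exposed:
                findings.append((g.name, exposed))
    return findings


# Constructed sample configuration.
VPC_ACL = [
    Rule("drop", "tcp", (23, 23), "0.0.0.0/0", priority=1),   # telnet never enters the VPC
    Rule("accept", "all", None, "0.0.0.0/0", priority=100),
]
WEB_SG = SecurityGroup("web", [
    Rule("accept", "tcp", (80, 80), "0.0.0.0/0", 50),
    Rule("accept", "tcp", (443, 443), "0.0.0.0/0", 50),
])
OPS_SG = SecurityGroup("ops", [
    Rule("accept", "tcp", (22, 22), "10.0.0.0/8", 10),         # SSH from the internal network
    Rule("drop", "tcp", (22, 22), "0.0.0.0/0", 20),            # SSH from anywhere else
])
LEGACY_SG = SecurityGroup("legacy", [
    Rule("accept", "tcp", (1, 65535), "0.0.0.0/0", 100),       # the rule the audit should flag
])

if __name__ == "__main__":
    print(allowed_inbound(VPC_ACL, [WEB_SG, OPS_SG], "tcp", 443, "203.0.113.7"))  # True
    print(allowed_inbound(VPC_ACL, [WEB_SG, OPS_SG], "tcp", 22, "203.0.113.7"))   # False
    print(overly_permissive([WEB_SG, OPS_SG, LEGACY_SG]))                          # [('legacy', [22, 3389])]
```

Running the audit against every security group before the rules are modified, as the next step suggests, catches a group such as `legacy` that would otherwise expose SSH and RDP on every instance on every edge node it is attached to.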

III. Security O&M (Bastionhost)

Bastionhost is a system O&M and security audit platform that is provided by Alibaba Cloud. Bastionhost allows you to manage O&M permissions and operations and play back recordings of O&M operations in a centralized manner. This way, you can identify the users who perform specific O&M operations, manage permissions, and audit O&M operations. Bastionhost makes asset management efficient, O&M responsibilities clear, and O&M events traceable, and helps enterprises meet the requirements for classified protection. For more information about Bastionhost, see Product Overview.

Capabilities of Bastionhost supported by ENS

To perform O&M on Edge Node Service resources, you need the Enterprise Dual-engine Edition of Bastionhost, which manages edge cloud assets in a unified manner through the proxy mode of the network domain feature.

The following list describes the supported features by category (the Feature and Description columns of the original table).

User management
  • Multiple user roles are supported, including administrators, O&M engineers, and auditors.
  • You can add a single user or import multiple users at a time by using a file.
  • Users from RAM, AD, and LDAP can be automatically synchronized.
  • You can import users from multiple authentication sources as Bastionhost users, such as Identity as a Service (IDaaS) users, DingTalk users, and Microsoft Azure AD users.
  • You can change the status of user accounts. The states include expired, locked, and inactive.
  • You can configure settings such as account lockout and the password validity period.

Asset management
  • You can perform O&M operations on Windows and Linux servers.
  • The following common protocols are supported for O&M: SSH and Remote Desktop Protocol (RDP).
  • You can perform O&M and audit operations on ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases.
  • You can manually add assets and import Alibaba Cloud and third-party cloud assets with a few clicks.
  • The logon information of assets, such as passwords and keys, can be managed on bastion hosts. This way, O&M engineers can access and perform O&M operations on assets without entering the asset passwords.
  • You can check the status of Elastic Compute Service (ECS) and ApsaraDB RDS instances and the network connectivity of assets. You can configure regular checks or check the status manually.
  • Security Center can be used to monitor asset risks and notify you of the status and number of risks, including alerts, vulnerabilities, and baseline risks. You can quickly go to Security Center to handle the risks.
  • You can perform centralized O&M operations on different types of assets. For example, you can manage assets in third-party clouds, assets on Alibaba Cloud, and assets in on-premises data centers in a centralized manner.
  • Network domain proxies are supported. A bastion host can use proxy servers to connect to assets over the internal network.
  • You can manually or periodically change the passwords of Linux servers.

O&M control
  • Two-factor authentication can be performed based on text messages, emails, Time-Based One-Time Passwords (TOTPs), and DingTalk.
  • Client tools such as Microsoft Terminal Services Client (MSTSC), Xshell, SecureCRT, and PuTTY can be used to log on to bastion hosts and access hosts.
  • WinSCP, Xftp, SecureFX, and other Secure File Transfer Protocol (SFTP) client tools on your computer can be used to log on to bastion hosts for file transfer.
  • An independent O&M portal is provided.
  • You can access hosts from a web browser.
  • O&M sessions can be monitored in real time and can be interrupted at any time.
  • You can control operations during RDP-based O&M, such as uploading or downloading files from the clipboard and disk mapping.
  • During SSH-based O&M, you can configure whitelists or blacklists to control commands and configure command approval policies. This helps you control the execution of high-risk and sensitive commands.
  • File transfer control covers the following operations during O&M: uploading, downloading, deleting, and renaming files, and creating and deleting folders.
  • The O&M applicant review feature is supported. After the feature is enabled, an O&M engineer can log on to the assets only after the Bastionhost administrator approves the O&M application submitted by the O&M engineer.
  • You can configure the users, source IP addresses, and time periods that are approved for logging on to a bastion host.
  • You can configure the maximum duration of an idle O&M session and the maximum total duration of O&M sessions.

Log audit
  • You can audit all O&M operations based on logs and videos. Video playback of O&M operations is supported.
  • File transfers can be audited.
  • O&M reports can be generated. You can export reports in PDF, HTML, and Word formats.
  • Audit logs of O&M sessions can be transferred to Simple Log Service and downloaded to your computer by using the log backup feature.

API operations
  • You can call API operations.
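An added example, not part of this topic or of Bastionhost itself, that models two of the O&M controls listed above in Python: a logon policy over approved users, source IP addresses and time periods, and SSH command control with a blacklist and an approval list for high-risk commands. The class names, regular-expression patterns and decision labels are assumptions made for the example. The point it adds is that a command control must inspect every segment of a chained command line, not only the first word, or a blocked command hidden after `;` or `&&` slips through.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Constructed model of two Bastionhost-style O&M controls. Everything here
# (class names, pattern syntax, decision labels) is an assumption for the
# example, not Bastionhost's own configuration format.


@dataclass
class LogonPolicy:
    users: Set[str]
    source_cidrs: List[str]
    window: Tuple[time, time]  # permitted time of day: [start, end)

    def permits(self, user: str, src_ip: str, at: datetime) -> bool:
        if user not in self.users:
            return False
        src = ip_address(src_ip)
        if not any(src in ip_network(c) for c in self.source_cidrs):
            return False
        start, end = self.window
        return start <= at.time() < end


# Shell operators that chain several commands on one line. A control that
# looks only at the first word of the line misses "ls; rm -rf /", so every
# segment is checked against the policy.
_CHAIN = re.compile(r"\s*(?:\|\||&&|[;|])\s*")


def split_chain(line: str) -> List[str]:
    return [seg for seg in _CHAIN.split(line.strip()) if seg]


@dataclass
class CommandPolicy:
    blocked: List[str]          # regexes; a match in any segment denies the line
    needs_approval: List[str]   # regexes for commands an administrator must approve
    approved: Set[str] = field(default_factory=set)  # command lines already approved

    def decide(self, line: str) -> str:
        segments = split_chain(line)
        if any(re.search(p, seg) for seg in segments for p in self.blocked):
            return "deny"
        if any(re.search(p, seg) for seg in segments for p in self.needs_approval):
            return "allow" if line.strip() in self.approved else "approval_required"
        return "allow"


# Constructed sample policies.
OPS_LOGON = LogonPolicy(
    users={"alice"},
    source_cidrs=["10.20.0.0/16"],       # office network only
    window=(time(9, 0), time(18, 0)),    # business hours
)

OPS_COMMANDS = CommandPolicy(
    blocked=[
        r"^rm\s+-\w*[rf]\w*\s+/(\s|$)",  # rm -rf / and its variants
        r"^mkfs(\.\w+)?\s",              # reformatting a disk
        r"^dd\s+.*\bof=/dev/",           # overwriting a block device
    ],
    needs_approval=[
        r"^(sudo\s+)?(systemctl|service)\s+(stop|restart)\s",
        r"^(sudo\s+)?iptables\b",
        r"^(sudo\s+)?useradd\b",
    ],
    approved={"sudo systemctl restart nginx"},  # constructed: ticket already approved
)

if __name__ == "__main__":
    print(OPS_LOGON.permits("alice", "10.20.1.5", datetime(2025, 11, 11, 10, 30)))  # True
    print(OPS_COMMANDS.decide("ls; rm -rf /"))                                       # deny
    print(OPS_COMMANDS.decide("sudo systemctl restart apache2"))                     # approval_required
```

The approval set is keyed on the exact command line, which mirrors the page's description of per-command approval: an approval for restarting one service does not carry over to a different command, and a chained line that contains a blocked segment is denied before the approval list is consulted.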

Activate and deploy Bastionhost

  1. Purchase Bastionhost:

    You can purchase Bastionhost on the Bastionhost buy page of the Alibaba Cloud official website. Multiple editions of Bastionhost are available to meet your O&M requirements in different scenarios. For more information, see Apply for a free trial of Bastionhost.

  2. Manage Edge Node Service instances:

    After you purchase Bastionhost, you can manage assets in the Bastionhost console.

    1. Create a network domain:

      • Bastionhost runs on the central cloud, whereas the computing power of the edge cloud is distributed across edge nodes outside the central cloud. Therefore, an ENS instance is not interconnected with the internal network of the VPC in which Bastionhost resides. We recommend that you use the network domain feature of Bastionhost when you perform O&M on Edge Node Service instances.

      • You can create a network domain, configure a proxy server, and then add an Edge Node Service instance to the network domain in the Bastionhost console. This way, you can perform O&M operations on the instance by using Bastionhost.

      • On the Network Domain page, click Create Network Domain, set the Connection Mode parameter to Proxy, and then configure Primary Proxy Server.


      • Configure the following parameters for the primary proxy server: Proxy Type, Server Address, Server Port, Host Account, and Password. Valid values of Proxy Type: SSH Proxy, HTTP Proxy, and SOCKS5 Proxy.


    2. Import an Edge Node Service instance in Assets:

      • On the Hosts page, select Import Other Hosts and click Create Host to add an ENS instance.

      • In the Create Host panel, configure the Operating System, Host IP Address, Hostname, and Network Domain parameters.

      • If you set the Network Domain parameter to Proxy, set the Host IP Address parameter to an internal IP address. If you set the Network Domain parameter to Direct Network (Direct Connection), set the Host IP Address parameter to a public IP address.


    3. Create a host account in Assets:

      After you import an ENS instance as a host, find the instance on the Hosts page and click Create Host Account in the Actions column. In the panel that appears, configure the Protocol, Logon Name, Authentication Type, and Password or Key parameters.


    4. Authorize users to manage the host in Users:

      After you import the instance as a host, choose Users > Users, and authorize a RAM user to manage the host.


    5. Choose Asset O&M:

      After you log on to the Bastionhost console as the authorized RAM user, choose Asset O&M > Host O&M to view the hosts on which you are authorized to perform O&M operations. Find the host that you want to manage and click Remote Connection.


IV. Attack protection (Anti-DDoS Proxy)

Anti-DDoS Proxy is a proxy-based service that is provided by Alibaba Cloud to mitigate volumetric and resource exhaustion DDoS attacks. Anti-DDoS Proxy can protect servers that are deployed on Alibaba Cloud, on third-party clouds, and in data centers. If volumetric DDoS attacks are launched against your service that is added to Anti-DDoS Proxy, Anti-DDoS Proxy forwards traffic to the anti-DDoS scrubbing centers by using DNS resolution for scrubbing and forwards only service traffic to the origin server.


For more information about Anti-DDoS Proxy, see What is Anti-DDoS Proxy?

Capabilities of Anti-DDoS Proxy supported by ENS

Alibaba Cloud provides the following services based on the region where your servers are deployed:

  • Anti-DDoS Proxy (Chinese Mainland): protects servers deployed in the Chinese mainland. Anti-DDoS Proxy (Chinese Mainland) uses eight Border Gateway Protocol (BGP) lines at the Tbit/s level to protect servers against volumetric DDoS attacks. Anti-DDoS Proxy (Chinese Mainland) provides Anti-DDoS Proxy (Chinese Mainland) instances of the Profession and Advanced mitigation plans.

  • Anti-DDoS Proxy (Outside Chinese Mainland): protects servers deployed outside the Chinese mainland. Anti-DDoS Proxy (Outside Chinese Mainland) mitigates DDoS attacks by using distributed near-origin traffic scrubbing capabilities and all available mitigation capabilities.

In the following table, ✓ indicates that the feature is supported and × indicates that it is not supported.

| Category | Feature | Anti-DDoS Proxy (Chinese Mainland) | Anti-DDoS Proxy (Outside Chinese Mainland), IPv4 address | Anti-DDoS Proxy (Outside Chinese Mainland), IPv6 address |
|---|---|---|---|---|
| Service integration method | Domains | ✓ | ✓ | ✓ |
| Service integration method | Ports | ✓ | ✓ | ✓ |
| Service integration method | Sec-Traffic Manager | Features: cloud service interaction, tiered protection, CDN or DCDN interaction | Features: cloud service interaction, tiered protection, CDN or DCDN interaction | Features: cloud service interaction, tiered protection, CDN or DCDN interaction, network acceleration |
| Protection for infrastructure | Global mitigation policy | ✓ | ✓ | ✓ |
| Protection for infrastructure | IP address-based blacklist and whitelist | ✓ | ✓ | ✓ |
| Protection for infrastructure | Location blacklist | Supported only when the Enhanced function plan is used | × | Supported only when the Enhanced function plan is used |
| Protection for infrastructure | Blackhole filtering deactivation | ✓ | × | × |
| Protection for infrastructure | Near-origin traffic diversion | ✓ | × | × |
| Protection for infrastructure | UDP reflection attack mitigation | Supported only when the Enhanced function plan is used | × | Supported only when the Enhanced function plan is used |
| Protection for website services | Intelligent protection | ✓ | ✓ | ✓ |
| Protection for website services | Global mitigation policy | ✓ | ✓ | ✓ |
| Protection for website services | Domain name-based blacklist and whitelist | ✓ | ✓ | ✓ |
| Protection for website services | Domain name-based location blacklist | Supported only when the Enhanced function plan is used | Supported only when the Enhanced function plan is used | Supported only when the Enhanced function plan is used |
| Protection for website services | HTTP flood mitigation | ✓ | ✓ | ✓ |
| Protection for non-website services | Intelligent protection for Layer-4 services | ✓ | × | ✓ |
| Protection for non-website services | False source | ✓ | ✓ | ✓ |
| Protection for non-website services | Advanced Attack Mitigation (only TCP ports can be protected) | ✓ | ✓ | ✓ |
| Protection for non-website services | Speed limit for destination | ✓ | ✓ | ✓ |
| Protection for non-website services | Packet length limit | ✓ | ✓ | ✓ |
| Protection for non-website services | Rate limit for source | ✓ | × | ✓ |
| Protection for non-website services | Scenario-specific policies | ✓ | ✓ | ✓ |
| Mitigation analysis capabilities | Attack analysis | ✓ | × | ✓ |
| Mitigation analysis capabilities | Log analysis overview | ✓ | ✓ | ✓ |
| Mitigation analysis capabilities | System logs | ✓ | ✓ | ✓ |
| Mitigation analysis capabilities | Operation logs | ✓ | ✓ | ✓ |
| Mitigation analysis capabilities | Advanced mitigation logs | ✓ | ✓ | ✓ |
| Mitigation analysis capabilities | Alert monitoring of CloudMonitor | ✓ | ✓ | ✓ |

Activate and deploy Anti-DDoS Proxy

  1. Purchase Anti-DDoS Proxy:

    You can purchase Anti-DDoS Proxy on the Anti-DDoS page. For more information, visit the Anti-DDoS product page.

  2. Add services:

    1. Use domains

      After you add the domain name of a website to Anti-DDoS Proxy, Anti-DDoS Proxy assigns a CNAME to the website. You must change the DNS record to map the domain name to the CNAME. This way, service traffic can be switched to Anti-DDoS Proxy for protection.


    2. Use ports

      To use Anti-DDoS Proxy to protect your non-website services, such as client-based applications, you must create port forwarding rules. Then, Anti-DDoS Proxy scrubs traffic that is destined for your services and forwards only service traffic to your origin server based on the port forwarding rules.


  3. Verify the configuration:

    After you add a domain name or a port to an Anti-DDoS Pro or Anti-DDoS Premium instance, Anti-DDoS Pro or Anti-DDoS Premium forwards the packets received by the port to the port of the origin server. To ensure service stability, we recommend that you verify whether the forwarding configurations take effect on your computer before the inbound traffic is rerouted to Anti-DDoS Pro or Anti-DDoS Premium.