Security Center:Overview

Background information

Traditional defense methods are used to defend against attacks. However, the traditional methods have limits when attacks have the following characteristics: diversification, concealment, and complexity. For example, traditional security services based on the libraries of attack rules and attack characteristics can hardly detect APT attacks that are launched by exploiting zero-day vulnerabilities. If servers are attacked, security O&M engineers can only handle the issues caused by the attacks, but the engineers cannot prevent attackers from intruding into internal networks and launched attacks. Companies need to proactively defend against attacks, and take measures to defend their services against attackers and protect data.

A honeypot is a system used to attract attackers. The honeypot simulates one or more hosts and services that are vulnerable to attacks and disguises them as business applications. This lures attackers to attack the disguised hosts and services. Honeypots do not provide services for users. Therefore, all connection attempts on honeypots are considered suspicious. Attackers are lured to attack honeypots, which delays the attacks on real targets. This allows you to obtain information about the attackers. You can use the information to improve your defense against attacks. This way, you can protect your business systems.

How cloud honeypot works

Compared with traditional defense methods, honeypots can proactively defend against attacks. However, traditional honeypots are less deceptive and cannot be used for all scenarios. Traditional honeypots provide a limited number of honeypots types and have high costs. To resolve the issues of traditional defense methods and traditional honeypots, the cloud honeypot feature of Security Center is launched.

Cloud honeypot provides the following features:

• Cloud-native VPC probes

  The cloud honeypot feature redirects traffic destined for IP addresses that are unreachable in VPCs to VPC probes. Then, the VPC probes forward traffic to honeypots based on the traffic forwarding rules that are configured for the VPC probes.

• Common host probes

  The cloud honeypot feature allows you to install a host probe on your host on which your workloads are deployed. The host probe is used to forward traffic. After you install the host probe on your host, resource consumption on the host does not significantly increase, and your applications are not affected. Host probes are secure and stable, which can be installed on common hardware and operating systems.

• Various types of honeypots

  The cloud honeypot feature supports high- and low-interaction honeypots. Low-interaction honeypots support all ports. High-interaction honeypots provide various types of built-in honeypots that are vulnerable to attacks. The built-in honeypots include web honeypots, database honeypots, system service honeypots, special defect honeypots, and custom honeypots.

• Custom honeypots

  The cloud honeypot feature allows you to create a custom honeypot based on containers to implement high-level business simulation.

You can use both VPC probes and host probes. This allows you to protect a large number of IP addresses at low costs of IP addresses and computing resources. You can deploy various types of built-in honeypots and custom honeypots as a honeypot cluster. The honeypot cluster is highly deceptive.

Impacts

Security services can cause stability issues and security risks. To prevent these issues, the cloud honeypot feature is designed to deliver honeypot-related capabilities, ensure high stability and high security, and consume a small number of host resources.

Impacts on performance

• Impacts of VPC probes

  VPC probes do not consume host resources or network resources.

• Impacts of host probes

  Host probes forward only unusual traffic on ports and consume a small number of system resources.

Impacts on stability

• Impacts of VPC probes

  VPC probes can simulate interaction with scan traffic. If you use asset detection software that initiates scans, false positives may be reported.

• Impacts of host probes

  Host probes occupy ports on hosts. You must properly allocate host ports for host probes.

Impacts on security

• Security assurance of host probes

  Host probes are controlled by their management nodes. The management nodes can control only the traffic forwarding rules of host probes. Even if management nodes are compromised, attackers cannot use the management nodes to control hosts by using the host probes controller by the management nodes.

• Security assurance of honeypot escape prevention

  Each user can create a unique honeypot cluster in which Docker escape detection is provided by default.

• Security assurance of networks

  Network isolation is implemented. The network of users cannot be attacked over the communication path between honeypots and probes even if a honeypot cluster is compromised.

Network environments

limits

Host probes

Host probes can be installed only on the servers that are displayed in the Assets module in the Security Center console and are protected by Security Center.

VPC probes

VPC probes can be installed on the VPCs in the following regions:

• China (Qingdao)

• China (Beijing)

• China (Zhangjiakou)

• China (Hohhot)

• China (Ulanqab)

• China (Hangzhou)

• China (Shanghai)

• China (Shenzhen)

• China (Heyuan)

• China (Guangzhou)

• China (Chengdu)

• China (Hong Kong)

• Japan (Tokyo)

• Singapore

• Australia (Sydney)

• Indonesia (Jakarta)

• India (Mumbai)

• US (Virginia)

• US (Silicon Valley)

• UK (London)

• UAE (Dubai)

• Germany (Frankfurt)