Security Center: FAQ about container protection

Last Updated: Apr 30, 2024

This topic provides answers to some frequently asked questions about container protection.

My Security Center runs the Enterprise edition. Can I use the container firewall feature?

No, you cannot use the container firewall feature. Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Do I need to pay for the container firewall feature?

No, you do not need to pay for the container firewall feature. After you purchase the Ultimate edition of Security Center, you can use the container firewall feature free of charge.

After I upgrade Security Center to the Ultimate edition, does Security Center protect only containers?

No, the Ultimate edition of Security Center can protect both containers and Elastic Compute Service (ECS) instances.

What detection mechanisms does Security Center provide for container images?

Security Center uses cloud-native capabilities to provide the following detection mechanisms for container images. These mechanisms reduce risks such as intrusion into containers and tampering:

  • Container image scan: This feature manages container images and comprehensively detects security risks in them. The risks include high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in images. The feature also supports quick fixing of detected image system vulnerabilities.

  • Proactive defense for containers: This feature proactively detects risks when your containers start or run, across the following dimensions: image security, runtime security, and running environment security. You can configure rules to block at-risk images from running, stop untrusted processes, and block container escapes. This helps improve the runtime security of your containers.

  • Container firewall: The container firewall feature provided by Security Center delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks on containers.

  • Container signature: The container signature feature supports signing container images and verifying container image signatures. This feature ensures that only trusted container images are deployed and prevents unauthorized images from being started. This reinforces your asset security.

  • CI/CD-based container image scan: This feature detects image risks during the project build stage on Jenkins and GitHub. It can detect high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, and configuration risks, and helps you identify sensitive data in images. The feature also provides solutions to detected image risks.