Cloud Firewall has a built-in threat detection engine that provides intrusion prevention system (IPS) capabilities to defend against intrusions and common attacks in real time. Cloud Firewall also provides a virtual patching feature that blocks exploits of known vulnerabilities at the network layer. You can configure the mode of the threat detection engine, and enable and configure the threat intelligence, basic protection, intelligent defense, and virtual patching features to identify and block intrusion attempts. This topic describes how to configure the IPS capabilities.
Configure IPS-based capabilities on the Internet boundary
Modes of the threat detection engine
After you purchase Cloud Firewall, the Block mode is automatically enabled for the threat detection engine, and Cloud Firewall selects the appropriate block level based on your traffic. The threat intelligence, basic protection, and virtual patching features block threats only when the Block mode is enabled. In Monitor mode, these features only record threats and malicious traffic and generate alerts.
For more information about the modes of the threat detection engine, see Overview of IPS.
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
On the right side of the Internet Border tab, select a value for Threat Engine Mode.
The threat detection engine supports the following modes:
Monitor: If you select this mode, Cloud Firewall records attacks and generates alerts for the attacks, but does not intercept attacks. In this mode, the action of threat intelligence policies, basic protection policies, and virtual patching policies is set to Monitor.
Block: If you select this mode, Cloud Firewall blocks malicious traffic and intrusion attempts.
You can also select one of the following levels for this mode based on your business requirements:
Block-Loose: blocks attacks in a loose manner by using only rules with a low rate of false positives. This level is suitable for services that require the rate of false positives to be minimized.
Block-Medium: blocks attacks in a standard manner by using the common rules. This level is suitable for daily O&M and produces fewer false positives than the Strict level.
Block-Strict: blocks attacks in a strict manner by using all rules. This level is suitable for services that require the rate of false negatives to be minimized. This level may produce more false positives than the Medium level.
Overview
The IPS-based capabilities on the Internet boundary include Basic Protection, Virtual Patching, Threat Intelligence, Intelligent Defense, Data Leak, and IPS Private IP Tracing. You can turn each capability on or off by using the switch on the left side of its tab.
Basic Protection
By default, Basic Protection is turned on, and the basic protection policies that detect common threats are enabled. The basic protection feature protects your assets against common intrusions, such as attacks that exploit command execution vulnerabilities. The feature also monitors or blocks connections from compromised hosts to a command-and-control (C&C) server, in line with the threat engine mode. We recommend that you keep the basic protection feature enabled.
Modify a policy: Find the policy that you want to manage and change the value in the Current Action column. After the modification, the policy is marked as Custom.
Restore to the default policies: Click Restore to Default IPS Rules. In the message that appears, click OK.
Enable or disable a policy: Turn on or turn off the switch in the Enabling Status column.
Enabled: The policy takes effect. A policy that is marked as Custom has a higher priority than a policy that uses the default action.
Disabled: The policy does not take effect.
Virtual Patching
By default, Virtual Patching is turned on, and Cloud Firewall protects your assets against common high-risk and urgent vulnerabilities in real time. The virtual patching feature applies hot patches at the network layer to protect your services against high-risk and urgent vulnerabilities that can be remotely exploited. This intercepts vulnerability exploits in real time and prevents service interruption while the vulnerabilities are being fixed on the hosts. You do not need to install anything on your servers. If the feature is disabled, Cloud Firewall no longer applies new virtual patches to your assets. We recommend that you keep all virtual patching policies enabled.
Modify a policy: Find the policy that you want to manage and change the value in the Current Action column. After the modification, the policy is marked as Custom.
Restore to the default policies: Click Restore to Default IPS Rules. In the message that appears, click OK.
Enable or disable a policy: Turn on or turn off the switch in the Enabling Status column.
Enabled: The policy takes effect. A policy that is marked as Custom has a higher priority than a policy that uses the default action.
Disabled: The policy does not take effect.
Threat Intelligence
By default, Threat Intelligence is turned on, and Cloud Firewall matches traffic against threat intelligence and applies the action that corresponds to the current Threat Engine Mode (Monitor or Block). The threat intelligence feature synchronizes malicious IP addresses that are detected across Alibaba Cloud to Cloud Firewall, including IP addresses that are used to initiate malicious access, scans, or brute-force attacks, and then performs precise intrusion prevention against them. We recommend that you keep the threat intelligence feature enabled.
Intelligent Defense
By default, Intelligent Defense is turned on, and Cloud Firewall learns from a large amount of attack data collected in the cloud to improve the accuracy of threat and attack detection. The intelligent defense feature is available only when Threat Engine Mode is set to Monitor.
To turn on Intelligent Defense, turn on Basic Protection first.
Data Leak
Cloud Firewall can detect sensitive data in the outbound connections of your cloud assets and identify related risks.
Enable the data leak detection feature for your assets.
Enable or disable the data leak detection feature for a data type based on your business requirements. On the tab, you can view the types of sensitive data that can be identified by Cloud Firewall.
Click Configure Assets, find the Internet-facing asset that you want to manage, and click Enable Data Leak Detection in the Operation column.
You can view the data leak dashboard on the Data Leak Detection page to obtain related assets, events, and risk payloads for data leaks in an accurate manner. For more information, see Data leak detection.
IPS Private IP Tracing
In scenarios in which a service such as NAT Gateway or Server Load Balancer (SLB) is deployed, the originating IP addresses of backend servers, such as Elastic Compute Service (ECS) instances, are hidden. If attacks occur, the attacked backend server is difficult to identify. The IPS private IP tracing feature can automatically associate the session logs of NAT gateways, display private IP addresses, help implement source tracing for attacks, and identify at-risk assets in an efficient manner.
Only Internet NAT gateways are supported.
If you enable the feature, you are not charged for the feature. However, the system creates indexes on the session logs of your NAT gateways, which allows you to query the logs. You are charged for the indexes and query operations. For more information, see Billing overview.
After you enable the feature, if indexes do not exist for the session logs of your NAT gateways, or exist but lack the fields required for source tracing, the system automatically creates or rebuilds the indexes for the required fields.
Enable the feature for Internet-facing assets. You can view the Internet-facing assets for which you can enable the feature on the IPS Private IP Tracing page. You can enable the feature for an Internet-facing asset only if the value in the Internet Firewall Status column is Protected and the value in the Session Log for NAT Gateway column for the asset is Enabled. If a message appears when you turn on the switch in the Operation column for an asset, you can view the reasons why the enable operation fails and click the related links to enable the related features. For more information, see the following topics:
Note: If a NAT gateway includes only DNAT entries, you do not need to enable the session log feature for the NAT gateway.
If the value in the Internet Firewall Status column is Protected and the value in the Session Log for NAT Gateway column is Enabled for an Internet-facing asset, turn on the switch in the Operation column. In the message that appears, click OK. If the value in the IPS Private IP Tracing column is Enabled, the feature is enabled.
Note: The IPS private IP tracing feature is based on the session log feature of NAT Gateway. Collecting and delivering NAT session logs involves latency. Therefore, you can query the results of source tracing only after a delay of approximately 20 minutes.
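The correlation that IPS Private IP Tracing performs can be reproduced by hand when you investigate an event: join the IPS event's public 5-tuple with the NAT gateway session log to recover the private endpoint, and fall back to the static DNAT table for gateways that only have DNAT entries. The script below is an added example that is not Alibaba Cloud code; the session-log layout, its field names (ts, proto, src, nat_src, dst), the DNAT table, and every address in it are constructed for illustration. It also handles the two failure modes the page mentions: a fresh outbound event whose session log has not been delivered yet, and a session that lies outside a plausible time window.

```python
"""Recover the private IP behind a NAT gateway for a Cloud Firewall IPS event.

Added example of the correlation that IPS Private IP Tracing performs; it is
not Alibaba Cloud code. The session-log layout, its field names, the DNAT table
and every address below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed NAT gateway session-log lines (SNAT sessions): src is the private
# host, nat_src is the EIP:port seen by the Internet firewall after translation.
SESSION_LOG = """\
ts=2024-05-01T10:00:05Z proto=tcp src=172.16.0.12:51234 nat_src=203.0.113.5:10001 dst=198.51.100.77:443
ts=2024-05-01T10:00:09Z proto=tcp src=172.16.0.13:40000 nat_src=203.0.113.5:10002 dst=198.51.100.77:443
ts=2024-05-01T10:00:30Z proto=udp src=172.16.0.12:53000 nat_src=203.0.113.5:10003 dst=198.51.100.9:53
"""

# Constructed DNAT entries, (EIP, port, proto) -> (private IP, port). These are
# static, which is why a DNAT-only gateway needs no session logs for tracing.
DNAT_ENTRIES = {
    ("203.0.113.5", 80, "tcp"): ("172.16.0.20", 8080),
    ("203.0.113.5", 22, "tcp"): ("172.16.0.21", 22),
}

SESSION_WINDOW = timedelta(minutes=30)  # max distance between session start and event


@dataclass
class IpsEvent:
    ts: datetime
    proto: str
    src: tuple      # (ip, port) as seen by the Internet firewall
    dst: tuple
    direction: str  # "in": attack on a published service; "out": host calling out


@dataclass
class Session:
    ts: datetime
    proto: str
    src: tuple      # private endpoint before SNAT
    nat_src: tuple  # public endpoint after SNAT
    dst: tuple


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_endpoint(s):
    host, port = s.rsplit(":", 1)
    return host.strip("[]"), int(port)  # also tolerates [v6]:port


def parse_session_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        sessions.append(Session(parse_ts(kv["ts"]), kv["proto"],
                                parse_endpoint(kv["src"]),
                                parse_endpoint(kv["nat_src"]),
                                parse_endpoint(kv["dst"])))
    return sessions


def trace_private_ip(event, sessions, dnat=DNAT_ENTRIES, window=SESSION_WINDOW):
    """Return (private_ip, private_port, method), or None if no record matches.

    None for a fresh outbound event usually means the session log has not been
    delivered yet (the page quotes roughly 20 minutes of latency): retry later.
    """
    if event.direction == "in":
        hit = dnat.get((event.dst[0], event.dst[1], event.proto))
        return (hit[0], hit[1], "dnat-entry") if hit else None
    # Outbound: the firewall logged the SNAT'ed source; find the session that used it.
    candidates = [s for s in sessions
                  if s.proto == event.proto
                  and s.nat_src == event.src
                  and s.dst == event.dst
                  and abs(s.ts - event.ts) <= window]
    if not candidates:
        return None
    best = min(candidates, key=lambda s: abs(s.ts - event.ts))
    return (best.src[0], best.src[1], "snat-session")


if __name__ == "__main__":
    sessions = parse_session_log(SESSION_LOG)
    c2 = IpsEvent(parse_ts("2024-05-01T10:00:12Z"), "tcp",
                  ("203.0.113.5", 10002), ("198.51.100.77", 443), "out")
    print(trace_private_ip(c2, sessions))  # ('172.16.0.13', 40000, 'snat-session')
```

The match is on protocol, translated source, destination, and a time window rather than on the source IP alone, because a single EIP is shared by every host behind the gateway and only the translated port distinguishes them.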
Whitelists
You can add trusted source IPv4 and IPv6 addresses to an inbound whitelist or add trusted destination IPv4 and IPv6 addresses to an outbound whitelist. After you add IP addresses to a whitelist, the basic protection, intelligent defense, and virtual patching features allow traffic of the IP addresses. You can add up to 50 IP addresses to a destination IP address whitelist or a source IP address whitelist.
To add IP addresses to a whitelist, click Whitelist on the right side of each tab.
The whitelists that you configure take effect only for the basic protection, intelligent defense, and virtual patching features.
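The interactions described on this page (Monitor mode overriding every policy action, disabled policies not applying, whitelists bypassing only basic protection, intelligent defense and virtual patching but not threat intelligence, Intelligent Defense requiring Basic Protection, and the 50-entry whitelist limit) are easy to get wrong when reviewing a configuration. The following is an added example that models those rules so a configuration can be checked before it is applied; it is not Alibaba Cloud code, and the enum values, the Policy and IpsConfig classes, and the sample addresses are assumptions made for illustration.

```python
"""How the IPS settings on this page combine into an effective action.

Added example, not Alibaba Cloud code. The enum values, the Policy and
IpsConfig classes, and the sample addresses are assumptions for illustration;
the rules encoded in the functions are the ones stated on this page.
"""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress


class EngineMode(Enum):
    MONITOR = "Monitor"
    BLOCK_LOOSE = "Block-Loose"
    BLOCK_MEDIUM = "Block-Medium"
    BLOCK_STRICT = "Block-Strict"


class Feature(Enum):
    BASIC_PROTECTION = "Basic Protection"
    VIRTUAL_PATCHING = "Virtual Patching"
    THREAT_INTELLIGENCE = "Threat Intelligence"
    INTELLIGENT_DEFENSE = "Intelligent Defense"


# A whitelist bypasses only these three features; threat intelligence still applies.
WHITELIST_SCOPE = {Feature.BASIC_PROTECTION, Feature.VIRTUAL_PATCHING,
                   Feature.INTELLIGENT_DEFENSE}
WHITELIST_LIMIT = 50  # per source or destination whitelist


@dataclass
class Policy:
    name: str
    feature: Feature
    enabled: bool = True
    action: str = "Block"          # value shown in the Current Action column
    default_action: str = "Block"  # value restored by "Restore to Default IPS Rules"

    @property
    def custom(self):
        # A policy is marked Custom once its action differs from the default.
        return self.action != self.default_action


@dataclass
class IpsConfig:
    mode: EngineMode
    features_on: set
    inbound_whitelist: set = field(default_factory=set)   # trusted source IPs
    outbound_whitelist: set = field(default_factory=set)  # trusted destination IPs


def validate(cfg):
    """Return the configuration problems this page warns about, as strings."""
    problems = []
    if (Feature.INTELLIGENT_DEFENSE in cfg.features_on
            and Feature.BASIC_PROTECTION not in cfg.features_on):
        problems.append("Intelligent Defense requires Basic Protection to be turned on")
    for label, wl in (("inbound", cfg.inbound_whitelist),
                      ("outbound", cfg.outbound_whitelist)):
        if len(wl) > WHITELIST_LIMIT:
            problems.append(f"{label} whitelist has {len(wl)} entries; limit is {WHITELIST_LIMIT}")
        for entry in sorted(wl):
            try:
                ipaddress.ip_address(entry)  # single IPv4/IPv6 address, not a CIDR block
            except ValueError:
                problems.append(f"{label} whitelist entry {entry!r} is not a single IP address")
    return problems


def effective_action(cfg, policy, src_ip=None, dst_ip=None):
    """What Cloud Firewall does with traffic that matches `policy`."""
    if policy.feature not in cfg.features_on or not policy.enabled:
        return "Not applied"
    whitelisted = src_ip in cfg.inbound_whitelist or dst_ip in cfg.outbound_whitelist
    if whitelisted and policy.feature in WHITELIST_SCOPE:
        return "Allow (whitelisted)"
    if cfg.mode is EngineMode.MONITOR:
        return "Monitor"  # Monitor mode overrides every policy action, Custom or not
    return policy.action


def restore_defaults(policies):
    """Equivalent of clicking Restore to Default IPS Rules."""
    for p in policies:
        p.action = p.default_action
    return policies


if __name__ == "__main__":
    cfg = IpsConfig(EngineMode.BLOCK_MEDIUM,
                    {Feature.BASIC_PROTECTION, Feature.THREAT_INTELLIGENCE},
                    inbound_whitelist={"203.0.113.10"})
    rce = Policy("Command execution", Feature.BASIC_PROTECTION)
    cti = Policy("Malicious source IP", Feature.THREAT_INTELLIGENCE)
    for pol in (rce, cti):
        print(pol.name, "->", effective_action(cfg, pol, src_ip="203.0.113.10"))
```

The point worth noticing in the output is that a whitelisted source is still blocked by a threat intelligence policy: whitelisting an IP address to silence a noisy basic protection signature does not exempt it from the threat intelligence feed.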
IPS-based capabilities on the VPC boundary
You must enable a virtual private cloud (VPC) firewall before you can configure IPS capabilities for the VPC firewall.
Configure basic protection policies
The basic protection feature protects your assets against common intrusions, such as attacks that exploit command execution vulnerabilities. The feature also monitors or blocks connections from compromised hosts to a C&C server, in line with the configured IPS mode.
On the VPC Border tab, click View Basic Protection Policies.
In the Basic Protection panel, find the policy that you want to manage and change the values in the Current Action and Enabling Status columns for a policy.
Modify a policy: Find the policy that you want to manage and change the value in the Current Action column. After the modification, the policy is marked as Custom.
Restore to the default policies: Click Restore All IPS Rules of VPC Firewall. In the message that appears, click OK.
Enable or disable a policy: Turn on or turn off the switch in the Enabling Status column.
Enabled: The policy takes effect. A policy that is marked as Custom has a higher priority than a policy that uses the default action.
Disabled: The policy does not take effect.
The enabled policies take effect on all of your VPC firewalls.
Configure virtual patching policies
After you enable the virtual patching feature, Cloud Firewall protects your assets against common high-risk and urgent vulnerabilities in real time. The virtual patching feature applies hot patches at the network layer to protect your services against high-risk and urgent vulnerabilities that can be remotely exploited. This intercepts vulnerability exploits in real time and prevents service interruption while the vulnerabilities are being fixed on the hosts. You do not need to install anything on your servers. If the feature is disabled, Cloud Firewall no longer applies new virtual patches to your assets.
On the VPC Border tab, click View Virtual Patching Policies.
In the Virtual Patching panel, change the values in the Current Action and Enabling Status columns for a policy.
Modify a policy: Find the policy that you want to manage and change the value in the Current Action column. After the modification, the policy is marked as Custom.
Restore to the default policies: Click Restore All IPS Rules of VPC Firewall. In the message that appears, click OK.
Enable or disable a policy: Turn on or turn off the switch in the Enabling Status column.
Enabled: The policy takes effect. A policy that is marked as Custom has a higher priority than a policy that uses the default action.
Disabled: The policy does not take effect.
The enabled policies take effect on all of your VPC firewalls.
Configure IPS modes
Find the asset that you want to manage and click Configure IPS Mode in the Actions column.
In the Configure IPS Mode dialog box, select an IPS mode and click OK.
The following IPS modes are supported:
Monitor mode: Cloud Firewall monitors traffic and generates alerts for malicious traffic.
Block mode: Cloud Firewall intercepts malicious traffic and blocks intrusion attempts. You can select a level for the Block mode based on your business requirements.
Loose: blocks attacks in a loose manner by using only rules with a low false positive rate. This level is suitable for services that require the false positive rate to be minimized.
Medium: blocks attacks in a standard manner by using the common rules. This level is suitable for daily O&M.
Strict: blocks attacks in a strict manner by using all rules. This level is suitable for services that require the false negative rate to be minimized, for example during major events or the attack-and-defense drills that public-sector cybersecurity programs organize. This level may produce more false positives than the Medium level.
Configure IPS capabilities
Turn on the basic protection and virtual patching features for a VPC firewall so that the enabled basic protection and virtual patching policies are applied to the traffic that passes through it, in the IPS mode configured for that firewall.
To configure IPS capabilities, go to the VPC Border tab, find the required Cloud Enterprise Network (CEN) instance or firewall that is created for an Express Connect circuit, and then click Configure IPS Capabilities in the Actions column.
Configure IPS whitelists
You can add trusted source IP addresses to an inbound whitelist or add trusted destination IP addresses to an outbound whitelist. After you add IP addresses to a whitelist, the basic protection, intelligent defense, and virtual patching features allow traffic of the IP addresses. You can add up to 50 IP addresses to a destination IP address whitelist or a source IP address whitelist.
To add an IP address to a whitelist, go to the VPC Border tab, find the required CEN instance or firewall that is created for an Express Connect circuit, and then click Configure IPS Whitelist in the Actions column.
What to do next
After you turn on Basic Protection, you can view malicious traffic that is blocked by Cloud Firewall on the Intrusion Prevention page. The traffic includes inbound and outbound traffic and traffic between VPCs.
On the Vulnerability Prevention page, you can view information about the vulnerabilities that can be exploited by cyberattacks. The vulnerabilities are automatically detected by Security Center and synchronized to Cloud Firewall. On this page, you can enable the firewalls of Cloud Firewall and configure protection rules of the IPS to prevent the vulnerabilities from being exploited.
On the Breach Awareness page, you can view intrusion events that are detected by the IPS and the details of the intrusion events.