Cloud Firewall has a built-in threat engine that blocks malicious internet traffic, defends against common attacks in real time, and provides precise virtual patching. You can configure the engine mode and manage modules such as Threat Intelligence, Basic Protection, Intelligent Defense, and Virtual Patching to more accurately identify and block potential intrusions. This topic explains how to configure Intrusion Prevention System (IPS) features.
IPS capabilities for the internet boundary
Threat engine mode
When you enable Cloud Firewall, its threat engine defaults to block mode and automatically selects a strictness level based on your traffic. The protection features block threats only when Block Mode is enabled. If Block Mode is disabled, the intrusion prevention feature only monitors for threats and malicious traffic and does not block them.
For more information about the engine mode, see Overview of IPS capabilities.
- Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
- On the Internet Border tab, configure the Threat Engine Mode on the far right.
  You can select one of the following engine modes:
  - Monitor: In this mode, Cloud Firewall logs and alerts on attacks without blocking them. The protection actions for Threat Intelligence, Basic Protection, and Virtual Patching are all set to Monitor.
  - Block: In this mode, Cloud Firewall blocks malicious traffic and stops intrusion activities.
    You can choose a block mode with a different strictness level based on your security needs:
    - Block - Loose: Provides coarse-grained protection and uses rules with a low false positive rate. This mode is ideal for services that are sensitive to false positives.
    - Block - Medium: Provides a balance between the Loose and Strict modes with high accuracy. This mode is suitable for daily operations.
    - Block - Strict: Provides fine-grained protection with a comprehensive set of rules. This mode may have a higher false positive rate than the Medium mode but is ideal for scenarios that require a low false negative rate.
Features
The IPS configuration for the internet boundary provides features such as Basic Protection, Virtual Patching, Threat Intelligence, Intelligent Defense, Data Loss Prevention, and Private IP Traceback. You can use the toggles on the left to enable or disable these features.
Basic protection
The Basic Protection toggle is enabled by default. Cloud Firewall activates detection rules for some common threats. Basic Protection provides fundamental intrusion prevention, including blocking command execution vulnerabilities and connections from compromised devices to Command and Control (C&C) servers. This feature provides essential protection for your assets. We recommend keeping Basic Protection enabled to enhance security.
- Modify a protection rule: In the Current Action column, change the action for a rule. Modified rules are marked as custom rules.
- Restore default protection rules: Click Restore to Default IPS Rules, and then click OK.
- Enable or disable a rule: Click the toggle in the Status column.
  - Enabled: The rule is active. Custom protection rules have a higher priority than default rules.
  - Disabled: The rule is inactive.
Virtual patching
The Virtual Patching toggle is enabled by default. Cloud Firewall provides real-time protection against popular high-risk and emergency vulnerabilities. Virtual Patching applies hot-patches at the network layer to block exploit attempts, avoiding service interruptions that can occur when patching hosts. No patch installation on your servers is required. If this feature is disabled, it no longer receives real-time updates. We recommend that you keep all virtual patches enabled.
- Modify a protection rule: In the Current Action column, change the action for a rule. Modified rules are marked as custom rules.
- Restore default protection rules: Click Restore to Default IPS Rules, and then click OK.
- Enable or disable a rule: Click the toggle in the Status column.
  - Enabled: The rule is active. Custom protection rules have a higher priority than default rules.
  - Disabled: The rule is inactive.
Threat intelligence
The Threat Intelligence toggle is enabled by default. Cloud Firewall scans for threats based on intelligence feeds and allows you to set the action to Monitor or Block. This feature synchronizes malicious IP addresses detected across the Alibaba Cloud network to your Cloud Firewall. These include malicious access sources, scanning sources, and brute-force attack sources. This allows you to proactively defend against network threats. We recommend that you enable Threat Intelligence.
The Threat Intelligence page includes four tabs: Outbound IP, Inbound IP, Domain, and URL. The intelligence types under each tab include scanning, brute-force attacks, vulnerability exploits, SQL injection, code execution, and webshells. Currently, only the scanning type is available, and you can change its action in the Current Action column. Other types are marked as Coming Soon.
Intelligent defense
The Intelligent Defense toggle is enabled by default. Cloud Firewall learns from attack data across the cloud to improve the accuracy of threat and attack detection. Currently, Intelligent Defense is supported only when the threat engine is set to monitor mode.
To enable Intelligent Defense, you must first enable Basic Protection.
The Intelligent Defense panel provides an entry to the Allowlist in the upper-right corner and displays the current rule database version, such as IPS-2502-01, in the lower-right corner.
Data loss prevention
Cloud Firewall inspects outbound traffic from your assets to the internet to identify potential sensitive data exfiltration.
- You must first enable data leak detection for your assets.
- In the General Industry Template list, view the data types that Cloud Firewall can identify. You can enable detection for specific data types based on your business needs.
- Click Apply to Assets, locate the target public asset, and in the Actions column, click Enable Data Leak Detection.
On the Data Loss Prevention page, you can view an overview of data leak events detected by Cloud Firewall. This page provides details on affected assets, leak events, and risk payloads. For more information, see Data Loss Prevention.
Private IP traceback
When a service's real IP address is hidden, such as behind a NAT Gateway or load balancer, locating the specific instance (such as an ECS instance or a server) under attack is difficult. The Private IP Traceback feature automates attack source tracing by correlating the NAT session log to reveal the private IP address, to help you quickly identify the at-risk asset.
- This feature is supported only for NAT Gateway public assets.
- Enabling Private IP Traceback does not incur extra charges from Cloud Firewall. However, the system creates an index for and runs queries against your NAT session log, which generates Log Service (SLS) fees. For more information about SLS billing, see Billing of SLS.
- If Private IP Traceback is enabled but the index for the NAT session log is not enabled or is missing required fields, the system automatically creates a new index or adds the required fields.
- The Private IP Traceback page lists the public assets that support tracing. For the corresponding NAT Gateway, you must first enable Internet Firewall Status and NAT Gateway Session Logs before Cloud Firewall can perform a private IP traceback. When you click the toggle in the Actions column, a prompt appears with links to guide you through the setup. You can also refer to the following documents for detailed instructions:
  - Enable Internet Firewall Protection: Enable the firewall
  - Enable NAT session log: Procedure for configuring NAT session logs
  Note: The NAT session log is not required for DNAT-only configurations.
  After both Internet Firewall Protection and NAT session log are enabled, click OK to enable Private IP Traceback. When Private IP Traceback shows Enabled, the tracing feature is active for the public asset.
  Note: The Private IP Traceback feature works with the NAT session log. Due to data latency in capturing and delivering NAT Gateway logs, private IP tracing results may be delayed by approximately 20 minutes.
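The correlation that Private IP Traceback performs, shown as an added example written for this page (not Cloud Firewall's own code): a blocked event seen at the internet boundary carries only the post-NAT socket, so the NAT session log is searched for the session whose 5-tuple and time window cover the event, and the approximately 20-minute log delay is reported as "pending" rather than as a failed trace. The field names and sample records are constructed and do not reproduce the real NAT Gateway log schema.

```python
"""Recover the private IP behind a NAT Gateway by correlating a blocked-attack
event with NAT session log records, as Private IP Traceback does.
Example code written for this page; the field names and sample records are
constructed and do not reproduce Cloud Firewall's or NAT Gateway's real log schema."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Constructed SNAT session records: the private socket's owner, the public (EIP)
# socket it was translated to, the remote peer, and the session lifetime.
NAT_SESSION_LOG = [
    {"private_ip": "192.168.10.5", "nat_ip": "47.0.0.10", "nat_port": 50001,
     "remote_ip": "203.0.113.7", "remote_port": 443, "protocol": "tcp",
     "start": "2025-02-01T10:00:03Z", "end": "2025-02-01T10:00:45Z"},
    # Same NAT port reused later by a different instance: the port alone is not a key.
    {"private_ip": "192.168.10.9", "nat_ip": "47.0.0.10", "nat_port": 50001,
     "remote_ip": "198.51.100.4", "remote_port": 80, "protocol": "tcp",
     "start": "2025-02-01T10:20:00Z", "end": "2025-02-01T10:20:30Z"},
]

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

@dataclass
class AttackEvent:
    """What the firewall sees at the internet boundary: only the post-NAT socket."""
    time: str          # ISO-8601 UTC, same format as the log
    nat_ip: str
    nat_port: int
    remote_ip: str
    remote_port: int
    protocol: str

def trace_private_ip(event, sessions, now, log_delay=timedelta(minutes=20)):
    """Return ("found", private_ip), ("not_found", None) or ("pending", None).
    A session matches only if the full 5-tuple agrees and the event time falls
    inside the session window. "pending" is returned instead of "not_found" when
    the event is younger than the log delivery delay (about 20 minutes per the
    docs), so that latency is not mistaken for a failed trace."""
    t = parse_ts(event.time)
    for s in sessions:
        key = (s["nat_ip"], s["nat_port"], s["remote_ip"], s["remote_port"], s["protocol"])
        if key == (event.nat_ip, event.nat_port, event.remote_ip, event.remote_port,
                   event.protocol) and parse_ts(s["start"]) <= t <= parse_ts(s["end"]):
            return ("found", s["private_ip"])
    if parse_ts(now) - t < log_delay:
        return ("pending", None)
    return ("not_found", None)
```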
Allowlist
If you need to allow trusted bidirectional traffic to or from specific IPv4 and IPv6 destination or source IP addresses, you can add them to an allowlist. Traffic from IP addresses in the allowlist is not blocked by Basic Protection, Intelligent Defense, or Virtual Patching rules. You can add up to 50 IP addresses to both the destination IP allowlist and the source IP allowlist.
On the right side of the page, click Allowlist to configure the settings.
The allowlist applies only to Basic Protection, Intelligent Defense, and Virtual Patching.
IPS capabilities for the VPC boundary
You must enable a VPC Firewall before you can configure IPS capabilities for the VPC boundary.
Basic protection rules
Basic Protection provides fundamental intrusion prevention, including blocking command execution vulnerabilities and connections from compromised devices to C&C servers. This feature provides essential protection for your assets.
- Click .
- In the Basic Protection panel, configure the Current Action and Status for each rule.
  - Modify a protection rule: In the Current Action column, change the action for a rule. Modified rules are marked as custom rules.
  - Restore default protection rules: Click Restore All IPS Rules of VPC Firewall, and then click OK.
  - Enable or disable a rule: Click the toggle in the Status column.
    - Enabled: The rule is active. Custom protection rules have a higher priority than default rules.
    - Disabled: The rule is inactive.
Enabled protection rules apply to all VPC Firewalls for your services.
Virtual patching rules
Cloud Firewall provides real-time protection against popular high-risk and emergency vulnerabilities. Virtual Patching applies hot-patches at the network layer to block exploit attempts, avoiding service interruptions that can occur when patching hosts. You do not need to install virtual patches on your servers. If this feature is disabled, it no longer receives real-time updates.
- Click View Virtual Patching Policies.
- In the Virtual Patching panel, configure the Current Action and Status for each rule.
  - Modify a protection rule: In the Current Action column, change the action for a rule. Modified rules are marked as custom rules.
  - Restore default protection rules: Click Restore All IPS Rules of VPC Firewall, and then click OK.
  - Enable or disable a rule: Click the toggle in the Status column.
    - Enabled: The rule is active. Custom protection rules have a higher priority than default rules.
    - Disabled: The rule is inactive.
Enabled Virtual Patching rules apply to all VPC Firewalls for your services.
IPS mode
- Click Configure IPS Mode.
- In the Configure IPS Mode dialog box, select a mode and click OK.
  You can select one of the following IPS modes:
  - Monitor mode: In this mode, Cloud Firewall monitors malicious traffic and generates alerts without blocking it.
  - Block mode: In this mode, Cloud Firewall blocks malicious traffic and stops intrusion activities. You can select different levels of block mode based on your protection requirements.
    - Loose: Blocks attacks in a loose manner by using rules that keep the false positive rate low. This level is suitable for businesses that require the false positive rate to be minimized.
    - Medium: Blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M.
    - Strict: Blocks attacks in a strict manner by using all rules. This level is suitable for businesses that require the false negative rate to be minimized, such as major events or cybersecurity protection activities launched by public service sectors, which are rehearsals for network attack and defense. This level may cause a higher false positive rate than the Medium level.
IPS capabilities
You can configure Basic Protection and Virtual Patching. After the configuration is complete, Cloud Firewall inspects traffic based on the enabled Basic Protection and Virtual Patching rules.
Locate the target Cloud Enterprise Network (CEN) instance or Express Connect firewall. In the Actions column, click Configure IPS Capabilities to configure the settings.
IPS allowlist
If you need to allow trusted traffic to or from specific destination or source IP addresses, you can add them to an allowlist. Traffic from IP addresses in the allowlist is not blocked by Basic Protection, Intelligent Defense, or Virtual Patching rules. You can add up to 50 IP addresses to both the destination IP allowlist and the source IP allowlist.
Locate the target Cloud Enterprise Network (CEN) instance or Express Connect firewall. In the Actions column, click Configure IPS Whitelist to configure the settings.
The allowlist can be configured in three ways: Not configured, Custom, and Reference address book. If you select Custom, enter CIDR blocks, such as 100.100.100.100/32, and separate multiple blocks with commas. If you select Reference address book, you must first manage your address books in Access Control. This setting applies to all VPCs within the same CEN instance.
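Added example, written for this page rather than taken from the product, covering the IPS allowlist as described in both the internet-boundary and VPC-boundary sections above: it parses the comma-separated Custom input (IPv4 or IPv6 CIDR blocks such as 100.100.100.100/32), enforces the 50-entry limit per list, and evaluates which IPS modules still inspect a flow, since the allowlist exempts traffic only from Basic Protection, Intelligent Defense and Virtual Patching. The function names and the rejection of malformed blocks are this example's own choices.

```python
"""Validate a Cloud Firewall-style IPS allowlist and evaluate which IPS modules a
flow bypasses. Example code written for this page, not the product's own code;
the 50-entry limit and the exempted module names come from the documentation."""
import ipaddress

MAX_ENTRIES = 50  # per list: the source list and the destination list each hold up to 50
# The allowlist exempts traffic from these modules only; Threat Intelligence and
# other features still apply to allowlisted addresses.
ALLOWLIST_EXEMPT_MODULES = {"Basic Protection", "Intelligent Defense", "Virtual Patching"}

def parse_allowlist(custom_text):
    """Parse the comma-separated 'Custom' input (e.g. '100.100.100.100/32,2001:db8::/32')
    into network objects. Malformed entries, blocks with host bits set and lists
    longer than MAX_ENTRIES are rejected, so a misconfiguration fails loudly
    instead of silently widening the traffic the IPS will not inspect."""
    nets = []
    for raw in custom_text.split(","):
        token = raw.strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid CIDR block {token!r}: {exc}") from exc
        if net not in nets:  # de-duplicate so repeats do not consume the limit
            nets.append(net)
    if len(nets) > MAX_ENTRIES:
        raise ValueError(f"{len(nets)} entries exceeds the limit of {MAX_ENTRIES}")
    return nets

def in_allowlist(ip, nets):
    """True if ip falls inside any allowlisted block (IPv4 and IPv6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def ips_module_applies(module, src_ip, dst_ip, src_nets, dst_nets):
    """Return True if the named IPS module still inspects this flow.
    Trusted traffic is bidirectional: a match in either the source allowlist
    or the destination allowlist exempts the flow from the exempt modules only."""
    trusted = in_allowlist(src_ip, src_nets) or in_allowlist(dst_ip, dst_nets)
    return not (trusted and module in ALLOWLIST_EXEMPT_MODULES)
```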
Related topics
- After you enable Basic Protection, you can view anomalous traffic between the internet and your VPCs, and between VPCs, that is blocked by Cloud Firewall on the Intrusion Prevention page.
- After you enable Cloud Firewall, you can view network-exploitable vulnerabilities on the Vulnerability Prevention page. These vulnerabilities are automatically detected by Security Center and synchronized to Cloud Firewall. The page also shows the attack prevention capabilities of Cloud Firewall.
- After you enable Cloud Firewall, you can view details about intrusion activities detected by the threat engine on the Breach Detection page.
- FAQ: