Updated on 2024-03-08 GMT+08:00

Configuring Intrusion Prevention

CFW provides basic intrusion prevention that detects and defends against a wide range of common network attacks to protect your assets.

Basic protection cannot be disabled, but its protection mode can be changed. Basic protection scans traffic for attacks, threats, and vulnerability exploitation, including phishing, Trojans, worms, hacker tools, spyware, password attacks, vulnerability exploits, SQL injection, XSS, and other web attacks. It also checks for protocol anomalies, buffer overflows, access control anomalies, and suspicious DNS activity.

Constraints

  • Only firewalls of the professional edition support custom IPS signatures.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.

    Table 1 Intrusion prevention functions (each function is followed by its description)

    Protection Mode

    • Observe: Attacks are detected and recorded in logs but are not intercepted.
    • Intercept: Attacks and abnormal IP address access are automatically intercepted.
      • Intercept mode - loose: Coarse-grained protection. Only attacks with high threat and high certainty are blocked.
      • Intercept mode - moderate: Medium-grained protection. This mode meets protection requirements in most scenarios.
      • Intercept mode - strict: Fine-grained protection. All detected attack requests are intercepted.
    NOTE:
    • You are advised to run in observe mode for a period of time and review the logged attack events before switching to intercept mode. For details about how to view attack event logs, see Attack Event Logs.
    • If legitimate packets are incorrectly intercepted, you can modify the action of the single defense rule responsible in the basic defense rule library. For details, see Managing Intrusion Prevention.

    Basic Protection

    Provides basic protection for your assets. It is enabled by default and cannot be disabled. Its functions are as follows:

    • Scans traffic for threats and vulnerability exploitation.
    • Detects whether traffic contains phishing, Trojan horses, worms, hacker tools, spyware, password attacks, vulnerability attacks, SQL injection attacks, XSS attacks, and other web attacks.
    • Checks traffic for protocol anomalies, buffer overflows, access control anomalies, suspicious DNS activity, and other suspicious behavior.
    NOTE:

    For details about how to view basic defense rules, see Checking the IPS Rule Library.

    Virtual Patching

    Virtual patching delivers network-layer IPS rules (hot patches) that intercept high-risk remote exploitation attempts in real time, so your assets remain protected, without service interruption, while the underlying vulnerability is being fixed.

    New IPS rules are displayed in the virtual patch rule library. To view the rule library, click View Virtual Patch. For details about the parameters in the rule library, see Checking the IPS Rule Library.

    Auto Update: When enabled, newly delivered virtual patch rules take effect automatically and protect in real time. The action of each rule can still be modified manually.

    Custom IPS Signature

    If the basic defense rule library does not meet your requirements, you can create custom IPS signatures.

    Only the professional edition supports custom IPS signatures. For details, see Customizing IPS Signatures.

    Advanced

    Sensitive Directory Scan Defense

    Defends against scans of sensitive directories on your servers.

    Action:
    • Observe: If a sensitive directory scanning attack is detected, CFW records it in logs only. For details about how to view attack logs, see Attack Event Logs.
    • Block session: If the firewall detects a sensitive directory scan attack, it blocks the current session.
    • Block IP: If CFW detects a sensitive directory scan attack, it blocks the attack IP address for a period of time.

    Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.

    Threshold: CFW performs the specified action if the scan frequency of a sensitive directory reaches this threshold.

    Reverse Shell Defense

    Defends against reverse shells (outbound connections that hand an attacker an interactive shell on a compromised host).

    Action:
    • Observe: If a reverse shell attack is detected, it is only recorded in attack logs. For details about how to view attack logs, see Attack Event Logs.
    • Block session: If the firewall detects a reverse shell attack, it blocks the current session.
    • Block IP: If CFW detects a reverse shell attack, it blocks the attack IP address for a period of time.

    Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.

    Mode:

    • Conservative: Coarse-grained protection. The configured action (observe or block) is triggered after four reverse shell hits are detected in a single session. This minimizes false positives.
    • Sensitive: Fine-grained protection. The configured action is triggered after two reverse shell hits in a single session. This favors detection over false-positive avoidance.
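The Action, Threshold, Duration, and Mode settings of Sensitive Directory Scan Defense and Reverse Shell Defense above describe one stateful filter with different parameters. The following Python is an added illustrative model, not CFW code, that applies those documented semantics to constructed sample detections: Observe only logs, Block session drops the rest of the offending session, Block IP drops the source address for a bounded duration (60 to 3,600 s), and the reverse shell modes map to a per-session hit count of 4 (conservative) or 2 (sensitive). Keying the directory-scan counter per source IP, the list of sensitive path prefixes, the sample addresses, and the function names are assumptions made for the example.

```python
"""Illustrative model of CFW-style threshold/action/duration defenses.

Added example, not CFW's implementation. Sample events and the sensitive
path list below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed list of paths a directory scanner typically probes.
SENSITIVE_PREFIXES = ("/.git", "/.env", "/admin", "/backup", "/phpmyadmin")

# Page-documented mapping: reverse shell mode -> hits per session that trigger the action.
REVERSE_SHELL_MODES = {"conservative": 4, "sensitive": 2}


@dataclass
class Event:
    ts: float        # seconds since start of capture
    src_ip: str
    session: str     # session identifier (a 5-tuple on a real firewall)
    kind: str        # "dir_scan" or "reverse_shell"
    path: str = ""   # requested path, for dir_scan events


@dataclass
class Policy:
    action: str         # "observe" | "block_session" | "block_ip"
    threshold: int      # hits per key before the action fires
    duration: int = 60  # block duration in seconds; only used by block_ip

    def __post_init__(self):
        if self.action not in ("observe", "block_session", "block_ip"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.threshold < 1:
            raise ValueError("threshold must be >= 1")
        if self.action == "block_ip" and not 60 <= self.duration <= 3600:
            raise ValueError("duration must be 60..3600 s for block_ip")


def is_valid_policy(action: str, threshold: int, duration: int = 60) -> bool:
    """Helper for callers that want a boolean instead of an exception."""
    try:
        Policy(action, threshold, duration)
        return True
    except ValueError:
        return False


class Defense:
    """Counts hits per key (source IP or session) and applies the policy."""

    def __init__(self, policy: Policy, key: str):
        assert key in ("ip", "session")
        self.policy = policy
        self.key = key
        self.hits: Dict[str, int] = {}
        self.blocked_ips: Dict[str, float] = {}     # ip -> block expiry time
        self.blocked_sessions: Set[str] = set()
        self.log: List[str] = []                    # what an observe-only admin would review

    def handle(self, ev: Event) -> str:
        # A timed IP block takes precedence and expires on its own.
        expiry = self.blocked_ips.get(ev.src_ip)
        if expiry is not None:
            if ev.ts < expiry:
                return "drop:ip_blocked"
            del self.blocked_ips[ev.src_ip]
        if ev.session in self.blocked_sessions:
            return "drop:session_blocked"
        key = ev.src_ip if self.key == "ip" else ev.session
        count = self.hits.get(key, 0) + 1
        if count < self.policy.threshold:
            self.hits[key] = count
            return "pass"
        self.hits[key] = 0  # threshold reached: record the event and act
        self.log.append(f"{ev.ts:.0f}s {ev.kind} src={ev.src_ip} "
                        f"session={ev.session} action={self.policy.action}")
        if self.policy.action == "observe":
            return "log_only"
        if self.policy.action == "block_session":
            self.blocked_sessions.add(ev.session)
            return "block_session"
        self.blocked_ips[ev.src_ip] = ev.ts + self.policy.duration
        return "block_ip"


def run_dir_scan_demo(action="block_ip", threshold=3, duration=60) -> List[str]:
    """Directory-scan defense keyed per source IP (an assumption of this model)."""
    d = Defense(Policy(action, threshold, duration), key="ip")
    scanner = "203.0.113.5"                         # constructed attacker address
    probes = ["/.git/config", "/.env", "/admin/", "/backup.zip"]
    events = [Event(10 + i, scanner, f"s{i}", "dir_scan", p) for i, p in enumerate(probes)]
    events.append(Event(40, scanner, "s9", "dir_scan", "/phpmyadmin/"))   # still inside the block
    events.append(Event(200, scanner, "s10", "dir_scan", "/.git/HEAD"))   # block expired, counter restarts
    events.append(Event(201, "198.51.100.7", "s11", "dir_scan", "/.env")) # other client unaffected
    return [d.handle(e) for e in events if e.path.startswith(SENSITIVE_PREFIXES)]


def run_reverse_shell_demo(mode="conservative", action="block_session") -> List[str]:
    """Reverse shell defense keyed per session, threshold taken from the mode."""
    d = Defense(Policy(action, REVERSE_SHELL_MODES[mode]), key="session")
    attacker = "203.0.113.9"
    events = [Event(100 + i, attacker, "sess-A", "reverse_shell") for i in range(5)]
    events.append(Event(110, attacker, "sess-B", "reverse_shell"))  # a new session starts at zero
    return [d.handle(e) for e in events]
```

Running the two demos shows the practical difference between the actions: with Block session, a second reverse shell session from the same host passes until it independently reaches the threshold, whereas Block IP drops everything from that source until the duration elapses. Running Observe first, as the NOTE above advises, fills `Defense.log` with exactly the events that Intercept would later act on.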

Follow-up Operations

After the intrusion prevention policy is configured, choose Security Dashboard to view protection details such as the attacks detected and the actions taken. For details, see Security Dashboard.