Host Security


Alibaba Security
Host Security
PREVIEW16m 52s
14m 14s

The course is part of this learning path

Host Security

In this course, we'll take a look at Alibaba Cloud security products to ensure host, network, apps, and data security.

Learning Objectives

  • Get a good understanding of Alibaba Cloud's Security portfolio
  • Learn how to defend your workloads from a variety of threats at the host, application, and network layer
  • Learn how to encrypt your data at rest and in transit
  • Learn how to potentially deal with unwanted user-generated content

Intended Audience

This course is intended for anyone looking to use the products in Alibaba's security portfolio in order to sure their Alibaba Cloud workloads, as well as anyone studying for the ACP Cloud Computing certification exam.


To get the most out of this course, you should have a basic understanding of the Alibaba Cloud platform.


All right. Hello, everyone. And welcome back again. We're starting the Host Security section of the Security Overview. So let's take a look at what Alibaba Cloud can offer in the host security domain. Our primary product offering there is something we call Security Center. If you've been an Alibaba Cloud user for a long time, you'll recall that we used to have two separate products called TDS, Threat Detection Service, and also Server Guard. So what happened is TDS and Server Guard have been combined into one product and that is Security Center. Let's dive into it and see how it works.

So, being on the cloud really forces you to redefine how you perform security operations. You go from an off cloud environment where you've got lots of custom monitoring and metrics, and you might be generating thousands of alerts a day. You need to bring that down to a more manageable number. You need to really decide what the real threats are and focus on those things. So typically, when we have customers migrate to the cloud, they go from an environment where they're receiving thousands of alarms per day down to 20 or 30. You also need to improve your response time.

Actually, this is something that just being on the cloud helps you with. Thanks to automation. You can take response time down from days to minutes using tools like Terraform, for instance. Executing a response plan, identifying impacts, reproducing an intrusion, alert correlation, and eliminating false positives are all things you can now do on the cloud with the help of built and standardized tools. And of course, because so many of these things can be automated, when you move on cloud, your security operations team can usually shrink.

Now, it might be possible to have a single engineer who's running your entire cloud platform, but that's a challenge because this person might also have architectural and developer duties that would get in the way of managing vulnerabilities and dealing with security and patching. So, how do you give this person the tools to stay on top of everything? Let's start by looking at some best practices. Essentially, you should spend 90% of your time on hardening before something goes wrong. Then, you will only have to spend 10% of your time fixing issues when they pop up.

So, there's three components here to a good security model. Prevention, detection, and response. Prevention mostly means hardening, vulnerability management, configuring security baselines that are solid, cloud service configuration, tamper proofing, providing yourself with protection against crypto jacking through regular backups. And then, you can move from prevention into detection. That means monitoring and blocking attacks as they occur. We're talking about avoiding leaking access keys, making sure you have antivirus software installed, and up-to-date and running, a system baseline analysis where you look to see if the configuration for any of the key pieces of software on your servers has changed, intrusion detection, situational analysis, and of course, whitelisting and blacklisting of applications. And then finally, there's response.

So, prevention tries to keep you from getting attacked in the first place. Detection lets you discover and block the attack as it's happening. And then, response is what you do after an attack was successful. But this is actually a very important part of your security strategy because you need to know what the nature of the attack was if you're going to avoid it in the future. So, we have tools built into Security Center that help you with automated root cause analysis. And of course, there's a solid asset fingerprint and log analysis tool built into Security Center to help you determine where things went wrong.

So, the traditional method for dealing with security threats is a manual method. So, you collect logs into some type of SIM system that sends alerts to your operations personnel. And then, they configure firewall rules and host rules that are designed to mitigate threats that have been discovered via log collection. And that's a process that can take hours to days to implement. On the cloud, you can fully automate this. This is one of the key advantages of moving onto a cloud platform. The host and firewall can be connected to Cloud Security Center. And Security Center itself can make decisions about how to adjust rules in order to prevent threats as they pop up.

So, Alibaba Cloud Security Center aims to be a one-stop security platform for host protection. We currently use this platform, this Security Center, to fix 8.3 million high-risk vulnerabilities a year. And we've actually, as a result of having this Security Center installed and in place in production, we've been able to initiate 79 emergency responses based on threats that we discovered through Security Center. And so, we've been able to detect and patch threats in an emergency, thanks to having this tool deployed.

Part of the reason we're able to do that is because our platform is so large and we collect so much data, we can actually do threat analysis and detection using data analytics tools. So, we collect more than a petabyte worth of new threat intelligence and log data at a day. And we're able to sift through that and use it to detect new attacks. And then, we feed that information back into Security Center to improve it further. We're currently serving about 1 million enterprises on Alibaba Cloud. And by default, they're all protected by Security Center because this is something that you get for free. At least the Server Guard component of it is free. This is something you get for free when you turn on your account.

A big advantage of Security Center over a traditional architecture is that the, in a traditional security architecture, sandboxing, potentially the firewall, antivirus software, those things have to be installed directly on the endpoint. So, you'll have to put all of that heavy duty software on to the server that you want to protect. In a cloud-native architecture, what you have on your end points, your actual servers, your virtual machines is an agent. This is a lightweight process that sends information somewhere else to HIDS or antivirus service, and then gets responses back from that service. This takes a lot of the load off of the endpoint off of your virtual machine itself, which gives you lower resource consumption for the same level of protection.

Also, because the cloud firewall security group feature is not part of the endpoint software firewall because that's actually something that's provided separately as an Alibaba Cloud service, there's less of a hit on network performance as well. Of course, it's not enough to have the best tools if you don't use them right. So, we must recommend some best practices related to securing your infrastructure. The first is, of course, to have a strong password strategy. Your passwords at minimum should be at least eight characters.

In fact, my personal recommendation is that you don't even use passwords at all. You're much better off using SSH keys wherever possible. And you should rotate them every 90 days and avoid reusing old passwords. Definitely turn on two-factor authentication. If you are using an SSH key, it might be a good idea to password protect that SSH key. If you're using the console, the web user interface, it's probably a good idea to turn on multifactor authentication so that you have to type in a six digit code from your phone each time you log into your account.

Network security, you should make sure that remote management ports such as RDP and SSH are not open to the internet. They should be closed whenever possible. And you should always try to use encrypted protocols. So, don't use FTP. Use SFTP. Never, ever use Telnet. Use SSH. Make sure you're using secure communications protocols. And use the host firewall to enhance network access control if you feel you need the extra layer of protection. Of course, we do have a method for protecting machines that are in an Alibaba Cloud network group. That's called a security group. It's essentially like a firewall that lives outside of your host instance. It's a virtual firewall. But you should also consider turning on the host firewall that's actually part of the operating system on your ECS instance as well.

One of the core components of Security Center is the agent. This is actually the component that I referred to before as Server Guard. It contains two processes. One of them is AliYunDun. This is the Alis shield in Chinese. So, AliYun is of course Alibaba Cloud. Dun is shield. So it's the Ali shield, an AliYunDun update which is the updater service for the Server Guard agent. In a Linux system, these processes run under the root accounts. In a Windows system, they run with the system account. And of course, you can see here on the slide where these files are located on either system. This is not a resource intensive tool. When it's not doing any active scans, this agent takes up less than 1% of CPU, maybe 10 megabytes of memory. When it is working, it does not exceed 10% CPU utilization or 80 megabytes of memory occupied. If those limits are exceeded, Server Guard agent will suspend itself and wait for a quieter time to try again, to avoid interfering with any production workload that your instance might already be running.

Security Center includes essentially four different types of features. There's patch management, Trojan scans, health checks and hardening, and attack interception. We'll start from the left and go to the right. So under patch management, Security Center has the ability to detect common vulnerabilities in web CRM systems in Linux and in Windows and to warn you when a server needs to be patched. It also has a quick repair tool which you can use to automatically execute the update process on some instances. And 0-day hotfix option that can be used to implement temporary protections against attacks that had no patch yet.

Trojan scan. Security Center can detect web shell uploads and also detect Trojans that have been installed on your DCS instances. And it can quarantine them for you. Health checks and hardening. Security Center lets you check the security configuration of your instances. It can warn you about changes in configuration, or it can also give suggestions for ways to improve or harden the security settings on your servers. And it can detect some types of backdoors. In terms of attack intraception, Security Center is able to detect brute force attacks. So, attempts to guess a password. And also it can audit log in behavior. So, it can check for unusual login. So, that might mean someone logging in from a new location or someone logging in at an unusual time of day.

From within the Security Center itself, you can actually run a health status check that will give you a quick general overview of the health of all your ECS instances. One of Security Centers cooler features is the ability to fix vulnerabilities without downtime, and in mostly automated way. So as you can see on the left, the traditional way that you'd patch your vulnerability would be after you've detected it, you'd make an evaluation, figure out what you need to do to fix it, plan your system downtime, make a backup, patch the software on the machine, reboot the machine, make sure everything's working, and then release it back into the production environment where it can serve traffic. And of course, that's all a lot of work and all those steps have to be done manually.

In Security Center, however, you can automate most of this. You identify the vulnerability you want to fix. And then, you select the instance you want to fix. And from that point on, the process is mostly automated. So, let's say you want to fix an instance, instance A. So, what you'll do is you'll select that instance and you'll say I want to patch this instance. And from that point, the Security Center will take a snapshot of instance A, create an instance B, a new instance, based on the snapshot, take the public IP from instance A and attach it to B, validate and restart instance B, run automatic checks, unbind the elastic IP, and then rebind it to A and then delete B. So, it actually goes through the entire cycle of fixing and validating instance A without actually ever having any downtime. Because while instance A is being fixed, instance B can serve live traffic. So, there's always at least one instance up and running, serving traffic at any given time.

Security Center also gives you a built-in baseline check tool. This can help you determine not just problems that exist in the configuration of your ECS instances, but also your OSS buckets and RDS databases. There are baselines available for databases, operating systems, weak passwords, middleware services. We cover the CIS benchmark and MLPS if you're a Go-China customer. So, we do have regulatory and compliance benchmark coverage. And there's baseline based vulnerability hardening as well. You can patch hosts in a batch. And you can patch with a snapshot for better protection. So this is the first service of its kind at least available in the China region.

All right, let's next take a look at patch management. So, patch management is a special function of Alibaba Cloud Security Center that allows you to automate the process of patching your ECS instances. It helps fix system vulnerabilities, especially those found in popular CMS systems. So if you're running a popular CMS like WordPress, we can help you patch that automatically. There's only one downside. Server Guard, which is the host monitoring component of Security Center, can work with servers that are not hosted on Alibaba Cloud, but that's not true for patch management. For patch management, your servers must be ECS instances hosted on Alibaba Cloud platform.

Security Center provides a rich monitoring dashboard that gives you complete information about all security threats you face across all of your resources in all of our Alibaba Cloud regions. So, this is a global dashboard where you can see any uninspected assets, baseline risks, vulnerabilities, or security events that have occurred under your account worldwide. In vulnerability management here, you can see a list of vulnerabilities that your servers are susceptible to. And there's three categories, low, medium, and critical. We can scan for vulnerabilities in common web CMS systems in Windows and in Linux. You can choose different types of vulnerabilities to check for as well from the Settings pane in Security Center. You can decide if you wanna check for all Linux and Windows vulnerabilities, or just web CMS or just emergency vulnerabilities. So these are things that are critical or have just come out. I usually turn all of these on.

There's also a built-in configuration baseline check. So, this can give you interesting and valuable information about the software configuration of your ECS instances. So for instance, if you have a weak password or maybe your CentOS system baseline is set up in such a way that it's not secure. Maybe it accepts traffic on Port 80 and you've set a baseline rule to check for that. You can make those kinds of configurations from the baseline check area in the Security Center console. If you're not happy with the baseline techs that are built into Security Center, you can make your own. So you can take any of the checked items listed in the Configure Policy section of the Security Center console, and use them to build a custom baseline checking policy.

Notifications. There's several different ways to get notified if an event occurs or if there is a vulnerability you need to be aware of. Based on the severity of the vulnerability, you can choose to get different types of alerts. The default method for all types of alerts is email. One of my favorite features in Security Center is the asset footprint. So this can look at processes, accounts, listening ports, installed software, and potential backdoors. So this is a great way to get an overall view, a high level view of what services are running on which of your servers, what software is running of which of your servers, and which accounts are allowed to log in where. This can be very valuable in finding ways to reduce your attack surface.

Security Center also has built in log retrieval and storage. By default, logs are stored for six months and you can use the built-in log search and log analysis tools to go through your logs. And assess the scope and impact of any damage that might have occurred as a result of an attack. This is a full SAS based log retrieval platform. There's nothing to install it, nothing for you to maintain. It's just there. And it supports basic logical expressions, like Boolean expressions, when you're searching. You can search along up to 50 different dimensions and you can give results back within just a few seconds. So, it's a very powerful search and retrieval tool. In the next section, let's take a look at network security.

About the Author
Learning Paths

Alibaba Cloud, founded in 2009, is a global leader in cloud computing and artificial intelligence, providing services to thousands of enterprises, developers, and governments organizations in more than 200 countries and regions. Committed to the success of its customers, Alibaba Cloud provides reliable and secure cloud computing and data processing capabilities as a part of its online solutions.