
Evolution of cloud firewall products

2022-06-23 03:06:00 Tec cloud firewall

Cloud firewall products have been evolving for more than two years, and from an initial period of crossing the river by feeling the stones our products have gradually formed a coherent set of product evolution ideas. This article lays out the direction in which our products are evolving by walking through how to build a firewall “city wall” defense system for users.

I. If you imagine the user's business as a city

If we were given the task of protecting a city, how should we build a solid defense system against foreign invasion? We can list the following points:

1. First of all, we must build a city wall;

2. How many gates are open in the wall? What is each gate for? Is any gate damaged?

3. Some gates are for passers-by; anyone entering the city through them must be checked for prohibited items (knives, guns, flammables and explosives, etc.);

4. Some gates are for staff; staff entering the city must have their identity token checked, and only those holding a valid token are admitted;

5. The range of movement of passers-by must be limited; they may not enter staff areas, military areas or other important places;

6. Traps are set in each area, so that when a malicious actor carries out on-the-spot reconnaissance they trigger a trap and raise an alarm;

7. The destination and belongings of people leaving the city are checked, to prevent collusion with the enemy and disclosure of private information;

8. Everyone's entry and exit is recorded.

[Figure: the “city wall” defense system]

II. Evolving the product along the lines of the city defense system above

In fact, the design of the firewall product follows the same evolution as the way of building the city defense system above:

1. First of all, there must be a firewall;

2. The cloud firewall's vulnerability scanning and traffic analysis capabilities help users sort out which assets are in the cloud, which assets are exposed to the public network, which components they use, and whether they have vulnerabilities;

3. For applications that must be exposed on the public network to serve end users, the firewall's job is to detect whether incoming traffic carries the characteristics of malicious behavior and intercept it, that is, the IPS function;

4. For O&M access or internal websites, the firewall provides a scheme for checking identity information (for example WeChat or Enterprise WeChat), and access is granted only after identity authentication passes;

5. The inter-VPC firewall of the cloud firewall provides an isolation mechanism between the DMZ, which corresponds to the passage area, and the region where key servers such as the DB are located;

6. The cloud firewall's network honeypots can set traps in every part of the user's network; when a potential attacker probes the network, they may step on a trap by mistake and be discovered;

7. The cloud firewall's NAT boundary firewall checks the destination and content of outgoing traffic initiated from the user's network, and uses this to determine whether a host has been compromised;

8. All access logs are recorded, so that the source can be traced and evidence obtained later.

[Figure: firewall product evolution]

III. “Know yourself” & “Know the enemy”

The above is the evolution of the firewall product. For a firewall, security capability is undoubtedly the most important point. In building security capability, we divide it into two parts, knowing yourself and knowing the enemy, which evolve separately:

Know yourself:

  • Help users sort out business assets and collect information: which assets are exposed to the public network, and whether the assets have vulnerabilities;
  • Visualize the traffic of each asset, and generate an alarm for abnormal traffic;
  • Identify which services are provided to the public and which services are provided to internal personnel;
  • Active defense: introduce deception techniques. Users can choose to place traps in their own network areas, so that even if a malicious attacker bypasses numerous detection mechanisms and gets into the intranet, they will still be discovered when they step on a trap by mistake.
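The first three points above are questions that can be answered mechanically from asset and rule data: which hosts are reachable from the public network and on which ports, and which hosts show abnormal traffic against their own baseline. The following is an added example and not Tec cloud firewall's own code; the Asset fields, the constructed hosts (documentation and TEST-NET addresses) and the 3-sigma traffic rule are assumptions made for the illustration.

```python
from __future__ import annotations

import ipaddress
import statistics
from dataclasses import dataclass, field
from typing import Optional

# RFC 1918 address space. An ingress rule whose source is NOT inside one of
# these prefixes is treated as coming from the public network.
PRIVATE_NETS = [ipaddress.ip_network(c)
                for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Asset:
    """A cloud host as the inventory sees it (constructed shape, not a real API)."""
    name: str
    public_ip: Optional[str] = None                  # None: no public address at all
    listening_ports: frozenset[int] = frozenset()    # what the host actually serves
    ingress: list[tuple[str, int]] = field(default_factory=list)  # (source CIDR, port)
    egress_bytes: list[int] = field(default_factory=list)         # daily counters, oldest first


def is_internal_source(cidr: str) -> bool:
    """True when the whole source prefix lies inside private address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def exposed_ports(asset: Asset) -> set[int]:
    """Ports on which the asset both listens and admits a public source.

    A rule that admits only a narrow public prefix (a partner's /24, say)
    still counts as exposure: the gate exists, it is just a smaller one.
    """
    if asset.public_ip is None:
        return set()
    return {port for cidr, port in asset.ingress
            if port in asset.listening_ports and not is_internal_source(cidr)}


def traffic_alarm(asset: Asset, sigma: float = 3.0) -> bool:
    """Alarm when the latest egress count exceeds the baseline by `sigma` std devs."""
    history = asset.egress_bytes
    if len(history) < 4:            # too little history to call anything abnormal
        return False
    baseline, latest = history[:-1], history[-1]
    mean = statistics.mean(baseline)
    spread = max(statistics.stdev(baseline), 1.0)   # floor avoids a zero-variance baseline
    return latest > mean + sigma * spread


def inventory(assets: list[Asset]) -> dict[str, dict]:
    """The two answers per asset: public exposure and traffic anomaly."""
    return {a.name: {"exposed_ports": sorted(exposed_ports(a)),
                     "traffic_alarm": traffic_alarm(a)}
            for a in assets}


# Constructed sample inventory (documentation/TEST-NET addresses, not real hosts).
ASSETS = [
    Asset("web-01", "203.0.113.10", frozenset({22, 443}),
          [("0.0.0.0/0", 443), ("10.0.0.0/8", 22)], [1200, 1300, 1250, 1280]),
    Asset("bastion", "203.0.113.11", frozenset({22}),
          [("198.51.100.0/24", 22)], [300, 320, 310, 305]),
    Asset("db-01", None, frozenset({3306}),
          [("10.0.1.0/24", 3306)], [50, 55, 52, 9000]),
    Asset("legacy-01", "203.0.113.12", frozenset({3389}),
          [("0.0.0.0/0", 3389), ("0.0.0.0/0", 8080)], [10, 12, 11, 13]),
]

if __name__ == "__main__":
    for name, facts in inventory(ASSETS).items():
        print(f"{name:10s} exposed={facts['exposed_ports']} alarm={facts['traffic_alarm']}")
```

Two details matter for the inventory to be honest: a rule on a port the host does not listen on is not exposure (legacy-01's 8080), and a rule that admits only a narrow public /24 still is (the bastion), since the question is whether a gate exists, not how wide it is. db-01 has no public address at all, yet its egress spike is exactly the abnormal-traffic alarm the second bullet asks for.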

Know the enemy:

“Know the enemy” simply means that the firewall needs to know the attackers and their attack methods and intercept them. The core here is access control, and there are generally two approaches to access control: the default-allow blacklist mechanism and the default-deny whitelist mechanism.

If we classify along two dimensions, detection and attack, each of which may be known or unknown, we get four categories:

  • known known: I can detect known attacks; detection rules exist for known attacks;
  • unknown known: I cannot detect known attacks; rule capability is insufficient;
  • unknown unknown: I cannot detect unknown attacks; they are beyond my cognition;
  • known unknown: although I do not know the specific attack behavior, I can still detect and protect against it.

The first two categories (where the attack is known) are rule-based detection, which can also be regarded as a blacklist mechanism. Most security products focus on this: find the attack and block it.

For the detection of unknown attacks (i.e. the attack is unknown), there are currently many schemes on the market, including UEBA, zero trust and so on. These schemes are essentially whitelist mechanisms: the question shifts from how to find abnormal access to how to define normal access. The detection set of a blacklist mechanism is infinite, while the detection set of a whitelist mechanism is finite, and the advantage of this is self-evident.

Through the above four scenarios we have also clarified the direction of the product:

  • For the known known category: automatically identify and intercept Internet attacks and exploits, e.g. intrusion prevention;
  • For the unknown known category: support manually adding Internet boundary rules, NAT boundary rules, whitelist rules, inter-VPC rules and so on, and provide functions such as traffic visualization;
  • For the unknown unknown category: deploy probes in the user's network to record and trace attacker information and attack tactics, e.g. network honeypots;
  • For the known unknown category: accurately identify access traffic involving malicious source IPs and dangerous domain names, with automatic updates at second-level latency, e.g. threat intelligence.
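As an added example (not the product's code), the toy policy engine below puts the two access-control modes from the “Know the enemy” section side by side and shows where the product directions above plug in: signature rules at the Internet boundary for the known known case, a threat-intelligence list for the known unknown case, a default-deny inter-VPC whitelist that keeps the permitted set finite, and a NAT-boundary destination check whose blocks mark suspected compromised hosts; every decision is logged for later tracing. The Flow fields, the rule lists, and all addresses and domain names are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection record (constructed shape, not a real product API)."""
    direction: str          # "inbound" (Internet boundary) | "egress" (NAT boundary) | "east-west" (inter-VPC)
    src: str
    dst: str
    dport: int
    payload: str = ""       # request line for inbound flows
    dst_domain: str = ""    # resolved destination name for egress flows


# --- known known: signature rules for attacks we can describe -------------------
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)\bor\s+1\s*=\s*1\b|union\s+select")),
    ("path-traversal", re.compile(r"\.\./")),
]
# --- known unknown: sources/destinations we do not understand but do recognise ---
THREAT_INTEL_IPS = {"198.51.100.77"}                # constructed feed entry
DANGEROUS_DOMAINS = {"c2.malicious.example"}        # constructed feed entry
# --- default deny between zones: the finite set of permitted east-west flows ----
EAST_WEST_ALLOW = [("10.0.1.0/24", "10.0.2.0/24", 3306)]   # DMZ web tier -> DB zone, MySQL only

LOG: list[dict] = []     # every decision is recorded for later tracing


def _log(flow: Flow, verdict: str, reason: str) -> str:
    LOG.append({"direction": flow.direction, "src": flow.src, "dst": flow.dst,
                "dport": flow.dport, "verdict": verdict, "reason": reason})
    return verdict


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(flow: Flow) -> str:
    """Return "allow" or "block", applying the mode that fits the boundary."""
    if flow.direction == "inbound":                 # default allow, blacklist
        if flow.src in THREAT_INTEL_IPS:
            return _log(flow, "block", "threat-intel source")
        for name, pattern in SIGNATURES:
            if pattern.search(flow.payload):
                return _log(flow, "block", f"ips:{name}")
        return _log(flow, "allow", "default allow at Internet boundary")
    if flow.direction == "egress":                  # NAT boundary: destination check
        if flow.dst_domain in DANGEROUS_DOMAINS:
            return _log(flow, "block", "egress to dangerous domain")
        return _log(flow, "allow", "default allow at NAT boundary")
    if flow.direction == "east-west":               # default deny, whitelist
        for src_net, dst_net, port in EAST_WEST_ALLOW:
            if _in(flow.src, src_net) and _in(flow.dst, dst_net) and flow.dport == port:
                return _log(flow, "allow", "inter-VPC whitelist")
        return _log(flow, "block", "default deny between VPC zones")
    return _log(flow, "block", "unknown direction")


def suspected_compromised_hosts() -> set[str]:
    """Internal hosts whose egress was blocked: the NAT-boundary compromise signal."""
    return {e["src"] for e in LOG if e["direction"] == "egress" and e["verdict"] == "block"}


def run(flows: list[Flow]) -> dict[str, int]:
    """Evaluate a batch from a clean log and return verdict counts."""
    LOG.clear()
    counts = {"allow": 0, "block": 0}
    for f in flows:
        counts[evaluate(f)] += 1
    return counts


# Constructed sample traffic (documentation/TEST-NET addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("inbound", "203.0.113.5", "10.0.1.10", 443, payload="GET /index.html"),
    Flow("inbound", "203.0.113.6", "10.0.1.10", 443, payload="GET /search?q=' OR 1=1 --"),
    Flow("inbound", "198.51.100.77", "10.0.1.10", 443, payload="GET /"),
    Flow("east-west", "10.0.1.10", "10.0.2.20", 3306),
    Flow("east-west", "10.0.1.10", "10.0.2.20", 22),
    Flow("egress", "10.0.1.10", "192.0.2.9", 443, dst_domain="updates.example"),
    Flow("egress", "10.0.2.20", "192.0.2.66", 443, dst_domain="c2.malicious.example"),
]

if __name__ == "__main__":
    print(run(SAMPLE_FLOWS))
    for entry in LOG:
        print(entry)
    print("suspected compromised:", suspected_compromised_hosts())
```

The asymmetry the section describes is visible in the two branches: the inbound branch can only ever grow its block list (each new attack needs a new signature), while the east-west branch enumerates the handful of flows that should exist and refuses everything else, so SSH from the web tier into the DB zone is dropped without anyone having written a rule against it. The egress block from 10.0.2.20 is the "host may be compromised" signal of step 7, raised from the destination alone.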

[Figure: “Know yourself” and “know the enemy”]

Copyright notice
This article was created by [Tec cloud firewall]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/01/202201241634028976.html