          Virtual Private Cloud

          Description of Network Security

          1. Network Access Control

          Nowadays the barrier to launching network attacks keeps getting lower, and servers are compromised from time to time. A company that suffers a network attack faces serious losses. If you want to protect your servers from attack, network access control is an indispensable measure.

          VPC

          VPC is a user-definable virtual network, allowing you to flexibly set the network address space and achieve network isolation between different services.

          The problems operations engineers run into most often are overlapping address ranges, exhausted address space, and misuse of public network addresses, all of which make it impossible to expand or upgrade the VPC quickly and effectively. To avoid address conflicts when the VPC is expanded later, or when a VPN or express tunnel to an IDC or another public cloud platform is enabled, take the early network planning requirements fully into account and allocate the address space reasonably.

          At present, the address space available in Baidu AI Cloud includes 10.0.0.0/16, 172.16.0.0/12, and 192.168.0.0/16. Baidu AI Cloud recommends reserving a larger address space and avoiding small VPCs, which keeps the plan flexible. Furthermore, place similar businesses in the same subnet so that their servers can be managed uniformly. Baidu AI Cloud supports incorporating BCC, sub-instances of DCC, and BBC into a VPC.
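The planning rules above (subnets inside the VPC range, no overlap between subnets, no collision with the IDC or other-cloud ranges that a VPN or express tunnel will later reach) can be checked mechanically before anything is created. The following Python script is an added example, not Baidu AI Cloud tooling; the VPC CIDR, subnet names and remote ranges in it are constructed values chosen to trigger two of the three checks, and it also reports the largest unallocated blocks left for future expansion.

```python
import ipaddress

# Constructed plan: a VPC, its intended subnets, and the remote ranges that
# will be reached over VPN / express tunnel later. Not a real deployment.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "web-tier": "10.0.0.0/24",
    "app-tier": "10.0.1.0/24",
    "db-tier": "10.0.2.0/24",
    "bad-overlap": "10.0.2.128/25",   # constructed: overlaps db-tier
}
REMOTE_RANGES = {
    "idc-beijing": "10.0.3.0/24",     # constructed: collides with the VPC itself
    "other-cloud": "192.168.10.0/24",
}


def check_plan(vpc_cidr, subnets, remote_ranges):
    """Return a list of planning problems; an empty list means the plan is clean."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    # 1. every subnet must sit inside the VPC address space
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    # 2. subnets must not overlap each other
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # 3. ranges reached over VPN / express tunnel must not collide with the VPC
    for name, cidr in remote_ranges.items():
        remote = ipaddress.ip_network(cidr)
        if remote.overlaps(vpc):
            problems.append(f"remote {name} {remote} collides with VPC {vpc}")
    return problems


def free_space(vpc_cidr, subnets):
    """Return the unallocated blocks of the VPC, largest first, for expansion planning."""
    free = [ipaddress.ip_network(vpc_cidr)]
    for cidr in subnets.values():
        used = ipaddress.ip_network(cidr)
        remaining = []
        for block in free:
            if not block.overlaps(used):
                remaining.append(block)
            elif used.subnet_of(block):
                # carve the used subnet out of this free block (yields nothing if equal)
                remaining.extend(block.address_exclude(used))
            # else: the used range covers the whole block, so the block is gone
        free = remaining
    return sorted(free, key=lambda n: (n.prefixlen, n.network_address))


if __name__ == "__main__":
    for problem in check_plan(VPC_CIDR, SUBNETS, REMOTE_RANGES):
        print("PROBLEM:", problem)
    print("free blocks:", [str(b) for b in free_space(VPC_CIDR, SUBNETS)])
```

Run it before creating the VPC; fix every reported problem, and keep the largest free block untouched so the VPC can grow without renumbering.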

          For details, see Virtual Private Cloud (VPC).

          Routing Table

          The routing table is the traffic controller of the VPC: it controls traffic at the global level and at the subnet level. Subnets in the same VPC are interconnected by default; in addition, you can define custom routing rules to control where network traffic is sent. At present, Baidu AI Cloud supports peering connections, NAT gateways, VPN gateways, express tunnel gateways, and custom forwarding through instances as routing targets, covering routing solutions for multiple scenarios.

          For details, see Routing Table.

          NAT Gateway

          The NAT gateway provides Internet access for Baidu Cloud Compute (BCC) instances and supports both SNAT and DNAT. With SNAT, multiple BCC instances share a set of public IP addresses to reach the Internet; with DNAT, BCC instances can offer services to the Internet.

          Because the NAT gateway gives the private network outbound access while hiding the private servers from the outside, it improves the privacy and security of the network.

          For details, see NAT Gateway, Best Practices for NAT Gateway.

          VPN Gateway and Express Tunnel (ET)

          When a user has a cross-border link, data transmitted over the public Internet is exposed to attackers. By deploying the VPN or express tunnel services, you can set up an end-to-end encrypted tunnel or a dedicated express tunnel link, which significantly reduces the risk of being attacked.

          Through the VPN gateway, you can build VPN tunnels between Baidu AI Cloud and multiple data centers quickly and flexibly. The Baidu AI Cloud VPN gateway is built on a highly reliable active/standby (master and slave) architecture and supports automatic VPN health detection, automatic fault recovery, and other features.

          If you have high requirements for both network latency and stability, the Baidu AI Cloud express tunnel service is the best choice. The ET service offers a fast and reliable way to connect your IDC to Baidu AI Cloud. It consists of two parts: the physical ET and the ET gateway. Multiple express tunnels can be carried on one physical ET as virtual link resources, while the user creates and maintains the ET gateway inside their own VPC. The user binds an express tunnel to the designated express tunnel gateway and configures routing at both ends to interconnect the traffic.

          For details, see VPN Gateway, Express Tunnel (ET).

          Security Group and ACL

          An attacker can use socket programming to attempt TCP connections to ports on the destination CVM server and probe the transport protocol. In this way the attacker learns whether a service port of the destination server (a TCP/IP service port in the range 0-65535) is open, what service the server provides on it, whether that service has certain defects, and so on.

          High-risk ports are often the entry point attackers use to implant Trojans on a server, creating security threats, so port protection on the server is a top priority. Common high-risk ports are TCP 135, 139, 445, 1433, 3306, 5900, and so on.

          If all ports are open without restriction, the loss is enormous once the server is compromised. A server should offer its services only to authorized clients and reject unauthorized access. How can unauthorized access be rejected as far as possible?

          The security group is an instance-level static packet-filtering firewall created for BCC; it defines inbound and outbound access policies by IP address and port. By default, the security group allows all inbound and outbound traffic. To improve BCC security, Baidu AI Cloud recommends opening only the minimum inbound access that the services running on the BCC require. Unless it is needed, Baidu AI Cloud also recommends prohibiting outbound traffic from the server; if the server must reach the Internet, configure the minimum allow rules required.

          The ACL is a subnet-level firewall component that lets you flexibly control the traffic of one or more subnets, meeting the security requirements of different network deployments.

          For details, see Security Group, ACL, Best Practices for Security Group (Quick Start), and Best Practices for Security Group (Advanced).
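The difference between the default "allow everything" security group and a least-privilege group is easiest to see by evaluating sample packets against both. The Python model below is an added example written for this page, not Baidu AI Cloud's security group implementation or API: it treats a security group as an allow-list of rules (anything unmatched is dropped), evaluates packets against it, and audits the inbound rules for the high-risk ports named above exposed to 0.0.0.0/0. The bastion subnet 10.0.100.0/24, database subnet 10.0.2.0/24 and resolver 10.0.0.2 in the least-privilege group are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# High-risk TCP ports named in the text above.
HIGH_RISK_PORTS = {135, 139, 445, 1433, 3306, 5900}


@dataclass(frozen=True)
class Rule:
    """One allow rule of a security group (assumed model: only allow rules exist)."""
    direction: str   # "in" (inbound) or "out" (outbound)
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # inclusive port range; ignored for icmp packets
    port_to: int
    cidr: str        # remote address range the rule applies to


def rule_matches(rule, direction, protocol, port, remote_ip):
    if rule.direction != direction:
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if protocol != "icmp" and not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def is_allowed(rules, direction, protocol, port, remote_ip):
    """Static packet-filter semantics: the packet passes if any rule matches it."""
    return any(rule_matches(r, direction, protocol, port, remote_ip) for r in rules)


def audit_inbound(rules):
    """Flag inbound rules that expose a high-risk port to the whole Internet (0.0.0.0/0)."""
    findings = []
    for r in rules:
        if r.direction != "in" or r.protocol not in ("tcp", "all"):
            continue
        if ipaddress.ip_network(r.cidr).prefixlen != 0:
            continue   # restricted to a specific source range, not wide open
        exposed = sorted(p for p in HIGH_RISK_PORTS if r.port_from <= p <= r.port_to)
        if exposed:
            findings.append((r, exposed))
    return findings


# Constructed group equivalent to the default "allow everything" behaviour.
OPEN_GROUP = [
    Rule("in", "all", 0, 65535, "0.0.0.0/0"),
    Rule("out", "all", 0, 65535, "0.0.0.0/0"),
]

# Constructed least-privilege group for a web server (subnets and resolver assumed).
WEB_GROUP = [
    Rule("in", "tcp", 443, 443, "0.0.0.0/0"),       # HTTPS from anywhere
    Rule("in", "tcp", 22, 22, "10.0.100.0/24"),     # SSH only from the bastion subnet
    Rule("out", "tcp", 3306, 3306, "10.0.2.0/24"),  # MySQL only to the database subnet
    Rule("out", "udp", 53, 53, "10.0.0.2/32"),      # DNS only to the internal resolver
]

if __name__ == "__main__":
    for name, group in (("open", OPEN_GROUP), ("web", WEB_GROUP)):
        print(name, "allows TCP/445 from the Internet:",
              is_allowed(group, "in", "tcp", 445, "203.0.113.5"))
        print(name, "audit findings:", audit_inbound(group))
```

The audit function is the part worth keeping around: run it over every group before deployment, and treat any finding on a port from the high-risk list as a blocker.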

          2. Diagnosis Log and Monitoring System

          Network problems are highly time-sensitive. When network jitter or a sudden traffic anomaly occurs, collecting logs by hand is usually impossible, and once the problem disappears the cause is hard to locate. Without that evidence, the system cannot be tuned against the underlying problem.

          Flow Log

          The flow log feature is used to record the network flow information sent and received by a BCC instance in the VPC. Also, this feature can provide users with the capabilities of traffic analysis, visualization, fault diagnosis/locating, and network architecture tuning.

          The flow log feature preserves the state of a fault, helping you locate a network fault quickly and fix its root cause in time. For example, it can quickly show whether a BCC is unreachable because a security group or ACL rule is misconfigured.

          The flow log feature collects network card traffic and helps you build data-driven network operations and optimize the network architecture rationally, for example by analyzing historical network data and establishing business network baselines. It also lets you discover performance bottlenecks in time and scale capacity up or shed traffic as appropriate, analyze the regions and traffic of your users to expand business coverage sensibly, and optimize network security policies.

          Adding traditional traffic checkpoints degrades the performance of the CVM server. Flow logs can reveal network security threats in time and improve system security without affecting CVM performance: for example, they expose attempts to connect to a wide range of IP addresses, communication with known threat IP addresses, and the use of uncommon protocols.
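The two uses described above, diagnosing a BCC that a security group or ACL is blocking and spotting the three threat patterns (connection sweeps across many addresses, contact with known threat addresses, uncommon protocols), can both be answered from the same flow records. The Python script below is an added example, not Baidu AI Cloud's flow log tooling; it assumes a whitespace-separated record layout (`ts src dst sport dport proto packets bytes action`) that a real flow log export would need to be mapped onto, and the records, the threat address and the sweep threshold are constructed values.

```python
from collections import defaultdict

# Constructed reference data: the "known threat" address is taken from the
# TEST-NET-3 documentation range and is not a real indicator.
THREAT_IPS = {"203.0.113.66"}
COMMON_PROTOCOLS = {1, 6, 17}   # ICMP, TCP, UDP by IP protocol number
SWEEP_THRESHOLD = 4             # distinct (dst, port) pairs from one source

# Constructed flow records in the assumed layout:
# ts src dst sport dport proto packets bytes action
FLOW_LOG = """\
1700000000 198.51.100.9 10.0.0.10 51000 443 6 12 9000 ACCEPT
1700000001 198.51.100.9 10.0.0.10 51001 22 6 1 60 REJECT
1700000002 10.0.0.10 203.0.113.66 44000 4444 6 3 180 ACCEPT
1700000003 198.51.100.77 10.0.0.10 40000 135 6 1 60 REJECT
1700000003 198.51.100.77 10.0.0.11 40001 139 6 1 60 REJECT
1700000004 198.51.100.77 10.0.0.12 40002 445 6 1 60 REJECT
1700000004 198.51.100.77 10.0.0.13 40003 1433 6 1 60 REJECT
1700000005 198.51.100.77 10.0.0.14 40004 3306 6 1 60 REJECT
1700000006 10.0.0.20 10.0.0.21 0 0 47 50 60000 ACCEPT
"""

FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "packets", "bytes", "action")
INT_FIELDS = ("ts", "sport", "dport", "proto", "packets", "bytes")


def parse_flow_log(text):
    """Turn the assumed text layout into a list of dict records with typed numeric fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_flows(records):
    """Flows the security group or ACL dropped: the first place to look when a BCC is unreachable."""
    return [(r["src"], r["dst"], r["dport"]) for r in records if r["action"] == "REJECT"]


def sweeping_sources(records, threshold=SWEEP_THRESHOLD):
    """Sources that touched many distinct destination/port pairs, the shape of a connection sweep."""
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add((r["dst"], r["dport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= threshold)


def threat_contacts(records, threat_ips=THREAT_IPS):
    """Flows with a threat-listed endpoint; an outbound hit usually means an already compromised host."""
    return [(r["src"], r["dst"]) for r in records
            if r["src"] in threat_ips or r["dst"] in threat_ips]


def uncommon_protocol_flows(records, common=COMMON_PROTOCOLS):
    """Flows using an IP protocol other than ICMP/TCP/UDP, e.g. GRE (47) where no tunnel is expected."""
    return [(r["src"], r["dst"], r["proto"]) for r in records if r["proto"] not in common]


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG)
    print("rejected by security group/ACL:", rejected_flows(recs))
    print("sweeping sources:", sweeping_sources(recs))
    print("threat contacts:", threat_contacts(recs))
    print("uncommon protocols:", uncommon_protocol_flows(recs))
```

In practice the sweep threshold is tuned per workload and evaluated over a time window; the point of the example is that every one of the page's detection cases reduces to a simple aggregation over the records the flow log already stores.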

          For details, see Flow Log.

          Baidu Cloud Monitor (BCM)

          BCM helps users monitor the health of the cloud products they use on Baidu AI Cloud, including Baidu Cloud Compute, Cloud Databases, Object Storage, Content Delivery Network, and so on. Through site monitoring, application monitoring, and custom monitoring, BCM also provides richer and more flexible analysis and monitoring of application systems, so that you learn the operating status of your business in time and keep it running healthily and stably.

          By configuring the alarm policy, users can receive an alarm immediately through short messages and email when an abnormal problem or resource shortage occurs in a cloud product. Also, you can compare and analyze historical monitoring data to further diagnose and solve problems.

          You do not need to buy and enable the BCM service. After you register a Baidu AI Cloud account, the Baidu Cloud Monitor service is enabled automatically. After you buy and use Baidu AI Cloud products, you can view the product running status and set the alarm through the BCM management console.

          For details, see BCM.

          3. Network Cloud Attack Protection

          What Is a DDoS Attack?

          A Distributed Denial of Service (DDoS) attack is an attack on one or more targets launched simultaneously by multiple attackers at different locations, or by a single attacker who controls and uses multiple machines at different locations.

          An attacker can launch a DDoS attack in two ways. The first is a bandwidth (traffic) attack on the network: a large number of attack packets saturate the network bandwidth, so that valid packets are drowned out by the bogus ones and cannot reach the CVM server. The second is a resource-depletion attack on the CVM server itself: a large number of attack packets exhaust the server's memory or keep its CPU busy in the kernel and applications, so that it can no longer provide network services. During a DDoS attack, the main manifestations are as follows:

          (1) A large number of TCP connections are waiting on the attacked CVM server.

          (2) The network is flooded with useless packets whose source addresses are forged.

          (3) High volumes of useless data cause network congestion, so the attacked CVM server cannot communicate normally with external devices.

          (4) Specific service requests are sent repeatedly at high speed, abusing the service the attacked CVM server provides or defects in the transport protocol, so that the server cannot process all normal requests in time.

          (5) In serious cases, the system may crash.
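Manifestations (1) and (2) are visible on the server itself: a queue of half-open (SYN-RECV) connections, each from a different and often forged source. The script below is an added example for this page, not Baidu AI Cloud's DDoS protection logic; it summarises a socket table snapshot in the shape of `ss -tan` output trimmed to the state, local and peer columns (the snapshot is constructed) and flags the combination of many half-open connections with one-per-source distribution and peers from address ranges that cannot legitimately originate Internet traffic.

```python
import ipaddress
from collections import Counter

# Constructed snapshot of a TCP socket table (state, local address:port,
# peer address:port), trimmed to the columns the check needs; not a capture.
SOCKET_TABLE = """\
ESTAB     10.0.0.10:443  198.51.100.9:51000
ESTAB     10.0.0.10:443  198.51.100.10:51002
SYN-RECV  10.0.0.10:443  203.0.113.1:40000
SYN-RECV  10.0.0.10:443  203.0.113.2:40001
SYN-RECV  10.0.0.10:443  203.0.113.3:40002
SYN-RECV  10.0.0.10:443  0.0.0.0:40003
SYN-RECV  10.0.0.10:443  240.0.0.5:40004
SYN-RECV  10.0.0.10:443  224.0.0.9:40005
"""


def is_bogus_source(ip):
    """Addresses that cannot legitimately originate Internet traffic; as a peer they indicate a forged source."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved


def half_open_report(table_text, half_open_limit=5):
    """Summarise half-open (SYN-RECV) connections in a socket table snapshot."""
    states = Counter()
    per_port = Counter()
    per_peer = Counter()
    bogus = set()
    for line in table_text.splitlines():
        if not line.strip():
            continue
        state, local, peer = line.split()[:3]
        states[state] += 1
        if state != "SYN-RECV":
            continue
        per_port[local.rsplit(":", 1)[1]] += 1
        peer_ip = peer.rsplit(":", 1)[0]
        per_peer[peer_ip] += 1
        if is_bogus_source(peer_ip):
            bogus.add(peer_ip)
    half_open = states["SYN-RECV"]
    # Many half-open connections, each from a different peer, is the pattern of
    # manifestations (1) and (2): a waiting queue filled by forged or distributed sources.
    suspicious = half_open >= half_open_limit and len(per_peer) == half_open
    return {
        "half_open": half_open,
        "established": states["ESTAB"],
        "by_local_port": dict(per_port),
        "distinct_peers": len(per_peer),
        "bogus_peers": sorted(bogus),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(half_open_report(SOCKET_TABLE))
```

A report like this is evidence for opening a case with the platform's DDoS protection, not a substitute for it: by the time half-open connections pile up on the host, the bandwidth-level flood described above is best absorbed upstream.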

          Baidu AI Cloud AntiDDoS Protection

          Baidu AI Cloud provides users with basic DDoS protection capabilities for free, which can meet users' daily secure operation requirements and ensure the normal and reliable running of cloud resources. Baidu AI Cloud users can enjoy DDoS protection capability up to 5Gbps for free. The basic protection capability in the Hong Kong region is 1Gbps.

          Baidu AI Cloud can provide the DDoS protection service for the following attacks:

          Network attack:

          • SYN flood attack;
          • ACK flood attack;
          • FIN/RST flood attack;
          • UDP flood attack;
          • ICMP flood;
          • TCP connection depletion attack;

          Application attack:

          • HTTP GET/POST flood attack;
          • CC attack;
          • HTTP slow header/post attack.