Security Index Service User Guide Issue 03 Date 2017-01-20 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://e.huawei.com

Issue 03 (2017-01-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.


Contents

1 Overview
  1.1 SIS
  1.2 Functions
  1.3 Application Scenarios
  1.4 Charging Standards
  1.5 Accessing and Using SIS
    1.5.1 How to Access SIS
    1.5.2 How to Use SIS
    1.5.3 Related Services

2 Management
  2.1 Obtaining the Latest Assessment
  2.2 Understanding Assessment Results

3 Troubleshooting
  3.1 Anti-DDoS Defense
  3.2 Security Group
  3.3 SMS Login Message Verification
  3.4 System Security
  3.5 Security Check

4 FAQs
  4.1 What Is Security Index Service?
  4.2 Does Security Index Service Charge Fees?
  4.3 How Many Security Levels Are There in Security Index Service?
  4.4 What Should I Do If Security Index Service Displays High Risk?
  4.5 Why Is Information on the Page Different From My Actual Configurations?

A Change History


1 Overview

1.1 SIS

The Security Index Service (SIS) is a security assessment service for users' cloud environments. It provides users with unified, clear, and multi-dimensional security views. Using SIS, you can check whether your cloud environment is properly configured and whether current security measures are sufficient, and view proactive and active security situations. You can conveniently configure SIS security items.

NOTICE

SIS has provided Host Intrusion Detection (HID) information since September 30, 2016 only for users in CN North 1.

This document is intended only for users in CN North 1. If you are not in this region, click Document Download in the navigation tree on the left to obtain the Security Index Service User Guide (for Users in CN South 1 and CN East 2).

1.2 Functions

SIS provides the following functions:

• Security level assessment: SIS provides clear security levels for users to take corresponding actions.
• Proactive and active security situations: SIS displays security situations such as Anti-DDoS defense, host intrusion detection, and web scan.
• Security configuration assessment: SIS assesses configurations such as security groups and SMS login verification.
• Convenient paths to security services: SIS offers convenient paths to configurations of various security services.


1.3 Application Scenarios

SIS enables users to know whether their security measures are sufficient. In addition, it provides convenient paths to other security services so that users can configure the services rapidly, thereby saving security maintenance costs.

1.4 Charging Standards

SIS is free of charge currently.

1.5 Accessing and Using SIS

1.5.1 How to Access SIS

You can use the management console to access SIS. If you have registered a public cloud account, log in to the management console and choose Security > Security Index Service on the homepage.

1.5.2 How to Use SIS

You can use SIS after logging in to the management console.

Using SIS, you can check whether your cloud environment is properly configured and whether current security measures are sufficient, and view proactive and active security situations. You can conveniently configure SIS security items.

1.5.3 Related Services

SIS assesses security situations of user resources based on the following cloud services:

• Anti-DDoS traffic cleaning (Anti-DDoS for short)
• Virtual Private Cloud (VPC)
• Identity and Access Management (IAM)
• Web Scan
• Host Intrusion Detection (HID)


2 Management

2.1 Obtaining the Latest Assessment

Step 1 Log in to the console and choose Security > Security Index Service. The service page is displayed.

Step 2 Click in the upper right corner to obtain the latest security assessment, as shown in the following figure:

Step 3 In the upper right corner of the area displaying details about each security item, click the button to obtain the latest assessment about this item, as shown in the following figure:


----End

2.2 Understanding Assessment Results

Introduction

SIS clearly displays the security situation of the cloud environment to help users know risks in their ECSs in a timely manner. It assesses security risks from the following aspects:

• Cyber security
• Authentication security
• System security
• Security check

SIS gives security assessment results in three forms: score circles, a ring chart, and security situations.

Score Circles

Score circles give overall security situations, as shown in Figure 2-1. Sub-circles in different colors indicate different security sub-items.

Figure 2-1 Score circles

A more complete circle indicates a higher security level. For example, Figure 2-2 gives a comparison of score circles. Circles on the left indicate a lower security level and those on the right indicate a higher one.


Figure 2-2 Comparison of score circles

Ring Chart

The result of the security check is given in a ring chart where segments of different colors indicate the numbers of vulnerabilities of different levels, as shown in Figure 2-3. An all-grey ring chart indicates that no vulnerabilities exist.

Figure 2-3 Ring chart

Security Situations

Security situations corresponding to each circle or ring chart are given in the lower part of the page. For example, cyber security score circles correspond to the Cyber Security area, as shown in Figure 2-4.


Figure 2-4 Cyber security situation


3 Troubleshooting

3.1 Anti-DDoS Defense

Symptoms

In the Anti-DDoS Defense area, the Not defended value is larger than 0, as shown in Figure 3-1.

Figure 3-1 Anti-DDoS Defense

Concepts

The Anti-DDoS service protects your elastic IP addresses (EIPs) exposed to the Internet against distributed denial of service (DDoS) attacks. However, you need to enable Anti-DDoS defense for your EIPs first.

• Defended: indicates the number of EIPs for which you have enabled Anti-DDoS defense.
• Not defended: indicates the number of EIPs for which you have not enabled Anti-DDoS defense.
• Number of intercepted DDoS attacks: indicates the number of DDoS attacks intercepted in the last seven days.
• Peak DDoS attack traffic: indicates peak traffic of DDoS attacks intercepted in the last seven days.
• Number of ongoing DDoS attacks: indicates the number of EIPs being defended.

Best Practices

If you do not enable Anti-DDoS defense for EIPs exposed to the Internet, the EIPs are vulnerable to DDoS attacks and security risks exist in your cloud environment.


You are advised to enable Anti-DDoS defense for all EIPs exposed to the Internet.

Handling Method

Step 1 In the Anti-DDoS Defense area, click Details to navigate to the list of Anti-DDoS defense instances.

Step 2 Enable Anti-DDoS defense for required EIPs by following instructions in section Enabling Anti-DDoS Defense in the Anti-DDoS User Guide.

----End

3.2 Security Group

Symptoms

In the Security Group area, the value of Hosts affected by insecure security groups is larger than 0, as shown in Figure 3-2.

Figure 3-2 Security group issue

Concepts

• Insecure security groups are security groups whose Transfer Direction is Inbound, Protocol is ANY, and Remote End is 0.0.0.0/0.
• Hosts affected by insecure security groups: indicates the number of hosts that belong to the insecure security groups defined earlier.
• Hosts protected by security groups: indicates the number of hosts that do not belong to the insecure security groups defined earlier.
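The following added example (not part of the original guide and not Huawei code) applies the definition above to an exported rule set and computes the two host counts. The field names, group names, and host names are constructed for illustration and do not reflect any Huawei API schema.

```python
import ipaddress


def is_insecure_rule(rule):
    """True if a rule matches the guide's definition of insecure:
    Transfer Direction = Inbound, Protocol = ANY, Remote End = 0.0.0.0/0."""
    if rule["direction"].strip().lower() != "inbound":
        return False
    if rule["protocol"].strip().lower() != "any":
        return False
    try:
        net = ipaddress.ip_network(rule["remote_end"].strip(), strict=False)
    except ValueError:
        # Remote end is not a CIDR (for example, another security group).
        return False
    return net.version == 4 and net.prefixlen == 0


def assess(groups, host_groups):
    """Return the insecure rules per group and the affected/protected hosts."""
    insecure_rules = {}
    for name, rules in groups.items():
        bad = [r for r in rules if is_insecure_rule(r)]
        if bad:
            insecure_rules[name] = bad
    # A host is affected if it belongs to at least one insecure group.
    affected = sorted(h for h, gs in host_groups.items()
                      if any(g in insecure_rules for g in gs))
    protected = sorted(h for h in host_groups if h not in affected)
    return {"insecure_rules": insecure_rules,
            "hosts_affected": affected,
            "hosts_protected": protected}


# Constructed sample data (hypothetical names and schema).
SECURITY_GROUPS = {
    "sg-default": [
        {"direction": "Inbound", "protocol": "ANY", "remote_end": "0.0.0.0/0"},
        {"direction": "Outbound", "protocol": "ANY", "remote_end": "0.0.0.0/0"},
    ],
    "sg-legacy": [
        # Same rule with different case and stray whitespace.
        {"direction": "inbound", "protocol": "any", "remote_end": " 0.0.0.0/0 "},
    ],
    "sg-web": [
        # TCP from anywhere: outside the guide's definition, so not flagged.
        {"direction": "Inbound", "protocol": "TCP", "remote_end": "0.0.0.0/0"},
    ],
    "sg-admin": [
        # Trusted address range and a group reference: both acceptable.
        {"direction": "Inbound", "protocol": "ANY", "remote_end": "203.0.113.0/24"},
        {"direction": "Inbound", "protocol": "ANY", "remote_end": "sg-web"},
    ],
}
HOST_GROUPS = {
    "ecs-web-01": ["sg-web"],
    "ecs-db-01": ["sg-admin", "sg-default"],
    "ecs-batch-01": ["sg-legacy"],
    "ecs-bastion": ["sg-admin"],
}

if __name__ == "__main__":
    result = assess(SECURITY_GROUPS, HOST_GROUPS)
    print("Insecure groups:", sorted(result["insecure_rules"]))
    print("Hosts affected by insecure security groups:", result["hosts_affected"])
    print("Hosts protected by security groups:", result["hosts_protected"])
```

A host that belongs to several groups counts as affected as soon as one of them is insecure, which is why ecs-db-01 is reported even though sg-admin is restricted.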

Best Practices

If your ECSs belong to an insecure security group, they are vulnerable to attacks because they are not protected by access limits provided by a secure security group.

You are advised to set strict access limits for your security groups. Do not use insecure security groups.

Handling Method

Step 1 In the Security Group area, click Details to go to the VPC page.

Step 2 Click Security Group in the navigation tree to check for insecure security group rules.

Figure 3-3 Checking security group rules


Step 3 If insecure rules exist, handle them in either of the following ways:

• Modify the rules as instructed in Step 4.
• Move hosts to secure security groups as instructed in Step 5.

Step 4 Delete the insecure rules and add secure rules. For example, add a trusted IP address range for inbound access traffic.

Figure 3-4 Adding a rule

Step 5 Click and choose Computing > Elastic Cloud Server. The ECS management page is displayed.

Step 6 Click the name of a desired ECS. On the displayed page, click the NIC tab and then to check whether the ECS belongs to a secure security group.

If the ECS belongs to an insecure security group, click Change Security Group. In the displayed Change Security Group dialog box, select a secure security group for the ECS, and click OK.

----End

3.3 SMS Login Message Verification

Symptoms

In the SMS Verification for Login area, the SMS Verification for Login value is Not enabled, as shown in Figure 3-5.

Figure 3-5 SMS verification for login


Concepts

SMS message verification during a login is an auxiliary verification method that helps ensure your secure login. When you try to log in to the console, an SMS message containing a verification code is sent to your pre-set mobile phone number. Enter the code and your login password to log in.

Best Practices

Your password is vulnerable to password guessing or brute force cracking attacks if you do not enable the SMS login message verification.

Enable the verification in My Credential.

Handling Method

Step 1 In the SMS Verification for Login area, click Details to go to the account information page.

Step 2 On the My Credential page, click Edit in the Verify Login by SM row.

Figure 3-6 My Credential

Step 3 In the Set SM-based Login Verification dialog box, enter the verification code and click OK to enable the verification, as shown in Figure 3-7.


Figure 3-7 Enabling SMS verification

----End

3.4 System Security

Symptoms

In the Host Intrusion Detection area, the value of Not enabled for is larger than 0, as shown in Figure 3-8.

Figure 3-8 System security issue

Concepts

The System Security area displays host intrusion detection results.

• Enabled for: indicates the number of hosts for which the Host Intrusion Detection (HID) service has been enabled.
• Not enabled for: indicates the number of hosts for which HID has not been enabled.
• Remote logins detected (in 7 days): indicates the number of remote logins detected in the last seven days.
• Brute force crackings detected (in 7 days): indicates the number of brute force cracking attacks detected in the last seven days.
• Weak passwords discovered: indicates the number of discovered system and database (MySQL) accounts with weak passwords.
• Processes with excessive permissions: indicates the number of discovered processes that can be started with a high-level account, such as the database (MySQL) process that can be started with a system account.
• Web backdoors discovered: indicates the number of discovered web backdoors.


Best Practices

If system security issues exist, ECSs are at risk of intrusion by hackers.

Based on the detection results, you can harden your ECS security accordingly to improve your system security and mitigate the risk of your ECS being intruded.

Handling Method

Step 1 In the Host Intrusion Detection area, click Details to go to the host list and handle issues.

Step 2 If intrusion detection is not enabled for a host, perform the following operations:

1. On the ECS list page, find the ECS for which you want to enable HID. Confirm that the ECS detection status of the ECS is Not enabled.

NOTE

– If ECS detection status is Abnormal and the cause is a network fault, ECS detection status becomes Normal automatically after the network recovers and no manual intervention is required. However, if ECS detection status is Abnormal for a long period of time, you must log in to the ECS and restart or re-install the HID client.

– If ECS detection status is Not installed, install the HID client as instructed in section Installing the Client of the Host Intrusion Detection User Guide.

2. In the Operation column, click Enable Detection to enable the HID service.

Step 3 In the navigation tree on the left, click Detection Report. On the page that is displayed, click the Table tab to view the detection results about all ECSs, as shown in Figure 3-9.

Figure 3-9 Detection results about all ECSs

Step 4 Handle issues for each ECS according to the information in the table:

• If remote logins are detected and they were not performed by yourself, change the login password immediately.
• If brute force cracking attacks are detected, harden your ECS security according to the detection results. For example, if your database has been attacked, change the database password immediately.
• If weak passwords exist, change them to strong ones immediately to prevent cracking.
• If processes with excessive permissions exist, change the accounts to lower-level ones to prevent the high-level accounts from being utilized.
• If web backdoors exist, find and modify the corresponding files based on the locations of the backdoor files to prevent hackers from using backdoors to control your ECS.

----End


3.5 Security Check

Symptoms

In the Web Scan area, security vulnerabilities are detected, as shown in Figure 3-10.

Figure 3-10 Security check issue

Concepts

The Security Check area displays web vulnerability scan results. Various security scanning services are supported, such as common vulnerability detection, third-party application vulnerability detection, and fingerprint identification.

• Websites that have not passed security check: indicates the number of websites for which you have configured but not enabled the Web Scan service (Web Scan).
• Last scan time: indicates the duration from the last scan to now.
• Earliest scan time: indicates the duration from the earliest scan to now.

Best Practices

Web security vulnerabilities on your network can be maliciously exploited and cause losses.

You are advised to scan all websites regularly to discover vulnerabilities as soon as possible. In addition, when the security check suggests that security vulnerabilities exist in your system, promptly handle them as advised.

Handling Method

Step 1 In the Web Scan area, click Details to go to the Web Scan service page.

Step 2 In the navigation tree on the left, click Intercepted Details to view scan results.

Step 3 On the right of a vulnerability link, click More for repair suggestions and handle the vulnerability as suggested. Perform another scan after the repair to confirm that the vulnerability has been repaired.

----End


4 FAQs

4.1 What Is Security Index Service?

The Security Index Service (SIS) is a security assessment service for users' cloud environments. It provides users with unified, clear, and multi-dimensional security views. Using SIS, you can check whether your cloud environment is properly configured and whether current security measures are sufficient, and view proactive and active security situations. You can conveniently configure SIS security items.

4.2 Does Security Index Service Charge Fees?

SIS is free of charge.

4.3 How Many Security Levels Are There in Security Index Service?

There are three security levels in Security Index Service: Security, Low Risk, and High Risk.

4.4 What Should I Do If Security Index Service Displays High Risk?

1. First, check the completeness of the score circles in the upper part of the page. The more complete the circle, the higher the security. For example, in Figure 4-1, the circles on the left are less secure than those on the right.


Figure 4-1 Comparison of score circles

2. Check insecure items, for example, Anti-DDoS Defense and Security Group in the left part of Figure 4-1. Then check details about the insecure items in the lower part of the page.

a. In the preceding figure, Anti-DDoS defense is not enabled for three EIPs. Click Details to enable the defense.

b. Three hosts are affected by insecure host groups. Click Details to modify the security group configuration.

3. After you handle the insecure items as prompted, go back to the SIS service page and click in the upper right corner. The page displays Security now.

4.5 Why Is Information on the Page Different From My Actual Configurations?

The difference may be caused by modification of security configurations. You can click the button in the upper right corner of each security item for the system to update the information and assess your cloud environment security again.


A Change History

Released On    Description
2017-01-20     This is the third official release. Added section Accessing and Using SIS.
2016-09-30     This is the second official release. Added section Security Check.
2016-08-25     This is the first official release.
