Tencent Cloud Firewall (CFW) complies with the main standards of the Cybersecurity Classified Protection (CCP) Certification 2.0 standard system. Under the Network Security Level Protection Basic Requirements (GB/T 22239-2019), Tencent Cloud Firewall meets the security requirements of level three and below. This applies only to the Advanced edition and above with log analysis purchased.

No. | CCP Standard Chapters | CCP Standard Serial Number | CCP Standard Content | Corresponding Function | Evaluation Interpretation |
--- | --- | --- | --- | --- | --- |
1 | Security zone boundary - perimeter protection | 8.1.3.1 a) | It should be ensured that cross-boundary accesses and data streams communicate through controlled interfaces provided by boundary devices. | Firewall switch, Access control | CFW supports controlling traffic across north-south and east-west boundaries; it supports sorting out Internet exposure and blocking exposed ports. |
2 | Security zone boundary - perimeter protection | 8.1.3.1 b) | Be able to check or limit unauthorized devices connecting to the private network without permission. | Firewall switch, Access control | CFW supports traffic audit and analysis in both north-south and east-west directions. It controls assets' network access in real time through ACLs and blocklists/allowlists. It supports remote Ops via WeChat and blocks unauthorized access to assets. |
3 | Security zone boundary - perimeter protection | 8.1.3.1 c) | Be able to check or limit internal users connecting to the external network without authorization. | Firewall switch, Access control | CFW supports traffic audit and analysis in both north-south and east-west directions. It identifies and analyzes active outbound behaviors and blocks them. It also supports configuring access control rules to limit unauthorized access. |
4 | Security zone boundary - access control | 8.1.3.2 a) | Set access control rules according to the access control policy at the network boundary or between zones. By default, controlled interfaces deny all communication except for allowed communication. | Access Control | The Internet boundary rules, NAT boundary rules and Inter-VPC rules of CFW provide north-south and east-west isolation of business traffic. Once configured, rules are managed and enforced uniformly in the specified execution order. |
5 | Security zone boundary - access control | 8.1.3.2 b) | Extra or invalid access control rules should be deleted, the access control list should be optimized, and the quantity of access control rules should be minimized. | Access Control | Delete or disable invalid or redundant rules according to the execution order and number of hits of rules, thereby optimizing the access control rule list. |
6 | Security zone boundary - access control | 8.1.3.2 c) | Check the source address, destination address, source port, destination port and protocol to allow/deny packets to enter and exit. | Access Control | CFW Access Control Rules can be configured based on specified access source, source port, access destination, destination port and protocol. The optional policies are Allow or Block. |
7 | Security zone boundary - access control | 8.1.3.2 d) | Should be able to explicitly allow or deny access for inbound and outbound data streams according to session state information. | Access Control | CFW detects, blocks and intercepts malicious traffic in real time, at session granularity, for assets with protection enabled. |
8 | Security zone boundary - access control | 8.1.3.2 e) | Handle data streams in and out of the network and implement access control based on application protocols and application content. | Access Control | CFW Access Control Rules support configuration by protocol; CFW supports protection for applications such as databases and remote connections. |
9 | Security zone boundary - intrusion prevention | 8.1.3.3 a) | Cyber attacks initiated from external sources should be detected, prevented or limited at key network nodes. | Intrusion Prevention | CFW supports detecting malicious traffic and common attack behaviors and blocking them in real time for assets with protection enabled. |
10 | Security zone boundary - intrusion prevention | 8.1.3.3 b) | Cyber attacks initiated from inside should be detected, prevented or limited at key network nodes. | Access Control | CFW supports proactive outbound connection management, host compromise detection, outbound traffic detection and protection, and ACL management. |
11 | Security zone boundary - intrusion prevention | 8.1.3.3 c) | Technical measures should be taken to analyze network behavior and achieve the analysis of network attacks, especially new types of network attack behaviors. | Intrusion Prevention | CFW draws on the Tencent Security Threat Intelligence Database to detect new types of attack behaviors and 0day vulnerabilities in the cloud in real time, and supports intercepting and protecting through virtual patches. |
12 | Security zone boundary - intrusion prevention | 8.1.3.3 d) | If attack behaviors are detected, log the attack source IP, attack type, attack target and attack time. Trigger an alarm when severe intrusion events occur. | Alert Center | CFW detects network traffic in real time, alerts on risk events, blocks malicious activities, and records attack event types, danger levels, access sources, source ports, access destinations, destination ports, protocols, occurrence times, etc. |
13 | Security zone boundary - malicious code and spam prevention | 8.1.3.4 a) | Detect and remove malicious code at key network nodes, and maintain the upgrade and update of the malicious code protection mechanism. | Intrusion Prevention | CFW supports providing real-time detection and protection against network malicious code attacks, and regularly updates malicious code detection rules. |
14 | Security zone boundary - security audit | 8.1.3.5 a) | Perform security audits at the network boundary and key network nodes. Audit all users. Audit important user behavior and significant security incidents. | Log audit, traffic center | CFW supports storing log data within 6 months after the log analysis feature is enabled, including traffic logs, intrusion prevention logs, access control logs and operation logs. |
15 | Security zone boundary - security audit | 8.1.3.5 b) | Audit records should include the date and time of the event, user, event type, whether the event was successful and other audit-related information. | Log Audit | Cloud firewall log recording includes the date and time of the event, user, event type, whether the event was successful, and other audit-related information. |
16 | Security zone boundary - security audit | 8.1.3.5 c) | Protect audit records, perform scheduled backups, and avoid unexpected deletion, modification or overwrite. | Log Audit | CFW log records are backed up in real time through primary and secondary storage systems, ensuring that user logs are not lost and are recoverable within their storage cycle. |
17 | Security zone boundary - security audit | 8.1.3.5 d) | Behavioral audit and data analysis should be performed separately for user behaviors such as remote access and accessing the Internet. | Log Analysis | The WeChat remote Ops feature of CFW can record all user behaviors after users connect remotely. Combined with north-south and east-west traffic logs and the CFW log analysis feature, comprehensive audit and data analysis can be performed on user behaviors. |