Multicloud Defense Components

Multicloud Defense uses a common principle in public clouds and software defined networking (SDN) which decouples the control and data plane, translating to two solution components - the Multicloud Defense Controller and the Multicloud Defense Gateway.

Multicloud Defense Controller

The Multicloud Defense Controller is a highly reliable and scalable centralized controller that provides the management and control plane. This runs as software-as-a-service (SaaS) and is fully managed and maintained by Multicloud Defense. Customers access a web portal to utilize the Multicloud Defense Controller, or they may choose to use the Multicloud Defense provider for terraform to instantiate security into the DevOps/DevSecOps processes.

Multicloud Defense Gateway

The Multicloud Defense Gateway is an auto-scaling fleet of Multicloud Defense software deployed as patform-as-a-service (PaaS) into the customers public cloud account/s by the Multicloud Defense Controller. This provides advanced, inline security protections that defend against external attacks, prevent egress data exfiltration and prevent the lateral movement of attacks. Multicloud Defense Gateways include functionality for TLS decryption, intrusion detection and prevention (IDS/IPS), web application firewall (WAF), antivirus filtering, data loss prevention (DLP) and FQDN/URL filtering capabilities.

To facilitate the auto-scaling

  • Autoscaling and Self-Healing: Operate as autoscaling, self-healing Platform-as-a-Service (PaaS), serving as inline network-based security enforcement nodes. For more information about auto-scaling and how it operates within the construct of the gateway, see below.

  • Simplified Management: Eliminate the need for constructing virtual firewalls, configuring high-availability setups, or managing software installations.

  • Advanced Security Profiles: Implement granular security profiles within a single pass datapath pipeline, negating the need for traffic offloading to third-party engines.

Important

The Multicloud Defense Gateway does not currently support IP fragmentation because of cloud service provider load-balancer limitations. We strongly recommend you adjust the Maximum Transmission Unit (MTU) size so it is consistent across the network to avoid the need for fragmentation.

Multicloud Defense SaaS Controller

Multicloud Defense offers a sophisticated, streamlined security framework, combining robust controller orchestration, gateway communication, and optimized datapath processing to provide efficient and comprehensive multicloud protection. This solution helps organizations secure their cloud workloads and applications from cyber threats while maintaining flexibility and scalability in their cloud environments:

  • SaaS-Based Management: The Software-as-a-Service (SaaS) controller manages the Gateway stack and includes an API Server for orchestration of CSP load balancers (LBs) and Gateway Instances.

  • Dynamic Scaling: Facilitates dynamic horizontal scaling through instance additions and removals from the load balancer’s “target pool,” monitored for high availability.

  • Continuous Communication: Engages in continuous communication with Cloud Service Provider (CSP) accounts to keep security policies up-to-date.

Communications

Multicloud Defense Gateways engage in continuous communication, approximately every 3 seconds, with the Multicloud Defense Controller, transmitting health status and policy updates. This enables proactive health reporting, gateway replacement, and scalability adjustments as needed.

Optimized Gateway Instances

Multicloud Defense Gateway instances operate on highly optimized software, incorporating a single pass datapath pipeline for efficient traffic processing and advanced security enforcement. Each gateway instance comprises three core processes: a "worker" process responsible for policy enforcement, a "distributor" process for traffic distribution and session management, and an "agent" process communicating with the controller. Gateway instances can seamlessly transition "in service" for a "datapath restart," enabling smooth updates without disrupting traffic flow.

Gateway Auto-scaling

Autoscaling in Multicloud Defense is triggered based on the following usage thresholds:

  • CPU Usage

    • Scale Out: Triggered when CPU usage exceeds 95%.

    • Scale In: Occurs when CPU usage falls below 40%.

  • Memory Usage

    • Scale Out: Triggered when memory usage exceeds 85%.

    • Scale In: Occurs when memory usage falls below 40%.

  • Bandwidth Usage

    • Scale Out: Triggered when bandwidth usage exceeds 75%.

    • Scale In: Occurs when bandwidth usage falls below 40%.

  • Connection Usage

    • Scale Out: Triggered when connection usage exceeds 75%.

    • Scale In: Occurs when connection usage falls below 40%.

  • Load Sustain Period: Autoscaling actions are triggered if the load conditions are sustained for 120 seconds.

  • Scale-In and Scale-Out Periods: Both scale-in and scale-out actions have a 120-second assessment period to ensure consistent load conditions.

For information about specific cloud service providers and their instance type support, see Cloud Service Provider Instance Type Support.

Advanced Security Profiles

Multicloud Defense Controllers implement granular security profiles within the single pass datapath pipeline, catering to evolving traffic needs. Customers have the flexibility to enable or disable Advanced Security Profiles as required. The pipeline's single pass architecture negates the need for traffic offloading to third-party engines. For instance, full TLS decryption is selectively triggered within the pipeline, ensuring efficient handling without unnecessary data transfers.

In essence, Multicloud Defense offers a sophisticated and streamlined security framework, harmonizing controller orchestration, gateway communication, and optimized datapath processing for a robust and efficient multicloud protection mechanism.