Secure and Optimize Your Multicloud Deployments with Cisco Multicloud Defense

By Anubhav Swami, Principal Architect – Cisco Security Business Group
By Muffadal Quettawala, Partner Solutions Architect – AWS

Cisco

As customers move their workloads to the cloud to maximize business velocity and application performance, they often face tradeoffs and additional challenges.

The increase in agility, flexibility, and scale may come at the expense of added security complexity, for example. This is especially true for security teams dealing with securing multicloud, multi-region, multi-Availability Zone (AZ), and multi-account deployments.

At a more granular level, the security challenges faced by organizations in the cloud include:

• Managing security that’s scalable, resilient, and highly available.
• Taking a piecemeal approach to establish security controls like WAF, IDS/IPS, TLS decrypt, and malware defense.
• Data sovereignty and compliance.
• Lack of unified security controls and dynamic policy management.
• Dependency on external scripts for scalability, automation, and orchestration as well as complex Day-0/1/2 operations.

Organizations need a single solution that provides end-to-end visibility, control, policy management, and ease of administration that enables business velocity.

In this post, we will discuss how Cisco’s new multicloud network security offering, Cisco Multicloud Defense, can help protect workloads in Amazon Web Services (AWS). We’ll demonstrate how you can use Cisco Multicloud Defense in different deployment models and show how easy it is to set up centralized and distributed inspection services to protect workloads in AWS.

With Cisco Multicloud Defense, security controls and policies can be managed via a single cloud-delivered management console, thereby providing unified governance across multiple inspection points.

Cisco Systems is an AWS Specialization Partner and AWS Marketplace Seller that helps customers optimize their cloud strategy by bringing together networking, security, analytics and management.

Cisco Multicloud Defense

Cisco Multicloud Defense is a highly scalable, on-demand as-a-service solution that provides cloud-native and flexible security to your multicloud infrastructure. It unifies security controls across cloud environments, protects workloads from multiple directions, and drives operational efficiency with automation and orchestration of cloud-native constructs.

Cisco Multicloud Defense consists of two major components:

• Multicloud Defense Controller: This is fully managed software-as-a-service (SaaS) by Cisco and controls the Multicloud Defense Gateways that are deployed within your virtual private clouds (VPCs).
• Cisco Multicloud Defense Gateway: This is an auto-scaling fleet of security software with a patented flexible, single-pass pipelined architecture. These gateways are deployed as platform-as-a-service (PaaS) into the customer’s public cloud accounts that are fully orchestrated by the Multicloud Defense Controller.

Additionally, Multicloud Defense Gateway provides the following security capabilities:

• Ingress Gateway: Reverse proxy, TLS decrypt, WAF – L7 Dos, IDS/IPS, Antivirus, Geo IP, Malicious IP
• Egress Gateway: Forward proxy, URL filtering, TLS decrypt, FQDN filtering, FQDN-based firewall policy, DLP, IDS/IPS, Antivirus, and L4 firewall

Why Multicloud Defense?

Deploying security services in the cloud often requires building infrastructure using Terraform or AWS CloudFormation templates. These configurations and deployments require cloud infrastructure expertise and dependency on additional external scripts.

The Cisco Multicloud Defense controller integrates with AWS APIs to natively deploy gateways and handle end-to-end orchestration, automation, and scalability of the gateways in the customer’s AWS accounts. The Multicloud Defense Gateways are deployed in the customer’s accounts so traffic does not need to be forwarded to external accounts for inspection, thereby helping to meet data sovereignty and compliance regulations.

In addition, Multicloud Defense integrates with multiple AWS services to deploy security architectures that meet AWS best practices. For example, Multicloud Defense utilizes Gateway Load Balancer and AWS Transit Gateway to give customers the flexibility to deploy either centralized or distributed architectures based on their use cases. Furthermore, Multicloud Defense integrates with VPC flow logs and DNS query logs to provides enhanced traffic visibility of your workloads.

Cisco Multicloud Defense simplifies autoscaling as no external template or scripts are needed to enable autoscaling. The Multicloud Defense Controller handles scale-in and scale-out of Multicloud Defense Gateways based on memory and bandwidth utilization. Cisco Multicloud Defense autoscaling is also multi-AZ aware and recommends at least two gateways are deployed (one per Availability Zone) for resiliency.

Deployment Models

The following deployment models, catering to a variety of customer requirements, are supported and can be orchestrated in minutes via the built-in orchestration the controller has with AWS APIs.

Centralized Security Model

In a centralized security model, the controller orchestrates the deployment of a security VPC, Transit Gateway, Gateway Load Balancer, Network Load Balancer, and route table. A security VPC is created with Multicloud Defense Gateway. Traffic is forwarded to the security VPC for inspection before it’s forwarded to the destination workload.

Figure 1 – Centralized security model.

Figure 1 shows Cisco Multicloud Defense centralized deployment for AWS. In this architecture, applications VPCs are connected to AWS Transit Gateway using VPC attachments. The Transit Gateway is connected to a security VPC, in which Cisco Multicloud Defense Gateways are deployed.

The Cisco Multicloud Defense control plane orchestrates the deployment of a security VPC, Multicloud Defense Gateways, a Network Load Balancer, and Gateway Load Balancer components.

Figure 2 – Ingress protection (centralized security model).

Figure 2 shows the ingress protection reference architecture. This architecture provides a scalable security model for ingress traffic flow. Ingress traffic lands on the Network Load Balancer in the security VPC and is forwarded to the autoscaled Multicloud Defense Ingress Gateways. Once traffic is inspected on the gateway, it’s forwarded to the AWS Transit Gateway before arriving at the application VPC.

For this architecture, the Multicloud Defense Controller orchestrates the creation of security VPC, a Network Load Balancer, Mutlicloud Defense Gateways, Transit Gateway, and routing.

Figure 3 – Egress protection (centralized security model).

Figure 3 shows the egress protection reference architecture. This architecture provides a scalable security model for egress traffic flow. Egress traffic is forwarded to AWS Transit Gateway and sent to the Gateway Load Balancer endpoint, where it’s forwarded to the Gateway Load Balancer before being forwarded to the autoscaled Multicloud Defense Gateways.

The egress traffic source is translated to an elastic IP address which is assigned to the Multicloud Defense Gateway. A multicloud scale-in and scale-out event without an AWS NAT Gateway may result in a change of the source IP address.

Alternately, egress traffic can be forwarded from the Multicloud Defense Gateway to a Network Address Translation (NAT) Gateway. In this case, the source of the egress traffic is translated to the NAT Gateway’s elastic IP address. An AWS NAT Gateways is the preferred service architecture when you want to avoid changing the source IP address of the egress traffic.

For this architecture, the Multicloud Defense Controller orchestrates the creation of security VPC, Mutlicloud Defense Gateways, a Transit Gateway, a Gateway Load Balancer, Gateway Load Balancer endpoint, and routing. 

Figure 4 – Alternate ingress/egress traffic protection.

Figure 4 shows the ingress and egress protection reference architecture with the Gateway Load Balancer endpoint in the application VPC. The architecture can be used for ingress and egress traffic protection. It also covers east-west traffic inspection within the same VPC.

This architecture is recommended when there’s overlapping CIDR, or when there is a case that an Internet Gateway (IGW) cannot be placed in the application VPC. Multicloud Defense allows customers to build policies specific to each VPC, even in the case of overlapping IP addresses.

Figure 5 – East-west protection (centralized security model).

Figure 5 shows the east-west protection reference architecture. This architecture provides a scalable security model for east-west traffic flow. East-west traffic is forwarded to the AWS Transit Gateway and sent to a Gateway Load Balancer endpoint. Once traffic is received on the endpoint, the traffic is then forwarded to Gateway Load Balancer. Following that event, the traffic is forwarded to the autoscaled Multicloud Defense Gateways.

For this architecture, the Multicloud Defense Controller orchestrates the creation of a security VPC, a Network Load Balancer, Mutlicloud Defense Gateway(s), a Transit Gateway, and routing.

Decentralized Egress and Ingress

The decentralized architecture is recommended when there’s a requirement for dedicated gateways in the spoke/application VPC. This may be the case if you want to decrease the blast radius or simplify troubleshooting.

Figure 6 – Decentralized egress.

Figure 6 shows a decentralized egress architecture. In this architecture, Multicloud Defense Gateways are deployed in the application VPC. This covers egress traffic inspection and east-west traffic inspection in the same VPC.

For egress traffic flow, traffic is first sent to the Gateway Load Balancer endpoint and then to the Gateway Load Balancer deployed in the application VPC. Once traffic is received on the Gateway Load Balancer, it’s forwarded to Multicloud Defense Gateways for inspection. In addition to egress traffic inspection, this architecture also covers inter-subnet protection.

For this architecture, the Multicloud Defense Controller orchestrates Mutlicloud Defense Gateways, a Gateway Load Balancer, and Gateway Load Balancer endpoints.

The decentralized egress architecture is recommended when there’s a requirement for dedicated gateways in the spoke/application VPC.

Figure 7 – Decentralized ingress protection.

Figure 7 shows a decentralized ingress architecture. In this architecture, Multicloud Defense Gateways are deployed in the application VPC.

For ingress traffic flow, traffic is first sent to the Network Load Balancer and then to Multicloud Defense Gateways in the application VPC. Once traffic is inspected, then traffic is forwarded to the application. For this architecture, the Multicloud Defense Controller orchestrates Mutlicloud Defense Gateways and a Network Load Balancer.

Customer Success Story: Teradata

Teradata is a market leader in delivering multicloud data and analytics solutions needed to evolve their security stack to keep up with demand while enabling business agility and consistent security across each of their environments. With its previous solution, Teradata faced challenges including delayed customer onboarding due to lengthy provision time for security and downtime caused by upgrades and maintenance.

Teradata made a strategic decision to switch to Cisco Multicloud Defense, seeking substantial improvements in agility, availability, and security. As a result of this transition, Teradata now enjoys a uniform multicloud policy, enhanced visibility, secure egress traffic handling, and a modernized secure networking solution.

Here are some impacts that were measured deploying Cisco Multicloud Defense in Teradata’s environment:

• Provisioning time decreased to < 4 minutes per site. 50% reduction in time from previous state.
• Policy updates decreased to seconds instead of hours. Time was based on the number of gateways to update.
• Upgrades of gateways decreased to < 4 minutes per gateway that run in parallel, totalling 45 minutes vs. 7-8 hours witnessed in prior state. Time-based on the number of gateways to upgrade.
• 35% reduction in infrastructure cost based on architecture optimization.

Conclusion

Cisco Multicloud Defense simplifies the cloud security experience, bringing unified security controls across even the most complex cloud environments. It drives operational efficiency with automation and orchestration of security services, enabling organizations to maintain agility and scale in today’s dynamic digital landscape.

To learn more about how Multicloud Defense can streamline your multicloud network security, explore these additional links and resources:

• Take a product tour
• Webinar: Secure your cloud networks on AWS with Cisco Multicloud Defense
• AWS re:Invent 2023 Talk: Teradata secures 100s of AWS workloads with Cisco Multicloud Defense
• Sign up for the Multicloud Defense free trial
• Purchase Cisco Multicloud Defense through the private AWS Marketplace offer

.

.

Cisco Systems – AWS Partner Spotlight

Cisco Systems is an AWS Specialization Partner that helps customers optimize their cloud strategy by bringing together networking, security, analytics and management.

Contact Cisco | Partner Overview | AWS Marketplace