About Multicloud Defense

About Multicloud Defense

Multicloud Defense (MCD) is a comprehensive security solution consisting of two primary components: the Multicloud Defense Controller and Multicloud Defense Gateway. These components collaborate to establish a secure multicloud environment

Multicloud Defense currently supports Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle OCI cloud accounts. The range of support for these platforms vary.

In essence, Multicloud Defense offers a sophisticated and streamlined security framework, harmonizing controller orchestration, gateway communication, and optimized datapath processing for a robust and efficient multicloud protection mechanism.

This documentation has been prepared for practitioners who have a basic understanding of public cloud networking and security concepts, and participate in various functional teams, including:

  • Development Operations (DevOps and DevSecOps)

  • Security Operation Centers (SOCs)

  • Security Architects Info

  • Sec Architects Cloud Architects

Additional Multicloud Defense Documentation

You can find additional information about Multicloud Defense in the following documents:

Multicloud Defense Naming Conventions

Multicloud Defense interacts with a variety of cloud service providers and in order to provide a universal experience across the platforms, limits the character count when you create gateways and objects. Gateways and objects that exist outside of Multicloud Defense have ciscomcd prepended to the name, which may cause issues if the original gateway or object name is too long.

Consider the following character limitations when naming your gateways or objects, both inside and outside of Multicloud Defense:

Table 1. Character Limitation for Naming Convention

Multicloud Defense Feature

Character Limit

Gateway Instance

55

Object Name

63

Note

The values above indicate the character limit for names without the prepended Multicloud Defense tag. You are not responsible for including the tag when you name the gateway or object.

Supported Regions

Multicloud Defense supports the following regions:

  • United States (US) - us-west-2

  • Europe (EU) - eu-central-1

  • Tokyo (APJ) - ap-northeast-1

  • Sydney (APJ) - ap-southeast-2

  • Mumbai (APJ) - ap-south-1

Multicloud Defense in Cisco Security Provisioning and Administration

Security Provisioning and Administration is a web application that provides centralized management of Cisco Secure product instances, user identity, and user access management across Cisco Security Cloud. Security Provisioning and Administration administrators can create new Security Cloud enterprises, manage users in an enterprise, claim domains, and integrate their organization’s SSO identity provider, among other tasks.

When you enroll in a Multicloud Defense, Security Provisioning and Administration creates an account for your tenancy by default to better manager your enterprises across the board. The Security Cloud enterprise supports the following cases: if you have purchased a license and already have a Multicloud Defense account, and if you have purchased a license but currently do not have a Multicloud Defense account.

Note that

You must complete the following steps in the Security Provisioning and Administration dashboard; feel free to refer to the Cisco Security Provisioning and Administration User Guide for more information for any of these steps:

  1. Buy a subscription license. Once this is purchase, you or the designated system administrator receives an email with a subscription claim code. Do not lose this email.

  2. Claim the subscription. You need the claim code from the email mentioned above. See the "Managing products and subscriptions" for more information.

  3. Activate the instance. This "instance" refers to a Multicloud Defense account that is attached to a tenant in Cisco Defense Orchestrator . See "Activating a product instance" for more information.


    Warning

    You will be prompted to activate a new or existing instance; to apply the license to a Multicloud Defense account that is not already in the enterprise, select Activate a new instance. The Apply license to an existing instance option applies the license to a Multicloud Defense instance that is already enrolled in the Security Cloud enterprise


    Note

    If you do not already have a Multicloud Defense account associated with your CDO tenant, select No when asked "Do you have an existing Cisco Defense Orchestrator Account to associate with your Multicloud Defense License?". This generates a request for a CDO tenant; you can then request and enable a Multicloud Defense. If you select No, disregard step 4.

  4. Confirm the activation. This step is done in CDO; you must confirm the activation by clicking the activation button. This button appears as a new banner located near the top of the dashboard window as depicted below:


    Note

    Once you confirm the activation, you must select the performance tier of the Multicloud Defense account. Depending on whether you have a trial or a full license for the product, the options you see may differ from this screenshot:

Multicloud Defense Components

Multicloud Defense uses a common principle in public clouds and software defined networking (SDN) which decouples the control and data plane, translating to two solution components - the Multicloud Defense Controller and the Multicloud Defense Gateway.

Multicloud Defense Controller

The Multicloud Defense Controller is a highly reliable and scalable centralized controller that provides the management and control plane. This runs as software-as-a-service (SaaS) and is fully managed and maintained by Multicloud Defense. Customers access a web portal to utilize the Multicloud Defense Controller, or they may choose to use the Multicloud Defense provider for terraform to instantiate security into the DevOps/DevSecOps processes.

Multicloud Defense Gateway

The Multicloud Defense Gateway is an auto-scaling fleet of Multicloud Defense software deployed as patform-as-a-service (PaaS) into the customers public cloud account/s by the Multicloud Defense Controller. This provides advanced, inline security protections to defend against external attacks, prevent egress data exfiltration and prevent the lateral movement of attacks. Multicloud Defense Gateways include functionality for TLS decryption, intrusion detection and prevention (IDS/IPS), web application firewall (WAF), antivirus filtering, data loss prevention (DLP) and FQDN/URL filtering capabilities.


Important

The Multicloud Defense Gateway does not currently support IP fragmentation because of cloud service provider load-balancer limitations. We strongly recommend you adjust the Maximum Transmission Unit (MTU) size so it is consistent across the network to avoid the need for fragmentation.

Multicloud Defense SaaS Controller

The Multicloud Defense SaaS Controller manages the gateway stack. The controller, equipped with various microservices, includes an API Server facilitating orchestration of cloud service provider LBs and gateway instances. This enables dynamic scaling through instance additions and removals from the load balancer's "target pool," monitored by the load balancer itself.

Communications

Multicloud Defense Gateways engage in continuous communication, approximately every 3 seconds, with the Multicloud Defense Controller, transmitting health status and policy updates. This enables proactive health reporting, gateway replacement, and scalability adjustments as needed.

Optimized Gateway Instances

Multicloud Defense Gateway instances operate on highly optimized software, incorporating a single pass datapath pipeline for efficient traffic processing and advanced security enforcement. Each gateway instance comprises three core processes: a "worker" process responsible for policy enforcement, a "distributor" process for traffic distribution and session management, and an "agent" process communicating with the controller. Gateway instances can seamlessly transition "in service" for a "datapath restart," enabling smooth updates without disrupting traffic flow.

Advanced Security Profiles

Multicloud Defense Gateways implement granular security profiles within the single pass datapath pipeline, catering to evolving traffic needs. Customers have the flexibility to enable or disable Advanced Security Profiles as required. The pipeline's single pass architecture negates the need for traffic offloading to third-party engines. For instance, full TLS decryption is selectively triggered within the pipeline, ensuring efficient handling without unnecessary data transfers.

In essence, Multicloud Defense offers a sophisticated and streamlined security framework, harmonizing controller orchestration, gateway communication, and optimized datapath processing for a robust and efficient multicloud protection mechanism.

Multicloud Defense Controller Dashboard

The dashboard of the Multicloud Defense Controller has a multitude of widgets to give you a quick snapshot of the current state of your accounts, account resources, and top-hitting policies or profiles.

For your ease, you can drag/drop any of the following widgets to customize and organize the dashboard to whatever fits your needs. You can also click "x" on any of the widgets to remove it from your dashboard view, or "View More" to go directly to the page affiliated with the widget in question. At the top of each widget is an indication as to what function of Multicloud Defense the widget serves: discovery, detection, deployment, or defending.

The following widgets are generated by default:

Cloud Accounts

This is a high-level view to how many cloud accounts you have connected to the Multicloud Defense Controller, and how many of what cloud service provider.

You can easily click "Add Account" from this widget and launch into the connecting wizard to assist onboarding a new cloud service provider.

Account Resources

This is a general list of allocated resources across all of your connected cloud accounts. It displays how many of the following resources are currently used:

  • VPC/VNets.

  • Subnets.

  • Security Groups.

  • Load Balancers.

  • Instances.

  • Tags.

  • Route Tables.

  • Applications.

Top CSP Services

This top-down display of cloud service provider services generalizes DNS traffic of the cloud service providers you already have connected to the Multicloud Defense Controller.

DNS Traffic

Similar to "Top CSP Services", this DNS Traffic widget offers a limited view of current DNS traffic for the cloud service providers that are actively processing traffic. We recommend expanding the widget to the full discovery scope for more insight.

VPCs/VNets with Malicious Traffic

This widget displays any recent VPC or VNet that has encountered mlaicious traffic. For a comprehensive list of events and attacks, expand the widget and view the traffic.

Top Ports with Malicious Traffic

This small snapshot displays whi ports amongst your cloud accounts have the most hits against malicious traffic.

Security Considerations

The Security Considerations widget is a suggestive widget, summarizing which applications, VPCs or VNets, and associated gateways are not protected by the means provided in Multicloud Defense.

System Logs

The System Logs window supplies a recent history of logs that catalogue the accounts affects, the gateway associated, the severity of events or attacks and more. We strongly recommend utilizing this widget, if not the whole System Log page as a valuable resource.

Top Applications

This window accounts for the top-most applications across all cloud service providers that are used.

Threats

View a graph depicting the last seven days of traffic and how much of the incoming traffic was categorized as threats.

Top Countries by Threat

This horizontal bar chart depicts a snapshot of the top 10 countries that during the entirety of the timespan produced the most events, then displayed breaking that volume across the time increments for which the events occurred during the timespan.

Exfiltration Attempts

View a general display of egress data exfiltration that have occurred on the cloud service providers currently connected to Multicloud Defense.

My Profile Information

The User Profile page is the page that details your user information. Access this page by dropping down the Admin arrow in the upper right corner of the Multicloud Defense dashboard. Click your username to see the following information:

  • Your name.

  • The email address associated with your Multicloud Defense account.

  • The user role you currently have.

  • The name of the tenant you are currently logged into.

  • Any and all assigned accounts.

This page can be useful for general knowledge, or in the case you reach out for assistance with the Cisco Support team.

Multicloud Defense 90-Day Free Trial

When you log into your CDO tenant, you will see a wizard that guides you through connecting your cloud accounts to Multicloud Defense so that you can manage them with a free 90-day trail of Multicloud Defense Controller. The 90-day trial experience offers the full functionality of a paid-subscription to Multicloud Defense Controller.

Figure 1. Multicloud Defense Easy Setup


Click Get Started to begin your 90 day trial. This begins the process of provisioning the Multicloud Defense Controller.


Note

Easy Setup supports the following Cloud Providers:

  • Account Onboarding: AWS, Azure, GCP, OCI

  • Enable Traffic Visibility: AWS (Flow Logs, DNS Query Logs), Azure (Flow Logs), GCP (VPC flow logs, DNS Query Logs)

  • Create Services VPC/VNet: AWS, Azure, GCP

  • Create Gateways: AWS, Azure, GCP

Although Services VCN orchestration is not supported for OCI (requires the user to create the Services VCN using the Cloud Provider console), the Gateway orchestration is supported in Multicloud Defense Controller. Open Multicloud Defense Controller and navigate Manage > Gateways > Add Gateway.

Connect Cloud Accounts

After Multicloud Defense Controller is provisioned, the Connect a Cloud Account page opens and you can connect any of the types of cloud accounts that are shown to the Multicloud Defense Controller.

The first step is to onboard a set of one or more cloud accounts. This allows the Multicloud Defense Controller to interact with each account by discovering inventory and traffic, orchestrating security deployment, and creating and managing policy.

Follow these instructions to connect your cloud accounts:

Enable Visibility

Afer onboarding your cloud accounts, enable traffic visibility for that cloud account. In Multicloud Defense in CDO, click Enable Visibility.

Enabling traffic visibility provides awareness into the traffic flows within the Cloud Accounts by collecting VPC/VNet Flow Logs and DNS Query Logs. The Flow and DNS Query logs are used by Multicloud Defense to understand traffic flow, correlate with threat intelligence feeds, and provide insight into existing threats that can be protected using Multicloud Defense.

Enabling traffic visibility is a different process for every cloud account type, but typically you will need to identiy account characteristics such as your cloud account's region, VPC/Vnet you want to monitor, network security groups, and a cloud storage account for logs.

View Traffic on your Cloud Account

Now that you have enabled traffic visibility, view traffic moving through your cloud account, and look for malicious traffic that needs to be protected against.

  1. Log into CDO.

  2. In the left pane, click Multicloud Defense.

  3. In the upper right corner, select Multicloud Defense Controller to open the controller in a new browser tab.

  4. In the Multicloud Defense portal navigate Discover > Traffic > Topology.

  5. Use the Filters and Search bar to find the cloud account you want to monitor.

  6. In the Global View view, add Malicious Traffic to your filtering.

  7. Click through the malicious traffic bubble to see information in the Region View about country of origin, IP address, FQDN, Service an Port that are affected.

Secure Your Cloud Account

Based on your known security needs, and after monitoring traffic, you can secure your accout using a centralized hub and spoke model or a distributed vodel.

Use the Secure Your Account wizard to setup a Service VPC and Multicloud Defense Gateway to secure your account.

  1. Log into CDO.

  2. In the left pane, click Multicloud Defense.

  3. In the upper right corner, select Multicloud Defense Controller to open the controller in a new browser tab.

  4. In the Multicloud Defense Controller dashboard, click Setup in the navigation panel.

  5. Click the button to Secure Account on the Setup page.

  6. Click Centralized or Distributed, click Next and continue with the wizard setup.

    See the Multicloud Defense Gateway overview for more information.

Relaunching Easy Setup

After you complete the Easy Setup workflow on the CDO dashboard to start your 90-day free trial, you can't re-launch it. However, the Easy Setup wizard does exist in Multicloud Defense Controller to help you connect and configure other cloud accounts at a later time:

  1. In the left pane of theCDO dashboard, click Multicloud Defense.

  2. In the upper right corner, click Multicloud Defense Controller.

  3. On the Multicloud Defense dashboard, click Setup in the Multicloud Defense menu bar.