Microgateway 4

At home in Kubernetes

Kubernetes-native application protection:

What's new?

Starting with version 4, Airlock Microgateway is based on Envoy Proxy, the de facto standard for the data plane in the Kubernetes environment. The proven Airlock gateway components (Apache and Security Gatekeeper) were not designed for the lightweight architecture of modern cloud applications in terms of memory requirements and process model. Envoy was chosen as the replacement: a proxy designed for cloud-native applications and therefore ideally suited to the Kubernetes ecosystem. Envoy supports modern protocols such as HTTP/3, is extensible with Lua scripts and already offers a large feature set. In addition, Envoy fits well with a service mesh such as Istio.

At home in Kubernetes.

With or without a service mesh.

More and more web applications and APIs are being deployed in Kubernetes. Many customers rely on a service mesh, which covers operational issues such as transport encryption, metrics, tracing, or canary deployment. What a service mesh lacks, however, is comprehensive protection against application-layer attacks such as those covered by the OWASP Top 10.

Airlock Microgateway fills this gap: it ensures that undesired visitors cannot reach the application at all. Airlock Microgateway works perfectly in combination with Istio Service Mesh, but does not require it. This is particularly interesting if you are not yet using a service mesh but might do so in the future, or if you generally use a service mesh but not in all projects. This allows you to implement a uniform security architecture even in a heterogeneous application landscape.

Airlock Microgateway 4 integrates seamlessly with Kubernetes environments by taking advantage of typical concepts such as operators, sidecars and custom resource definitions (CRDs). This eases the onboarding process for Kubernetes users and supports modern DevOps processes:

  • Simple and modular configuration with and without templates (with Kustomize, Helm, etc.).
  • Company-wide security policies: security experts can use tools such as Open Policy Agent, Kyverno or Kubewarden to define guidelines and, for example, prevent important security filters from being disabled in production.
  • Security as Code: GitOps-ready declaration of infrastructure and security policies in YAML files.
  • Plugins for modern IDEs provide automatic validation, code completion and tooltips when editing the Microgateway configuration.

A service mesh like Istio does not protect against application-level attacks such as those in the OWASP Top 10 and OWASP API Top 10.
Airlock Microgateway fills this gap.

Proven Airlock security for Kubernetes clusters

Although the Microgateway core has been replaced by Envoy, we have retained the proven security features. These include in particular:

 

  • Airlock Deny Rules for award-winning protection against known attacks and zero-day exploits like Log4Shell.
  • Header Rewrites to filter and rewrite HTTP headers, or insert security headers such as HSTS, X-Frame-Options or CSP in the response.
  • Request limits to restrict the size of the entire request body, the number of parameters, and the length of parameter names and values (also for JSON parameters).
  • Telemetry interfaces such as Prometheus metrics and structured logs in ECS (Elastic Common Schema) format facilitate monitoring and analysis.
  • Minimal container permissions in line with the Principle of Least Privilege (POLP) are made possible by the CNI plugin. Reduced open source dependencies additionally lead to a significantly smaller attack surface compared to Microgateway 3.x.

Upgrade from Microgateway 3.x

The new architecture and functionality of Airlock Microgateway 4.x means that the configuration also differs from previous versions. We are happy to support you during the upgrade or if you have any questions about the migration. Airlock Microgateway 3.3 will be supported and provided with security updates until the end of 2023.

Free Community Edition

The free Community Edition now includes all the important security functions of Airlock Microgateway. Unlike the Premium Edition, it is aimed at small installations and local development environments.

You want to try it?

You can test Airlock Microgateway in this Instruqt lesson:

Here you can test the Microgateway right away with instructions (start time about 3 min)

Airlock Microgateway 4.0 Webinar

Slides

Airlock Microgateway 4.0 (English)

Recording 

Airlock Microgateway 4.0 Release Webinar (German)

Recording

Information for you

Our whitepapers

Executive View: KuppingerCole - Airlock Secure Access Hub for applications and APIs

This KuppingerCole Executive View report provides an architectural and functional overview of the Airlock Secure Access Hub, an integrated platform for secure access management - a multicloud-native security tool for web applications, APIs and beyond.

 


Whitepaper: Security for cloud-native applications

You can read about how companies can ensure the security of web applications and APIs in Kubernetes in the white paper "Security for cloud-native applications", which was created in collaboration between heise and Airlock.

 


Whitepaper: Zero Trust is a journey

The digital transformation of the world continues to progress and is having a profound impact on our personal and professional lives in ways that were difficult to imagine just a few years ago.


This white paper discusses the effects of continuous digitalization and its impact.


Off to DevSecOps

In this white paper, you will learn the most important insights into how you can implement DevSecOps successfully and efficiently, which security components are required for this and the advantages of a microgateway architecture.

 


Airlock 2FA - Strong authentication. Simple.

Double security - this is what two-factor authentication offers in the field of IT security.


Find out more about strong authentication and the possibilities offered by Airlock in our white paper.


Further whitepapers

We provide you with free white papers on these and other topics:

 

  • Successful IAM projects
  • Compliance
  • Data protection (GDPR)
  • Introduction of PSD2
  • PCI DSS requirements