Microgateway 4

At home in Kubernetes

Kubernetes-native application protection: What's new?

Starting with version 4, Airlock Microgateway is based on Envoy Proxy, the de facto standard for the data plane in the Kubernetes environment. The proven Airlock gateway components (Apache and Security Gatekeeper) were not designed for the lightweight architecture of modern cloud applications in terms of memory requirements and process model. They were replaced with Envoy, a proxy designed for cloud-native applications and therefore well suited to the Kubernetes ecosystem. Envoy supports modern protocols such as HTTP/3, is extensible with Lua scripts and already offers a large feature set. In addition, Envoy is a good fit with a service mesh such as Istio.

At home in Kubernetes.

With or without a service mesh.

More and more web applications and APIs are being deployed in Kubernetes. Many customers rely on a service mesh, which covers operational issues such as transport encryption, metrics, tracing, or canary deployment. What a service mesh lacks, however, is comprehensive protection against application-layer attacks such as those covered by the OWASP Top 10.

Airlock Microgateway fills this gap: it ensures that undesired visitors cannot reach the application at all. Airlock Microgateway works perfectly in combination with Istio Service Mesh, but does not require it. This is particularly interesting if you are not yet using a service mesh, but might do so in the future. Or if you generally use a service mesh, but not in all projects. This allows you to implement a uniform security architecture even in a heterogeneous application landscape.

Airlock Microgateway 4 integrates seamlessly with Kubernetes environments by taking advantage of typical concepts such as operators, sidecars and custom resource definitions (CRDs). This eases the onboarding process for Kubernetes users and supports modern DevOps processes:

  • Simple and modular configuration with and without templates (with Kustomize, Helm, etc.).

  • Company-wide security policies: security experts can use tools such as Open Policy Agent, Kyverno or Kubewarden to define guidelines and, for example, prevent important security filters from being disabled in production.

  • Security as Code: GitOps-ready declaration of infrastructure and security policies in YAML files.

  • Plugins for modern IDEs provide automatic validation, code completion and tooltips when editing the Microgateway configuration.

A service mesh like Istio does not protect against application-level attacks such as those covered by the OWASP Top 10 and the OWASP API Top 10.
This gap is filled by Airlock Microgateway.

Proven Airlock security for Kubernetes clusters

Although the Microgateway core has been replaced by Envoy, we have retained the proven security features. These include in particular:

 

  • Airlock Deny Rules for award-winning protection against known attacks and zero-day exploits like Log4Shell.
     
  • Header Rewrites to filter and rewrite HTTP headers, or insert security headers such as HSTS, X-Frame-Options or CSP in the response.
     
  • Request limits to restrict the size of the entire request body, the number of parameters, and the length of parameter names and values (also for JSON parameters).
     
  • Telemetry interfaces such as Prometheus metrics and structured logs in ECS (Elastic Common Schema) format facilitate monitoring and analysis.
     
  • Minimal container permissions in line with the Principle of Least Privilege (POLP) are made possible by the CNI plugin. Reduced open source dependencies additionally lead to a significantly smaller attack surface compared to Microgateway 3.x.

Upgrade from Microgateway 3.x

The new architecture and functionality of Airlock Microgateway 4.x means that the configuration also differs from previous versions. We are happy to support you during the upgrade or if you have any questions about the migration. Airlock Microgateway 3.3 will be supported and provided with security updates until the end of 2023.

Free Community Edition

The free Community Edition now includes all the important security functions of Airlock Microgateway. Unlike the Premium Edition, it is aimed at small installations and local development environments.

You want to try it?

You can test Airlock Microgateway in this Instruqt Lesson:


Here you can test the Microgateway right away with instructions

(start time about 3 min)

Airlock Microgateway 4.0 Webinar

Slides

Airlock Microgateway 4.0 (English)

Recording 

Airlock Microgateway 4.0 Release Webinar (German)

Recording
