
Aviatrix’s Modest New Blocking Feature Hints At Greater Ambitions For Multi-Cloud Security

Drew Conry-Murray

Aviatrix, which makes multi-cloud networking software for public clouds, has introduced a new security feature that can identify and then block customers’ cloud-based workloads from connecting to a malicious IP address or known-bad host on the Internet. The new capability is called ThreatIQ with ThreatGuard. It’s available to customers that already license the Aviatrix Co-Pilot service.

How It Works

The Aviatrix platform starts with a software gateway that’s deployed in a public cloud VPC/VNET or transit gateway. Aviatrix gateways sit in the data plane and provide routing, high-availability multipathing, network segmentation, and IPSec encryption, among other network services. The gateways can run in multiple public clouds including AWS, Azure, Google, and Oracle. Gateways are operated via a controller that runs as a separate service.

Because the gateways are in the data plane, they collect flow records from traffic entering and exiting the VPCs or transit gateways. The flow records are sent to a separate service called Co-Pilot, which provides traffic analytics, heat maps, and other information to customers.

ThreatIQ leverages Co-Pilot’s analysis of the flow records and compares traffic to a third-party database of known malicious hosts (for example, botnets, crypto-miners, command and control servers, and malware sites). Aviatrix licenses the threat database from Proofpoint. If ThreatIQ detects a connection from the customer’s cloud instance to a malicious site, it can generate an alert in Aviatrix’s console, send an email to administrators, or trigger a ticket in ServiceNow.

Threat Details. Source: Aviatrix

ThreatGuard is the remediation portion. ThreatGuard creates a policy that blocks the connection via a stateful firewall in Aviatrix’s gateway. Customers can let ThreatGuard block the connection automatically, or require a network or security admin to review the alert and then manually push the policy.

These block policies aren’t necessarily permanent. If a host was compromised and used for malicious activity, but is then remediated and removed from the Proofpoint database, the Aviatrix block can also be removed when the threat database is updated.
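To make the flow-record matching, the automatic-versus-manual block modes, and the non-permanent blocks concrete, here is a small model written for this article; it is not Aviatrix code, and the flows, feed contents and function names are constructed for illustration.

```python
# Added illustration, not Aviatrix code: a minimal model of matching gateway
# flow records against a threat-intel feed (the ThreatIQ step) and deriving
# gateway block policies from the matches (the ThreatGuard step), including
# removal of a block once its indicator drops out of the feed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # workload private IP inside the VPC/VNET
    dst: str      # destination on the Internet
    dport: int


# Constructed sample data (documentation address ranges), not real telemetry.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443),
    Flow("10.0.1.7", "198.51.100.23", 4444),
]
THREAT_FEED_V1 = {"198.51.100.23"}   # stand-in for the licensed feed
THREAT_FEED_V2 = set()               # later update: host remediated, delisted


def detect(flows, feed):
    """Return (src, dst) pairs whose destination appears in the threat feed.

    Each pair is an alert candidate (console alert, email, ticket)."""
    return [(f.src, f.dst) for f in flows if f.dst in feed]


def reconcile_blocks(blocks, feed, alerts, auto_block=True):
    """Compute the gateway block set after an alert batch and a feed update.

    blocks: destinations currently blocked by the gateway firewall policy.
    auto_block=False models the manual-approval mode: alerts are surfaced,
    but no new policy is pushed until an admin approves it explicitly.
    """
    blocks = set(blocks)
    if auto_block:
        blocks |= {dst for _, dst in alerts}
    # Blocks are not permanent: keep only destinations still in the feed.
    return blocks & feed
```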

Drew’s View

ThreatGuard and ThreatIQ are a modest addition to Aviatrix’s portfolio. If you’ve got virtual instances of next-gen firewalls or Web gateways in your public cloud, you’ve probably already got this capability—and more.

The Aviatrix advantage is in the operational model. If you’re running Aviatrix across multiple availability zones or regions in a single public cloud, or across public clouds, you’re getting networking, visibility, and security that can be operated and managed from one console. You can tie CI/CD pipelines into Aviatrix to ensure that network and security policies are in place for new workloads, and that changes to existing workloads don’t introduce holes.

I anticipate that Aviatrix will add more security capabilities to its gateways, at which time customers will have to evaluate whether it makes sense to run third-party firewalls and other security software if they can get a good-enough option in a gateway that’s already in the data path. In other words, I suspect that blocking connections to malicious hosts is just the first installment of a more ambitious strategy.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.