Protect Your Crown Jewel Apps

From the Inside Out

Illumio has developed adaptive micro-segmentation technology that prevents the spread of breaches inside any data center and cloud.

WHY RE-INVENT SEGMENTATION?

Segmentation is the best way to prevent the spread of breaches inside data centers and cloud environments. Traditional network segmentation, well understood by security and infrastructure teams, was designed to subdivide the network into smaller segments through VLANs, subnets, and zones. Although these constructs can provide some isolation, their primary function is to boost network performance, and they require control of the infrastructure, which is often a challenge in the public cloud.

In contrast, Illumio’s adaptive micro-segmentation technology enforces security policies – what should and should not be allowed to communicate among various points on the network – by filtering traffic. If networking supports how things can communicate, security dictates if they should.

Illumio Architecture

The Illumio Adaptive Security Platform® (ASP) delivers real-time application dependency mapping and micro-segmentation to prevent the spread of breaches inside your data centers and cloud environments.
Illumio ASP provides real-time visibility into the connectivity between workloads across heterogeneous compute environments, generates optimal micro-segmentation policies based on how workloads communicate, and programs the native stateful enforcement points in each host to enforce applicable firewall rules.

CORE COMPONENTS

FLEXIBLE POLICY COMPUTE ENGINE DEPLOYMENT MODEL

You have several options for deploying the Policy Compute Engine (PCE):

  • Illumio ASP Cloud: Illumio hosts and manages the PCE in a multi-tenant SaaS infrastructure.
  • Illumio ASP On Premises:
      • PCE Virtual Appliance: Deployed as a virtual appliance in your data center or private cloud.
      • PCE Software: Deployed as software on the servers in your data center or private cloud.
  • PCE Supercluster: Enables centralized visibility and policy management for globally distributed environments at massive enterprise scale (environments with more than 25,000 managed workloads). PCE Supercluster supports a single administrative and visibility domain that spans multiple independent PCE regions.

VIRTUAL ENFORCEMENT NODES EVERYWHERE

A Virtual Enforcement Node (VEN) is installed in each discrete operating system instance for which an organization wants complete visibility and enforcement. It can run on a bare-metal server, in a virtual machine, within a containerized host, and on public cloud instances.

A VEN is not an enforcement point—it collects telemetry from the workload such as the operating system type, interface IP addresses, running processes, and the IP addresses to which the workload is talking. It then transmits this information to the PCE. The PCE receives information from the VEN and creates a live visibility map of communication. This insight is used to build micro-segmentation policy. The PCE turns that policy into stateful firewall rules and transmits them to the VEN, which then programs the native, host-based stateful firewall within each workload. A VEN can program the following:

  • Layer 3/Layer 4 firewalls in the host operating system (Windows Filtering Platform, iptables for Linux, and IPFilter for AIX/Solaris)
  • Access control lists (ACLs) in load balancers (F5) and switches (Arista), containerized hosts, and cloud security groups (AWS, Azure, GCP)

MULTI-DIMENSIONAL LABELING

The Illumio ASP policy model does not use network constructs like VLANs, zones, subnets, and IP addresses to tie security to the underlying network. Instead, you assign labels to workloads along four dimensions: Role, Application, Environment, and Location.

  • A workload can be a bare-metal server, a virtual machine, a container, or a process running on a host.
  • Labeling is not based on IP addresses or subnets.
  • Labels can come from configuration management databases (CMDBs), IP address management (IPAM) tools, orchestration tools, and through workflows built into the Illumio ASP.

SIMPLIFIED POLICY DEVELOPMENT AND MODELING

Policies can be written manually or by using Policy Generator, which simplifies policy creation by recommending the optimal micro-segmentation policies for applications based on historical traffic. Policy Generator accelerates security workflows to reduce the risk of human error when creating micro-segmentation policies. Illumio ASP’s real-time application dependency map, Illumination, allows you to model policies before going into enforcement.

Policies can be modeled in the following ways:

  • Build mode: Superimposes a proposed policy against the collected traffic flows.
  • Test mode: Enables you to test and evaluate policy against existing traffic flows without enforcement—effectively turning each workload into a sensor that detects policy violations. In test mode, you receive alerts for any deviations from policy. These deviations may represent production traffic not previously viewed or unauthorized attempts to connect to workloads.
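The label model and the test-mode sensor described above, as an added Python illustration that is not Illumio's code or rule format: label-based rules (consumer labels, provider labels, port) are compiled into per-workload inbound host firewall rules, and an observed flow is classified against the same policy without being enforced. The label keys, the iptables-style rule text, and the workload inventory are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: dict = field(default_factory=dict)  # role/app/env/loc -> value (assumed keys)

@dataclass(frozen=True)
class Rule:
    consumer: dict  # label selector for the side that initiates the connection
    provider: dict  # label selector for the side that accepts it
    port: int
    proto: str = "tcp"

def matches(selector, labels):
    """A selector matches when every label dimension it names has that value."""
    return all(labels.get(k) == v for k, v in selector.items())

def compile_rules(policy, workloads):
    """Map each workload name to the inbound iptables-style ACCEPT rules it needs."""
    rules = {w.name: [] for w in workloads}
    for r in policy:
        providers = [w for w in workloads if matches(r.provider, w.labels)]
        consumers = [w for w in workloads if matches(r.consumer, w.labels)]
        for p in providers:
            for c in consumers:  # IPs are resolved here, never written into the policy itself
                rules[p.name].append(f"-A INPUT -s {c.ip} -p {r.proto} --dport {r.port} "
                                     f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules

def check_flow(policy, workloads, src_ip, dst_ip, port, proto="tcp"):
    """Test mode: classify an observed flow against policy without enforcing it."""
    by_ip = {w.ip: w for w in workloads}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return "violation"  # one end is not a managed workload, so no rule can allow it
    for r in policy:
        if (r.port, r.proto) == (port, proto) and matches(r.consumer, src.labels) \
                and matches(r.provider, dst.labels):
            return "allowed"
    return "violation"

# Constructed inventory and one label-based statement: Prod Payments Web -> Prod Payments DB on TCP/5432.
WORKLOADS = [
    Workload("web1", "10.0.1.10", {"role": "Web", "app": "Payments", "env": "Prod", "loc": "DC1"}),
    Workload("db1", "10.0.2.20", {"role": "DB", "app": "Payments", "env": "Prod", "loc": "DC1"}),
    Workload("db2", "10.0.2.21", {"role": "DB", "app": "Payments", "env": "Dev", "loc": "DC1"}),
]
POLICY = [Rule({"role": "Web", "app": "Payments", "env": "Prod"}, {"role": "DB", "app": "Payments", "env": "Prod"}, 5432)]
```

Because rules are derived from labels plus the current IP at compile time, moving web1 to a new address only requires recompiling; the policy statement itself does not change, which is the "policies follow the workload" property the page describes.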
RICH REST APIs AND UI

You can choose to interact with the PCE using the Illumio UI or via well-documented REST APIs. The Illumio ASP REST API allows you to interact with Illumio ASP from any application that can send an HTTPS request. All API access to the PCE is conducted over HTTPS through the same URL that is used to log in to the PCE web console. REST APIs enable you to automate key IT operations and IT security workflows.

VIRTUAL ENFORCEMENT NODE

The Virtual Enforcement Node (VEN) is a lightweight agent that sends and receives information, programs pre-existing enforcement points, and detects policy violations.

A VEN can be installed on any workload, including virtual machines, bare-metal servers, public cloud instances, and containers. Think of a VEN as an antenna—it sends and receives information. The VEN collects information about which IP addresses the workload is talking to, tying the running processes on the workload to the ports and protocols. It then sends this telemetry to the Policy Compute Engine (PCE) to:

  • Create the real-time application dependency map, Illumination.
  • Inform the PCE of a change in state on the workload; for example, a new interface or a new process.

Once you author policies in the PCE, the PCE computes the corresponding stateful firewall rules. The VEN receives those rules and programs the native, stateful host-based firewall within the workload.

BENEFITS

GET LIVE VISIBILITY INTO WORKLOADS

Each VEN provides visibility into the inner workings of the workload, which helps the PCE build an accurate application dependency map. The VEN programs the native enforcement capabilities that already exist within the workload and acts as a sensor that detects and alerts on policy violations.

CONQUER HETEROGENEITY THROUGH A SINGLE CONTROL PLANE

No matter the heterogeneity of your compute footprint, the Adaptive Security Platform® delivers live visibility and micro-segmentation from a single control plane. VENs can be deployed on workloads running a variety of operating systems, including Windows, Linux, AIX, and Solaris—agnostic of the underlying infrastructure such as bare-metal servers, virtual machines, public cloud instances, or containers, and irrespective of on-premises data center, public/private cloud, hybrid, or multi-cloud locations.

AVOID COST AND COMPLEXITY BY USING YOUR EXISTING ENFORCEMENT POINTS

The VEN takes the rules computed by the PCE and programs the existing native Layer 3/Layer 4 stateful firewall in the workload. This approach enables you to maximize your existing infrastructure investments instead of having to re-architect the entire environment and acquire new networking infrastructure or data center firewalls.

ENSURE POLICIES FOLLOW THE WORKLOAD

The PCE is in communication with each VEN and automatically recalculates and transmits any firewall rule changes to the impacted VENs when the application changes (for example, IP changes, disaster recovery, or new versions). This ensures policies are enforced consistently and accurately in the face of a dynamic application environment.

POLICY COMPUTE ENGINE

The Policy Compute Engine (PCE), the “brain” of the Adaptive Security Platform, creates an application dependency map and converts natural language policies into optimal stateful firewall rules for all workloads.

The PCE collects telemetry from every Virtual Enforcement Node (VEN) to build an application dependency map that shows how workloads are communicating with one another as well as the interdependencies between applications. Based on the observed traffic, the PCE suggests policies that describe how workloads and applications should communicate. The PCE takes these label-based, natural language policies and computes the corresponding optimal stateful firewall rules for every workload. These rules are sent to the VENs, the agents installed on the workloads, which in turn use those rules to program the host-based native stateful firewalls.

The PCE can be consumed as Illumio’s SaaS offering or deployed on premises or in public or private clouds. For very large global deployments with more than 25,000 managed workloads, you can deploy PCE Supercluster, which provides multiple independent PCE failure domains and centralizes visibility and policy management.

BENEFITS

GAIN UNPRECEDENTED VISIBILITY INTO HOW YOUR APPLICATIONS ARE COMMUNICATING

Visualize how workloads are communicating in real time based on the application they are part of, the environment they run in, and the location where they run.

AVOID BREAKING APPLICATIONS: DESIGN, TEST, AND ENFORCE

Get a live map showing all your application dependencies and use those dependencies to create policies. Test these policies and visualize the potential impact before moving to enforcement.

ENSURE POLICIES ADAPT TO YOUR ORGANIZATION

The PCE gets real-time updates from the VENs, so when policy changes, or when a workload's IP address, application scale, or interfaces change, the PCE automatically recalculates and transmits the updated firewall rules to the impacted VENs. This ensures a consistent security posture is enforced in the face of a dynamic environment.

SUPPORT IT OPERATIONS AND SECURITY OPERATIONS

Illumio ASP’s REST APIs and out-of-the-box integrations with third-party security partners, including SIEM, vulnerability management, orchestration, and IT operations tools, ensure that operations teams are able to monitor, alert, and react to changes in their application environment in a way that fits seamlessly with their organization’s processes and operating procedures.