A Look at Illumio's Adaptive Security Platform
At VMworld about two months ago, we had the opportunity to meet with Alan Cohen, who is the Chief Commercial Officer at Illumio. We were also joined by PJ Kirner, CTO and co-founder at Illumio. Both of these gentlemen (as well as the rest of the Illumio leadership team) have a track record of building very successful companies. Many of you may be familiar with one of Alan’s previous companies, Nicira, which was acquired by VMware to help create what is now known as VMware NSX.
As you’ll hear Alan describe in the video at the end of this post, at its heart, Illumio is a security company. The platform that Illumio offers to customers provides microsegmentation and encryption to large, dynamic, hard-to-understand environments.
For a long time, IT security focused on the perimeter. Installing firewalls at the edge and keeping the bad guys out was the name of the game. But in this day and age, it’s not enough to just protect the perimeter. East-west traffic within the data center must also be secured. That’s the case in the enterprise, but it’s especially the case in service provider data centers and the like.
There are two primary challenges with east-west security in the data center: first, it’s extremely hard to keep track of rules and enforce them accurately because of the sheer number of them. The second challenge is even trickier than the first: it’s very hard to tell what rules even need to be written. There’s so much intra-application traffic in many modern applications that it’s quite hard to properly write rules by hand to cover all the various entity relationships. Illumio addresses both of these challenges and more.
Before demonstrating how this cool tool works, I think it’s important to provide a short overview of how the platform is deployed. Below is an architecture diagram as well as a description of a few of the important terms that you’ll likely see referenced multiple times in this article.
ASP – Adaptive Security Platform – This is the name of the software tool being described.
PCE – Policy Compute Engine – One of the two main parts of the Illumio architecture. The “controller” of sorts.
VEN – Virtual Enforcement Node – The other major component of the architecture. This is basically an agent, installed on an endpoint, which allows the PCE to hand down and enforce policies.
Visualizing Application Dependencies with Illumination
The star of the Illumio show is the “Illumination” dashboard, where users get a peek at the way various applications are communicating internally. Illumination displays all workload communications within and between applications in an interactive, graphical map. It’s from this map that users gain an understanding of their environment that would be incredibly difficult to understand in another way, and then begin to create enforcement policies to control this environment.
For the purpose of demonstration, we’ll zero in on one of the applications. (The oval boundary represents a single application.) Each node shown in this map represents a running workload where a VEN is reporting back to the PCE. We have already installed Illumio Virtual Enforcement Nodes (VENs) on all of the workloads in this application. The VENs are collecting context information (IP addresses, processes, open ports, etc.) from all the workloads and relaying that information to the PCE, which computes the graph of relationships between the workloads.
Once the relationships have been mapped out, a user can highlight any of the mapped relationships and immediately understand the relationship. For example, looking at the line between one of the load balancers and one of the web servers reveals that Tomcat is consuming services over port 8080.
Based on this example, it’s easy to see how quickly an IT organization could understand the relationships between their workloads (they often don’t) with a tool like the Illumination dashboard. VMware has offered a similar service for quite some time with the vRealize Infrastructure Navigator but, to be honest, it’s pretty clunky, and in my experience, it wasn’t all that accurate. The Illumination dashboard is what VIN should have been.
Declaring Policy Within Illumio ASP
The information derived before is interesting, but it’s only valuable if we can do something with it. The good news is that Illumio makes it easy to get down to business. Within Illumination, you can build policies using natural language without any dependencies on the underlying network.
How can it be that there are no dependencies on the underlying network? Because policy is enforced at the VEN, the policy has no relationship to the IP address, subnet, firewall zone, VLAN, or any other network construct. Therefore, all of those things can change and yet the adaptive security policy will remain the same, and in force.
Illumio uses a zero-trust, whitelist model. The red lines in the Illumination view indicate flows that have been detected but do not have policies defined to permit them. The green links indicate flows that are permitted based on configured rules. All it takes to create rules for the red lines and allow traffic to flow is to highlight the flow and use the Add Rule dialog to configure the rule appropriately.
It takes mere moments to take a red traffic flow (one which has not been whitelisted) and create an adaptive segmentation policy that will then approve that flow no matter what IP address or subnet or firewall zone that workload happens to utilize at a given time. Once the new policy is applied from the Provision screen (just a few more clicks), the flow is good to go.
This quick overview is barely scratching the surface of this powerful tool, but you’ve already seen how powerful it is. Many folks may ask: “I see some overlap with NSX. Is this a direct replacement for—and competitor to—NSX, or is it a complementary solution? Alan answers that question and some more questions in our interview with him at VMworld.
You can also get a free, live demo of Illumio just like I did HERE!