Does Security Belong Near Endpoints?
This is one of several blogs about the vendor presentations during Network Field Day 19, which took place November 7-9, 2018. This blog contains a summary of the vendor presentations and (of course) my comments or opinions (I’ll share at least some of them).
If this blog motivates you to greater interest in what the vendor had to say, you can find the cleaned-up streaming video of their presentations at the Tech Field Day YouTube channel, specifically the NFD19 playlist, or by clicking on the vendor’s logo on the main #NFD19 web page (linked above).
Let’s talk about Illumio. Illumio perhaps had the best demos of NFD19, and maybe even the best ever!
Presentation by Matt Glenn, Vice President of Product Management, Illumio
Let’s go over the basics of what Illumio does, and then a bit about the demos. So, what does the Illumio product do?
Illumio’s Adaptive Security Platform (ASP) takes a rather different approach to micro-segmentation. ASP enforces policy via a Virtual Enforcement Node (VEN) agent at the workload level, providing host / process, VM, or container-based micro-segmentation and traffic visibility. Each agent also acts as a sensor, reporting telemetry such as packet and flow counts.
The flows are collected by the Policy Compute Engine (PCE). The GUI provides application dependency mapping (ADM) and a multi-level, zoomable diagram. You can then use the GUI to create application groups (e.g. web / app / DB tiers, or groupings of micro-services) and have the PCE propose a security policy for them based on the observed flows. You may then edit the policy and put it into test or enforce mode; when you do, the PCE instantiates the policy in the VEN agents on the endpoints.
From their web page, Illumio can also automate ACLs in load balancers and switches, but the #NFD19 presentations and demos didn’t go into that.
The centralized policies built in the ASP Policy Compute Engine (PCE) reference workloads by label rather than by IP address. Assigning the labels to workloads is up to you.
In test mode, the deployed policy in effect ends with a “permit any any log” rule: unmatched traffic still passes, but you are alerted to every observed flow that did not match an ACL rule. If you wish, you then let the policy “cook” for some period of time to catch quarterly or annual-only application traffic flows before switching to enforce mode. Enforce mode blocks unmatched flows and can also alert you to them.
The actual PCE is typically a cluster of VMs.
Illumio announced that they now support a PCE SuperCluster. I’d say, “cluster cluster”, but that might give the wrong idea. Think hierarchical clustering. The idea is to replicate policy between regional PCE clusters to support a global, highly scalable, and highly available policy control mechanism.
Illumio also does vulnerability mapping, identifying vulnerabilities on the various workloads. This allows automated mitigation (after review / approval) to block inbound traffic to exploitable ports. Illumio obtains and integrates the vulnerability data for you.
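To make the label-based policy, the test-mode “permit any any log” behaviour, and the vulnerability-driven port blocking concrete, here is a small hypothetical policy engine written for this post. It is an added example, not Illumio’s PCE or VEN code: the class and function names (PolicyEngine, selector_matches, build_demo), the label keys, the three-tier “store” application, and the sample flows are all constructed for illustration, and the example is TCP-only. Rules match on labels rather than IPs; in “test” mode an unmatched flow is permitted but logged, in “enforce” mode it is blocked and alerted; the logged unmatched flows become proposed rules for review; and a vulnerability finding on a port is turned into a report showing whether any rule still admits that port and how many observed flows would be affected by blocking it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Labels = Dict[str, str]

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Labels  # constructed labels, e.g. {"role": "web", "app": "store", "env": "prod"}

@dataclass(frozen=True)
class Rule:  # TCP only in this example
    consumer: Labels  # label selector for the side that opens the connection
    provider: Labels  # label selector for the side that receives it
    port: int

@dataclass(frozen=True)
class Flow:  # one observed TCP connection attempt, as an agent-style sensor would report it
    src_ip: str
    dst_ip: str
    dst_port: int

def selector_matches(selector: Labels, labels: Labels) -> bool:
    """A selector matches when every label it names has exactly that value on the workload."""
    return all(labels.get(key) == value for key, value in selector.items())

class PolicyEngine:
    """Hypothetical label-based policy engine: 'test' mode logs unmatched flows, 'enforce' blocks them."""

    def __init__(self, workloads: List[Workload], rules: List[Rule], mode: str = "test"):
        self.by_ip = {w.ip: w for w in workloads}
        self.rules = list(rules)
        self.mode = mode
        self.log: List[Tuple[Flow, str]] = []  # every evaluated flow with its verdict

    def evaluate(self, flow: Flow) -> str:
        """'allow' if a rule matches both endpoints' labels and the port; else the mode's trailing rule."""
        src, dst = self.by_ip.get(flow.src_ip), self.by_ip.get(flow.dst_ip)
        verdict = "permit+log" if self.mode == "test" else "block+alert"
        if src is not None and dst is not None:  # an unlabelled endpoint can never match a label rule
            for rule in self.rules:
                if (rule.port == flow.dst_port and selector_matches(rule.consumer, src.labels)
                        and selector_matches(rule.provider, dst.labels)):
                    verdict = "allow"
                    break
        self.log.append((flow, verdict))
        return verdict

    def proposed_rules(self) -> List[Rule]:
        """Turn logged unmatched flows between labelled workloads into candidate rules for review."""
        seen, proposals = set(), []
        for flow, verdict in self.log:
            src, dst = self.by_ip.get(flow.src_ip), self.by_ip.get(flow.dst_ip)
            if verdict == "allow" or src is None or dst is None:
                continue
            key = (tuple(sorted(src.labels.items())), tuple(sorted(dst.labels.items())), flow.dst_port)
            if key not in seen:
                seen.add(key)
                proposals.append(Rule(dict(src.labels), dict(dst.labels), flow.dst_port))
        return proposals

    def exposure_report(self, findings: List[Tuple[str, int]]) -> List[dict]:
        """Per (ip, port) vulnerability finding: rules still admitting that port and logged flows hitting it."""
        inbound = Counter((f.dst_ip, f.dst_port) for f, _ in self.log)
        report = []
        for ip, port in findings:
            wl = self.by_ip[ip]
            admitting = [r for r in self.rules if r.port == port and selector_matches(r.provider, wl.labels)]
            report.append({"workload": wl.name, "port": port, "admitting_rules": len(admitting),
                           "observed_inbound": inbound[(ip, port)],
                           "action": "block inbound" if not admitting else "review admitting rules"})
        return report

def build_demo(mode: str = "test") -> Tuple[PolicyEngine, List[str]]:
    """Constructed three-tier 'store' application plus sample flows (not real traffic)."""
    workloads = [
        Workload("web1", "10.0.1.10", {"role": "web", "app": "store", "env": "prod"}),
        Workload("app1", "10.0.2.10", {"role": "app", "app": "store", "env": "prod"}),
        Workload("db1", "10.0.3.10", {"role": "db", "app": "store", "env": "prod"}),
    ]
    rules = [
        Rule({"role": "web", "app": "store"}, {"role": "app", "app": "store"}, 8080),
        Rule({"role": "app", "app": "store"}, {"role": "db", "app": "store"}, 5432),
    ]
    engine = PolicyEngine(workloads, rules, mode)
    flows = [
        Flow("10.0.1.10", "10.0.2.10", 8080),   # web -> app: covered by a rule
        Flow("10.0.2.10", "10.0.3.10", 5432),   # app -> db: covered by a rule
        Flow("10.0.1.10", "10.0.3.10", 5432),   # web -> db skips a tier: no rule
        Flow("203.0.113.5", "10.0.1.10", 443),  # unlabelled external source: no rule
        Flow("10.0.2.10", "10.0.3.10", 22),     # app -> db on ssh: no rule
    ]
    return engine, [engine.evaluate(f) for f in flows]
```

Calling build_demo("test") returns the engine plus the five verdicts (two allows, three permit+log); build_demo("enforce") turns the same three unmatched flows into block+alert. engine.proposed_rules() then yields two candidate label rules (web-to-db on 5432 and app-to-db on 22) for a human to accept or reject, which is the “cook, then review” step, while engine.exposure_report([("10.0.3.10", 22)]) shows that nothing in policy admits port 22 on db1 yet one observed flow hit it, so blocking it in enforce mode would cut that flow. The unlabelled external source never produces a proposal, which is the point of labels: a workload nobody has classified gets no implicit access.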
Illumio spent most of their NFD19 session demonstrating. And what impressive demos!
Illumio had set up 3 regions as literal AWS regions (Virginia, California, Frankfurt), with 75,000 simulated workloads (OS instances) in each. A workload here means a bare-metal host, VM, or container. The SuperCluster then managed all of that.
The demos covered:
I’ll refer you to the videos for the details.
Teaser: if you pay close attention, you can see that the presenter, Matt Glenn, introduced each new topic by pulling on a new T-shirt over the existing shirt stack. That made it all hot stuff (at least for Matt)!
This is pretty cool stuff. It automates enforcement at the endpoints, rather than in dedicated firewalls, to provide uniform micro-segmentation on-site or in the cloud. The focus is on segmentation and policy; it omits the connectivity and network-automation aspects of Cisco ACI and VMware. Put differently, it is platform and vendor neutral.
Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!
Hashtags: #CiscoChampion #TheNetCraftsmenWay #Illumio #NFD19 #MicroSegmentation
Did you know that NetCraftsmen does network /datacenter / security / collaboration design / design review? Or that we have deep UC&C experts on staff, including @ucguerilla? For more information, contact us at firstname.lastname@example.org.