• United States



Review: Achieving enlightened segmentation with Illumio

Feb 25, 20208 mins
Network Security

While segmentation is a powerful defensive tool, it’s also difficult to manage and can easily break applications that need to communicate with other services or the outside world. The Illumio platform solves many of these headaches.

In theory, segmentation is one of the best ways to protect a network. It defines desired workflows and then specifically allows communications that support it. Everything else is either flagged as potentially bad or is blocked.

While segmentation is a powerful defensive tool, it’s also difficult to manage and can easily break applications that need to communicate with other services or the outside world. The reason for most of the management problems is the fact that networks have traditionally been built from the ground up to streamline and foster communications, while the relatively new segmentation technology is designed to stop everything trying to communicate outside of a tightly defined workflow. And because networks today are made up of physical, virtualized, cloud and containerized assets, it only makes segmentation more difficult to manage.

Illumio has come up with a platform that solves many of the headaches associated with segmentation. It first builds a map of all of the compute, applications and connectivity within a network and then allows for segmentation based on policy. Illumio’s configuration and setup process for those policies is particularly good. It uses natural language and can also show what effect each suggested policy would have across a network if implemented.

Illumio Network Map CSO

One of the keys to Illumio’s success is its ability to create a network map showing assets broken down by location, type and communication dependencies.

The platform also has a very light touch. It uses a network’s existing infrastructure and devices for segmentation. So, all of a network’s hardware and software firewalls, switches, routers, cybersecurity defenses and other tools that already exist can be tapped for the purposes of segmentation. As such, Illumio not only works with any infrastructure or hybrid network, but also has very little complexity in terms of installation.

Illumio is comprised of two main components. The first part is called the Virtual Enforcement Node (VEN), though the name is misleading because it does not actually enforce anything. It’s more like an agent that sits on assets that need to be protected. Each VEN acts like an antenna that captures telemetry and communications data about the asset it’s protecting. It only looks at what the asset is communicating with and how, not the data itself. It does a little bit of parsing that information and then sends the overall details to the second part of the platform, the Policy Compute Engine (PCE).

The PCE is the brains of the platform; it’s where the application dependency map is created and where administrators create policies that will become the core of the segmentation plan. It also communicates with existing network devices to implement the segmentation deployment.

A single PCE can receive data from up to 25,000 VENs. If a large enterprise network has more than 25,000 VENs, the PCEs can use clustering to support everything. According to company officials, the largest Illumio installations to date are protecting about 120,000 assets.

Illumio is delivered as a service in most cases. However, highly secure organizations can opt for the fully on-premises version of the platform. In any case, pricing is based on the number of deployed VENs, since that represents the total number of protected assets.

Testing Illumio

For our evaluation, Illumio was deployed on a moderately sized test network consisting of several assets that were both geographically dispersed and also existed both physically and as part of Azure and Amazon Web Services. There were several user groups and about 100 workloads that needed to be protected through segmentation.

The first thing that Illumio does once installed is create a detailed map showing what communications are currently allowed or blocked across the network. Most networks will have existing firewalls and other protections, so quite a lot of things will already be restricted. The next step is to begin the process of creating true segmentation in order to lock out any possible exploits by unauthorized users or programs.

Illumio Overview CSO

In addition to an overall map, Illumio can show how and what an individual service is communicating with as part of the overall workflow.

In terms of setup, Illumio is clever in quite a few ways that help to make it much more efficient and easier to use than most other segmentation platforms. For starters, you have the communications map, which provides visualization of what is currently happening and what needs to be done to begin true segmentation. The map is easy to read with green arrows representing allowed communications and red ones showing what is blocked.

Illumio Rules CSO

Illumio can show what communications are allowed according to the rules set up for segmentation, and what is being blocked.

But the map is also intelligent and interactive. As new rules are proposed in the PCE console, Illumio will show how the implementation of those rules would affect network assets. That way, there will be no surprises where protecting one part of a workflow ends up breaking another application or unintentionally restricting a required process from operating.

To further prevent segmentation from accidentally breaking required functions, Illumio can be set to test mode. While in test mode, it will record all of the communications that would be halted by segmentation rules without actually blocking them. Reports can be sent back to the Illumio console or shared with third party management tools like Splunk. Technically, Illumio can be run in test mode forever and still provide a lot of value to an organization, because every time a communication would break a rule, it will get reported. Assuming the rules are well-designed, this would be a good indication that something bad is happening. Test mode is more practically used as an evaluation period to make sure that segmentation rules don’t accidentally block something important, like a required monthly process.

And it’s not just network administrators who can work on segmentation rules. At large organizations, there would never be enough staff to monitor and create rules for hundreds or thousands of applications and workflows. To help out, administrators can assign ownership of applications to the users who are responsible for them. That user would get a notification and then would see whatever applications they “own” when logging into Illumio. They can then propose segmentation rules regarding what they need their application to do.

The reason that users outside of network security teams can work on segmentation rules for their applications is because of the really well designed graphical interface on the Illumio console. It uses natural language and common sense to let application owners propose segmentation rules.

Illumio Policy Creation CSO

Setting up new segmentation rules is easy with Illumio. It uses natural language and a graphical interface. As a big bonus, Illumio will display what current communications would be blocked if a new rule were implemented, saving users from accidentally crippling services while trying to improve security.

For example, on our test network we acted as an application owner and told Illumio that our application needed to communicate with a specific database server and also to the outside world. Like when an administrator is using the Illumio console, we were shown how our proposed rules would affect existing communications and workflows on a graphical map and could modify our segmentation plan accordingly.

Application owners don’t actually have the power to implement their proposed rules in the production environment. Instead, once they are satisfied that their rules will both allow their asset to operate properly and protect it from unauthorized access, they submit it to a network or security team for approval. That way, those higher-level users can ensure that not only will the proposed rules work to properly protect an application or asset, but that doing so won’t negatively affect the rest of the network. They can modify those rules as needed, place them in test mode for a final check, or implement them and begin full segmentation.

For help with auditing or compliance checks, Illumio can provide detailed reports about what it is allowing or stopping on a network. We ran a check on PCI compliance as part of our evaluation and were shown, step by step, how segmentation was enforcing each aspect of PCI. It would be very easy for an auditor to see in great detail how a compliance requirement or standard is being properly implemented.

Illumio Report CSO

To help organizations work though compliance audits, Illumio will display a report that shows what its segmentation is blocking and what it is allowing. It would be easy for an auditor to see if a network or service is complying with specific standards like PCI or GDPR.

Illumio shines a light on the segmentation process, making it easier and less risky to implement than with other platforms or by trying to do it manually. It also democratizes the process by allowing application owners to propose segmentation rules to protect their assets, while keeping full control in the hands of trained administrators. Enterprise networks that need to segment all or part of their workflows as protection against advanced threats would be hard pressed to find a more effective or elegantly implemented toolset to support those efforts.