Adaptive Segmentation | micro-segmentation | May 16, 2022

Fight Ransomware Faster: Centralized Visibility for Enforcement Boundaries

Christer Swartz, Principal Technical Marketing Engineer

A true Zero Trust Segmentation architecture pushes the trust boundary directly to individual application workloads. That's why Illumio's allow-list security model gives you the ability to allow only the traffic your workloads require — denying all else by default.

Illumio makes block-or-permit decisions directly at the workload, before a packet ever reaches the network plane or any security tool in your network or cloud fabric. Full enforcement with Illumio means you can accurately segment the traffic into and out of your workloads at high scale.
 
However, in some cases you might not have enough information to know which traffic you want to allow to reach your workloads, even though you do know which traffic you don't want to allow.

Deny-list vs. allow-list segmentation models

Such situations call for the option to temporarily use a deny-list segmentation model, which blocks certain ports between workloads and allows all else by default.

It's important to note that this should be only a temporary solution. You'll want to use analytics tools to collect the required application dependency traffic behavior that's necessary to define an eventual allow-list policy model. Then, you can switch from the deny-list segmentation model to an allow-list approach and a Zero Trust security model.  
 
This flexibility becomes particularly important for ransomware protection. Most modern ransomware uses ports left open on workloads to move laterally across the environment. Take, for example, Remote Desktop Protocol (RDP) and Server Message Block (SMB). These ports are designed for workloads to access a small set of central resources, such as those managed by IT teams, and are rarely intended to be used between workloads. However, ransomware commonly uses them as easy "open doors" to propagate across all workloads.
 
To quickly solve this problem, you should have the ability to block RDP and SMB ports between all workloads at high scale. Then, create a small number of exceptions that allow workloads to access specific central resources. This is how Enforcement Boundaries work in Illumio Core.

Defining Enforcement Boundaries

Enforcement Boundaries are a set of deny rules applied to workloads that have been placed into "Selective Enforcement" mode. As opposed to "Full Enforcement" mode, which segments and enforces workload traffic under an allow-list policy, "Selective Enforcement" blocks only select ports and traffic you specify.

Illumio displays segmentation rules in three different workflows:

  • In the Rulesets and Rules menu where rules are created
  • In Explorer, where you can query historical traffic and events, and analyze and visualize all ports in all flows in a table or coordinate format
  • In Illumination, the real-time map from which you can see application dependencies and connectivity across all environments

Enforcement Boundaries were visible in the "Rulesets and Rules" section upon their initial release, and could be applied to all workloads in "Selective Enforcement" mode. You can also view Enforcement Boundaries in the Explorer tool, making it possible to see port behavior and whether flows are affected by an Enforcement Boundary rule.

And with the latest release of Illumio Core, the Illumination map displays Enforcement Boundaries in all flows across all application dependencies. Centralizing Enforcement Boundaries in Illumination enables you to efficiently correlate events during a security breach.  

Visualizing Enforcement Boundaries and workflow traffic

You can visualize Enforcement Boundaries in Illumination via the menus displayed when you select a workload or a traffic flow.

[Screenshot: policy-enforcement-boundaries]

In the menu, you will see the familiar “brick wall” icon indicating the presence of an Enforcement Boundary next to traffic that will be impacted by it. This is the same method used to visualize Enforcement Boundaries in Explorer, allowing for a consistent visual representation and experience.  
 
This view displays all traffic between selected workloads, whether in "Selective Enforcement" mode or "Mixed Enforcement" mode, and which traffic flows will be impacted by an Enforcement Boundary.  

You can also see the type of traffic between workloads next to each flow, classified as unicast, broadcast or multicast. Traffic types are indicated by the new "B" and "M" markers next to each flow (traffic with no letter next to it is unicast).

[Screenshot: enforcement-boundaries-traffic]

Centralizing Enforcement Boundary workflows in Illumination

In addition to displaying Enforcement Boundaries alongside workloads and traffic flows in Illumination, you can select and modify specific Enforcement Boundaries from directly within Illumination. By selecting the traffic and policy decision for a workload, you can display or edit that Enforcement Boundary.

[Screenshot: view-enforcement-boundaries]

This eliminates the need to jump back and forth between visualizing traffic in Illumination and accessing specific Enforcement Boundaries in different workflows. You can visualize both types of segmentation policies — allow-lists and deny-lists — as part of the application dependencies in Illumination.  

Enforcement Boundaries: The Illumio difference

Unlike many other security platforms, Illumio offers both allow-list and deny-list segmentation policy models through Enforcement Boundaries. This lets you take a granular approach to either security architecture and implement a quick response to ransomware. And you can do so safely, with the ability to analyze the effect of Enforcement Boundary rules on specific traffic patterns in Explorer and within the application dependencies displayed in Illumination. You can now define both what you want to allow and what you don't want to allow, and see the effects in all three primary workflows.
 
Enforcement Boundaries also solve a long-standing problem with firewalls: rule ordering. Traditional firewalls read rules from top to bottom with an implicit "deny" at the end. Placing a new rule in an existing firewall ruleset is not for the faint of heart, since putting one or more new rule statements in the wrong place, before or after some other existing rule, runs the risk of breaking dependencies. This challenge requires a carefully defined change-control process during a planned change-control window. And if a dependency suddenly breaks during the change, you are required to roll back and try again later.

To avoid this problem, Illumio delivers a declarative model where the administrator defines the end state of any new segmentation rules or Enforcement Boundary and Illumio carefully implements the correct rule order. This means that the administrator defines the "what" and Illumio implements the "how."
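The evaluation model described in the two passages above (an Enforcement Boundary that denies RDP and SMB between all workloads, a few allow-rule exceptions for central resources, and rules declared as an end state rather than an ordered list) can be sketched as a small policy simulator. This is an added illustration, not Illumio's code or its actual algorithm; the workload names, labels, and the inbound-only simplification are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source workload
    dst: str    # destination workload
    port: int   # destination TCP port

@dataclass(frozen=True)
class Rule:
    """Allow rule or Enforcement Boundary, matched by labels and ports, never by position."""
    src_labels: frozenset   # empty set = any source
    dst_labels: frozenset   # empty set = any destination
    ports: frozenset        # empty set = any port

    def matches(self, flow, labels):
        return (self.src_labels <= labels[flow.src]
                and self.dst_labels <= labels[flow.dst]
                and (not self.ports or flow.port in self.ports))

# Constructed inventory: hypothetical workload names, labels and enforcement modes.
LABELS = {
    "web-1": {"role:web"}, "web-2": {"role:web"}, "db-1": {"role:db"},
    "jump-1": {"role:jumphost"}, "files-1": {"role:central-files"},
}
MODE = {"web-1": "selective", "web-2": "selective", "jump-1": "selective",
        "files-1": "selective", "db-1": "full"}

# One Enforcement Boundary: deny RDP (3389) and SMB (445) between all workloads.
BOUNDARIES = [Rule(frozenset(), frozenset(), frozenset({3389, 445}))]
# Allow rules are the declared end state; the exceptions that may cross the boundary live here too.
ALLOWS = [
    Rule(frozenset({"role:web"}), frozenset({"role:db"}), frozenset({5432})),
    Rule(frozenset({"role:jumphost"}), frozenset(), frozenset({3389})),      # RDP only from the jump host
    Rule(frozenset(), frozenset({"role:central-files"}), frozenset({445})),  # SMB only to the file server
]

def decide(flow, allows=ALLOWS, boundaries=BOUNDARIES, labels=LABELS, mode=MODE):
    """Policy decision at the destination workload (simplification: inbound side only)."""
    allowed = any(r.matches(flow, labels) for r in allows)
    if mode[flow.dst] == "full":            # allow-list: deny everything not explicitly allowed
        return "allow" if allowed else "deny"
    # selective: allow by default; block only boundary traffic that no allow rule covers
    bounded = any(b.matches(flow, labels) for b in boundaries)
    return "deny" if bounded and not allowed else "allow"

def order_independent(flows):
    """Same decisions whichever order the allow rules were written in."""
    reordered = list(reversed(ALLOWS))
    return all(decide(f) == decide(f, allows=reordered) for f in flows)
```

Web-to-web SMB is blocked by the boundary, web-to-file-server SMB crosses it through the exception, and the database in Full Enforcement still denies anything without an allow rule.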

Since the weakest link in any security architecture is a human typing on a keyboard, Illumio removes the risk of configuration errors, which remains the single most common source of weak security in any cloud or enterprise network. You can clearly define and visualize Enforcement Boundaries — and guarantee that you can safely and efficiently implement workload segmentation at scale.
