Secret sounds like a good word to use when you want to protect your data. And whether your tastes are more Mission: Impossible or Austin Powers, who doesn't love a good secret agent movie?
When it comes to segmentation though, a secret agent is just about the last thing you want.
A cybersecurity agent's work is never done — it's essential
When we talk about agents at Illumio, we're usually not talking about Jason Bourne. Instead, we're talking about the endpoint agent, the workhorse of any segmentation deployment. Illumio's agent software is called the Virtual Enforcement Node or VEN and it runs on every workload that we protect.
Watch this overview to learn more about the Illumio VEN:
The agent has three main jobs:
- It maintains constant communication with the Policy Compute Engine (PCE), Illumio's central brain. Think Maxwell Smart, always talking into his shoe phone.
- It monitors what's happening on the workload, including the source and destination of every connection coming in or going out.
- It enforces the security policy that you've defined for your organization, allowing the connections you want and blocking the ones you don't.
The enforcement piece is critical when it comes to reducing the risk of data breaches. But it's also where a secret agent can get into a lot of trouble.
Get the details about Illumio's lightweight, dependable VEN here.
Secret agents sit inline of network traffic
A segmentation agent has a complex job: It needs to understand the security policy that applies to the workload, and it needs to check every inbound and outbound connection for compliance with that policy.
A connection that's mistakenly blocked can impact business operations, but allowing a risky connection is like opening the door for an attacker. The agent needs to make the right decision every time. It also needs to be 100 percent reliable, and it can't impact your application's performance or availability.
At a technical level, there are two main approaches when it comes to enforcement:
- An agent can sit in the middle of every connection and make decisions on the fly about what to allow or block.
- Or it can enlist the help of the operating system, its personal henchman, to do the dirty work.
We call the former an inline agent. This agent is a piece of software that hooks deeply into the kernel, the core of the operating system. Every packet of network traffic going in or out of the workload is handed off from the kernel to the agent. The agent has to inspect that packet and decide if it should be allowed, then pass it back to the kernel.
Agents that have full access to every packet can be very powerful because they have a lot of information they can use to assess whether the packet should be allowed. However, these agents can also be very risky. You have to wonder each time: Will your packet be safeguarded by James Bond, backed by Q's masterful inventions? Or will it be bumbled by Inspector Gadget?
2 reasons why inline agents can be unreliable
Unfortunately for many organizations, there's nothing funny about the analogy. Inline agents don't have a very good track record.
The first concern is typically performance: Inline agents can only apply simple rules and rudimentary inspection before they start to noticeably impact the workload. The effects of an overworked agent can include high CPU load and reduced network throughput. Security at the expense of poor application performance is not a very good tradeoff.
Beyond performance though, there are often questions about reliability. What happens when your agent fails at its mission? Maybe the wrist communicator goes down, or the agent gets an input that it didn't expect. Or maybe the agent just isn't up to the task, trained and tested in a simpler environment and ill-prepared for real-world conditions. Should the agent fail open, exposing you to unnecessary risk, or should it fail closed and disrupt your business?
These risks are all inherent to the job of a secret agent, operating in the shadows and using its own unproven methods. The more contact the agent has with each packet, the greater the risk of the agent causing an outage or degradation in performance.
Illumio's not-so-secret agent: The Illumio VEN
When it comes to agents, Illumio takes a different approach. We like to break the work of segmentation into two main parts:
- Talk about your security policy. Let's think about your risks and the types of assets you need to protect, and come up with a human-friendly security policy that safeguards your services and data.
- Enforce your security policy. This is where the VEN comes in, and ideally, it's the most transparent and least interesting piece of the puzzle.
Your business gives you enough to think about; the last thing you need is an agent that brings unnecessary drama.
To ensure a no-drama agent experience, Illumio takes a layered approach to VEN operations:
- The VEN periodically retrieves security policy updates from the PCE. If the PCE is unreachable (for a short time or a long time), the VEN already has everything it needs to protect your workload. There is no real-time dependency between the VEN and the PCE.
- Once the VEN receives its orders from the PCE, it hands off the enforcement to the operating system. This "enforcement-for-hire" service is provided by iptables on Linux or WFP on Windows (WFP is the Windows Filtering Platform, the low-level enforcer that Windows Firewall is built on top of). When it comes to complex distributed systems, the OS-level enforcement doesn't bring a lot of brains, but it packs plenty of muscle.
- Having received its direction from the VEN, the OS then does the enforcement completely on its own. In the unlikely event that anything goes wrong with the VEN, the OS can continue enforcing its most recent policy without any additional help. Like any good manager, the VEN can take a break if needed and everything will keep running smoothly.
Read more about how the Illumio VEN was developed to maintain its lightweight performance.
Advantages of Illumio's VEN
The key advantage of this approach is that the enforcement provided by the OS is extremely stable and high performing. On Linux, iptables was first released in 1998; development of WFP began around 2007. These services are mature, robust, and used on hundreds of millions of servers worldwide. Most potential issues that could conceivably impact the workload were found and fixed a long time ago.
And unlike inline agents, Illumio's VEN has a great reputation for being lightweight and dependable. Our VEN has a proven track record of blocking unwanted connections without impacting your business through added latency or service disruptions.
By focusing on your risk reduction goals and taking a "hands-off" approach to your packets, Illumio empowers you to think about security without worrying about whether the agent is doing its job effectively.
Ready to learn more about the Illumio Zero Trust Segmentation Platform? Contact us today for a consultation and demo.