Adaptive Segmentation, micro-segmentation | January 29, 2015

Metcalfe's Law and the Vulnerability of Connectivity

Nathanael Iversen, Chief Evangelist

Long before computer networks became ubiquitous, Ethernet inventor Robert Metcalfe understood clearly how powerful computer networks would become. He formulated this understanding into Metcalfe’s law, which states that the value of a telecommunications network is proportional to the square of the number of connected users of the system.


Unfortunately, it didn’t take long for a second reality to emerge: The more connected a computer is, the more vulnerable it is to attack, compromise, and exploitation. In fact, the very networks that make servers useful also serve to expose hundreds, thousands, or tens of thousands of ports to remote exploitation.


Predictably, since most attacks come via the network, it became common practice to fortify, filter, and monitor network connections for possible attack vectors. To make this easier, network subnets and VLANs provided the ability to consolidate networks behind firewall zones, and for many years, this has been the basic security model: Ensure there are only one or two ingress/egress points for a given network, and run everything through a central choke point.

As we move toward automated and distributed computing models, though, there is no single place to put a choke point, and manually provisioning network infrastructure simply doesn’t scale with the kinds of automation DevOps teams are deploying.

For this world, Illumio offers a powerful new model based on the workload itself.


In the last several years, both Linux and Windows operating systems have developed robust packet filtering technologies and placed them in the kernel. The Illumio Virtual Enforcement Node (VEN) sits on each workload and can program these stateful firewalls with instructions from the Policy Compute Engine (PCE). Because the VEN resides inside the guest OS, it has the full context of what services are running, all network connectivity, IP addressing, etc. As these variables constantly change, the PCE is made aware of the shifting context—and recomputes the rules as appropriate. In this way, the security apparatus continually receives context and can keep up with the dynamic pace of automated workload deployment and management.

By locating the security enforcement and Illumination (i.e., graphical visualization) point at the workload, enterprises receive several additional benefits:

  1. Because every workload is natively protected, security is effectively decoupled from the network architecture. Each workload has its own enforcement point, so there is no need to create layers of subnets and VLANs just for segmenting workloads. The VEN provides the ultimate degree of micro-segmentation—each workload is individually enforced.
  2. The workload enjoys true deployment flexibility, and can run on bare metal, in any hypervisor, or in any cloud provider and still enjoy an identical security policy.
  3. The VEN and PCE are built on top of a REST API that was architected to dovetail seamlessly with Ansible, Chef, Puppet, and other automation and orchestration tools.
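To make the VEN/PCE model above and the first two benefits in the list concrete, here is an added illustration (not Illumio code, and not its API): a toy central "policy compute" step that takes the current workload inventory (labels plus current IP) and a label-based policy, derives the inbound allow list each workload's host firewall needs, and renders it as a default-deny stateful iptables ruleset. When a workload is relocated and its IP changes, the rules are simply recomputed, so nothing about subnets or VLANs has to change. All workload names, labels, addresses and ports are constructed for the example; `Workload`, `Rule`, `compute_inbound_rules` and `render_iptables` are hypothetical names.

```python
"""Added example (not Illumio code): a toy label-based policy compute step.

A central function takes the inventory of workloads (labels + IP) and a
label-based policy, and derives the per-workload inbound allow rules that
each host's stateful kernel firewall should enforce. Re-running it after a
workload moves (new IP) yields the updated rules with no network changes.
Every name, label, address and port below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. {"role:web", "env:prod"}


@dataclass(frozen=True)
class Rule:
    """Allow workloads matching `consumer` to reach those matching `provider` on `port`."""
    consumer: frozenset
    provider: frozenset
    port: int
    proto: str = "tcp"


def matches(workload, labels):
    """A workload matches a label set when it carries every label in the set."""
    return labels <= workload.labels


def compute_inbound_rules(workloads, policy):
    """Return {workload_name: [(src_ip, proto, port), ...]} for every workload.

    Every workload gets an entry, possibly empty, so each host ends up in
    default-deny with only the explicitly computed allows.
    """
    allows = {w.name: [] for w in workloads}
    for rule in policy:
        providers = [w for w in workloads if matches(w, rule.provider)]
        consumers = [w for w in workloads if matches(w, rule.consumer)]
        for p in providers:
            for c in consumers:
                if c is not p:  # a workload needs no allow rule for itself
                    allows[p.name].append((c.ip, rule.proto, rule.port))
    return {name: sorted(set(entries)) for name, entries in allows.items()}


def render_iptables(allows_for_host):
    """Render one host's inbound allow list as default-deny, stateful iptables commands."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, proto, port in allows_for_host:
        lines.append(
            f"iptables -A INPUT -p {proto} -s {src} --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT"
        )
    return lines


def relocate(workloads, name, new_ip):
    """Simulate a workload moving to another hypervisor or cloud and getting a new IP."""
    return [Workload(w.name, new_ip, w.labels) if w.name == name else w for w in workloads]


# Constructed policy: web tier may reach the database tier on 3306,
# the load balancer may reach the web tier on 443. Nothing else is allowed.
POLICY = [
    Rule(consumer=frozenset({"role:web"}), provider=frozenset({"role:db"}), port=3306),
    Rule(consumer=frozenset({"role:lb"}), provider=frozenset({"role:web"}), port=443),
]

# Constructed inventory: labels describe the workload, not the subnet it sits on.
INVENTORY = [
    Workload("lb-1", "10.0.0.10", frozenset({"role:lb", "env:prod"})),
    Workload("web-1", "10.0.1.11", frozenset({"role:web", "env:prod"})),
    Workload("web-2", "10.0.1.12", frozenset({"role:web", "env:prod"})),
    Workload("db-1", "10.0.2.20", frozenset({"role:db", "env:prod"})),
]

if __name__ == "__main__":
    for host, allows in compute_inbound_rules(INVENTORY, POLICY).items():
        print(f"# {host}")
        print("\n".join(render_iptables(allows)))
    # web-2 moves to a different address space; only db-1's rules change.
    moved = relocate(INVENTORY, "web-2", "192.168.5.7")
    print(compute_inbound_rules(moved, POLICY)["db-1"])
```

The point of the toy is the separation of concerns the post describes: the policy is written in terms of labels, the central step resolves labels to current addresses, and each host enforces only its own computed allow list, so a workload can sit on any subnet, hypervisor or cloud and still receive an identical policy.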

The Illumio Adaptive Security Platform (ASP) provides the architecture needed to ensure that as cloud connectivity and distributed networks further marginalize traditional security architectures, the workloads themselves are safe, secure, and completely in sync with the current enterprise security policy.

