Adaptive Segmentationmicro-segmentation May 19, 2015

Network Security History Minute: A Tale from the On-Call Pager

Jason Graun,

It’s true: I have been in the IT field long enough to have carried an on-call pager. For those lucky enough not to recall “beepers” and the obnoxious noise they created, they were small, playing card–sized devices primarily carried by doctors. You can still see them in many movies of the 1980s and early 1990s. 

For IT professionals—well, at least for me—carrying the on-call pager was a source of anticipatory anxiety, increased blood pressure, and sleepless nights. Yes, it was that bad.

A Tale from the On-Call Pager

I remember one Saturday evening filled with friends, large quantities of pizza, and a Thunderdome-style tournament of Mario Kart on the Nintendo 64. (Remember I said this was back when pagers were in fashion.) While the tournament was in full swing, an NOC engineer paged me because the wealth management application was completely down. Of course this was a very important application to a large bank as the largest clients used it.

After a long discussion with the application support person, along with putting a bunch of filters on the firewall deny log and using two network sniffers simultaneously, the determination was: Something changed in the application that caused it to start using different TCP ports.

Now the network firewall was blocking traffic, so I had to perform an emergency change to the firewall rules to allow the application to function properly. To this day, making emergency changes to IT infrastructure that could affect other parts of the network does not give me a warm and fuzzy feeling.

In total, the application outage was five hours from initial report to issue resolution.

That was then, this is now

Fast-forward about 15 years. Enter the world of an Adaptive Security Platform (ASP)™, application visibility, and nano-segmentation℠—the world of Illumio. Now that we are living in a time where applications can be anywhere, in any data center or any cloud, and change at anytime, the need for anywhere security is imperative. I would have gotten a lot more sleep and logged a lot more Nintendo 64 hours if we had Illumio securing our network back then.

Illumio ASP includes a management console called the Policy Compute Engine (PCE), which visually shows users a very simple green or red line between the application tiers.  A green line means there is a firewall rule in place for said traffic and a red line means there isn’t. By clicking on the red line, the user can see which ports don’t have a defined rule. Now the NOC engineer has detailed information on what is happening between the layers of an application without parsing firewall deny logs or setting up multiple packet captures. Pretty easy, right?

So if we had Illumio back when I was lugging around the on-call pager and dealing with this application outage, I would have known in a matter of minutes that something had changed in the application processing layer and could have reported the technical details back on the conference bridge right away. Better yet, once we determined these new TCP ports had to be added to the firewall, I could have simply clicked the red lines for the associated ports, added them to the firewall policy, and then provisioned the new rules to the application servers. And I could have done it all in about five minutes.

From an operational and network impact viewpoint, I would have only made emergency changes to a very small part of the overall network, instead of making changes to a network firewall that could have 150,000 TCP connections going through it.


Actually, it could have been easier still

But the above scenario still assumes the use of static network firewall policies, which are too rigid and don’t have any dynamic flexibility. There’s a better way.

With nano-segmentation, Illumio can secure a multi-tier application’s communication down to the process level on the server. We are no longer bound by static rules. Because Illumio ASP can enforce which processes are allowed to communicate, and to whom, the applications can use whatever ports they desire and still maintain security. 

With this in mind, let’s go back to my original, pager-era scenario. But this time you need to free your mind like Neo in The Matrix. With Illumio ASP, when a development team needs to make a change to a multi-tiered application that affects the ports used for communication, the security adapts with that change. Just like there is no spoon, there is no outage.

Adaptive Segmentationmicro-segmentation
Share this post: