Adaptive Segmentationmicro-segmentation June 20, 2017

Cutting the Gordian Knot

Bryan Pelham,

The Gordian Knot is a legend associated with Alexander the Great and is often used as a metaphor for a complex or unsolvable problem (untying the impossible knot) solved easily by thinking outside of the box (cutting the Gordian knot). Its roots are traced back to Alexander the Great when he conquered the city of Gordium in modern day Turkey. 

Introducing Illumio SecureConnect Gateway

Recently, we encountered a customer wrestling with a "Gordian Knot." Their developers were using Amazon Web Services to host development workloads, and they needed a way to securely connect specific workloads back to their private data center. A site-to-site VPN solution – AWS DirectConnect – seemed to be the only option, but came with serious limitations preventing them from moving forward:

  • Unencrypted communications – communications in the cloud between workloads and from cloud workloads to the VPN gateway were not encrypted.
  • Increased exposure – all cloud workloads in the security group had direct access to all resources in the private data center, whether they needed to or not. 
  • Management overhead – required provisioning and management of multiple VPN gateways in the public cloud.
  • Reduced performance  introduced a performance chokepoint and single point of failure.

The customer shared this Gordian Knot with us, and working together we helped them solve this challenge with an innovative use of technology they already had in place.

What if secure connectivity was initiated directly from the workloads themselves? 

Rather than provision VPN gateways at the edge of the public cloud to secure connectivity, what if secure connectivity was initiated directly from the workloads themselves? Architecturally, it works the same way they provide VPN access for remote employees, so it was a concept already familiar to them. This approach eliminates the overhead of chokepoint appliances at the edge of the public cloud and ensures all data in transit is encrypted at the source when it leaves the workload. Even better, this novel approach takes advantage of capabilities they already have available in each workload. So how does it work?

Illumio introduced SecureConnect two years ago to secure data in motion directly between workloads without the headaches of manual configuration or expensive, complex hardware solutions. This capability provides policy-based encryption between Linux and Microsoft workloads using native OS IPsec capabilities such as strongSwan (Linux) and Windows IPsec (Windows).

SecureConnect Gateway animation

Building on top of this functionality, the Illumio SecureConnect Gateway feature enables hosts in the public cloud to securely access resources in the private data center by connecting through a VPN gateway such as the Cisco ASA Gateway. All communication between the hosts and the Cisco ASA Gateway is encrypted using IPsec tunnel mode. The Illumio software agent installed on a Linux or Windows host configures the OS to establish an IPsec tunnel from the host to the Cisco ASA Gateway. This enables a host outside of the corporate network (e.g., in Amazon Web Services) to securely connect back to the corporate network without requiring the complexity of a site-to-site VPN.

This novel approach enables select workloads in cloud environments like AWS, Azure, or Google Compute Engine to connect securely to a private data center while preventing the rest of the public cloud workloads from communicating with the data center. And it eliminates the need for a VPN gateway in the public cloud – no traffic chokepoints, performance, or HA challenges.

As part of announcing this feature, we’ve also joined the Cisco Solutions Partner Program. You can find us in the Cisco Marketplace Technology Solutions Catalog.

And you can learn more about SecureConnect and SecureConnect Gateway on the Illumio website.

Adaptive Segmentationmicro-segmentation
Share this post: