In this tutorial, we describe how to get started with Illumio ASP by creating managed workloads and applying application segmentation, also called application ringfencing, which separates individual applications, preventing cross-application communications.
Before you begin
This tutorial in the Illumio ASP Free Trial walks you through installing Illumio agents on hosts in your environment. The Illumio platform operates in a secure environment with secure communication between Illumio agents installed in your environment and the Illumio platform. The Illumio agents are lightweight and designed for low resource utilization.
Additionally, you will be creating and testing security policy for your workloads using Illumio’s Build and Test policy states. These policy states do not block network traffic to your workloads. They allow you to visualize the impact of the security policy that you create before you enforce it on your workloads.
Finally, Illumio recommends you operate this Free Trial using hosts running in your testing or staging environments.
About this tutorial
With Illumio ASP, you have the power to model and test segmentation policies at different levels: from coarse-grained to extremely fine-grained segmentation. Most Illumio customers start by applying application ringfencing to their high-value applications.
Unless the initial deployment must satisfy stated compliance or regulatory guidance, the best initial policies start with ringfencing. Ringfencing shrinks the security perimeter from a subnet or VLAN to a single application. It provides the largest impact with the least amount of work, requiring only one line of security policy per application to close off 90 percent of the potential attack surface for east-west traffic movement.
Additionally, application ringfencing provides the greatest flexibility to application owners and developers. Because there is a “permit-any” rule active within the ringfence, changes to the application’s internal communication will always work. An application ringfence allows all workloads within an application group to communicate over any port.
Before you begin this tutorial, you need to understand the following concepts.
Micro-segmentation: A security technique that enables fine-grained security policies to be assigned to applications, down to the workload level. It is built around two key principles: granularity and dynamic adaptation. The application of these principles makes micro-segmentation fundamentally different from conventional network segmentation.
Illumio Adaptive Security Platform (ASP) components: The relationship and basic architecture of the platform’s components—the Policy Compute Engine (PCE) and the Virtual Enforcement Node (VEN). Understanding the interaction between the PCE and VEN is essential to learning about Illumio technology.
Whitelist model: A whitelist policy follows a trust-centric model that denies everything and only permits what you explicitly allow—a better choice in today’s data centers. The list of what you do want to connect in your data center is much smaller than what you do not want to connect. This immediately cuts back, if not eliminates, false positives.
This tutorial requires you to have the following data, access, and systems.
5 to 20 hosts: Bare-metal servers or virtual machines (VMs) in your data center or a public cloud. They can be running Windows or Linux.
Installed packages: The hosts must have the required packages installed.
Development or test applications: The hosts need to have running applications that are generating traffic data. A distributed application is recommended.
Internet HTTPS access over TCP port 443: Illumio ASP needs an outward communication connection for HTTPS using TCP port 443.