The Illumio Adaptive Security Platform® (ASP) delivers real-time application dependency mapping and security segmentation to stop lateral movement inside data centers and cloud environments.

Illumio ASP provides visibility into the connectivity between workloads across heterogeneous compute environments, generates optimal security segmentation policies based on how workloads communicate, and programs the native stateful enforcement points in each host to enforce applicable firewall rules.

This all starts with a different approach to segmentation at the architectural level: Illumio decouples security segmentation from the network infrastructure. Because policy is no longer tied to network constructs such as VLANs, subnets, and IP addresses, the limitations of network-based segmentation (re-addressing, re-zoning, and firewall rule sprawl whenever the network changes) no longer apply.

Illumio ASP Architecture (diagram)

Core Components

FLEXIBLE POLICY COMPUTE ENGINE DEPLOYMENT MODEL

You have several options for deploying the Policy Compute Engine (PCE):

  • Illumio ASP Cloud: Illumio hosts and manages the PCE in a multi-tenant SaaS infrastructure.
  • Illumio ASP On Premises:
    • PCE Virtual Appliance: Deployed as a virtual appliance in your data center or private cloud.
    • PCE Software: Deployed as software on the servers in your data center or private cloud.

PCE Supercluster enables centralized visibility and policy management for globally distributed environments at large enterprise scale (environments with more than 25,000 managed workloads). A Supercluster provides a single administrative and visibility domain that spans multiple independent PCE regions.


VIRTUAL ENFORCEMENT NODES EVERYWHERE

A Virtual Enforcement Node (VEN) is installed in discrete operating system instances for which an organization wants complete visibility and enforcement. It can run on a bare-metal server, in a virtual machine, within a containerized host, and on public cloud instances.


A VEN is not itself an enforcement point. It collects telemetry from the workload, such as the operating system type, interface IP addresses, running processes, and the IP addresses the workload is talking to, and transmits this information to the PCE. The PCE uses the telemetry to build a live visibility map of communication, and that map is the basis for the segmentation policy. The PCE then turns the label-based policy into stateful firewall rules and sends them to the VEN, which programs the native, host-based stateful firewall within each workload. A VEN can program the following:

  • Layer 3/Layer 4 firewalls in the host operating system (Windows Filtering Platform, iptables for Linux, and IPFilter for AIX/Solaris)
  • Access control lists (ACLs) in load balancers (F5) and switches (Arista), containerized hosts, and cloud security groups (AWS, Azure, GCP)

MULTI-DIMENSIONAL LABELING

The Illumio ASP policy model does not use network constructs like VLANs, zones, subnets, and IP addresses to tie security to the underlying network. Instead, you assign four-dimensional labels to workloads to identify: Role, Application, Environment, and Location.

  • A workload can be a bare-metal server, a virtual machine, a container, or a process running on a host.
  • Labeling is not based on IP addresses or subnets.
  • Labels can come from configuration management databases (CMDBs), IP address management (IPAM) tools, orchestration tools, and through workflows built into the Illumio ASP.

SIMPLIFIED POLICY DEVELOPMENT AND MODELING

Policies can be written manually or by using Policy Generator, which simplifies policy creation by recommending the optimal security segmentation policies for applications based on historical traffic. Policy Generator accelerates security workflows to reduce the risk of human error when creating segmentation policies. Illumio ASP's real-time application dependency map, Illumination, allows you to model policies before going into enforcement.


Policies can be modeled in the following ways:

  • Build mode: Superimposes a proposed policy against the collected traffic flows.
  • Test mode: Evaluates the policy against existing traffic flows without enforcing it, effectively turning each workload into a sensor that detects policy violations. In test mode you receive an alert for every flow that deviates from policy. Such deviations may be legitimate production traffic that was not previously observed, or unauthorized attempts to connect to workloads.
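The two ideas above, label-based policy that is independent of IP addresses and a test mode that scores observed traffic against policy without blocking it, are easier to see in code. The following is an added example written for this page, not Illumio code: a toy policy compiler that resolves Role/Application/Environment/Location scopes to the current workload IPs, renders one workload's result as a default-deny iptables chain (a stand-in for what a VEN would program on a Linux host), and reports which observed flows the policy does not permit. All workloads, rules and flows are constructed sample data.

```python
"""Added example (not Illumio code): a toy model of label-based segmentation.

Workloads are identified by Role / Application / Environment / Location
labels rather than by IP address. A rule names a consumer scope, a
provider scope and a service. compile_policy() resolves the label scopes
to the workloads' current IPs and produces per-workload inbound allow
entries. check_flows() is the test-mode step: observed flows are scored
against the policy and deviations are reported, nothing is blocked.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    role: str
    app: str
    env: str
    loc: str

    def in_scope(self, scope: dict) -> bool:
        # A scope lists only the dimensions it cares about; an omitted
        # dimension matches any value.
        return all(getattr(self, dim) == value for dim, value in scope.items())


@dataclass
class Rule:
    consumer: dict  # label scope of the side that opens the connection
    provider: dict  # label scope of the side that listens
    proto: str
    port: int


# Constructed sample inventory.
WORKLOADS = [
    Workload("web1", "10.0.1.10", "web", "store", "prod", "dc1"),
    Workload("web2", "10.0.1.11", "web", "store", "prod", "dc1"),
    Workload("db1", "10.0.2.20", "db", "store", "prod", "dc1"),
    Workload("dbdev", "10.0.9.20", "db", "store", "dev", "dc1"),
    Workload("mon1", "10.0.3.30", "monitor", "ops", "prod", "dc1"),
]

RULES = [
    # Production store web tier may reach the production store database.
    Rule({"role": "web", "app": "store", "env": "prod"},
         {"role": "db", "app": "store", "env": "prod"}, "tcp", 3306),
    # The production monitoring role may SSH to anything in production.
    Rule({"role": "monitor", "env": "prod"}, {"env": "prod"}, "tcp", 22),
]


def compile_policy(workloads, rules):
    """Per provider workload, the set of (src_ip, proto, port) allowed inbound."""
    allow = {w.name: set() for w in workloads}
    for rule in rules:
        consumers = [w for w in workloads if w.in_scope(rule.consumer)]
        for provider in (w for w in workloads if w.in_scope(rule.provider)):
            for consumer in consumers:
                if consumer is not provider:
                    allow[provider.name].add((consumer.ip, rule.proto, rule.port))
    return allow


def render_iptables(allow_entries):
    """Render one workload's entries as a default-deny iptables INPUT chain."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, proto, port in sorted(allow_entries):
        lines.append(f"iptables -A INPUT -s {src} -p {proto} --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    return lines


def check_flows(workloads, rules, flows):
    """Test mode: return observed (src_ip, dst_ip, proto, dport) flows that
    the policy does not permit. Flows to an IP with no workload record are
    reported too, since no label policy covers them."""
    allow = compile_policy(workloads, rules)
    by_ip = {w.ip: w for w in workloads}
    violations = []
    for src, dst, proto, port in flows:
        target = by_ip.get(dst)
        if target is None or (src, proto, port) not in allow[target.name]:
            violations.append((src, dst, proto, port))
    return violations


# Constructed sample of flows a VEN might have reported.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 3306),  # prod web -> prod db: allowed
    ("10.0.1.10", "10.0.9.20", "tcp", 3306),  # prod web -> dev db: crosses environments
    ("10.0.1.11", "10.0.2.20", "tcp", 22),    # web SSH to db: not a permitted role pair
    ("10.0.3.30", "10.0.1.10", "tcp", 22),    # monitoring SSH: allowed
]

if __name__ == "__main__":
    policy = compile_policy(WORKLOADS, RULES)
    print("\n".join(render_iptables(policy["db1"])))
    for flow in check_flows(WORKLOADS, RULES, SAMPLE_FLOWS):
        print("test-mode violation:", flow)
```

The point of the decoupling is visible in `compile_policy`: re-addressing `web1` changes only the rendered iptables entries, never `RULES`, and the dev database `dbdev` receives no allow entries at all because the production rule's scope does not match it. The two flows that `check_flows` reports are exactly the kind of finding test mode is for: one is a cross-environment dependency you would want to investigate before enforcing, the other is a connection attempt the policy never intended.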

RICH REST APIs AND UI

You can choose to interact with the PCE using the Illumio UI or via well-documented REST APIs. The Illumio ASP REST API allows you to interact with Illumio ASP from any application that can send an HTTPS request. All API access to the PCE is conducted through HTTPS and accessed through the same URL that is used to log in to the PCE web console. REST APIs enable you to automate key IT operations and IT security workflows.
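As an added example of driving the PCE from "any application that can send an HTTPS request", here is a small Python client written for this page; it is not Illumio's own code. It assumes, and you should confirm against your PCE's API documentation, that the API is served under `/api/v2` on the same host and port as the web console, that requests authenticate with HTTP Basic using an API key's username and secret, and that a workload's labels come back as a list of `{"key": ..., "value": ...}` objects. The hostname, organization ID and credentials are placeholders. The label check runs offline on a constructed sample response, which is the kind of pre-enforcement hygiene check a practitioner would automate.

```python
"""Added example (not Illumio code): a minimal PCE REST client.

Assumed (verify against your PCE API docs): base path /api/v2 on the web
console host, HTTP Basic auth with an API key username and secret, and
workload labels as [{"key": "role", "value": "..."}, ...]. Placeholder
hostname, org id and credentials throughout.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

REQUIRED_DIMENSIONS = ("role", "app", "env", "loc")


def build_request(pce_url, org_id, api_user, api_secret, path="workloads"):
    """Return a urllib Request for GET /api/v2/orgs/<org_id>/<path>.

    Refuses plain http: the PCE API is only reachable over HTTPS, and an
    API secret must never travel in the clear."""
    if urlsplit(pce_url).scheme != "https":
        raise ValueError("PCE URL must use https://")
    url = f"{pce_url.rstrip('/')}/api/v2/orgs/{org_id}/{path}"
    token = base64.b64encode(f"{api_user}:{api_secret}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })


def fetch_json(request, cafile=None):
    """Send the request and decode the JSON body.

    Certificate validation stays on; for a PCE issued by a private CA,
    pass that CA bundle as cafile rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return json.load(resp)


def find_unlabeled(workloads):
    """Return {hostname: [missing dimensions]} for workloads that lack any
    of the four label dimensions. A workload with a gap cannot be placed
    in scope correctly, so this is worth running before moving to
    enforcement."""
    gaps = {}
    for wl in workloads:
        present = {lbl["key"] for lbl in wl.get("labels", [])}
        missing = [d for d in REQUIRED_DIMENSIONS if d not in present]
        if missing:
            gaps[wl["hostname"]] = missing
    return gaps


# Constructed sample shaped like a trimmed workload listing.
SAMPLE_WORKLOADS = [
    {"hostname": "web1", "labels": [
        {"key": "role", "value": "Web"}, {"key": "app", "value": "Store"},
        {"key": "env", "value": "Production"}, {"key": "loc", "value": "DC1"}]},
    {"hostname": "db1", "labels": [
        {"key": "role", "value": "Database"}, {"key": "app", "value": "Store"}]},
    {"hostname": "legacy7", "labels": []},
]

if __name__ == "__main__":
    # Live call (placeholders; uncomment to run against a real PCE):
    # req = build_request("https://pce.example.com:8443", 1, "api_xxx", "secret")
    # print(find_unlabeled(fetch_json(req)))
    print(find_unlabeled(SAMPLE_WORKLOADS))
```

Two choices are deliberate: the scheme check in `build_request` fails closed if someone pastes an `http://` console URL, and `fetch_json` takes a CA bundle instead of a "verify=False" switch, because an automation account's API secret is exactly the credential an on-path attacker would want.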