Illumio ASP provides visibility into the connectivity between workloads across heterogeneous compute environments, generates optimal security segmentation policies based on how workloads communicate, and programs the native stateful enforcement points in each host to enforce applicable firewall rules.
This starts with a different approach to segmentation at the architectural level: Illumio decouples security segmentation from the network infrastructure. Because policy is no longer tied to network position, the limitations of network-based segmentation (re-addressing, VLAN and zone sprawl, rules that break when a workload moves) no longer apply.
You have several options for deploying the Policy Compute Engine (PCE):
PCE Supercluster provides centralized visibility and policy management for globally distributed environments at large enterprise scale, meaning more than 25,000 managed workloads. It presents a single administrative and visibility domain that spans multiple independent PCE regions.
A Virtual Enforcement Node (VEN) is installed in each discrete operating system instance for which an organization wants complete visibility and enforcement. It runs on bare-metal servers, in virtual machines, on containerized hosts, and on public cloud instances.
The VEN itself is not the enforcement point; the native host firewall is. The VEN collects telemetry from the workload, such as the operating system type, interface IP addresses, running processes, and the IP addresses the workload is talking to, and transmits this information to the PCE. The PCE aggregates the telemetry from all VENs into a live visibility map of communication, and that map is what you use to build the segmentation policy. The PCE then compiles the label-based policy into stateful firewall rules for each workload and sends them to its VEN, which programs the host's native stateful firewall. A VEN can program the following:
The Illumio ASP policy model does not use network constructs such as VLANs, zones, subnets, or IP addresses, so security is not tied to the underlying network. Instead, you assign each workload labels in four dimensions: Role, Application, Environment, and Location. Policy rules are written in those labels; the PCE resolves them to the concrete addresses and ports of the matching workloads when it compiles rules for each VEN.
Policies can be written manually or with Policy Generator, which recommends segmentation policies for an application based on its historical traffic. Policy Generator accelerates policy creation and reduces the risk of human error when writing segmentation rules. Illumination, Illumio ASP's real-time application dependency map, lets you model a draft policy against observed traffic and see what it would block before you move workloads into enforcement.
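The three ideas above (rules written in labels rather than addresses, rules derived from observed traffic, and modeling a draft policy before enforcement) are easier to see in a small working model. The following is an added illustration written for this page, not Illumio code and not the PCE's policy language; the dataclasses, the `inventory`/`flows` structures and the sample workloads and flows are all constructed for the example. It shows why a workload can change IP address without any rule changing, why a flow that was never observed is denied by default, and how a visibility-only pass reports what a draft policy would block.

```python
"""Label-based segmentation model (added example, not Illumio code).

Workloads carry labels in four dimensions (role, app, env, loc); rules are written
only in those labels.  Observed flows (what a VEN would report to the PCE) are
matched against the rules.  generate_rules() derives an allow set from history in
the spirit of Policy Generator; model_policy() is a visibility-only pass that
blocks nothing and just reports what a draft policy would deny.
"""
from dataclasses import dataclass

DIMENSIONS = ("role", "app", "env", "loc")  # Role, Application, Environment, Location


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: dict  # e.g. {"role": "web", "app": "shop", "env": "prod", "loc": "us-east"}


@dataclass(frozen=True)
class Rule:
    consumer: dict  # label selector for the side that opens the connection
    provider: dict  # label selector for the side that listens
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def selector_matches(selector, labels):
    """A selector matches when every dimension it names has that value on the workload."""
    return all(labels.get(dim) == val for dim, val in selector.items())


def flow_allowed(flow, rules, inventory):
    """Resolve both endpoints to labeled workloads, then look for a matching rule."""
    src, dst = inventory.get(flow.src_ip), inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return False  # an unlabeled peer matches no rule: default deny
    return any(
        r.port == flow.dst_port and r.proto == flow.proto
        and selector_matches(r.consumer, src.labels)
        and selector_matches(r.provider, dst.labels)
        for r in rules
    )


def generate_rules(flows, inventory):
    """Derive allow rules from observed traffic: one rule per distinct
    (consumer labels, provider labels, port, proto).  Flows involving an
    unlabeled peer are skipped so they surface during modeling instead."""
    seen, rules = set(), []
    for f in flows:
        src, dst = inventory.get(f.src_ip), inventory.get(f.dst_ip)
        if src is None or dst is None:
            continue
        key = (tuple(sorted(src.labels.items())), tuple(sorted(dst.labels.items())), f.dst_port, f.proto)
        if key not in seen:
            seen.add(key)
            rules.append(Rule(dict(src.labels), dict(dst.labels), f.dst_port, f.proto))
    return rules


def model_policy(flows, rules, inventory):
    """Visibility-only evaluation: return the flows a draft policy would block."""
    return [f for f in flows if not flow_allowed(f, rules, inventory)]


def relocate(inventory, name, new_ip):
    """Give a workload a new IP address; its labels, and therefore policy, are unchanged."""
    moved = {ip: w for ip, w in inventory.items() if w.name != name}
    old = next(w for w in inventory.values() if w.name == name)
    moved[new_ip] = Workload(old.name, new_ip, dict(old.labels))
    return moved


# Constructed sample inventory and history (not real telemetry).
BASE = {"app": "shop", "env": "prod", "loc": "us-east"}
INVENTORY = {
    "10.0.1.10": Workload("web1", "10.0.1.10", {"role": "web", **BASE}),
    "10.0.2.20": Workload("app1", "10.0.2.20", {"role": "app", **BASE}),
    "10.0.3.30": Workload("db1", "10.0.3.30", {"role": "db", **BASE}),
}
HISTORY = [
    Flow("10.0.1.10", "10.0.2.20", 8080),
    Flow("10.0.2.20", "10.0.3.30", 5432),
    Flow("10.0.1.10", "10.0.2.20", 8080),  # repeat: must not produce a second rule
]
RULES = generate_rules(HISTORY, INVENTORY)

if __name__ == "__main__":
    # A stray flow from an unlabeled host is what modeling should surface.
    print(model_policy(HISTORY + [Flow("10.9.9.9", "10.0.3.30", 5432)], RULES, INVENTORY))
```

Two things worth noticing when you run it: the web tier talking straight to the database is denied even though both are in the inventory, because that path was never observed and no rule names it; and after `relocate` moves `web1` to a new address the same rules still allow its traffic, which is the practical meaning of decoupling policy from the network.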
Policies can be modeled in the following ways:
You can interact with the PCE through the Illumio web console or through documented REST APIs. The Illumio ASP REST API lets any application that can send an HTTPS request work with Illumio ASP. All API access to the PCE is over HTTPS and uses the same base URL as the PCE web console, so the API is subject to the same transport protection as the console login. The REST API lets you automate key IT operations and IT security workflows.
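As an added example of driving the PCE from automation (written for this page, not Illumio's SDK), the client below builds authenticated requests against the HTTPS console URL and parses a workload listing. The `/api/v2` prefix, the `/orgs/{org_id}/workloads` path and API-key basic authentication (key id as username, secret as password) are taken from the public PCE REST API reference but should be treated as assumptions to check against your PCE release; `SAMPLE_RESPONSE` is a constructed, simplified payload, not captured PCE output. The two checks a practitioner cares about are built in: the client refuses a plaintext URL so an API secret is never sent over HTTP, and it uses the default TLS context, which verifies the PCE certificate and hostname.

```python
"""Build and parse PCE REST API v2 requests (added example, not Illumio code).

Assumed from the public API reference (verify for your release): base path
/api/v2, workloads at /orgs/{org_id}/workloads, HTTP basic auth with the API key
id as username and the secret as password.  send() performs the real call and is
never invoked here; everything else runs offline.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit


def basic_auth_header(api_key, api_secret):
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return "Basic " + token


class PceClient:
    def __init__(self, console_url, org_id, api_key, api_secret):
        parts = urlsplit(console_url)
        if parts.scheme != "https":
            # The API is HTTPS-only; never let a secret go out over plaintext.
            raise ValueError(f"refusing non-HTTPS PCE URL scheme {parts.scheme!r}")
        self.base = f"https://{parts.netloc}/api/v2"
        self.org_id = int(org_id)
        self.auth_header = basic_auth_header(api_key, api_secret)
        # Default context verifies the certificate chain and hostname.  Do not
        # replace it with ssl._create_unverified_context() to "fix" cert errors;
        # install the PCE's CA instead.
        self.ssl_context = ssl.create_default_context()

    def build(self, path, params=None, method="GET", body=None):
        """Return a urllib Request for an org-scoped endpoint, e.g. build('/workloads')."""
        url = f"{self.base}/orgs/{self.org_id}{path}"
        if params:
            url += "?" + urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", self.auth_header)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def send(self, req):
        """Perform the request (network access; not exercised offline)."""
        with urllib.request.urlopen(req, context=self.ssl_context, timeout=30) as resp:
            return json.loads(resp.read().decode())


def workloads_by_label(payload, key, value):
    """Hostnames of workloads carrying label key=value in a workloads listing."""
    hits = []
    for wl in payload:
        labels = {lb["key"]: lb["value"] for lb in wl.get("labels", [])}
        if labels.get(key) == value:
            hits.append(wl["hostname"])
    return hits


# Constructed sample payload in a simplified shape (not captured PCE output).
SAMPLE_RESPONSE = [
    {"hostname": "web1", "labels": [{"key": "role", "value": "web"}, {"key": "env", "value": "prod"}]},
    {"hostname": "db1", "labels": [{"key": "role", "value": "db"}, {"key": "env", "value": "prod"}]},
    {"hostname": "lab-web", "labels": [{"key": "role", "value": "web"}, {"key": "env", "value": "dev"}]},
]

if __name__ == "__main__":
    client = PceClient("https://pce.example.com:8443", 1, "api_example", "secret")  # placeholder creds
    req = client.build("/workloads", {"max_results": 500})
    print(req.get_method(), req.full_url)
    print(workloads_by_label(SAMPLE_RESPONSE, "role", "web"))
```

Keep the API key and secret out of the URL and out of source control (an environment variable or a secrets manager is the usual fix); they carry the same reach as a console login to that organization.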