Virtual Enforcement Node
The Virtual Enforcement Node (VEN) is a lightweight agent that sends and receives information, programs pre-existing enforcement points, and detects policy violations.
A VEN can be installed on any workload, including virtual machines, bare-metal servers, public cloud instances, and containers. Think of a VEN as an antenna—it sends and receives information. The VEN collects information about which IP addresses the workload is talking to, tying the running processes on the workload to the ports and protocols. It then sends this telemetry to the Policy Compute Engine (PCE) to:
- Create the real-time application dependency map, Illumination.
- Inform the PCE if there is a change in the state on the workload; for example, a new interface or new process.
Once you author policies in the PCE, the PCE computes the corresponding stateful firewall rules. The VEN receives those rules and programs the native, stateful host-based firewall within the workload.
Get live visibility into workloads
Each VEN provides visibility into the inner workings of the workload, which helps the PCE build an accurate application dependency map. The VEN programs the native enforcement capabilities that already exist within the workload and acts as a sensor that detects and alerts for policy violations.
Conquer heterogeneity through a single control plane
No matter the heterogeneity of your compute footprint, Illumio Core delivers live visibility and micro-segmentation from a single control plane. VENs can be deployed on workloads running a variety of operating systems, including Windows, Linux, AIX, and Solaris—agnostic of the underlying infrastructure such as bare-metal servers, virtual machines, public cloud instances, or containers, and irrespective of on-premises data center, public/private cloud, hybrid, or multi-cloud locations.
Avoid cost and complexity by using your existing enforcement points
The VEN takes the rules computed by the PCE and programs the existing native Layer 3/Layer 4 stateful firewall in the workload. This approach enables you to maximize your existing infrastructure investments instead of having to re-architect the entire environment and acquire new networking infrastructure or data center firewalls.
Ensure policies follow the workload
The PCE is in communication with each VEN and automatically re-calculates and transmits any firewall rule changes to the impacted VENs when the application changes (for example, IP changes, disaster recovery, or new versions). This ensures policies are enforced consistently and accurately in the face of a dynamic application environment.