4. It says ‘no’ to strangers
A side effect of the policy-based methodology is that it can use white-list logic. That is, the network will only do things that the PCE specifically says are permitted; anything else gets rejected.
Put another way: Anything that’s weird gets ignored.
In theory, that makes the system trickier to fool. It’s a way to combat the “chewy insides” problem, where an attacker who’s penetrated the hard, crunchy shell of the network can wander freely around the unguarded interior.
This is just a side effect of the whole policy thing. If you’re running a declarative, policy-based network, it will ignore anything it doesn’t understand. That’s a lesson first imparted to me by the folks at Noiro Networks, the group inside Cisco that’s working with open source projects such as OpenDaylight, and it speaks well to security for the declarative network model in general.
5. It installs itself, kind of
You do have to do something to get Illumio installed. Namely, the creation of the VENs has to become part of the virtual machine bring-up process. The PCE has to be installed someplace, too.
But once the installation is done, every workload will be born with a VEN and will speak its first words to the PCE, thus joining the security tribe. You don’t have to do anything to make sure a new workload is protected.
6. It does some of what ACI and NSX do
ACI, as mentioned, uses the declarative model as well. If you’re using ACI throughout the network, I’m not sure you need Illumio. But ACI “doesn’t live everywhere,” Illumio CCO Cohen says. “It doesn’t live in most of the networks in the world.”
VMware’s NSX might have more of a problem with Illumio’s existence. NSX essentially places a firewall on every node; that’s the microsegmentation architecture that’s become NSX’s primary use case. Illumio would seem to obviate the need for that.
In fact, Illumio theoretically removes the need for interior firewalls anywhere in the network (although Cohen notes that most networks don’t do this in the first place).
7. It creates one fat target to attack
This one isn’t a “feature,” but it’s an unavoidable observation: The graph that the PCE draws sounds like one sweet target for anybody trying to create any mischief.
The graph is certainly not an off-the-shelf spreadsheet. It’s a policy-calculating brain that supposedly scales massively (one trick being that it only computes the fraction of the graph that’s impacted by any changes). But if you somehow gain control of it, you’d be able to white-list yourself into any part of the network. There are a lot of “ifs” in that statement, but it’s a clear goal to set if you want to cause trouble.
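The two properties described in points 4 and 7, default deny for anything the policy graph doesn’t explicitly permit and recomputing only the slice of the graph a change touches, in a small model. This is an added illustration, not Illumio’s code; the workload inventory, labels and rules are constructed, and the label scheme and function names are assumptions.

```python
from itertools import product

# Constructed sample inventory (not Illumio data): workload -> labels.
WORKLOADS = {
    "web-1": {"role": "web", "env": "prod"},
    "app-1": {"role": "app", "env": "prod"},
    "db-1":  {"role": "db",  "env": "prod"},
    "dev-1": {"role": "web", "env": "dev"},
}

# Declarative allow rules on labels; any flow not matched here is denied.
RULES = [
    {"from": {"role": "web", "env": "prod"}, "to": {"role": "app", "env": "prod"}, "port": 8080},
    {"from": {"role": "app", "env": "prod"}, "to": {"role": "db",  "env": "prod"}, "port": 5432},
]

def matches(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())

def allowed(workloads, rules, src, dst, port):
    """Default deny: a flow passes only if some rule explicitly permits it.
    A peer with no labels (never enrolled, no VEN) can never match a rule."""
    s, d = workloads.get(src), workloads.get(dst)
    if s is None or d is None or src == dst:
        return False
    return any(matches(s, r["from"]) and matches(d, r["to"]) and r["port"] == port
               for r in rules)

def compute_allow_set(workloads, rules, touched=None):
    """Return the set of permitted (src, dst, port). With `touched`, only the
    pairs involving those workloads are evaluated (partial recomputation)."""
    ports = {r["port"] for r in rules}
    names = list(workloads)
    pairs = [(s, d) for s, d in product(names, names)
             if touched is None or s in touched or d in touched]
    return {(s, d, p) for s, d in pairs for p in ports if allowed(workloads, rules, s, d, p)}

def apply_label_change(workloads, rules, allow_set, name, new_labels):
    """Relabel one workload and patch only the entries of allow_set it affects."""
    workloads[name] = new_labels
    kept = {e for e in allow_set if name not in e[:2]}
    return kept | compute_allow_set(workloads, rules, touched={name})

if __name__ == "__main__":
    full = compute_allow_set(WORKLOADS, RULES)
    print(sorted(full))
    promoted = {"role": "web", "env": "prod"}
    print(sorted(apply_label_change(dict(WORKLOADS), RULES, full, "dev-1", promoted)))
```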
The PCE, and therefore the graph, can be kept on-premises. Illumio also offers a hosted option. I’m guessing it’s heavily guarded.
So, What’s It All Mean?
Security is a many-faceted area — in fact, I like to think it’s not a single thing, but a combination of processes. That’s what makes it so difficult.
Illumio seems to be targeting many of those facets at once. It’s an ambitious goal, but the company’s ideas show a lot of promise, Infonetics analyst Howard says.
“I would have doubts if they didn’t have some very big customers,” he says. (Yahoo and Plantronics are among those listed on Illumio’s web site.) “With NFV, SDN, and virtualization, the world is changing very rapidly. Policy is going to get more and more involved in operations, whether it’s the data center or the carrier network. I think these guys are pretty aware of what’s changing, what’s coming down the pike.”