Fresh-faced startup Illumio is bringing a new twist on an old technique to create something simple and powerful.
Take host-based firewalls–in Linux, Windows, containers–that already exist and control them with centrally managed policy.
In case you don’t immediately grab why this is an excellent idea, I’ll break it down for you.
Let me be clear at the outset: I love what Illumio purports to do. I can see the potential because it uses something that I already know works and makes it scale. Illumio isn’t a magic bullet, but it is wonderfully complementary.
Once upon a time, host-based firewalls were all we had. You can still configure one now, because Windows, OS X, Linux, and pretty much every operating system out there has a built-in firewall capability. The trouble is, managing the configuration of lots of host-based firewalls is a scale problem that gets worse as you add more hosts.
You can’t just apply a blanket set of rules to all hosts, because different applications need to talk to each other on different ports. Add in the mobility inherent in modern apps with load-balancing, high-availability, and disaster-recovery, and if your rule changes can’t keep up with what’s needed, security becomes a stifling bottleneck.
Anyone who has had to wait weeks for a change to firewall rules for your new application will know what I mean. And the result is as predictable as it is maddening: security is compromised in the name of agility.
Putting a choke-point–a firewall–between two areas and securing this one point is easier than trying to secure the dozens (or hundreds!) of servers within a particular zone. You can designate that everything in the webserver zone is a webserver, and that they can only talk to the app tier over this specifically enumerated set of ports.
Oh, except for these ones that use some special vendor product that has to talk over its own port. Oh, and this new service we have to turn on today that we didn’t tell you about, and there’s nowhere else to put it because the zone it’s supposed to go in won’t be ready for another month.
Yes, I have the scars.
But hold on, we have all sorts of things providing centralised management of distributed systems these days. It’s a core design principle behind Cisco ACI and VMware NSX, not to mention the DevOps methods using Chef, Puppet, Ansible, etc. Why not do the same for host firewalls?
And that’s what Illumio does. While I haven’t personally tested it (yet), I did have a great chat with CTO and Co-Founder, PJ Kirner, and Chief Commercial Officer, Alan Cohen, about the software. They were clearly pleased to have someone grok what they’re trying to do so quickly.
Illumio runs an agent on the host (so bake it into your standard build in your DevOps workflow) which sends telemetry data to a central policy engine cluster. The policy engine, in turn, configures firewall rules on the hosts by communicating with the agent.
If the application on the host is in a particular grouping, it can talk to certain other hosts and applications, and nothing else. If it tries to–if someone does breach your perimeter and starts sniffing around for their next hop, say–then the telemetry data will help the policy engine notice. You can then quarantine the affected host/app and follow your security breach procedures.
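The model described above, as an added example that is not Illumio's code or API and not part of the original article: a central policy written against groups is expanded into per-host iptables rules, and agent-reported flows are checked against the same policy. Host names, IP addresses, group labels and ports are constructed for illustration.

```python
from collections import namedtuple

# Constructed inventory: host -> (IP, group label). All values are illustrative.
HOSTS = {
    "web1": ("10.0.1.11", "web"),
    "web2": ("10.0.1.12", "web"),
    "app1": ("10.0.2.21", "app"),
    "db1": ("10.0.3.31", "db"),
}
# Central policy is written against groups, not hosts:
# (source group, destination group, protocol, destination port).
POLICY = [("web", "app", "tcp", 8080), ("app", "db", "tcp", 5432)]

Flow = namedtuple("Flow", "src dst proto port")

def compile_rules(host):
    """Expand the group policy into inbound iptables rules for one host."""
    group = HOSTS[host][1]
    rules = [
        "iptables -P INPUT DROP",  # default deny
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_group, dst_group, proto, port in POLICY:
        if dst_group != group:
            continue
        for peer in sorted(h for h, (_, g) in HOSTS.items() if g == src_group):
            rules.append(f"iptables -A INPUT -s {HOSTS[peer][0]} "
                         f"-p {proto} --dport {port} -j ACCEPT")
    return rules

def violations(telemetry):
    """Return agent-reported flows that no policy line permits."""
    return [f for f in telemetry
            if (HOSTS[f.src][1], HOSTS[f.dst][1], f.proto, f.port) not in POLICY]

# Constructed telemetry: the last flow is a web host reaching the database directly.
TELEMETRY = [
    Flow("web1", "app1", "tcp", 8080),
    Flow("app1", "db1", "tcp", 5432),
    Flow("web2", "db1", "tcp", 5432),
]

if __name__ == "__main__":
    print("\n".join(compile_rules("app1")))
    print("not permitted by policy:", violations(TELEMETRY))
```

Adding a host to `HOSTS` with the `web` label and recompiling is the whole change process: every `app` host picks up the new allow rule without anyone editing a per-host rule set.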
The graphical directed-graph display makes it easy to see what things are talking to what, and to highlight things that aren’t normal.
Putting security rules closer to the applications themselves, on the hosts they run on, means we get closer to the assume breach mentality of modern information security. Now we don’t have a hard, crunchy shell of a perimeter that gives way to the soft, gooey (and delicious!) middle if someone finds their way through the firewall. Which isn’t exactly a rare thing when we have seemingly constant notification of breaches, like the recent ones from Juniper and Cisco.
A tool like this is also fabulous for security audits. Don’t fill in a form to tell us which ports and IPs your application needs to communicate over, we’ll just point Illumio at it in test and it will tell us. And then you can’t lie to us and have it break when it goes into production.
Illumio are also adding, in the latest version, integration with Active Directory so that you can extend Illumio from managing servers to end-user computing devices, at this point desktops. I asked about mobile, and got the expected “that’s on the roadmap” startup response. But with AD integration, now Unix admins can only see the Unix hosts they’re supposed to be looking after. Contractors can only see the application they’re here to help with.
Again, it doesn’t solve all your problems, but it reduces the overall attack surface of your environment and helps to protect against people who are already inside. It’s an additional tool for CISOs to manage the ever-growing threat, and quite frankly, they need all the help they can get at the moment.
Illumio is one of those rare times I see a new product and immediately go “Yes. YES! I want one. Oh man, the things I could do with this!” and then shortly afterwards think “Why doesn’t this already exist?”
This article first appeared on Forbes.com.