/
Illumio Products

Little-Known Features of Illumio Core: Virtual Services

In this ongoing series, Illumio security experts highlight the lesser known (but no less powerful) features of Illumio Core.  

With the value of exfiltrated data dropping on the black market, hijacking critical resources and holding their data ransom has dramatically increased in value — and has become a very successful criminal business model. Today, disrupting an organization’s infrastructure is a very tempting target for bad actors.  

Infrastructure resources can be hijacked and disrupted at the host and application layers, and both types of resources must be visualized and enforced independent of each other and on a granular scale.  

In this blog post, learn how to leverage Illumio Core’s virtual services to secure your hosts and their applications and processes with and without an agent. This delivers an end-to-end Zero Trust architecture with no blind spots.

Illumio Core’s agentless approach to workload security

Illumio Core manages workloads directly on the OS by deploying the Illumio VEN agent which then pairs with the Illumio PCE. This enables Illumio to visualize and enforce application-centric traffic using firewall capabilities which are native to each OS, independent of traditional security solutions. Workload-centric segmentation requires a solution that’s agnostic to the underlying hosting environment.

While this approach of pushing the workload security solution directly onto the workload is the most ideal, there are other kinds of workloads that need to be included in workload visibility and enforcement architectures but don’t allow third-party agents to be deployed, such as load balancers, IoT, and OT devices.  

Agentless security solutions are often associated with public cloud platforms which Illumio enables with Illumio CloudSecure. In an on-premises environment, there are various private cloud solutions which have different security options, but most of these solutions are dependent on hypervisors or virtual, overlay-network architectures. Creating segments in a hypervisor or overlay-network environment is still a network-centric solution, whereas workload-centric segmentation requires a solution which is agnostic to the underlying hosting environment. How can Illumio enable this without the VEN agent?

3 ways Illumio Core secures environments without an agent

Illumio Core extends its visibility and enforcement solution beyond managed workloads with these agentless entities:  

  • Unmanaged workloads
  • Virtual servers
  • Virtual services
Unmanaged workloads

Illumio can identify unmanaged workloads without a VEN agent by using its hostname and IP address. Illumio then assigns labels to that workload which enables Illumio to visualize and enforce access to it from all other managed workloads.  

Illumio is not receiving telemetry from that unmanaged workload since there is no VEN agent deployed on it. Instead, Illumio can see which managed workloads it is communicating with, allowing Illumio to fully include these unmanaged, agentless workloads in its Illumination Map and policy model.

Illumio manages both managed and unmanaged workloads the same:

Illumio displays and enforces traffic on Unmanaged Workloads, with no agent.
Illumio displays and enforces traffic on Unmanaged Workloads, with no agent.
Virtual servers

A virtual server is used to enforce traffic through a load balancer. Illumio defines each virtual server by the VIP being exposed on the F5 or AVI load balancer. Illumio also creates labels for pool members deployed behind the load balancer associated with that VIP.  

Illumio’s Network Enforcement Node (NEN) module helps to read and write security policy directly onto the load balancer using an API-driven workflow. This enables Illumio to visualize and enforce traffic to and from virtual servers through a load balancer without relying on deploying a VEN agent.  

Illumio enforces virtual services by configuring load balancer and managing pools.
Illumio enforces virtual services by configuring load balancer and managing pools.

Caption: Illumio enforces virtual services by configuring load balancer and managing pools.

Virtual services

A virtual service is used to label and define policy to one or more specific processes or applications residing on the same host, with each virtual service being independent of the underlying host’s labels and policy. For example, if two applications are deployed on a single host, Illumio will create two different virtual services, each enforcing distinct policy from each other and the underlying host.  

When Illumio uses a virtual service to define a specific process or application as a workload, independent of the host it is deployed on, it will “bind” that virtual service to the ports used by that process. A virtual service can map to either a single process or a collection of specific TCP ports on a host.  

Illumio can assign different labels to different applications on one host. For example, if one host has deployed both a database process and a postgres instance on port 5678, Illumio can create two different virtual services and bind each one to the relevant ports used by each process. Then, Illumio will label them using the same multi-dimensional labeling as used with managed workloads.  

Different policies can then be defined against each application label, distinct from the labels and policy defined to the underlying host:

 

Illumio enables granular policy specific to different processes deployed on one host.
Illumio enables granular policy specific to different processes deployed on one host.

If the service or application moves from one host to another, which can happen in private cloud platforms, the policy defined for that application in Illumio doesn’t need to change. Illumio will dynamically re-calculate the rules on the updated workload, such as the new IP address on the host the application has migrated to, in order to allow this virtual service to bring its application-centric policy with it during the migration.  

This enables applications to dynamically migrate across different VMs, for example. Application policy will remain stable, not requiring security change-control processes to follow along with application migrations, regardless of how dynamically applications migrate between hosts.  

Virtual services on managed and unmanaged workloads

Virtual services are commonly used on managed workloads, but they can also be used on unmanaged workloads. If an unmanaged workload has multiple processes or applications deployed on it, Illumio can associate each of them with a different virtual service and will label and enforce each one distinct from the other.  

This allows security teams to define very granular policy specific to processes and applications across different types of workloads. As a result, visualization and policy aren't only limited to an OS/host workload model.  

This is where Illumio’s high scale of supported workloads becomes important — following this model at scale can create an explosion of entities to visualize and enforce which Illumio can easily manage.

Secure against threats targeting hosts and applications

Illumio enables the enforcement of application and host network dependencies, delivering clear visibility of who is talking to what and the ability to lock down lateral movement between resources without complexity. Illumio secures your hosts and their applications and processes with and without an agent. This delivers an end-to-end Zero Trust architecture with no blind spots.

To learn more about Illumio ZTS, contact us today for a free consultation and demo.

Related topics

Related articles

Little Known Features of Illumio ASP – Broadcast and Multicast Filters
Illumio Products

Little Known Features of Illumio ASP – Broadcast and Multicast Filters

In this edition of the Little Known Features of Illumio ASP series, we highlight broadcast and multicast filters.

The Hidden Flaw in Data Center Security: Endpoint Connectivity
Illumio Products

The Hidden Flaw in Data Center Security: Endpoint Connectivity

Learn how to stop lateral movement between endpoints and the data center with the Illumio Zero Trust Segmentation Platform.

Illumio Endpoint Demo: Getting Quick Endpoint Segmentation ROI
Illumio Products

Illumio Endpoint Demo: Getting Quick Endpoint Segmentation ROI

Watch this Illumio Endpoint demo to learn how endpoint segmentation with Illumio offers quick ROI.

Little-Known Features of Illumio Core: SOAR Platforms Integrations
Illumio Products

Little-Known Features of Illumio Core: SOAR Platforms Integrations

Learn how Illumio Core's integrations with third-party SOAR platforms ensures new and unknown malware can't spread through your network.

Little-Known Features of Illumio Core: Analyzing Network Flows With Mesh
Illumio Products

Little-Known Features of Illumio Core: Analyzing Network Flows With Mesh

Learn how Mesh shows multiple data dimensions at once to provide a clearer picture of how each data point interacts with its environment.

10 Reasons to Choose Illumio for Zero Trust Segmentation
Zero Trust Segmentation

10 Reasons to Choose Illumio for Zero Trust Segmentation

Learn why organizations are adopting Zero Trust Segmentation as a foundational and strategic pillar of any Zero Trust architecture.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?