Illumio Live Demo at VMworld 2018

Captions
[Music] Matthew Glenn, I'm the vice president of product management at Illumio. We're gonna do a bunch of live demonstrations of the Illumio Adaptive Security Platform. We're gonna build up a live application dependency map, I then want to take that live map to build up a micro-segmentation policy, and then we'll show you how we can basically coordinate how your security can recover as fast as you can, should a DR situation occur. Now, if you don't know anything about Illumio, we keep some really good company. We have the largest micro-segmentation deployments on earth: companies like Salesforce, who use us globally on the core Salesforce application, Morgan Stanley, Citi, BNP Paribas. They all use us to do micro-segmentation because, regardless of what type of networking you're using (you could be using NSX, not using NSX, you could be flat), it doesn't matter what you're running, we can do micro-segmentation on top of it.

So before we get into my live demonstrations, I just want to quickly orient you to our architecture. We fundamentally believe that you may be in a software-defined data center today running on ESX, you might be in public cloud tomorrow, and you may have bare-metal servers, VMs or containers. So rather than going to where your network or your infrastructure is to do segmentation and visibility, we go to where your compute is to do segmentation and visibility. So the first part of our solution is something we call a VEN, or Virtual Enforcement Node. The VEN is not an enforcement point, it's not inline, it doesn't crack packets. One of our customers describes it as an antenna, and I actually think it's the best way to describe it, because what an antenna does is sense and receive information. It's gonna tell us what IPs a host is talking to and what IPs are talking to that host, and it's gonna send it up to this thing in the middle of the screen right here called the Policy Compute Engine. I want you to think about this as the brain, and what it lives to do is two very magical things. The first thing it's gonna do is build a live application dependency map, and then it can do micro-segmentation policy. So how do you do that? You describe in natural language how you want things to communicate, like "for my ordering application, I want the web tier to talk to the app tier, the app tier to talk to my database tier," and that brain, that Policy Compute Engine, is going to compute layer 3/layer 4 firewall rules for every one of your workloads, no matter where they're running, and it's gonna send it back down to those VENs, those agents that I talked about. But the agent in no way, shape or form enforces any form of policy. So the question is, what the heck is it doing? And the answer is, it's activating the enforcement points that you already have. You already have a stateful firewall in every one of your Linux hosts; it's called iptables. You already have a stateful firewall in all of your Windows hosts; it's called the Windows Filtering Platform. You have the same thing in Solaris and AIX. Your load balancers could be enforcement points, your switch ports can be enforcement points. We believe you have all the enforcement points you've ever needed; you shouldn't have to upgrade your infrastructure to get to them, you just didn't have a way to activate them.

Now before I get into my first demonstration, I just want to quickly orient you to these people on the screen. Why are they important? Because as I drive through my demo I'll talk about all the people that may get a benefit out of our product, and I will actually describe them: people from security, platform operations, you know, auditors, all those types of people I will talk about as I drive through my demo. Now Janani here is gonna be my demo DJ. She's gonna be spinning the records, I'll be doing the rapping, and we'll see what happens here.

Okay, so we're gonna start off in Illumination. In Illumination we build this live, real-time application dependency map, and right now we're looking at a location view. You'll notice that there's circles and lines. The circles represent individual application instances running inside of that data center; the number inside of those circles corresponds to the total number of workloads that are currently categorized as part of that application. Let's do a quick Vulcan mind-meld: in our vernacular, what is a workload? A workload could be a bare-metal server, a workload could be a VM, a workload could be containers, and we'll demo all that as we drive through this demonstration. The lines here represent inter-application traffic. Okay, I'm now gonna have Janani drill down into the ordering application, and now we're almost looking at, like, the Google Street View. This is all the flows for this one ordering application, and you're going to notice that there's red lines and green lines. A red line indicates that we've detected traffic and you've not yet written a policy that would have allowed that traffic. A green line indicates that we've detected traffic and you've already written a policy that would have allowed that traffic. Now here is the magic of this: what we allow you to do is to incrementally build up your policy without breaking your applications. Anybody who's provisioned a firewall rule and then got a phone call from the application team? It's because you didn't have that... yeah, you're shaking your head, it's because you don't have the workflow that I'm about to show you.

Okay, so what happens is you deploy those VENs and you'll start off with what we call build mode. Janani's brought it up in build mode. We're sitting by passively and just collecting the flows, sending them up to that brain, that Policy Compute Engine, and we're gonna deliver you this application dependency map. Okay, you'll start writing policy and we'll overlay the policy on top of all the flows we've seen. If you have red lines, that means you've missed a set of flows and you can incrementally add them on top. When you feel like you have all of your policies in place, you can migrate any workload, or an entire application, to what we call test mode. In test mode we'll actually write all the rules down to the host, but the last rule is "permit any any, log, alert". What that means is I've turned all my workloads into points of visibility, but in this test mode, if something breaks policy you're not going to be blind to it; we'll send you an alert. But the alert is not just gonna be "IP address 10.6.4.3 just had a policy violation"; we would say "the database of the ordering application in the production environment in California just had a potential policy violation," and so it's gonna give you a little bit more telemetry. What that means is (a) something's going wrong, or (b) you need to add another policy to this. What this is allowing us to do is to incrementally build up a zero-trust policy but without breaking your application, to protect your crown jewels but without breaking them, which is always an important point. And when Janani's ready, she can migrate it to fully enforced mode. In that mode we drop off the "permit any any, log, alert", and now you've basically protected one of your crown jewel applications.

Okay, now I'm gonna have Janani look at a different application, something that's a little bit more interesting, because that was a little bit idealistic. Let's look at this point-of-sale application, because I think it's a little bit more accurate to what you'll see. Your applications do not sit on the Island of Misfit Toys; they usually talk across data centers and across applications. This point-of-sale application is actually sitting in two different data centers. Why is that? Geo-diversity creates resilient applications. Why? If one data center goes down, your application continues to run. So from an ops perspective, I realize I've created a resilient architecture for how this has been deployed, but this might not be the right way to look at it. I'm now gonna swap over from the operations team view to the application owner view. So Janani's gonna log in, and I can actually assign this view to Janani so she could log into the console and look at her individual application instance. And so via SAML I could say, like, Janani owns the point-of-sale application in the PCI environment. Let me show you what you're looking at here. So what you'll notice is there's squares and these octagons. These octagons are actually containerized workloads, okay; they could be deployed via Kubernetes or whatever, and they're talking into a processing tier and a persistence layer at the bottom. Now the other thing which I can quickly see here: what I'm going to have Janani do is attest to all the workloads that are part of her application, and there's one workload that looks like a redheaded stepchild: it's this web workload. Why is it there? Because it's been tagged in vCenter, or it's been tagged or classified in the CMDB, as part of this application. Okay, so when I ultimately write policy, I'm not gonna write policy using IP addresses, subnets, zones or VLANs; I'm gonna write policy via the tags that we could use. So I'm gonna make her attest to all the workloads that are part of her application. She can plainly see that someone has classified this, so she can open a particular service now and have it reclassified, or send a ticket to the VMware team to have it reclassified, or in this case, for theater, she'll just drag it down to the actual application it's supposed to be part of. Okay, and using this simplified workflow, what you're ultimately doing is cleaning up your CMDB. Okay, and so something you get is a good CMDB as a good output from this. Any questions about what I'm showing you so far? The question is, what do we do if there's an advanced persistent threat? Remember how I talked about you could be in this targeted monitoring, or this test mode: if something breaks policy and tries to move laterally within the environment, we're gonna send you an alert, because we're turning every workload into a point of visibility, we're also turning them into a sensor. Now if anything tries to move laterally in the environment, you're gonna know about it, and if you're fully enforced we'll block that lateral movement.

Okay, let's go back to Janani. So Janani's cleaned up her application. Now the question is, how do we actually write a micro-segmentation policy for it? And the answer is, we're gonna kick off a workflow called Policy Generator. Let's just quickly review: Janani attested to the workloads that are part of her application, we cleaned up vCenter or the CMDB, and now what I'm gonna have Janani do is attest to the flows that are part of her application, and Janani knows best, 'cause it's her app, it's not my app, it's her app. Okay, so let's kick off Policy Generator. What Policy Generator does is it's going to look at the flows we've seen and suggest the optimal micro-segmentation policy. We don't have to send Janani to firewall school to write policy here. What she's gonna do is look at the flows, and this tool, which is integrated into the application dependency map, is gonna suggest the perfect policy based on the flows that we've detected. So she could choose between putting everything into a big bubble, if you will, micro-segmentation; she could do tier-based segmentation; and watch this: if there's a flow that she doesn't think should be part of policy, she could choose to exclude it. I've had her attest to the workloads that are part of her application and now I'm having her attest to the flows that are part of her application. She can choose to exclude it or she can choose to include it, or she could do port/process/protocol-based segmentation, and when she feels like she has the right policy she can move on to the next step in our workflow here. And let's pay attention, 'cause this is where things are gonna get really magical. For the point-of-sale application in the PCI environment, and let's remember this is PCI, I want the web tier to talk to the processing tier, the processing tier is going to talk to the database, and the databases are gonna synchronize. I can understand that. But here's what's cool: Janani attested to the workloads and how they're classified here, okay, we've cleaned up the CMDB, we've also had her attest to the flows. So she's now going to go ahead and provision that policy, and we'll go back to look at that application, and voilà, all of our lines have turned green.

Okay, but remember this is a PCI application, and remember in PCI the auditors show up. I'll do my little Dempsey hammer, don don don, it's out of time. Okay, so the auditor shows up, and the question is, what do you normally have to do? You have to go find all the flows that are inside that application, so you're spelunking through logs, okay, and then you have to take those flows and match them up to your firewall and make sure that those things actually map. Let me show you how we help solve that problem. For this we use a tool called Explorer. What Explorer does is it's gonna present all the traffic in that application, and we do it in a couple different ways. The first thing we show you is this parallel coordinates view, and what Janani's done is she's asking questions based on those tags. You'll notice it's the point-of-sale application in the PCI environment, and we're asking questions about what's talking into it. We're presenting the information in a couple of ways: the first thing we do is what from the outside is talking into that application; here you'll see what ports they're actually talking on; and then here are all the processes that are sitting on the other side of those ports. That's probably not the right way to present it to the auditor, so let's go ahead and do that: I need to get pulled up a tabular view of all the flows, and now this is actually what you pass off to the auditor. Let me show you what you're looking at. It'll show you whether that traffic was allowed or blocked by policy; it'll tell you the workload, not just the IP address but the host name. But here's how we make your auditor's life easier, okay: we're gonna tell you what tags they had, so actually any auditor could actually understand what these IP addresses are, because we're gonna actually have the tags as part of the compliance report; what it was talking to; what port, process and protocol it was talking on; how many times we've seen the flow during the audit period; when we first saw the flow and when we last saw the flow. That's how you actually would satisfy an audit in rapid fashion, and now we've basically produced the audit report.

So the next thing I'm gonna do for you is how to deal with disaster recovery. We don't wish it upon anybody, so it's very frequently difficult to plan for, but at some point maybe something bad is gonna happen: you're gonna lose a site. Okay, maybe you're using VMware Site Recovery Manager, maybe you're not, but in order to do segmentation and visibility without Illumio, you have to faithfully replicate the infrastructure upon which the application ran. With Illumio, we've seen customers use, like, Amazon as a DR site, because you don't have to worry about the network, right, but still maintain security. Let me show you how this works. So what Janani's gonna do is she's brought up this New York data center and she's gonna kill that pod that the PCI application is running on, and when she kills it, it's gonna pop up in a DR site. But here's the beauty of it: the same policy, when it actually gets migrated, actually shows up when it comes up in the new location, because your security policy works at the same speed you can. So you don't have to worry about the network being replicated, because the minute those applications come up in the DR site, the security policy actually travels along with it. So we basically just activated it there; it's the same exact policies. So literally the Policy Compute Engine, that brain, recomputed and pushed policies down to those workloads.

Now we've done a bunch of demonstrations for you: we built a large-scale application dependency map, then we did disaster recovery, and we also built micro-segmentation. So Janani's now going to bring up the same application, but now we're gonna look at a vulnerability map. What is a vulnerability map? That's where we import a third-party scan, maybe it's Qualys, Rapid7, Nessus, Tenable, whatever third-party scan you use, and we're looking at this application. It's a nightly import of the vulnerabilities, and now it looks a little bit different. Why? The workloads are color-coded to the highest-severity vulnerability on those hosts: green indicates it's low and informational, orange is medium, and reds are high; there's nothing that's critical, or else that would show up as a different color. The next thing you're gonna notice here is that there's clouds on some of the workloads. Those clouds indicate that there's a port with a vulnerability on it and that port is exposed to the outside world. What do we do with that? We could basically tune your IDS or IPS or your WAF and make them a little bit better. Okay, the next thing you'll notice is that there's grey lines and orange lines. A grey line indicates there's traffic from host to host and that traffic is not connecting into a port with a vulnerability on it. An orange line indicates there's traffic from host to host, or from tier to tier, and that traffic is directly connecting into a port with a vulnerability on it. Let me put it another way: we're showing you how you're inheriting risk across your applications, or within your applications, via this color, and tying it to the vulnerabilities that we imported. The other thing that we do, and only Illumio has this, is we're gonna compute what we call an east-west exposure score. What is that? That is the total number of other workloads within your environment that, by micro-segmentation policy, are allowed to connect in to the vulnerable port. You want to drive that number lower, only to those hosts that need to be able to connect in; least privilege, right?

So what can you do with this? The best way to reduce that number is to patch the workload; then you don't have to worry about the vulnerabilities. But sometimes you can't patch: maybe you're in a production freeze, maybe there's no patch available, maybe you have a crotchety application team. And so how can I get these 540 hosts down lower, how can we mitigate those vulnerabilities? We're gonna kick off this Mitigate Vulnerabilities workflow that's built into the product, okay, and we're gonna go back to our Policy Generator workflow, but it's gonna look a little bit different than it did before. The thing you're going to notice is that there's this grid on the right. All the vulnerabilities in this application are shown in the grid: criticals are on your far right, then high, medium, low and informational. A constrained vulnerability is where we're going to put a firewall rule in front of the port with the vulnerability to reduce the number of hosts that could connect in and exploit the vulnerability. A blocked vulnerability is: if we are on a host and we've never seen traffic going into or out of a port, we can safely block that port, but without breaking the application. Okay, so, like, classic example: developer downloads a LAMP stack, they're using MySQL but they're not using Apache, so we can safely block the Apache port without breaking the application. Right now it's tuned around critical vulnerabilities. There are no critical vulnerabilities in Janani's application; watch what happens when she moves it over to the left. She's now going to tune the micro-segmentation to mitigate the high vulnerabilities on the application. When she did that, our panel basically recalculated the number of mitigated vulnerabilities based on micro-segmentation, and you'll also notice that our rules down here changed, okay. If she drags it over to the left it'll actually change one more time, and if she mouses over any one of these rules it'll show you, by policy, which vulnerabilities were actually being addressed. So what have we done? We've tied application dependency mapping and vulnerability management to create a vulnerability map, and now we're using micro-segmentation as a compensating control, and only Illumio has this capability built into it. When Janani's feeling good about things, she can move to the next step in our workflow, and if we look at it, the policy is still a natural-language policy, and we're gonna show you before and after she provisions the policy: the risk right here, on a per-tier basis, is in this column; afterward is right there. So let's go ahead and save and provision that, and let's go back and look at our application again, Janani. So before, the processing tier still has 14 vulnerabilities on it, because we didn't patch those operating systems. What we did is we reduced the number of workloads that could potentially connect in to exploit those vulnerabilities down to 10, but what's critical, those are the 10 that need to be able to connect in to make sure that that application functions correctly. There's many other demonstrations we can do for you. If you get your badge scanned, we're giving away these cool blue t-shirts. I'm happy to answer any more questions. I run product management for the company, and thank you very much.
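The mechanics the talk walks through (label-based rules compiled to per-host L3/L4 allow rules, build/test/enforce modes with a trailing "permit any any, log" rule in test mode, the red/green overlay of observed flows on policy, and an east-west exposure score for a vulnerable port) as an added example. This is a toy Python model written for this page, not Illumio's code or its rule format; every workload name, IP address, label, port and flow below is constructed, and the iptables-style output is only illustrative text.

```python
"""Toy label-based policy compute engine (added example; constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str   # tier label: web / processing / database
    app: str    # application label
    env: str    # environment label


@dataclass(frozen=True)
class Rule:
    """'<src selector> may reach <dst selector> on proto/port'; selectors are ((label, value), ...)."""
    src: tuple
    dst: tuple
    proto: str
    port: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def matches(selector, w):
    """A workload matches a selector when every label in the selector agrees."""
    return all(getattr(w, key) == value for key, value in selector)


def rule_allows(rule, src, dst, proto, port):
    return (matches(rule.src, src) and matches(rule.dst, dst)
            and rule.proto == proto and rule.port == port)


def compile_host_rules(policy, workloads, host, mode="build"):
    """Inbound rules one host receives, as iptables-style text.
    build   -> nothing written; the host only reports flows.
    test    -> explicit allows, then a log-only catch-all (permit any any, log).
    enforce -> explicit allows, then log and drop."""
    if mode == "build":
        return []
    lines = []
    for r in policy:
        if not matches(r.dst, host):
            continue
        for w in workloads:
            if w != host and matches(r.src, w):
                lines.append(f"-A INPUT -s {w.ip}/32 -p {r.proto} --dport {r.port} -j ACCEPT")
    lines.append('-A INPUT -j LOG --log-prefix "policy-violation "')
    lines.append("-A INPUT -j ACCEPT" if mode == "test" else "-A INPUT -j DROP")
    return lines


def color_flows(policy, workloads, flows):
    """Overlay policy on observed flows: green if some rule allows it, else red."""
    by_ip = {w.ip: w for w in workloads}
    colors = {}
    for f in flows:
        s, d = by_ip.get(f.src_ip), by_ip.get(f.dst_ip)
        ok = s is not None and d is not None and any(
            rule_allows(r, s, d, f.proto, f.dport) for r in policy)
        colors[f] = "green" if ok else "red"
    return colors


def east_west_exposure(policy, workloads, host, proto, port):
    """Number of other workloads the policy lets reach host:port (lower is better)."""
    return sum(1 for w in workloads if w != host
               and any(rule_allows(r, w, host, proto, port) for r in policy))


# Constructed sample inventory: a point-of-sale app in a PCI environment plus two outsiders.
POS = (("app", "pos"), ("env", "pci"))
def tier(role): return POS + (("role", role),)

WORKLOADS = [
    Workload("web-1", "10.6.1.10", "web", "pos", "pci"),
    Workload("web-2", "10.6.1.11", "web", "pos", "pci"),
    Workload("proc-1", "10.6.2.10", "processing", "pos", "pci"),
    Workload("db-1", "10.6.4.3", "database", "pos", "pci"),
    Workload("db-2", "10.6.4.4", "database", "pos", "pci"),
    Workload("ord-web-1", "10.6.9.10", "web", "ordering", "prod"),
    Workload("dev-box", "10.20.0.5", "web", "scratch", "dev"),
]
TIER_POLICY = [                       # "web -> processing, processing -> database, databases sync"
    Rule(tier("web"), tier("processing"), "tcp", 8443),
    Rule(tier("processing"), tier("database"), "tcp", 5432),
    Rule(tier("database"), tier("database"), "tcp", 5432),
]
BUBBLE_POLICY = [                     # "big bubble": any POS workload may reach any POS workload
    Rule(POS, POS, "tcp", 8443),
    Rule(POS, POS, "tcp", 5432),
]
FLOWS = [                             # constructed observed flows
    Flow("10.6.1.10", "10.6.2.10", "tcp", 8443),
    Flow("10.6.2.10", "10.6.4.3", "tcp", 5432),
    Flow("10.6.4.4", "10.6.4.3", "tcp", 5432),
    Flow("10.20.0.5", "10.6.4.3", "tcp", 5432),   # dev box poking at the PCI database
    Flow("10.6.9.10", "10.6.2.10", "tcp", 8443),  # another app reaching POS processing
]


def demo():
    db1 = WORKLOADS[3]
    colors = color_flows(TIER_POLICY, WORKLOADS, FLOWS)
    red = sorted(f"{f.src_ip}->{f.dst_ip}:{f.dport}" for f, c in colors.items() if c == "red")
    return {
        "red_flows": red,
        "exposure_bubble": east_west_exposure(BUBBLE_POLICY, WORKLOADS, db1, "tcp", 5432),
        "exposure_tiered": east_west_exposure(TIER_POLICY, WORKLOADS, db1, "tcp", 5432),
        "db1_test_rules": compile_host_rules(TIER_POLICY, WORKLOADS, db1, "test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the two red flows (the dev box and the ordering app's web tier), db-1's exposure on tcp/5432 dropping from 4 under the big-bubble policy to 2 under the tier policy, and db-1's test-mode rule set ending in a log-only accept. The model deliberately leaves out what a real host firewall also needs (a conntrack rule for return traffic, an outbound chain, management access), so it illustrates the computation rather than a deployable ruleset.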
Info
Channel: Illumio
Views: 3,072
Rating: 4.3684211 out of 5
Keywords: Illumio, VMworld, micro-segmentation
Id: TjascOKajGY
Length: 18min 56sec (1136 seconds)
Published: Sun Sep 16 2018