Finally, a New Way to Secure Windows Servers

DARREN WOLSTEIN, Microsoft Subject Matter Expert, Illumio

Windows operating systems are some of the most installed in the world, so it’s understandable they would be an attractive target for hackers. Other than traditional antivirus and malware protection, what else can be done to secure these computers and the networks they live on?

Even the most experienced security experts have chosen not to remove a firewall rule out of worry for its unintended effect.

Adding security hardware to your network can help repress, alert you to, or thwart an attack completely. VLANs and firewall-based network segmentation are some of the most effective network security strategies to date, but they have a few major drawbacks, including maintenance and their inability to scale quickly.

Keeping up with the number of VLANs and firewall rules needed to properly segment a network can overwhelm a security team’s resources. This approach can also fall apart over time since it relies human intervention to keep policies in sync with changes. Even the most experienced security experts have chosen not to remove a firewall rule out of worry for its unintended effect.

As firewall rules increase, they become much harder to manage — eventually reaching ridiculously high numbers. I’ve personally seen large enterprises with millions of firewall rules, some of them older than a decade.

The Trouble with Port-Based Rules

Windows operating systems present a unique problem when trying to secure with traditional firewalls. Those firewalls use port-based rules, so a port from a specific IP address is allowed to talk to another port on a different IP address.

This strategy lends itself to UNIX and Linux, which typically have a single process running on a single port or ranges of ports. But in Microsoft operating systems, it’s common to have a group of processes using a single port, or group of ports, which may be dynamically assigned. Hence you may not know what port they want to use ahead of time. So how do you know if you should allow a port if you don’t know the process using it or what port it will use?

Enterprises are treating the symptoms of the problem, but not the core issue: today’s security is static and just can’t keep up with the rate of change.

Dynamic ports are assigned at random out of a pool of commonly agreed upon “high ports.” As you can imagine, not knowing what port will be used causes a wide swath of port ranges to be opened on the segmenting firewalls so the Windows machines can talk to each other. Conversely, you can restrict these port ranges, but you would then need to change registry keys and reboot all your Windows hosts.

This leaves us in the non-ideal position of trying to manage an unmanageable amount of firewall rules, or restricting our host’s native port ranges.

Keeping Up with the Rate of Change

Companies are trying to help by creating software to manage firewall rules, adding application awareness to their firewalls, and generally assisting with one aspect or another of a frustrating situation. But they all treat the symptoms of the problem, and not the core issue: today’s security is static and just can’t keep up with the rate of change.

It’s now possible to achieve granular application segmentation, even in cloud migrations.

Enter the Illumio Adaptive Security Platform (ASP), an entirely new approach to securing your Windows (and Linux) workloads with a dynamic, adaptive security model. Illumio ASP uses the native security enforcement services provided by the operating systems, the Windows Filtering Platform, and iptables. It then adds on an intuitive labeling system that eliminates the need for IP addresses and ports to write rules.

Thus, as new or modified hosts check in, Illumio ASP reads its assigned labels and configures its security profile automatically. The same applies if a host moves IP addresses: The change is seen and all appropriate polices are recalculated in seconds.

Defining your environment via labels means you can group an applications security. When you spin up or down components of your application, security follows, with no need to modify firewall rules or manage VLANs.

What does this mean? We now can achieve granular application segmentation, even in cloud migrations.

The Policy Compute Engine, or PCE, is the “brains” of the operation.

With the addition of process-based enforcement in Windows environments, Illumio will finally remove the question of how to deal with dynamic high ports. You define the approved process, and Illumio allows it to talk on whatever ports it wants, securely.

What makes this happen? The Policy Compute Engine, or PCE, is the “brains” of the operation. Using a lightweight agent called a Virtual Enforcement Node (VEN), the PCE instantly recognizes when a change has occurred and corrects the affected systems within seconds. This dynamic policy engine not only allows you to quickly write natural-language security policies, it also displays an interactive, live map of your application structure called Illumination. A very effective tool for communicating complex security postures to just about anyone.

Securing Windows servers just got really interesting.


Originally published at www.illumio.com.