IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Enforcer

The enforcer is an agent that runs on a virtual machine or as a Kubernetes DaemonSet and applies the policies you have defined in Microsegmentation Console. Once deployed, the enforcer connects to the Microsegmentation Console API with credentials, just as any other client does, and it is bound by API authorizations. The role of the enforcer is to protect units of computation, called processing units.

Protection diagram

The enforcer can protect traffic between processing units at different layers of the network stack. At layer 3, it automatically adds the processing unit's cryptographically signed identity during the SYN/SYN-ACK portion of TCP session establishment (or by using UDP options in the case of UDP traffic). At layer 4, it exchanges identities after the TCP connection is established but before any data traffic is allowed to flow; here it uses TCP Fast Open to minimize the round trips needed to complete a robust authorization.

Exchanging these cryptographically signed tags lets Microsegmentation verify the identity of both processing units and check whether a network policy allows or denies traffic between the two endpoints. Once authentication and authorization are complete, the enforcer lets the two processing units communicate directly.
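The following is an added, self-contained simulation of the identity exchange and policy check described above; it is example code written for this page, not the enforcer's own code or wire format. It assumes a stand-in "Console" trust root that signs each processing unit's tags and handshake public key with Ed25519, a JSON encoding of that credential, a deliberately simple one-tag-per-side rule model, and both enforcers running in one process. The three handshake messages are represented by the values each side would carry: the SYN carries the client credential and a nonce, the SYN-ACK carries the server credential, a nonce and a signature over both nonces, and the ACK carries the client's signature over the same transcript.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential carries the tags attested for a processing unit, the unit's handshake public key,
// and the trust root's signature over both. Assumed structure for this example, not the product's format.
type Credential struct {
	Tags   []string
	PubKey ed25519.PublicKey
	Sig    []byte `json:"-"` // excluded from the JSON encoding that is signed and verified
}

// Console stands in for the trust root that enrolls units; ProcessingUnit holds a unit's
// handshake private key and its issued credential.
type Console struct{ priv ed25519.PrivateKey; Pub ed25519.PublicKey }
type ProcessingUnit struct{ priv ed25519.PrivateKey; Cred Credential }

func NewConsole() *Console {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Console{priv: priv, Pub: pub}
}

// Enroll generates a handshake key pair for a unit and signs its tags together with the public key.
func (c *Console) Enroll(tags ...string) *ProcessingUnit {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Credential{Tags: tags, PubKey: pub}
	body, _ := json.Marshal(cred) // deterministic: field order is fixed by the struct
	cred.Sig = ed25519.Sign(c.priv, body)
	return &ProcessingUnit{priv: priv, Cred: cred}
}

// Rule allows traffic from a unit carrying tag From to a unit carrying tag To.
type Rule struct{ From, To string }

func contains(tags []string, want string) bool {
	for _, t := range tags {
		if t == want {
			return true
		}
	}
	return false
}

// Decide is default-deny: a connection is allowed only if some rule matches both credentials.
func Decide(rules []Rule, src, dst Credential) bool {
	for _, r := range rules {
		if contains(src.Tags, r.From) && contains(dst.Tags, r.To) {
			return true
		}
	}
	return false
}

// authenticate checks the issuer signature on a peer credential, then the peer's proof that it
// holds the matching private key; the peer's tags are trusted only after both pass.
func authenticate(root ed25519.PublicKey, c Credential, transcript, proof []byte) error {
	body, _ := json.Marshal(c)
	if !ed25519.Verify(root, body, c.Sig) {
		return fmt.Errorf("credential not signed by the trusted Console")
	}
	if !ed25519.Verify(c.PubKey, transcript, proof) {
		return fmt.Errorf("proof of key possession failed")
	}
	return nil
}

// Handshake simulates the identity exchange piggybacked on SYN, SYN-ACK and ACK, with both enforcers
// run in-process. Proofs sign fresh nonces from both sides, so a captured token cannot be replayed.
func Handshake(root ed25519.PublicKey, rules []Rule, client, server *ProcessingUnit) (bool, error) {
	transcript := make([]byte, 32) // nonce_client || nonce_server, each half chosen by one side
	_, _ = rand.Read(transcript)
	// Client, on SYN-ACK: the server's credential arrives with its signature over the transcript.
	if err := authenticate(root, server.Cred, transcript, ed25519.Sign(server.priv, transcript)); err != nil {
		return false, fmt.Errorf("client: %w", err)
	}
	// Server, on ACK: the client's credential was in the SYN; its proof over the transcript comes now.
	if err := authenticate(root, client.Cred, transcript, ed25519.Sign(client.priv, transcript)); err != nil {
		return false, fmt.Errorf("server: %w", err)
	}
	// Both enforcers evaluate the same policy against the now-verified tags; no match means drop.
	if !Decide(rules, client.Cred, server.Cred) {
		return false, fmt.Errorf("no policy allows %v -> %v", client.Cred.Tags, server.Cred.Tags)
	}
	return true, nil
}

func main() {
	console := NewConsole()
	web, db := console.Enroll("app=web", "env=prod"), console.Enroll("app=db", "env=prod")
	rules := []Rule{{From: "app=web", To: "app=db"}}
	fmt.Println(Handshake(console.Pub, rules, web, db))                            // true <nil>
	fmt.Println(Handshake(console.Pub, rules, db, web))                            // false: no rule for db -> web
	fmt.Println(Handshake(console.Pub, rules, NewConsole().Enroll("app=web"), db)) // false: untrusted issuer
}
```

The two checks that matter for security are separated on purpose: the issuer signature establishes that the tags were attested by the trust root, and the signature over the nonce transcript establishes that the peer presenting them holds the matching key. A credential whose tags were edited after issue fails the first check; a credential copied from another unit fails the second.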

At layer 7, the enforcer operates as a full API proxy and injects authorization information into every API call. This allows it to authorize each API endpoint individually, both between processing units and between users and processing units.
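To make the layer 7 behaviour concrete, here is an added example of a per-endpoint authorizing API proxy; it is illustration code for this page, not the enforcer's implementation. It assumes a hypothetical rule model (method, path prefix, required caller tag), a hypothetical upstream host orders.internal that is never actually dialed, a hypothetical X-Verified-Tags header as the injected authorization information, and that the caller's tags have already been verified by the connection-level identity exchange, so the proxy receives them from a trusted source rather than from the request. The upstream is driven in-process through a custom RoundTripper so the example needs no sockets.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// EndpointRule grants callers carrying Tag access to Method on paths under Prefix.
// This rule shape is assumed for the example; it is not the product's policy model.
type EndpointRule struct{ Method, Prefix, Tag string }

// Authorize is default-deny: a call passes only if a rule matches its method, path prefix and one caller tag.
func Authorize(rules []EndpointRule, method, path string, callerTags []string) bool {
	for _, r := range rules {
		if r.Method != method || !strings.HasPrefix(path, r.Prefix) {
			continue
		}
		for _, t := range callerTags {
			if t == r.Tag {
				return true
			}
		}
	}
	return false
}

// NewAPIProxy wraps an upstream API: every call is authorized against rules, and allowed calls are
// forwarded with the caller's verified tags injected in a header. callerTags stands in for the identity
// the enforcer already verified at connection setup; it is never read from the client's own request.
func NewAPIProxy(upstream *url.URL, transport http.RoundTripper, rules []EndpointRule,
	callerTags func(*http.Request) []string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.Transport = transport
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tags := callerTags(r)
		if !Authorize(rules, r.Method, r.URL.Path, tags) {
			http.Error(w, "forbidden by microsegmentation policy", http.StatusForbidden)
			return
		}
		r.Header.Set("X-Verified-Tags", strings.Join(tags, ",")) // replaces anything the client sent
		rp.ServeHTTP(w, r)
	})
}

// inProcess lets the reverse proxy call an upstream handler directly, so the example needs no sockets.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// Call sends one request through the proxy to an upstream that echoes the injected header.
// It returns the status and, for allowed calls, the X-Verified-Tags value the upstream saw.
func Call(rules []EndpointRule, callerTags []string, method, path string) (int, string) {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get("X-Verified-Tags"))
	})
	target, _ := url.Parse("http://orders.internal") // hypothetical upstream; never dialed
	proxy := NewAPIProxy(target, inProcess{upstream}, rules, func(*http.Request) []string { return callerTags })
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-Verified-Tags", "role=admin") // spoof attempt; the proxy must overwrite it
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK {
		return rec.Code, ""
	}
	return rec.Code, rec.Body.String()
}

func main() {
	rules := []EndpointRule{
		{Method: "GET", Prefix: "/orders/", Tag: "app=web"},
		{Method: "DELETE", Prefix: "/orders/", Tag: "app=admin"},
	}
	fmt.Println(Call(rules, []string{"app=web"}, "GET", "/orders/42"))    // 200 app=web
	fmt.Println(Call(rules, []string{"app=web"}, "DELETE", "/orders/42")) // 403
}
```

The point to check in any such proxy is the one the spoof line exercises: the identity header reaching the upstream must be set by the proxy from verified identity and must overwrite whatever the client supplied, otherwise a caller can claim tags it was never issued.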

Enforcement

The content of the traffic is never visible to Microsegmentation Console or to the enforcer. The enforcer's role is to allow or drop each connection according to the network policies it has received from Microsegmentation Console.

The enforcer can be installed as a:

  • Kubernetes DaemonSet
  • Linux service
  • Windows service