Identity-Based Microsegmentation Guide
LAST UPDATED: November 8, 2021

Enforcer

The enforcer monitors and controls traffic to and from processing units. You deploy it as a service on a virtual machine and as a DaemonSet on a cluster. It connects to the Microsegmentation Console API to retrieve network rulesets and to send flow and DNS resolution logs.

host enforcerservice enforcerDaemonSet pod pod pod networkrulesets flow &DNS logs MicrosegmentationConsole flow &DNS logs networkrulesets

For virtual machines on AWS, GCP, or Azure, we recommend configuring the enforcer to use short-lived tokens from the cloud provider to authenticate to the Microsegmentation Console. Otherwise, you can configure the enforcer to use an app credential.

The enforcer can control traffic between processing units at different layers of the network stack. At layer 3, it automatically adds the processing unit’s cryptographically signed identity during the SYN/SYN->ACK portion of TCP session establishment (or by using UDP options in the case of UDP traffic). At layer 4, it exchanges identities after a TCP connection is established, but before any data traffic is allowed to flow. In this case, it utilizes TCP Fast Open to minimize the round-trip times needed to complete a robust authorization.

The addition of these cryptographically signed tags allows Microsegmentation to exchange and verify the identity of both processing units and validate if there is a network ruleset which will allow or deny traffic between the two endpoints. Once the authentication and authorization is complete, the enforcer allows both processing units to communicate directly.

Enforcement

At layer 7, the enforcer operates as a full API proxy and injects authorization information on every API call. In this case, it can perform per API endpoint authorization between processing units as well as between users and processing units.

The content of traffic is never visible to Microsegmentation Console or the enforcer. The enforcer’s role is to allow or drop the connection depending on the network rulesets it has received from Microsegmentation Console.