Years ago, enterprises owned their computing infrastructure and protected it with tightly controlled physical and perimeter-based network controls. Firewalls and routers were used to segment data center networks into different zones of trust. The network segmentation was mostly designed to restrict North–South traffic between the Internet and the data center, or between user workstations and the data center.
In recent years, there has been a growing need to control East–West traffic. Advanced threats often bypass traditional firewalls, gain a foothold and then move laterally within the network. Recent well-publicized attacks on several large enterprises all had one thing in common: once the perimeter was breached, the attackers were able to propagate laterally from server to server with essentially no security controls in place to stop them.
If your organization is moving to a flat network topology and/or a cloud environment, traditional network segmentation strategies will be complex or impossible to apply. As servers are rapidly provisioned and decommissioned, IP addresses change frequently, and it becomes difficult to continuously reprogram ACLs in routers, firewalls and switches.
Halo Segment solves the problem elegantly and efficiently. Halo Segment uses micro-agents that can be applied to every workload in every operating environment—traditional data centers, private and public clouds.
The first thing that Halo agents do is provide visibility into the traffic patterns between your workloads. Halo tracks workloads on the basis of application type; this means that the IP address of the underlying server can change without affecting your ability to see the traffic flowing between applications, sources and destinations.
Halo Segment provides tabular and visual tools to help you understand traffic patterns at both macro and granular levels. By understanding the traffic patterns on an application level, Halo lets you 1) detect potential malicious activity, and 2) design and enforce microsegmentation policies that are effective for each type of application. (See below.)
Host Firewall Orchestration
As stated above, the traditional tools to segment data centers—firewalls, routers and switches—are not well suited to control traffic in dynamic data center and cloud environments. As servers are rapidly provisioned and decommissioned, the number of changes to IP addresses becomes large, and it becomes difficult to continuously reprogram ACLs in routers, firewalls and switches.
Halo Segment solves the problem in an elegant, efficient fashion. Halo Segment uses micro-agents that can be applied to every workload in every operating environment—traditional data centers, private and public clouds. These micro-agents allow you to deploy fine-grained traffic control at the workload level. This is often called microsegmentation.
Microsegmentation lets you logically divide your data center into distinct security segments based on application and workload. This restricts an attacker’s ability to move laterally in your data center, even after your perimeter has been breached — much like safe deposit boxes in a bank vault protect the valuables of individual bank customers, even if the safe has been cracked.
Halo Segment has the following unique advantages:
- Halo Segment is independent of your infrastructure and portable between multiple infrastructures. Halo Segment works across all types of workloads—virtual machines, physical servers, and containers—and in any operating environment—data centers, public or private clouds. This is a tremendous advantage over network security products that are available from large infrastructure vendors. Their products are tied to their specific infrastructure and they require policies to be written in the language of that infrastructure. This results in inflexible policies, an explosion of network components, vendor lock-in, and a barrage of tools that you need to use to manage security.
- Halo Segment can be provisioned fast, using the same tools and processes with which IT resources are provisioned. The rise of DevOps automation and orchestration practices is driving faster application life cycles and better quality. Security needs to take advantage of the same types of automation processes. Security must be baked into the application development pipeline, not bolted on at the end.
- Halo Segment lets you design security policies based on exactly what the application needs for normal operation, and nothing more. To assist you in designing these policies, Halo Segment includes visualization tools that let you understand flow patterns, set policies and monitor for deviations.
- Halo Segment can scale elastically at the same pace as your infrastructure because Halo Segment is delivered as an on-demand service. There are no appliances to install, no servers that you need to manage.
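The following is an added illustration of the idea behind microsegmentation as described above (policy written in application terms, host firewall rules regenerated from the current inventory, and observed flows checked for deviations); it is constructed for this page and is not Halo's code. The inventory, roles, ports and the iptables-style rule format are assumptions.

```python
"""Label-based microsegmentation, constructed example (not Halo Segment's code).

The policy names application roles, never IP addresses.  Per-host firewall
rules are recomputed from the current inventory, so an IP change only
requires re-running the compiler, not editing the policy.
"""

# Constructed inventory: workload name -> (application role, current IP)
INVENTORY = {
    "web-1": ("web", "10.0.1.10"),
    "web-2": ("web", "10.0.1.11"),
    "app-1": ("app", "10.0.2.20"),
    "db-1": ("db", "10.0.3.30"),
}

# Constructed policy in application terms: (source role, destination role, TCP port)
POLICY = [("web", "app", 8080), ("app", "db", 5432)]


def inbound_rules(workload, inventory=INVENTORY, policy=POLICY):
    """Compile INPUT rules for one workload's host firewall.

    Only peers whose role the policy allows to reach this workload's role are
    whitelisted on the allowed port; everything else is dropped (default deny).
    """
    role, _ = inventory[workload]
    rules = []
    for src_role, dst_role, port in policy:
        if dst_role != role:
            continue
        for _name, (peer_role, peer_ip) in sorted(inventory.items()):
            if peer_role == src_role:
                rules.append(f"-A INPUT -p tcp -s {peer_ip} --dport {port} -j ACCEPT")
    rules.append("-A INPUT -j DROP")
    return rules


def flow_allowed(src_ip, dst_ip, port, inventory=INVENTORY, policy=POLICY):
    """Map an observed flow back to roles and check it against the policy."""
    role_by_ip = {ip: role for role, ip in inventory.values()}
    src_role, dst_role = role_by_ip.get(src_ip), role_by_ip.get(dst_ip)
    return (src_role, dst_role, port) in set(policy)


def violations(flows, inventory=INVENTORY, policy=POLICY):
    """Return observed flows (src_ip, dst_ip, port) that no policy entry permits.

    A flow between roles the policy never connects (e.g. web straight to db)
    is exactly the lateral movement that microsegmentation is meant to expose.
    """
    return [f for f in flows if not flow_allowed(*f, inventory, policy)]
```

Re-running `inbound_rules` after an IP change in the inventory yields updated rules without any change to `POLICY`, which is the property that makes this approach workable in dynamic environments.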
Multi-factor Network Authentication for Remote Network Access
This feature lets you keep your server ports and IP addresses hidden and secure while allowing temporary on-demand access for authorized users. Halo supports secure remote network access with two-factor authentication (one-time passwords delivered via SMS or email, or a YubiKey®) with no additional software or infrastructure.