Agentless Micro Segmentation: How Does ShieldX Do It?

Ratinder Ahuja

December 21, 2018

At a recent trade show, I was asked: “How does ShieldX implement agentless micro segmentation?” Not coincidentally, Gartner recently published a research note (login required) that singled out ShieldX for its agentless technology, correctly describing us as “microservices-based micro segmentation.”

How do we do it? ShieldX uses a network-based architecture: we insert into multi-cloud environments to collect and inspect infrastructure traffic for visibility, analytics and security control, instead of relying on endpoints (agents). Agentless traffic inspection is implemented with an overlay network, and insertion is handled by the Segment Interface (SI) microservice. In a VMware ESXi environment, we attach SIs to a trunk tap for Tap Mode and use Layer 2 VLAN bridging to the SIs for Inline and Microsegmentation Mode. In an Azure environment, we use Flow Inspectors (FI), placed inline as the NAT provider for north/south (N/S) traffic, and steer east/west (E/W) traffic between workloads through them with User Defined Routes (UDR). In an AWS environment, the FI is likewise the NAT provider for N/S traffic, and E/W traffic is steered with network encapsulation and route entries. This places us in the “Goldilocks Zone”: not on the system itself (too close), where agents make deployment, upgrades, testing and maintenance harder, and not only at the network perimeter (too far), where traffic cannot be rerouted and steered in a timely and effective way. That makes ShieldX the “just right” solution for all of your micro segmentation and cloud security needs.
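To make the UDR-based insertion concrete, here is an added illustration (example code written for this page, not ShieldX's own software) of how a route table steers E/W and N/S traffic through an inline inspector, together with the two checks a practitioner verifies in such a deployment: that inter-subnet flows actually pass the inspector, and that the inspector's own subnet is not handed the same table (which sends its forwarded packets straight back to itself). All subnets, the inspector address and the route entries are constructed; the model also assumes that traffic between two addresses in the same subnet is delivered directly without consulting the route table.

```python
import ipaddress

# Constructed topology (not from the page): an inspector subnet and two
# workload subnets inside one 10.0.0.0/16 network.
SUBNETS = {
    "inspector": ipaddress.ip_network("10.0.0.0/24"),
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "db": ipaddress.ip_network("10.0.2.0/24"),
}
INSPECTOR_IP = "10.0.0.4"  # assumed address of the inline flow inspector

# Route entries: (prefix, next-hop type, next-hop address).
# "VirtualAppliance" forwards to the given address; any other type is
# treated as direct delivery (a platform/system route) in this model.
WORKLOAD_ROUTES = [
    ("10.0.0.0/16", "VirtualAppliance", INSPECTOR_IP),  # E/W: all intra-network traffic
    ("0.0.0.0/0", "VirtualAppliance", INSPECTOR_IP),    # N/S: inspector is the NAT hop
]
# Wrong: the inspector's own subnet reuses the workload table, so packets the
# inspector forwards match 10.0.0.0/16 and are sent back to the inspector.
LOOPING_TABLES = {"inspector": WORKLOAD_ROUTES, "web": WORKLOAD_ROUTES, "db": WORKLOAD_ROUTES}
# Corrected: the inspector's subnet delivers to the network directly.
INSPECTOR_ROUTES = [("10.0.0.0/16", "VnetLocal", None), ("0.0.0.0/0", "Internet", None)]
STEERING_TABLES = {"inspector": INSPECTOR_ROUTES, "web": WORKLOAD_ROUTES, "db": WORKLOAD_ROUTES}


def subnet_of(ip):
    """Name of the constructed subnet containing ip."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in a known subnet")


def longest_match(routes, dst):
    """Longest-prefix match, the lookup rule cloud route tables apply."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop)
    return best


def trace(src, dst, tables, max_hops=8):
    """Follow a packet from src to dst and return the list of hops it takes.

    Modeling assumption: traffic between two addresses in the same subnet is
    delivered directly, without consulting the route table. Raises
    RuntimeError if the packet is still bouncing after max_hops (a loop).
    """
    path, cur = [], src
    for _ in range(max_hops):
        cur_subnet = subnet_of(cur)
        if ipaddress.ip_address(dst) in SUBNETS[cur_subnet]:
            path.append(("deliver", dst))
            return path
        route = longest_match(tables[cur_subnet], dst)
        if route is None or route[1] != "VirtualAppliance":
            path.append(("deliver", dst))
            return path
        path.append(("inspect", route[2]))
        cur = route[2]
    raise RuntimeError(f"routing loop between {src} and {dst}: {path}")


def is_inspected(src, dst, tables):
    """True when the flow passes the inspector at least once."""
    return any(hop == "inspect" for hop, _ in trace(src, dst, tables))


def has_loop(src, dst, tables):
    """True when the tables bounce the flow forever instead of delivering it."""
    try:
        trace(src, dst, tables)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(trace("10.0.1.10", "10.0.2.20", STEERING_TABLES))        # E/W via inspector
    print(is_inspected("10.0.1.10", "10.0.1.11", STEERING_TABLES))  # same subnet: not steered
    print(has_loop("10.0.1.10", "10.0.2.20", LOOPING_TABLES))       # the misconfiguration
```

The intra-subnet case is the part worth testing in a real deployment: a route table only sees traffic that leaves the subnet, so two workloads that must be separated from each other need to sit in different subnets (or be covered by another insertion mode) for routing-based steering to give the inspector a look at their traffic.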

But what is the most important impact? Frictionless deployment and maintenance, with no additional testing at every upgrade. I always say the proof is in the pudding: in their review of ShieldX, Alaska Airlines noted: “We evaluated vArmour and Illumio. They didn’t meet our requirements. ShieldX is a superior solution.” We deploy in a few hours or less and immediately begin to provide a full set of security controls and automated micro segmentation. Longer term, managing the perpetual flux of an ever-changing network means that, with machine learning, making changes to a micro-segmented network is easy. Again, quoting our customer: “The Adaptive Intention Engine is fantastic. It allows us to develop security policies using the language of our internal customers. It’s machine-learning applied to security workflows. That allows us to much more easily construct the policies that will protect those workflows.”