COMPARISON GUIDE Compare Illumio Core to Guardicore Centra


Inline agents, multi-tiered deployment models, and cumbersome rulesets make host-based segmentation deployments needlessly complex and risky. Guardicore’s host-based segmentation solution offers capabilities that help you achieve the goal of segmentation, but with hard-to-manage rulesets and more complex agent and deployment models, achieving Zero Trust and segmentation is not possible.

MICRO-SEGMENTATION

Policy workflow

Illumio Core:
• Policy creation workflow is streamlined based on the application, with easy actions based on live flows in the map.

Guardicore Centra:
• Policy must be designed manually to start – rules are written manually like a traditional firewall.
• Interactive rule writing from map and flows is complex and difficult to track.
• Rules with IP lists program workloads as well, making policy writing difficult.

Rule limits

Illumio Core:
• No feasible limit since you are leveraging native stateful firewall.

Guardicore Centra:
• 1k rules per endpoint.
• 12k objects per rule.

Ruleset design

Illumio Core:
• Scoped rulesets are specific to applications, environments, and locations.
• True Zero Trust allowlist policy model.
• Label-based rules for ease of understanding.

Guardicore Centra:
• Monolithic ruleset which is evaluated sequentially in sections.
• Label-based rules are possible, but operationally it can become difficult to keep track of where rules apply as the rules get longer.

Policy revisioning

Illumio Core:
• Full revisioning with details on every change made with each revision.

Guardicore Centra:
• No revision details. Versioning is present but contains no details on changes made.

Enforcement

Illumio Core:
• Programs the host’s native stateful firewall.
• Does not impact data path.

Guardicore Centra:
• Proprietary stateless firewall uses kernel hooks to collect data and enforce rules.
• Agent is inline with traffic, making it a point of failure for security – if it goes down, it will take all the security with it.

Automated rule writing

Illumio Core:
• Use Policy Generator to generate optimal rulesets in minutes.

Guardicore Centra:
• Semi-automated rule writing is operationally hard to use with the custom maps.
• Ringfencing or micro-segmentation only – no automated tier-to-tier segmentation.
• No ability to exclude rules during the automated creation.

100% confident ruleset creation

Illumio Core:
• Yes – discrete deployment modes include build, test, and enforce to ensure confidence in the ruleset.

Guardicore Centra:
• No – requires adjusting ruleset to attempt validation.

Non-disruptive deployment modes

Illumio Core:
• Three individual modes – build, test, and enforce – allow testing and modeling the entire policy before enforcing. This ensures no loss of communications during deployment.

Guardicore Centra:
• Agents are always enforcing. To validate rules, they need to be moved around the ruleset. This adds increased complexity and risk.


VISIBILITY

Maps

Illumio Core:
• Live high-fidelity global map with automated application grouping for precise visibility.
• Ability to overlay vulnerabilities from scanners and quantify risk.

Guardicore Centra:
• Static map that must be based on traffic criteria and filters.
• Map data may be delayed or stale at time of generation.

Network logs

Illumio Core:
• Robust and precise Explorer-based queries to collect exactly what details you need on live traffic flows.
• Visually represent flows in parallel graphic to easily understand.
• Saves searches for repeated use.

Guardicore Centra:
• Filter-based queries.
• Can save filters for repeated use.

Workloads

Illumio Core:
• Single view of all workloads and details, and can filter on labels.
• Create unmanaged workloads to monitor flows at will for hosts without the agent.

Guardicore Centra:
• Single view of all workloads and details, and can filter on labels.
• Unmanaged workloads require third-party API integration, so if the integration goes down, the workload disappears, which can impact rules and security.

OPERATIONS

Role-based access control (RBAC)

Illumio Core:
• Full RBAC and application owner control.

Guardicore Centra:
• RBAC is present but limited application owner views as a result of single monolithic ruleset.

Agent

Illumio Core:
• Lightweight agent on the host.

Guardicore Centra:
• Heavyweight agent that manipulates the kernel and needs safeguards to stop CPU/MEM spikes.

Architecture

Illumio Core:
• Centralized control and distributed enforcement.
• Hosts communicate directly with the Policy Compute Engine.

Guardicore Centra:
• Centralized control and distributed enforcement, however all agents must communicate through a proxy to report flows and receive policy.

OS support

Illumio Core:
• Wide-ranging Windows, Linux, AIX, Solaris.

Guardicore Centra:
• Wide-ranging Windows, Linux, AIX, Solaris (specific kernel versions are required).

Performance impact

Illumio Core:
• Lightweight – near zero footprint.

Guardicore Centra:
• Heavyweight – if guardrails are not put in place, depending on traffic profile, the agent could overrun the system.

Labeling

Illumio Core:
• Four-dimensional, business logic labels to provide the most application context.

Guardicore Centra:
• “Infinite” number of labels, however no ability to stack labels (multiple roles).

Dynamic labeling

Illumio Core:
• Static labels can be ingested from trusted source or created in the platform itself.

Guardicore Centra:
• Based on hostname or IP address.
• The labels will constantly change, so if IPs are changing or device hostname changes, it will automatically lose or gain labels and, as a result, may lose critical security policy.


About Us

Illumio enables organizations to realize a future without high-profile breaches by preventing the lateral movement of attackers across any organization. Founded on the principle of least privilege in 2013, Illumio provides visibility and segmentation for endpoints, data centers or clouds. The world’s leading organizations, including Morgan Stanley, BNP Paribas, Salesforce, and Oracle NetSuite, trust Illumio to reduce cyber risk. For more information, visit www.illumio.com/what-we-do.

The GARTNER PEER INSIGHTS Logo is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the views of Gartner or its affiliates.

Illumio, Inc. 920 De Guigne Drive, Sunnyvale, CA 94085, Tel (669) 800-5000, www.illumio.com. Copyright © 2020 Illumio, Inc. All rights reserved. This document is protected by U.S. and international copyright and intellectual property laws. Illumio’s products and services are protected by one or more U.S. and international patents listed at https://www.illumio.com/patents. Illumio® is a trademark or registered trademark of Illumio, Inc. or its affiliates in the U.S. and other countries. To review a list of Illumio’s trademarks, go to https://www.illumio.com/trademarks. Third-party trademarks mentioned in this document are the property of their respective owners.
