
Security Policy Guide 23.2

AdminConnect

Relationship-based access control rules often use IP addresses to convey identity. This authentication method can be effective, but in certain environments establishing identity from IP addresses is not advisable.

When you enforce policies on servers for clients that frequently change their IP addresses, the policy enforcement points (PEPs) must continuously update security rules to accommodate IP address changes. These frequent changes can cause performance and scaling challenges, and the IP sets of protected workloads can become unstable.

Additionally, using IP addresses for authentication is vulnerable to IP address spoofing. For example, server A is allowed to connect to server B because the PEP at server B uses the source IP address in the packets to decide whether a connection originates from server A. In some environments, however, bad actors can spoof that IP address, causing the PEP at server B to mistake their connection for one from server A.

Illumio designed its AdminConnect (Machine Authentication) feature with these environments in mind. Using AdminConnect, you can control access to network resources based on Public Key Infrastructure (PKI) certificates. Because the feature is based on the cryptographic identity associated with the certificates, and not IP addresses, mapping users to IP addresses (common in firewall configurations) is not required.

With AdminConnect, a workload can use the certificate-based identity of a client to verify its authenticity before allowing it to connect.

Features of AdminConnect

Cross Platform

Microsoft Windows provides strong support for access control based on PKI certificates assigned to Windows machines. Modern data centers, however, must support heterogeneous environments. Consequently, Illumio designed AdminConnect to support both Windows and Linux servers, as well as Windows laptop clients.

AdminConnect and Data Encryption

When AdminConnect is the only feature enabled, data traffic does not use ESP encryption. The data remains in clear text even though it is encapsulated in an ESP packet.

The ESP packets are encrypted when AdminConnect and SecureConnect are enabled for a rule.

Ease of Deployment

Enabling AdminConnect for identity-based authentication is easy because it is a software solution that does not require deploying network choke points, such as firewalls. It also does not require you to deploy expensive solutions such as Virtual Desktop Infrastructure (VDI) or bastion hosts to control access to critical systems in your data centers.

AdminConnect Prerequisites and Limitations

Prerequisites

You must meet the following prerequisites to use AdminConnect:

Limitations

You cannot enable AdminConnect for the following types of rules:

  • Rules that use All services

  • Rules with virtual services in sources or destinations

  • Rules with IP lists as sources or destinations

  • Stateless rules

AdminConnect is not supported in these situations:

  • AdminConnect does not support “TCP -1” (TCP all ports) and “UDP -1” (UDP all ports) services.

  • You cannot use Windows Server 2008 R2 or earlier versions as an AdminConnect server.

  • Windows Server does not support more than four IKE/IPsec security associations (SAs) concurrently from the same Linux peer (IP address).