Illumio Install, Configure, and Upgrade Guide 25.4

Integrate the NEN with the NVIDIA BlueField®-3 DPU featuring OVS

Note

In the NEN Guide, the term "switch" refers to both switches and routers.

This solution integrates the NVIDIA® BlueField®-3 Data Processing Unit (DPU), featuring Open vSwitch (OVS), with Illumio’s visualization tools and policy engine to prevent lateral movement and contain threats in real time to and from managed host VMs or within operational technology (OT) environments.

How it works

For configuration details, see OVS integration steps.

  1. Deploy the Illumio Network Enforcement Node (NEN) on a CentOS or RHEL workload within the supervisory layer of your OT environment, and pair it with your Policy Compute Engine (PCE).

  2. Configure the NEN to receive flow data from the OVS running on the DPU. The NEN forwards this data to the PCE, where you can visualize it using built-in tools.

  3. Use the PCE’s visualization tools to analyze traffic flowing through the switch and define your security policy. The NEN translates this policy into Access Control Lists (ACLs) for distribution to the OVS for enforcement.

  4. After the NEN-generated ACLs are loaded onto the OVS, enforcement occurs at the DPU to control traffic at the switch interface.

  5. The DPU’s hardware offload capabilities accelerate policy enforcement, enabling OVS to apply security rules with high efficiency and minimal latency.

Key benefits
  • Integrating the NEN with OVS enables visibility and policy enforcement for traffic within and between IT and OT layers, allowing you to visualize all traffic to and from OT systems. Illumio’s flexible labeling architecture helps you understand how your assets communicate. NEN-generated ACLs convert your segmentation policies into ACLs that you install on the OVS to secure your OT/IT infrastructure.

  • Integrating the NEN with OVS through the PCE API is simple: enter the IP address and credentials for the OVS switch (see note below) and the NEN automatically discovers the switch configuration, programs flow monitoring on the switch, discovers and creates workloads in the PCE, and programs the ACLs on the OVS.

    Important

    The user credentials you provide for the OVS must allow access to the ovs-vsctl and ovs-ofctl commands either through the user login or password-less sudo access.

  • Microsegmentation and policy enforcement tasks are offloaded from the CPU to the DPU to minimize the impact on application performance.

Limitation
  • Only generates IPv4 port, protocol, and IP address rules.

Prerequisites
Specifications

Supported flow data monitoring protocols:

  • sFlow

  • NetFlow (beginning in NEN 2.7.0)

  • IPFIX (beginning in NEN 2.7.0)

OVS integration steps
  1. Install the NEN on a CentOS or RHEL workload in your OT environment. See Install and Activate the NEN.

  2. Pair and activate the NEN. See Obtain a Pairing Key and Activate the NEN.

  3. Configure OVS to communicate with the NEN.

    Important

    The user credentials you provide for the OVS must allow access to the ovs-vsctl and ovs-ofctl commands either through the user login or password-less sudo access.

    See: Configure Switches for the NEN or NEN Switch Configuration Using REST API.

  4. Define security policy, generate ACLs, and send ACLs to the OVS. See Apply Policy for Switches.
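A pre-check script for the OVS side of this procedure (an added example, not Illumio or Open vSwitch tooling): it confirms the account can run ovs-vsctl and ovs-ofctl directly or through password-less sudo, checks whether the switch's sFlow, NetFlow or IPFIX export targets the NEN, and counts IPv6 flow entries, which fall outside the NEN's IPv4-only ACLs. The bridge name br0 and NEN address 10.0.0.5 are assumed values.

```shell
#!/bin/sh
# Added pre-check for the NEN/OVS integration on the DPU host (hypothetical
# helper, not Illumio or OVS tooling). Bridge name and NEN IP are assumptions.

# Print the prefix needed to run OVS commands: "" if the login can run them
# directly, "sudo -n" if password-less sudo works; fail if neither does.
ovs_prefix() {
  for p in "" "sudo -n"; do
    if $p ovs-vsctl --version >/dev/null 2>&1 && $p ovs-ofctl --version >/dev/null 2>&1; then
      echo "$p"; return 0
    fi
  done
  echo "no direct or password-less sudo access to ovs-vsctl/ovs-ofctl" >&2
  return 1
}

# Given `ovs-vsctl list <sFlow|NetFlow|IPFIX>` output ($1), succeed if a
# collector target points at the NEN address ($2) on any port.
monitor_targets_nen() {
  printf '%s\n' "$1" | grep -E '^targets? *:' | grep -qE "\"$2:[0-9]+\""
}

# Given `ovs-ofctl dump-flows <bridge>` output ($1), print how many flow
# entries match IPv6 traffic. NEN-generated ACLs cover IPv4 only, so these
# flows are outside NEN policy and need another control.
ipv6_flow_count() {
  printf '%s\n' "$1" | grep -cE '(^|[ ,])(ipv6|tcp6|udp6|icmp6)([ ,]|$)' || true
}

# Run on the DPU host: verify access, the flow export target and IPv6 coverage.
nen_ovs_precheck() {
  bridge=$1 nen_ip=$2
  prefix=$(ovs_prefix) || return 1
  for table in sFlow NetFlow IPFIX; do
    if monitor_targets_nen "$($prefix ovs-vsctl list "$table" 2>/dev/null)" "$nen_ip"; then
      echo "$table on this switch exports to the NEN at $nen_ip"
    fi
  done
  n=$(ipv6_flow_count "$($prefix ovs-ofctl dump-flows "$bridge")")
  echo "$n IPv6 flow entries on $bridge are not covered by NEN IPv4 ACLs"
}
# Example invocation with assumed values: nen_ovs_precheck br0 10.0.0.5
```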