Skip to main content

Security Policy User Guide 21.5

Manage Enforcement Boundaries

The topics in this section explain how to set up and manage Enforcement Boundaries in your data center.

Prerequisites and Limitations

Prerequisites

  • VENs must be installed on the workloads (must be “managed”); Enforcement Boundaries are not supported for NEN-controlled or other unmanaged workloads.

  • The VEN must be at release 21.2.0 or later.

  • Workloads must be in the Selective Enforcement state for Enforcement Boundaries to apply to them.

Limitations

  • Illumination

    In reported view, Illumination displays the traffic within the scope of an Enforcement Boundary as blocked traffic versus potentially blocked traffic. Specifically, the lines for that traffic are display in red versus yellow. In draft view, you won't see any change to the traffic and you won't see what traffic is being potentially blocked.

    Tip

    In Illumination, you can detect when a workload is in the Selective Enforcement state because its icon is a dashed line around the workload. Workloads impacted by an Enforcement Boundary must be in the Selective Enforcement policy state.

  • Explorer

    In reported view, you can detect that traffic is blocked; however, Explorer does not distinguish between traffic that is blocked because of full enforcement or because an Enforcement Boundary is in place.

  • Virtual Services

    Enforcement Boundaries do not apply to virtual services directly. Virtual services are enforced at the workload level. As a result, Enforcement Boundaries do not affect virtual services directly; instead, they affect the workloads that virtual services are comprised of.

FQDN-based Rules and Enforcement Boundaries

In Illumio Core, the PCE doesn't prevent you from creating IP lists containing FQDNs. In the PCE, you can create a segmentation rule for a consumer and an IP list. For example, you create the following IP list and segmentation rule in the PCE:

IP list 1:10.2.1.0/24

Rule 1:*.dev.illumio.com

Rule scope: IP list 1 ¬ 80 TCP ¬ Environment: Production

Result: Workloads in the Production environment will allow 80/tcp traffic outbound to both 10.2.1.0/24 and *.dev.illumio.com (whatever are the IP addresses that FQDNs matching the pattern resolve to).

FQDN-based rules are not fully supported in Enforcement Boundaries. The PCE doesn't prevent you from adding FQDNs to an IP list impacted by an Enforcement Boundary. You can use the IP list in an Enforcement Boundary. However, the PCE drops the FQDN component when an Enforcement Boundary results in an outbound deny rule to an IP list with FQDNs and the PCE writes a policy error to its log file.

Based on the example above, the Enforcement Boundary only denies traffic not previously allowed by the segmentation rule to 10.2.1.0/24 and not to FQDNs matching the *.dev.illumio.com pattern. Instead, the PCE generates the error message “partial policy delivered.”

Workflow for Deploying an Enforcement Boundary

To implement an Enforcement Boundary in your data center, complete the following tasks:

  1. Install VENs on the workloads you want to protect with an Enforcement Boundary.

    An Enforcement Boundary will only block traffic for managed workloads in the PCE. For information about installing a VEN on a host, see Workload Setup Using PCE Web Console. See also VEN Installation and Upgrade Guide for detailed information about installing VENs on hosts.

  2. Assign the correct labels to each workload.

    For exampl, you must correctly assign the Environment label to all necessary workloads to block traffic from your development environment to your production environments. See Labels and Label Groups for information.

    Tip

    Using an Enforcement Boundary to accomplish the security mandate for traffic between dev and prod is more efficient than deploying a full allowlist model because you need to roll out only the Environment label rather than defining all four label types for your workloads and in your segmentation ruleset scopes.

  3. Create segmentation rulesets and rules for the workloads you want to protect with an Enforcement Boundary.

    See Segmentation Rulesets and Rules for information.

    Warning

    Before creating an enforcement boundary, you must create the necessary segmentation rulesets and rules because traffic crosses the boundary and when you create it before putting rules in place, the PCE will drop the workload traffic until the rules are in place.

  4. For the workloads you want to block traffic, move them into the Selective Enforcement state.

    See Place a Workload in Selective Enforcement State.

  5. Create an Enforcement Boundary that specifies the labels or IP lists (any IP range or subnet) to identify which workloads will be impacted by the boundary. Additionally, the boundary specifies specific services (or all services) to block traffic for.

    See Add an Enforcement Boundary for information.

    Important

    If you have not created any segmentation rules when you add an Enforcement Boundary, the PCE web console displays a message that the boundary has 0 segmentation rules. You need to correct this issue as soon as possible.

Add an Enforcement Boundary

  1. From the PCE web console menu, choose Rulesets and Rules > Enforcement Boundaries.

  2. Click Add.

    The Create Enforcement Boundaries page appears.

  3. Enter a name for the Enforcement Boundary. Names can contain up to 255 characters.

  4. Specify the consumers and providers of the connection. For a definition of “providers” and “consumers,” see Rules.

  5. In the Providing Services field, select services to block or select Port or Port Range and enter the port numbers.

    The drop-down list contains a list of all services you have created in the PCE. See Services for the steps to add services to the PCE.

    Tip

    When selecting a providing service, you can select a specific service (or set of services) from the drop-down list. Alternatively, you can select “All Services” from the drop-down list; effectively blocking all traffic from the traffic provider. For example, you might want to block all traffic from your development environments reaching production and you'd select “All Services” for that Enforcement Boundary. See the example below.

  6. Click Save. A progress bar appears while the PCE saves the boundary.

    The Enforcement Boundary page refreshes and displays the workloads that will be impacted by the boundary once you provision it. The Workloads in Scope section also provides information about which workloads you must move to the selective enforcement state for the boundary to protect them.

  7. Provision the change. See Provisioning for information.

Example: Enforcement Boundary that blocks traffic between development and production

enforcement-boundaries-1.png

Example: Enforcement Boundary that blocks traffic originating from the WannaCry service

The following boundary blocks communication for the four ports that are part of the WannaCry service for all workloads from all the workloads.

enforcement-boundaries-2.png
Place a Workload in Selective Enforcement State

  1. From the PCE web console menu, choose Workloads and VENs > Workloads.

    The Workloads page appears.

  2. From the Enforcement state drop-down list, choose Selective.

    A confirmation dialog box appears listing the impacted workloads.

  3. Click OK.

  4. To apply the enforcement state change to these workloads, provision the state change.

Remove an Enforcement Boundary

  1. From the PCE web console menu, choose Rulesets and Rules > Enforcement Boundaries.

  2. Select the enforcement boundary you want to remove.

  3. Click Remove.

    A confirmation dialog box appears.

  4. Click Remove again to permanently delete the enforcement boundary from the PCE.

    The Enforcement Boundaries page reappears. An icon appears beside the enforcement boundary indicating that the deletion is pending.

  5. Provision the change.

See also: