Segmentation Templates
Applications can be a complex set of services and processes, with different components that communicate with other applications. For example, you might find an application in your Illumination map that has many processes communicating through several ports to connect to and receive connections from Active Directory. Some of these processes, such as Netlogon, can use 10,000 or more dynamic ports while communicating with Active Directory. The ports that are used at any given time can be unpredictable. Creating security policy for these types of applications is a complex and time-consuming endeavor.
Overview of Segmentation Templates
To deliver Segmentation Templates, Illumio drew on its knowledge of enterprise applications, such as Active Directory, Exchange, and SharePoint, and of the services and processes that these applications use.
Illumio Segmentation Templates are prepackaged, tested security policies that provide all the rules needed for common enterprise applications. They can be deployed in minutes, reducing the time it takes to protect key computing assets. They simplify the definition and implementation of security policy while reducing errors and preventing security gaps for widely used, business-critical applications.
Each Segmentation Template serves two purposes. First, Illumio customers can see an example of how to add the security policies required to protect the application in question. Second, customers can use the Segmentation Template as designed to secure the application quickly in their organization.
When you install a Segmentation Template, the PCE web console automatically adds the necessary policy objects (such as services, rulesets, and labels) to allow the communication required for that application.
Catalog Retrieved from Support Portal
When you go to the Segmentation Templates page, the PCE web console automatically retrieves the latest Segmentation Templates catalog from the Illumio Support portal and displays it in the web console.

To manually locate the catalog on the Illumio Support portal:
From the PCE web console menu, choose Policy Objects > Segmentation Templates.
A dialog box appears prompting you to log into the Illumio Support portal. (While you are logged into the PCE web console, you only have to log into the Illumio Support portal once.)
Click Log In and, if prompted, enter your Illumio Support portal username and password. (Illumio Secure Cloud customers are automatically logged into the Illumio Support portal.)
Note
Internet connectivity is not required to use the Segmentation Templates. When you are connecting to the PCE web console from a device that does not have internet connectivity, you must access the Illumio Support portal from another device that has internet connectivity and download the templates locally to that device before you can use them.
The Illumio Support portal automatically redirects you back to the Segmentation Templates page and the templates appear in the page. The templates are organized by operating system.
To view the contents of a Segmentation Template, click its name or icon.
The Segmentation Template details page describes the template and lists all the policy objects that belong to the template. Policy objects appear as hyperlinks when they have already been installed by another template. (Templates can share policy objects.)
Features of Segmentation Templates
Segmentation Templates share the following key features.
Template Contents
Each Segmentation Template adds an associated group of unique, non-overlapping, predefined services, and can contain any of the following policy objects:
Labels
Label groups
IP lists
Rulesets
Some templates contain all of the rulesets, services, and labels needed to secure a given application. Other templates contain port-based service definitions only.
Dynamic Processes and Ports
Using Segmentation Templates is especially useful in Microsoft environments, which must accommodate a range of dynamically used ports for RPC. Other Microsoft applications, such as Active Directory, require opening dynamic port ranges. Rather than opening only the ports in use, network-based solutions leave open an entire range of ports, effectively leaving the security environment wide open.
The Illumio PCE is service and process aware. Because of this, installing Segmentation Templates can protect applications that use dynamic processes (like Netlogon) and add the correct policy to open only the ports that are active at a given time.
Segmentation Templates are designed to use the specific processes and path used by the server rather than dynamic ports and apply the exact set of fine-grained rules required for protection.
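The contrast described above, as an added example that is not Illumio code and does not use the PCE policy format: a small model that evaluates the same set of listeners under a port-range rule and under a process-based rule. The rule classes, the listener paths and port numbers are constructed for illustration, and the dynamic range is assumed to be the Windows default of 49152-65535.

```python
from dataclasses import dataclass

# Assumption of this example: the default Windows dynamic RPC port range.
DYNAMIC_RANGE = range(49152, 65536)

@dataclass(frozen=True)
class Listener:
    process: str   # full path of the listening process
    port: int      # TCP port it is currently bound to

@dataclass(frozen=True)
class PortRangeRule:
    ports: range
    def allows(self, listener: Listener) -> bool:
        # Port-only view: any process bound inside the range is reachable.
        return listener.port in self.ports

@dataclass(frozen=True)
class ProcessRule:
    process: str
    def allows(self, listener: Listener) -> bool:
        # Process-aware view: only the named binary is reachable,
        # on whatever port it holds at the moment.
        return listener.process.lower() == self.process.lower()

def reachable(rule, listeners):
    """Return the listeners that inbound traffic may reach under `rule`."""
    return [l for l in listeners if rule.allows(l)]

def open_ports(rule, listeners):
    """Number of ports the rule leaves open on this host."""
    if isinstance(rule, PortRangeRule):
        return len(rule.ports)
    return len({l.port for l in listeners if rule.allows(l)})

# Constructed sample: listeners on a hypothetical domain controller.
LSASS = r"C:\Windows\System32\lsass.exe"   # process hosting Netlogon
LISTENERS = [
    Listener(LSASS, 49670),
    Listener(LSASS, 49712),
    Listener(r"C:\Temp\unexpected.exe", 50123),  # not part of the application
]

if __name__ == "__main__":
    for rule in (PortRangeRule(DYNAMIC_RANGE), ProcessRule(LSASS)):
        print(type(rule).__name__, open_ports(rule, LISTENERS),
              [l.port for l in reachable(rule, LISTENERS)])
```

Under the range rule all 16,384 ports stay open and the unexpected listener is reachable; under the process rule only the two ports currently held by the named process are open.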
Sharing Policy Objects
Services, labels, label groups, and IP lists can be used by more than one Segmentation Template. However, a ruleset is never used by multiple templates.
Identifying Policy Objects Added by Templates
You can identify all objects added to the PCE that are part of Segmentation Templates. In the External Data Set field of the object's details page, the PCE identifies these policy objects by labeling them using the following convention:
IST - type_of_object
(Where IST stands for Illumio Segmentation Template)
Additionally, the PCE provides full names to increase readability. For example, "IST - [AD] - Client to Domain Controller" appears as "IST - Active Directory Client to Domain Controller."