
Security Policy Guide 24.5

Illumio Policy Enforcement Model

Illumio employs an allowlist security model. By default, workload-to-workload communication is blocked unless explicitly permitted by defined Illumio policy rules. Administrators create these explicit rules to allow only necessary traffic, significantly enhancing security.

Why Use Selective Enforcement?

Deploying the allowlist model universally and simultaneously can be challenging or disruptive. Illumio addresses this by providing selective enforcement, an intermediate enforcement state that allows a gradual security rollout.

Selective Enforcement provides:

  • Gradual Security Implementation: Smooth transition from open ("Idle" or "Visibility-only") states to full enforcement ("Full Enforcement").

  • Targeted Visibility: Enforcement focused on selected services and ports via labels or groups while other services remain in visibility mode.

  • Rapid Threat Response: Immediate enforcement on vulnerable or critical ports/services without impacting entire workloads.

Applying Selective Enforcement

Selective Enforcement mode is configured per workload using labels or groups of labels.

When Selective Enforcement is activated:

  • Enforced Ports and Services: Active enforcement of security rules; explicitly permitted inbound traffic only.

  • Visibility-Only Ports and Services: No active blocking, but communication is monitored and logged.

Workload behavior under Selective Enforcement:

  • Enforced Ports: Permits only explicitly allowed inbound traffic according to defined policy rules; all other traffic is blocked.

  • Visibility-Only Ports: Traffic remains unblocked but is actively monitored and logged.

How Selective Enforcement Works

Selective enforcement is applied individually per workload through labels or label groups.

When enabled:

  • Enforced Ports/Services: Security rules are actively enforced; only explicitly permitted traffic passes.

  • Other Ports/Services: Remain in visibility-only mode; traffic is monitored but not blocked.

Workload Behavior under Selective Enforcement:

  • Selective Enforcement (Enforced Ports): Only explicitly permitted inbound traffic is allowed. All other inbound traffic to these ports is blocked.

  • Visibility-only (Other Ports): Traffic continues normally but is monitored and logged.

Enforcement Progression Model

Selective Enforcement is a crucial step in Illumio's structured enforcement progression:

Idle (Visibility-only) → Selective Enforcement → Full Enforcement

where

  • Idle: Visibility and monitoring only; there is no enforcement.

  • Selective Enforcement: Partial enforcement on chosen ports/services.

  • Full Enforcement: Complete allowlist enforcement on all ports/services.

This structured approach simplifies secure policy implementation and offers flexibility in managing risk and operational complexity.

Use Cases and Limitations

Basic use cases for Selective enforcement are:

  • Incremental Policy Rollout: Enables gradual policy introduction, reducing risks to critical systems.

  • Rapid Security Response: Quickly enforce specific critical or vulnerable ports/services policies.

Selective enforcement only applies to inbound (provider-side/ingress) traffic, controlling incoming requests to protected workloads. It does not control outbound traffic from workloads.

Selective Enforcement Mode Limitations

Limitations of Selective Enforcement are grouped as follows:

  • Directional Enforcement, where Selective enforcement operates only on inbound traffic.

    • Inbound Policy (Destination-centric): Manages incoming traffic to workloads.

    • Outbound Policy (Source-centric): Manages outgoing traffic from workloads.

  • Managed Workloads Only: Selective enforcement is available only for workloads managed directly by Illumio.

    • Managed workloads are supported.

    • Unmanaged workloads or workloads managed via Network Enforcement Nodes (NEN) cannot utilize selective enforcement.

  • Impact on Virtual Services: Selective enforcement does not apply directly to virtual services as a single entity.

    Instead, policies must target individual workloads within virtual services. Enforcement is applied at the workload level within virtual services.

    Virtual services themselves are not directly enforced.

Workload Enforcement States

Workload policy modes determine how Illumio rules impact workload network communications. Illumio provides four policy modes.

The enforcement state displayed in the Policy Compute Engine (PCE) indicates the desired state for the next policy update. Failure to apply this state successfully will result in a Policy Sync error.

Idle Enforcement State

This state is typically used during initial VEN installation or activation. Its characteristics are:

  • No firewall rule enforcement.

  • Collects and reports network traffic data every 10 minutes.

  • Reports OS compatibility every four hours.

  • Immediately reports network interface configuration changes.

SecureConnect Rules and Visibility-Only State

Note

SecureConnect rules are only applied to workloads where the VEN is in a non-idle enforcement state.

However, unlike other rules, SecureConnect requires matching rules to be applied to workloads on both sides of any connection. Therefore, SecureConnect traffic is not supported between two workloads where a VEN on either side is in an idle state.

For SecureConnect rules in visibility-only state, it is essential to keep in mind that these rules are:

  • Applicable only to workloads in a non-idle state (Visibility-only, Selective, or Full Enforcement).

  • Matching rules are required on both source and destination workloads.

  • Unsupported for workloads in Idle state.

The visibility-only state offers no enforcement and represents continuous monitoring and reporting of network traffic. It is ideal for initial policy planning and traffic analysis. However, it may disrupt applications dependent on NAT or IP forwarding.

Blocked + Allowed Logging Mode

This mode provides detailed logging of:

  • Allowed traffic (explicitly permitted by rules).

  • Blocked traffic (explicitly denied or not explicitly permitted).

  • Unlocked traffic (permitted without explicit rules).

Visibility Options by Enforcement Mode

These options are available for the selective and full enforcement modes:

Selective Enforcement Mode

Selective enforcement provides:

  • Off—There is no logging. The VEN does not collect any information about traffic connections. This option provides no Illumination detail and demands the least amount of system resources from a workload.

  • Blocked—Logs only blocked traffic. The VEN collects only the blocked connection details (source IP, destination IP, protocol, source port, and destination port), including all dropped packets. This option provides less Illumination detail than Blocked + Allowed but demands fewer system resources from a workload.

  • Blocked + Allowed—Logs both allowed and blocked traffic. The VEN collects connection details (source IP, destination IP, protocol, source port, and destination port) for both allowed and blocked connections. This option provides rich Illumination detail but requires some system resources from a workload.
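To make the interaction between the enforcement states (Idle, Visibility-only, Selective, Full), the inbound-only scope of selective enforcement, and the visibility options above concrete, here is an added Python model of the page's decision rules. It is not Illumio's code; `Workload`, `is_enforced`, `is_logged`, `decide` and `secureconnect_supported` are names assumed for the example.

```python
# Added illustration of this page's enforcement states; not Illumio code.
# All names (Workload, decide, ...) are assumptions made for the example.
from dataclasses import dataclass

IDLE, VISIBILITY, SELECTIVE, FULL = "idle", "visibility_only", "selective", "full"
OFF, BLOCKED, BLOCKED_ALLOWED = "off", "blocked", "blocked_allowed"

@dataclass(frozen=True)
class Workload:
    mode: str                                 # one of the four states above
    visibility: str = BLOCKED_ALLOWED         # logging option (selective/full)
    enforced_ports: frozenset = frozenset()   # ports enforced in selective mode
    allow: frozenset = frozenset()            # permitted (source_label, port)

def is_enforced(wl: Workload, port: int, inbound: bool = True) -> bool:
    """Is traffic on this port actively enforced (i.e. can it be blocked)?"""
    if wl.mode == FULL:
        return True                           # allowlist on every port
    if wl.mode == SELECTIVE:
        # Selective enforcement is inbound-only and limited to chosen ports.
        return inbound and port in wl.enforced_ports
    return False                              # idle / visibility-only never block

def is_logged(wl: Workload, verdict: str) -> bool:
    """Would the VEN record this flow under the workload's visibility option?"""
    if wl.mode in (IDLE, VISIBILITY):
        return True                           # these states only monitor/report
    if wl.visibility == OFF:
        return False                          # no flow collection at all
    if wl.visibility == BLOCKED:
        return verdict == "blocked"           # dropped connections only
    return True                               # Blocked + Allowed: every flow

def decide(wl: Workload, src_label: str, port: int) -> tuple[str, bool]:
    """Verdict for an inbound flow from `src_label` to `wl` on `port`, plus
    whether it is logged. 'potentially_blocked' means no rule matches but
    the port is not enforced, so the traffic still passes (and is monitored)."""
    permitted = (src_label, port) in wl.allow
    if permitted:
        verdict = "allowed"
    elif is_enforced(wl, port):
        verdict = "blocked"
    else:
        verdict = "potentially_blocked"
    return verdict, is_logged(wl, verdict)

def secureconnect_supported(a: Workload, b: Workload) -> bool:
    """SecureConnect needs matching rules and a non-idle VEN on both sides."""
    return a.mode != IDLE and b.mode != IDLE
```

With a selectively enforced workload that enforces ports 22 and 443 and logs only blocked flows, an unmatched flow to 22 is blocked and logged while an unmatched flow to 8080 passes, unlogged, as potentially blocked.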

Full Enforcement Mode

Full enforcement blocks all non-explicitly allowed traffic, providing the highest security level.

Visibility options mirror Selective Enforcement:

  • Off

  • Blocked

  • Blocked + Allowed

  • Enhanced Data Collection – Detailed logs with traffic flow metadata.

Full enforcement is recommended after successful testing and validation of the allowlist model.

Enhanced Data Collection

Enhanced data collection is available only in the Full enforcement mode.

Enhanced Data Collection allows the VEN to log byte counts and connection details for Allowed, Blocked, and Potentially Blocked traffic.
