Types of Illumio Policy
This section explains the differences between adaptive and static policy in the Illumio Core.
Scopeless Policies
Scopeless policies are used in special cases where a rule needs to be applied broadly across all or large groups of workloads in a network.
You can write rules freely using specific labels without restrictions. If labels are excluded in a category, it defaults to "All" to include workloads without labels.
Scopeless policies require caution, as mistakes can open broader communications than intended. For example, a Default ruleset might permit specific ports for all workloads.
Scope-based Policies
Scope-based policies can be broad or specific and are the preferred method for writing policy rules.
Scope-based policies restrict how broadly rules are applied, limiting the impact of mistakes. However, the restrictive scope also limits how broadly rules can be written.
Single Scope Policies
Single-scope policies are the most commonly used policy type.
They narrow the list of workloads rules apply to and allow cross-communication within the scope.
Single-scope policies are commonly used to write rules for:
Specific app group
Broader policy such as a core service policy for an environment
Broader policy for a location
Advanced Scope Policies
Advanced scope policies can be grouped into:
Multi-Scope Policies
These policies apply the same rules to many different groups of workloads, treating each scope as an independent policy.
They apply the same set of rules to multiple groups of workloads, one scope at a time. Then, they proceed to the next scope and repeat the process for the remaining scopes.
Single-scope Policies
These policies narrow the list of workloads to which the rules apply and allow cross-communication within the scope.
Static and Staged Policies
This section explains the static and staged policy in the Illumio Core.
Static Policy
Static Policy allows administrators to stage policy updates on workloads matching a defined label-based scope. These workloads will receive but not apply new firewall rules until manual approval (via Apply Policy action in the UI or API).
For most of your workloads, adaptive security is the best method for protecting them from the lateral spread of threats. By default, the Illumio Core implements adaptive security for your workloads in all roles, all applications, all environments, and all locations.
However, in certain scenarios, you might want to control when the VENs apply new or changed OS-level firewall rules to workloads. Using labels, you designate which workloads are impacted by static policy. See Apply Static Policy for the steps to configure static policy using labels.
When you configure the Policy Update Mode for workloads to use static policy, you control when the Illumio VENs running on the workloads apply new OS-level firewall rules that they received from the PCE. The Illumio Core blocks the immediate application of new firewall rules that result from users provisioning policy changes in the PCE and from dynamic updates to firewall rules (adaptive policy) when your environment changes. For example, you add a new rule to a ruleset in the PCE and provision the change, or a change occurs in your environment, such as a workload changing its IP address. In both cases, the VENs for your impacted workloads receive the new OS-level firewall rules from the PCE but they do not apply them until you explicitly select the workloads and click Apply Policy in the PCE web console.
See Staged Policy for information about how it uses static policy and stages OS-level firewall updates rather than applying them immediately.
You should view static policy as a Security Setting rather than a type of security policy because configuring workloads to use static policy is a mechanism to control when VENs apply new or updated OS-level firewall rules to affected workloads. You can use the static policy setting to establish an audit trail of which Illumio users apply new OS-level firewall rules to workloads and when they apply them.
Use Cases for Static Policy
By default, the PCE is set to apply security policy updates dynamically through adaptive policy. However, scenarios occur where you want to control when updates to the OS-level firewall rules are applied to workloads.
For example, you might want to control when these updates occur in the following scenarios:
Corporate policy for business-critical applications requires oversight on when updates to the OS-level firewall rules are applied to workloads.
For example, a financial institution requires that its security team explicitly control security updates to its transaction processing application. The security team authorizes the date and time of the update and applies it in the Illumio PCE.
The corporate IT team has established policies for applying security updates during disparate maintenance windows.
The IT team utilizes distributed maintenance windows to lessen the up-time impact on applications; for example, half the application is upgraded during the first maintenance window and the second part during the second maintenance window to keep the application running and minimize risk.
The central security team sets the security policy static for certain environments and adaptive for others.
For example, the security policy is adaptive for workloads running in the development environment (using the labels All Applications, Development Environment, and All Locations). However, workloads in the production environment (All Applications, Production Environment, and All Locations) require the static policy.
See Caveats for guidance on choosing when to configure workloads with static policy.
Example: Static Policy Workflow
The security team for an internet retail application has strict requirements for updating their production environment. They require that all updates to the OS-level firewall rules for their Database tier running in production be applied during maintenance windows. For their Illumio-managed workloads, they configure a static policy with the following labels: Role: Database, Applications: All, Environment: Production, Locations: All.
A spike in customer demand occurs, and the production environment automatically scales by adding servers to the Web tier. The Illumio PCE detects the web servers connecting to the Database tier workloads and re-computes their security policy to include rules for the web servers. The PCE re-computes the OS-level firewall rules for those workloads and sends them to the VENs running on the Database workloads. The VENs stage the updates locally but do not apply them to OS-level firewalls.
A maintenance window opens, and a security team member filters the Database workloads in the PCE to determine which ones have staged security policy. She selects these workloads and applies the staged changes.
The VENs request the latest OS-level firewall rules from the PCE to ensure that all changes are included. The PCE sends the latest OS-level firewall rules to the VENs, which apply them.
Static Policy Prerequisites, Limitations, and Caveats
Before configuring your workloads to use static policy, review the following prerequisites and limitations and consider the following caveats.
Prerequisites
You must be a member of the Global Organization Owner or Global Administrator role to manage security settings and add static policy.
The VENs on affected workloads must be running version 17.2 or later. Earlier versions of VENs cannot stage static policy. They will apply security policy updates immediately to workloads even though you configured them to use static policy.
Limitations
You should provision label groups before adding them to the static policy.
In the following situations, a VEN will apply a security update immediately and will not stage it even though the workload on which the VEN is running is configured to use static policy:
When you pair a new workload, the VEN immediately applies the policy it receives from the PCE.
When a VEN detects tampering, it requests security updates from the PCE and applies them immediately.
A VEN is offline when a user applies changes to their workloads. When the VEN returns online, it connects to the PCE and receives updated OS-level firewall rules. The VEN applies the revised rules to the workload even though it is configured to use a static policy.
Note
When a VEN goes offline and online, its OS-level firewall rules can become out of sync with other VENs that remain online.
See Staged Policy for an explanation of how the VENs stage policy.
Because a VEN may apply security updates immediately, Illumio recommends that you do not provision security policy updates until they are final. Keep the updates in the Draft state until you complete them.
To maximize performance, the PCE transmits updated OS-level firewall rules to the VENs 5,000 at a time until all updates are sent.
Caveats
Illumio recommends implementing a static policy for special cases, and advanced users should oversee the process.
The Illumio Core is designed to ensure that the latest versions of your security policy across your environment protect your workloads. Users provision policy changes, or the PCE responds dynamically to environmental changes. In both cases, the PCE re-computes new OS-level firewall rules incorporating the changes and sends them to the VENs to be applied immediately.
However, when configuring workloads to use static policy, you override this design by controlling when the VENs apply the security update to the workloads. As a result, you can have inconsistent security policies across your managed environment, which can cause communication disruptions between workloads.
Troubleshooting communication issues is difficult when the workloads within a scope use different security policy versions.
Illumio recommends keeping the number of workloads in your environment that utilize static policy as low as your business processes allow.
Apply Static Policy
By default, the Illumio Core implements adaptive security for your workloads in all roles, all applications, all environments, and all locations.
However, you might want to add static policy to control when updates to OS-level firewall rules are applied to your workloads.
You designate which workloads use static policy by configuring the Policy Update Mode in the Security Settings. To configure the Policy Update Mode, you specify the role, application, environment, and location labels. Any workloads within the scope of the selected labels will use a static policy. You can add multiple scopes. The overlap between the scopes does not affect how workloads use static policy.
Label groups are currently not supported by static policy. To create scopes using multiple labels from the same type, add them as separate scopes. For example, four Role labels are added to the PCE: Web, Database, API, and Mail. You want to add a static policy for the Web and Database roles only, so you add two scopes.
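The scope semantics above (one label per dimension per scope, "All" where a dimension is left out, same-type labels added as separate scopes) and the earlier list of cases in which a VEN applies an update immediately instead of staging it can be modelled in a few lines. This is an added illustrative model, not Illumio's own code or API; the class and function names, the version tuple and the event names are invented for the example.

```python
"""Illustrative model of static-policy scope matching and of when a VEN
stages an update versus applying it at once. Added example; not Illumio code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIMENSIONS = ("role", "app", "env", "loc")


@dataclass(frozen=True)
class Scope:
    """One static-policy scope. None in a dimension means 'All'."""
    role: Optional[str] = None
    app: Optional[str] = None
    env: Optional[str] = None
    loc: Optional[str] = None

    def matches(self, labels: Dict[str, str]) -> bool:
        # A workload with no label in a dimension only matches 'All' there.
        for dim in DIMENSIONS:
            want = getattr(self, dim)
            if want is not None and labels.get(dim) != want:
                return False
        return True


def uses_static_policy(labels: Dict[str, str], scopes: List[Scope]) -> bool:
    """A workload is static if any scope matches; overlapping scopes are harmless."""
    return any(s.matches(labels) for s in scopes)


# Situations from the Limitations list in which the VEN applies immediately
# even though the workload is configured for static policy (hypothetical names).
IMMEDIATE_EVENTS = {"pairing", "tamper_detected", "reconnect_after_offline"}


def ven_action(labels: Dict[str, str], scopes: List[Scope],
               event: str = "provision",
               ven_version: Tuple[int, int] = (17, 2)) -> str:
    """Return 'staged' or 'applied' for a firewall update delivered to a VEN."""
    if not uses_static_policy(labels, scopes):
        return "applied"      # adaptive policy: applied on receipt
    if ven_version < (17, 2):
        return "applied"      # VENs before 17.2 cannot stage
    if event in IMMEDIATE_EVENTS:
        return "applied"
    return "staged"


# Constructed example from the text: static policy for the Web and Database
# roles only, written as two separate scopes because label groups are unsupported.
STATIC_SCOPES = [Scope(role="Web"), Scope(role="Database")]
```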
See Static Policy Prerequisites, Limitations, and Caveats for information before you complete this task.
To add static policy:
From the PCE web console menu, choose Settings > Security > Static Policy.
To define the scope, click Add.
A dialog box appears where you set the static policy's scope.
Select labels to select workloads for static policy (Role, Application, Environment, Location).
Click OK.
The static policy appears in the list.
Click Provision from the PCE web console toolbar.
Staged Policy
When a workload matches a defined Static Policy filter, its state appears as Staged, indicating that policy updates have been delivered to the VEN but are not yet enforced. For a workload to reach this state, the Static Policy scope must match the workload and active policy rules (for example, rulesets or services) must affect it; after provisioning, the VEN has received the updated rules but has not applied them yet.
Understanding the distinction between using static policy to stage updates to OS-level firewall rules and provisioning security policy is important because the actions differ in crucial ways.
When you configure workloads to use static policy, the PCE sends the new OS-level firewall rules for Linux iptables or the Windows Filtering Platform (WFP) to the VENs, which stage them locally. The VENs do not apply the new firewall rules immediately. You must select the workloads and explicitly click Apply Policy in the Workloads page to activate the staged OS-level firewall rules.
Configuring a set of workloads to use static policy does not eliminate the requirement to provision policy updates for those workloads. Through provisioning, you update the PCE's version of your security policy.
When you provision security policy changes, you trigger the PCE to apply these changes to the workloads. When the workloads are set to use static policy, the VENs on the workloads will stage the changes until you explicitly click Apply Policy. However, under certain circumstances, the VENs could apply the latest changes before you explicitly click Apply Policy. See Static Policy Prerequisites, Limitations, and Caveats for information.
Tip
The orange badge on the Provision button (top toolbar) indicates the number of changes you need to provision.
In addition to rulesets and rules, you must provision changes to the Illumio policy objects, such as services, IP lists, and label groups. Illumio supports including re-usable policy objects in intra- and extra-scope rules to make security policies easier to maintain and update. When you update a policy object, all the rules using the object are updated without you needing to change each rule where the object is included.
When you provision changes to rulesets and policy objects, the PCE saves your security policy as a new version. It recomputes the OS-level firewall rules for all the workloads affected by the change and instructs the VENs to download the updated OS-level firewall rules.
See the following topics related to provisioning:
Overview of Policy Objects, for a description of each type of policy item
Provisioning for the policy items that require provisioning
Active vs Draft Versions to learn how provisioning establishes the active version of the policy
Determine When Workloads Have Staged Policy
Workloads Page
The Workloads page displays each VEN's current state in the Policy Sync column. You can filter your workloads by this column to determine which ones have staged OS-level firewall rules.
Active (Syncing): The PCE is sending a new policy to the VEN. This process typically takes only a few seconds.
Note
Workloads configured for adaptive and static policy can appear in the active (syncing) state while the PCE sends a new policy.
Staged: The VEN has received the latest OS-level firewall rules but has not applied them.
Active: The VEN has received, applied, and confirmed all policies sent from the PCE. (Active workloads have a green dot icon.)
For more information about the VEN Policy Sync states, see “VEN Policy Sync” in VEN Installation and Upgrade Guide.
Workload Details
The Workload details page provides important information about when and how your workloads received staged policy.
The General section indicates whether the workload is configured to use static policy (Policy Update Mode field) and displays the date and time the VEN staged the policy (Last Policy Staged field).
The VEN section includes the Policy Sync state, which can be active (syncing), staged, active, error, warning, and suspended.
Note
When all your workloads are configured to use adaptive policy, these fields will not appear in the General or VEN sections.
Apply Staged Policy
See Static Policy Prerequisites, Limitations, and Caveats for information before you complete this task.
From the PCE web console menu, choose Workloads.
The Workloads page appears.
(Optional) Filter by Policy Mode:
Use the Workload property filter: Policy Update Mode > Static Workloads
To apply staged policy to specific workloads:
Select the workloads with staged changes.
Click Apply Policy to enforce the staged rules.
To apply a policy to all workloads with a staged policy, choose Apply Policy > Update All Workloads.
Note
If you filter workloads by label and choose Update All Workloads, the PCE applies the staged updates to all the workloads matching that label scope, not just the workloads appearing on the PCE web console page.
The Apply Policy dialog box displays the number of workloads to which the staged policy will be applied.
Click OK.
The VEN applies the staged policy and displays the status of the update.