VEN Firewall Tampering Detection
The PCE distributes the latest policy applicable to each workload to ensure that the VEN receives the latest policy updates. The VEN internally creates and maintains a set of meta information of these rules, which it uses to detect tampering.
Automatic History of Firewall Changes
Changes to the firewall on a workload are recorded as an audit trail. Up to 10 firewall changes are kept in the history, which is viewable via the PCE Support Reports.
Host Firewall Tampering Protection
If a host firewall is tampered with, firewall tampering protection starts the firewall validation procedure. If validation finds that any Illumio-added rule has been tampered with, the restoration procedure starts.
The restoration procedure first attempts to fetch a new security policy from the PCE. If that fetch fails because of a network connectivity issue, the last known good copy of the policy stored locally can be recovered instead. The final step validates the policy against its meta information. The tampering attempt is reported to the PCE as an agent.tampering event.
A host firewall tampering event occurs when another administrator or an attacker:
Adds a firewall rule to the Illumio firewall compartment.
Modifies a firewall rule added by Illumio.
Deletes a firewall rule added by Illumio.
Deletes all firewall rules (flush) added by Illumio.
Illumio detects tampering attempts against the Illumio firewall policy only, not against other firewall rules on the workload.
Workload OS | Tampering Detection |
---|---|
Linux | The VEN monitors any underlying iptables, ipset, and IPsec changes. Once the VEN detects a tampering attempt, it validates the snapshot of iptables/ipset/IPsec against the firewall policy validation meta information. |
Windows | The VEN monitors any changes in the Windows Filtering Platform (WFP) layer and the runtime IPsec policy. If it detects a change, it starts the validation and restore procedure. |
AIX/Solaris | |
Host Firewall Tampering Alerts
Host firewall tampering alerts can be viewed:
On the host VEN.
In the PCE web console.
In the response to a call to the /events Illumio Core REST API.
In the results of a query in Splunk or other SIEM software.
View Tampering Alerts on VEN Host
Workload OS | Procedure |
---|---|
Linux | As root, tail the VEN log file to see suspected tampering events and hash comparisons: tail -f /opt/illumio_ven_data/log/platform.log. Look for lines such as "INFO: Possible tamper detected..." and "INFO: FW iptables checksums ..." (the latter compares security policy hashes to see whether anything changed). |
Windows | Check the Windows Event Viewer. Note: this alert displays "Filtering Platform Policy Change" when a tampering event is detected. Double-click the alert for detailed information. |
View Tampering Alerts Sent to PCE
PCE Web Console
To view agent.tampering events in the PCE web console, navigate to Troubleshooting > Events. Double-click an agent.tampering event to see its details.
Illumio Core REST APIs
To return all tampering events for an organization, execute the following command using your organization URI. For more information, see Events in the REST API Developer Guide.
Example Curl Command to Get Information for All agent.tampering Events:
```
curl -i -X GET https://pce.example.com:8443/api/v2/orgs/1/events/?event_type=agent.tampering -H "Accept: application/json" -u $KEY:$TOKEN
```
Example Curl Command to Get Information for a Specific agent.tampering Event:
```
curl -i -X GET https://pce.example.com:8443/api/v2/orgs/1/events/some_event_ID -H "Accept: application/json" -u $KEY:$TOKEN
```
Example JSON Response Body from Getting an agent.tampering Event:
```
{
  "href": "/orgs/1/events/some_event_ID",
  "timestamp": "2019-06-17T05:42:10.419Z",
  "pce_fqdn": "someName.someDomain",
  "created_by": {
    "agent": {
      "href": "/orgs/1/agents/xxxxx",
      "hostname": "someHostname"
    }
  },
  "event_type": "agent.tampering",
  "status": "success",
  "severity": "err",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "FILTERED",
    "api_method": "PUT",
    "http_status_code": 204,
    "src_ip": "xx.xxx.xx.xx"
  },
  "resource_changes": [],
  "notifications": [
    {
      "uuid": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "notification_type": "workload.oob_policy_changes",
      "info": {
        "tampering_revert_succeeded": true,
        "beginning_timestamp": "2019-06-17T05:42:10Z",
        "ending_timestamp": "2019-06-17T05:42:10Z",
        "num_events": 1
      }
    }
  ]
}
```
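To triage what the collection query returns, the following added Python example (not Illumio's code) parses a response of the shape shown above and flags events whose automatic restore of the Illumio rules did not succeed. It assumes the /events endpoint returns a JSON array of such objects; the sample data, the second event and its hostname are constructed.

```python
import json

# Constructed sample: two agent.tampering events in the shape of the JSON
# body above (hostnames, IDs and the second event are placeholders).
SAMPLE_RESPONSE = json.dumps([
    {"href": "/orgs/1/events/some_event_ID",
     "timestamp": "2019-06-17T05:42:10.419Z",
     "created_by": {"agent": {"hostname": "someHostname"}},
     "event_type": "agent.tampering", "severity": "err",
     "notifications": [{"notification_type": "workload.oob_policy_changes",
                        "info": {"tampering_revert_succeeded": True,
                                 "beginning_timestamp": "2019-06-17T05:42:10Z",
                                 "ending_timestamp": "2019-06-17T05:42:10Z",
                                 "num_events": 1}}]},
    {"href": "/orgs/1/events/other_event_ID",
     "timestamp": "2019-06-17T06:01:33.000Z",
     "created_by": {"agent": {"hostname": "otherHost"}},
     "event_type": "agent.tampering", "severity": "err",
     "notifications": [{"notification_type": "workload.oob_policy_changes",
                        "info": {"tampering_revert_succeeded": False,
                                 "beginning_timestamp": "2019-06-17T06:00:00Z",
                                 "ending_timestamp": "2019-06-17T06:01:30Z",
                                 "num_events": 4}}]},
])


def triage_tampering_events(response_text):
    """Return one summary dict per agent.tampering event, ordered so that
    events whose restore of the Illumio rules failed come first."""
    findings = []
    for event in json.loads(response_text):
        if event.get("event_type") != "agent.tampering":
            continue  # defensive: the query filter should already exclude others
        hostname = event.get("created_by", {}).get("agent", {}).get("hostname", "?")
        for note in event.get("notifications", []):
            if note.get("notification_type") != "workload.oob_policy_changes":
                continue
            info = note.get("info", {})
            reverted = bool(info.get("tampering_revert_succeeded", False))
            findings.append({
                "hostname": hostname,
                "event_href": event.get("href"),
                "window": (info.get("beginning_timestamp"), info.get("ending_timestamp")),
                "num_events": info.get("num_events", 0),
                "revert_succeeded": reverted,
                # a failed revert may leave the workload running a tampered policy
                "needs_attention": not reverted,
            })
    return sorted(findings, key=lambda f: (f["revert_succeeded"], -f["num_events"]))
```

Feed it the body of the curl call above (or a page of results from a SIEM export) and follow up on every entry with needs_attention set.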
Splunk or Other SIEM Software
If you send VEN events received by the PCE to Splunk or other SIEM software, query for agent.tampering events in accordance with the SIEM vendor's query procedures.