Illumio Core 25.2.10 Administration Guide

VEN Tampering Protection

In Illumio Core and Illumio Endpoint 22.5.10 and later releases, you can protect the following types of VENs from unintended actions and tampering:

  • Windows and Linux VENs running on servers

  • Windows VENs running on endpoints

This feature protects the VEN itself from tampering, as distinct from protecting the workload host that the VEN runs on. For information about how the VEN detects tampering with the host firewall, see VEN Firewall Tampering Detection.

About Tampering Protection

Note

Before using this feature, complete the tasks in Requirements for Using Tampering Protection.

This feature protects VENs from unintended, accidental invocation of VEN CLI actions and installer commands that impact VEN functionality, and malicious attempts (including from System Administrators) to disable or uninstall the VEN, or otherwise render the VEN unusable.

Using this feature, you control the ability to run the following VEN administrative actions with the VEN CLI:

  • Stopping the VEN. See Shut Down VENs.

  • Restarting the VEN. See Start Up VENs.

  • Suspending the VEN. See VEN Suspension.

  • Deactivating the VEN. See Deactivate Using VEN Command Line.

  • Unpairing the VEN from the PCE. See Unpair Using VEN Command Line.

  • Upgrading the VEN on the server or endpoint. See the topics for managing the VENs using the CLI.

    Note

    Providing a maintenance token is not required when upgrading VENs by using the PCE web console.

  • Uninstalling the VEN from the server or endpoint. See the topics for managing the VENs using the CLI.

    Note

    Providing a maintenance token is not required when uninstalling VENs from workloads by using the PCE web console.

This tampering protection restricts VEN CLI commands issued by all users, including the users who have administrative or root access to the VEN hosts (servers and endpoints).

Requirements for Using VEN Tampering Protection

To use this feature, you must complete the following requirements:

  1. Enable the feature for your organization. See Enable VEN Tampering Protection.

  2. Generate a maintenance token for all VENs or for specific VENs that you want protected. See Generate VEN Maintenance Token.

    To generate this token, users must be part of one of the following Illumio Authorization roles:

    • Global Organization Owner

    • Global Administrators

    • Workload Managers (only for the workloads to which the users have access)

      When you are part of the Workload Manager role, you can set up tampering protection for the VENs you have access to. See "Workload Manager Role" in the PCE Administration Guide for information.

  3. Include the token when running VEN CLI commands. See Manage VEN When Tampering Protection Enabled.

Enable VEN Tampering Protection

Before you can generate maintenance tokens for VENs or use the tampering protection feature, you must enable it in the PCE web console for your organization.

  1. From the PCE web console main menu, go to Settings > VEN Operations.

    Important

    To access the Settings page for VEN Operations, you must be a member of the Global Organization Owner role. You cannot enable the VEN tampering protection feature without this level of Illumio authorization.

  2. Click Edit.

  3. In the Tampering Protection section, select Yes to require a maintenance token when running VEN commands with the VEN CLI (illumio-ven-ctl).

  4. Click Save.

Generate a VEN Maintenance Token

Note

Before you generate a VEN and Endpoint maintenance token, you must enable the feature for your organization.

You can generate maintenance tokens for all your VENs or for a specific VEN.

  1. Go to Workloads and click the VENs tab.

    • To generate maintenance tokens for all of the VENs, click Generate Maintenance Token.

    • To generate a token for a specific VEN, click the name of a VEN to open the details page for that VEN, and then click Generate Maintenance Token.

      A Generate Maintenance Token dialog box appears where you can generate tokens for all VENs or the specific VEN you selected.

      Note

      If the tampering protection feature is enabled for the PCE, the page includes a Generate Maintenance Token button. If the page does not include this button, you must enable the feature for your PCE. See Enable VEN Tampering Protection.

  2. Specify the time period for the token: unlimited (will never expire or need to be regenerated) or a set time period. By default, the dialog box specifies 7 days for the time period.

  3. Click Generate.

    When ready, the dialog refreshes with the text string for the maintenance token and the timestamp for when the token was generated.

  4. Copy the text string for the token and store it in a secure location. You will need to provide this string on the command line when you run VEN commands using the VEN CLI.

  5. Click Done to close the dialog box.

Manage a VEN when Tampering Protection Is Enabled

When tampering protection is enabled for a VEN, you must add the maintenance-token <token> parameter to the VEN command line after the action you want to run, as shown in the following examples. On Windows, the parameter takes a single dash (-maintenance-token <token>); on Linux, it takes two dashes (--maintenance-token <token>).

When the feature is enabled, running these VEN actions without the token fails.

Note

Not all VEN actions support using a maintenance token for tampering protection. See About Tampering Protection for the list of supported actions.

When the feature is enabled, the VEN validates the maintenance token and its expiration date, and then runs the command as usual.

When the token expires, you can regenerate it in the PCE web console.

Example: Windows Command Line to Run Protected VENs

<VEN Installation Directory>\illumio-ven-ctl.exe stop
Maintenance token is required for this operation.
<VEN Installation Directory>\illumio-ven-ctl.exe stop -maintenance-token eyJhY3Rpb25zIjpudWxsLCJleHBpcmVzX2F0IjpudWxsLCJhZ2VudF9pZHMiOm51bGwsIm9yZ19pZCI6MX0=.MGUCMHSfLNS8yGHgFY0D3CuFvi+L8m6VUVI9FHRzT31sn37F+GsKecpSnbR8abYuSoz2wgIxALhrtjAXZNN8unxLuN8WO/kcLONz7gwboRCT/Sc2FdwXAkLvioh+9jyU8OBeAj5poA==
Stopping venAgentMonitorSvc
Stopping venPlatformHandlerSvc
Stopping venVtapServerSvc
Stopping venAgentMgrSvc
Success
<VEN Installation Directory>\Illumio>

Example: Linux Command Line to Run Protected VENs

[root@localhost illumio_ven]# ./illumio-ven-ctl unpair open noreport
Maintenance token is required for this operation.
[root@localhost illumio_ven]# ./illumio-ven-ctl unpair --maintenance-token eyJhY3Rpb25zIjpudWxsLCJleHBpcmVzX2F0IjpudWxsLCJhZ2VudF9pZHMiOm51bGwsIm9yZ19pZCI6MX0=.MGUCMHSfLNS8yGHgFY0D3CuFvi+L8m6VUVI9FHRzT31sn37F+GsKecpSnbR8abYuSoz2wgIxALhrtjAXZNN8unxLuN8WO/kcLONz7gwboRCT/Sc2FdwXAkLvioh+9jyU8OBeAj5poA== open noreport
Stopping venAgentMonitor:    ...done.
Stopping venVtapServer:    ...done.
Stopping IPSec:    ...done.
Stopping venPlatformHandler:    ...done.
Stopping venAgentMgr:    ...done.
Checking agent state
   ...done.
 * Flush IPv4   ...done.
   ...done.
Unloading modules   ...done.
Illumio VEN is being uninstalled...
2023-01-17T12:51:01-0800 Uninstalling Illumio ............
2023-01-17T12:51:04-08:00 Stopped all daemons
2023-01-17T12:51:04-08:00 Init scripts disabled
2023-01-17T12:51:04-08:00 VEN state on uninstall: enforced
2023-01-17T12:51:04-0800 Deactivating Illumio VEN .......
2023-01-17T12:51:05-0800 Agent 15 Org 1 successfully deactivated
2023-01-17T12:51:05-0800 Deactivation complete
2023-01-17T12:51:05-08:00 /opt/illumio_ven/system/etc/init.d/illumio-firewall disable -w workload/c3364c6d-43f7-43fd-a4e4-9eb6258808b4/current
2023-01-17T12:51:07-08:00 Firewall Rules successfully restored
2023-01-17T12:51:07-08:00 Removed ilo-ven user entries
2023-01-17T12:51:07-08:00 Removed data distribution tree from /opt
2023-01-17T12:51:07-08:00 Removed binary distribution tree from /opt
2023-01-17T12:51:07-0800 Uninstall successful
VEN has been SUCCESSFULLY unpaired with Illumio
[root@localhost illumio_ven]#

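
Before you store a maintenance token, it is worth knowing exactly what it grants: the token in the examples above, for instance, is scoped to every VEN in the organization and never expires, so it should be handled like a root credential. The following Python script is an added example, not Illumio code. It assumes, from the shape of the token shown in the examples, that a maintenance token is a base64-encoded JSON payload (with org_id, agent_ids, expires_at and actions fields) followed by a dot and a base64-encoded signature; the meaning of a null actions field and the representation of a non-null expires_at (epoch seconds or an ISO 8601 string are assumed) are not documented on this page. The script decodes and reports the payload and flags an expired token; it does not and cannot verify the signature, since only the VEN holds the key for that. The build_token helper exists only to construct test tokens.

```python
"""Inspect an Illumio VEN maintenance token before storing or using it.

Added example, not Illumio code. ASSUMED token layout (from the page's examples):
    base64(JSON payload) + "." + base64(signature)
The signature is not verified here; the VEN does that against the PCE.
"""
from __future__ import annotations

import base64
import binascii
import json
from datetime import datetime, timezone

# Token copied from the CLI examples on this page. Its payload decodes to
# org_id 1, agent_ids null (all VENs) and expires_at null (never expires).
PAGE_TOKEN = (
    "eyJhY3Rpb25zIjpudWxsLCJleHBpcmVzX2F0IjpudWxsLCJhZ2VudF9pZHMiOm51bGwsIm9yZ19pZCI6MX0="
    ".MGUCMHSfLNS8yGHgFY0D3CuFvi+L8m6VUVI9FHRzT31sn37F+GsKecpSnbR8abYuSoz2wgIx"
    "ALhrtjAXZNN8unxLuN8WO/kcLONz7gwboRCT/Sc2FdwXAkLvioh+9jyU8OBeAj5poA=="
)


def split_token(token: str) -> tuple[bytes, bytes]:
    """Split a token into (payload_bytes, signature_bytes); ValueError if malformed."""
    token = token.strip()
    if token.count(".") != 1:
        raise ValueError("expected exactly one '.' separating payload and signature")
    payload_b64, sig_b64 = token.split(".")
    try:
        # validate=True rejects characters outside the base64 alphabet
        return (base64.b64decode(payload_b64, validate=True),
                base64.b64decode(sig_b64, validate=True))
    except binascii.Error as exc:
        raise ValueError(f"token is not valid base64: {exc}") from exc


def parse_expiry(value) -> datetime | None:
    """ASSUMED representations of expires_at: None, epoch seconds, or ISO 8601."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported expires_at value: {value!r}")


def inspect_token(token: str, now: datetime | None = None) -> dict:
    """Summarize what the token claims to grant. Does NOT verify the signature."""
    payload_bytes, signature = split_token(token)
    try:
        payload = json.loads(payload_bytes)
    except json.JSONDecodeError as exc:
        raise ValueError("token payload is not JSON") from exc
    if not isinstance(payload, dict) or "org_id" not in payload:
        raise ValueError("token payload lacks org_id")
    now = now or datetime.now(timezone.utc)
    expires = parse_expiry(payload.get("expires_at"))
    agent_ids = payload.get("agent_ids")
    return {
        "org_id": payload["org_id"],
        # ASSUMED: agent_ids null means the token applies to all VENs in the org
        "scope": "all VENs" if agent_ids is None else f"{len(agent_ids)} specific VEN(s)",
        "agent_ids": agent_ids,
        # ASSUMED: actions null means every supported CLI action
        "actions": payload.get("actions"),
        "expires_at": expires,
        "expired": expires is not None and expires <= now,
        "signature_len": len(signature),
        "signed": len(signature) > 0,
    }


def build_token(payload: dict, signature: bytes = b"constructed-signature") -> str:
    """Construct an (unverifiable) token in the assumed layout, for tests only."""
    body = base64.b64encode(json.dumps(payload).encode()).decode()
    return body + "." + base64.b64encode(signature).decode()


if __name__ == "__main__":
    print(json.dumps(inspect_token(PAGE_TOKEN), default=str, indent=2))
```

Run it against a freshly generated token before you file it away: a result of scope "all VENs" with expires_at None is the broadest token the feature can issue, and a token reported as expired needs to be regenerated in the PCE web console before the CLI will accept it.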
Windows VEN Installer Changes

When you enable the VEN tampering protection feature, the Windows VEN installer can include the new MAINTENANCE_TOKEN parameter for the upgrade, uninstall, and repair commands, as shown in the following examples.

Upgrade a VEN

ven_installer.exe /install /quiet /log ven_install.log MAINTENANCE_TOKEN=xxx

Uninstall a VEN

ven_installer.exe /uninstall /quiet /log ven_uninstall.log MAINTENANCE_TOKEN=xxx

Repair a VEN

ven_installer.exe /repair /quiet /log ven_repair.log MAINTENANCE_TOKEN=xxx