Core Services Detector
Core services (DNS, Domain Controller, NTP, and LDAP) are essential to your computing environment and run on one or multiple workloads. The Core Service Detector feature helps you identify these core services and suggests an appropriate label for them. The Illumio PCE can detect 51 core services. Identifying and labeling these workloads is essential because they are centrally connected, and other applications depend on them.
Application owners sometimes lack sufficient knowledge about core services or the ability to identify them. Additionally, different teams may manage core services, and application owners must coordinate with these teams to secure their applications. When you use the Core Services Detector to label and write policies for core services, you can save time on application policies and progress to policy enforcement faster.
Note
The Core Services Detector is available only on the leader PCE in the Supercluster.
For information about using the REST API to manage core services, see "Core Services Detection" in REST API Developer Guide.
Enabling Core Services Detection
The Core Services Detector is not enabled by default because it is optional. Organizations already working extensively with labeling their core services might not be interested in this feature.
Important
To enable Core Services detection, you must be an Illumio Org Administrator.
To enable this feature, follow these steps:
To access the Core Services feature in the PCE, update the value for the following parameter in the PCE
runtime_env.ymlfile:core_services_enabled: true.Log in to the PCE web console and choose Settings > Core Services.
The Core Services feature appears in the settings.
Select Enabled.
The menu option will now appear in the PCE web console main menu under , and you can use the Illumio REST API to manage Core Services.
Managing Core Services
Core Services Detector uses a three-step process to identify and manage core services:
Detect: The detection tool runs in the backend to recommend potential core services (workloads running core services).
Review: Review recommendations provided by the detection tool and accept or reject them.
Label: Label accepted recommendations for core services.
Detection Methods
The PCE uses three methods to detect core services:
Port Matching: Rule-based model based on connections to specific ports.
Port-based ML: Machine learning model based on connections to specific ports.
Process-based ML: Machine learning model based on processes running on the server.
Note
The PCE's method to detect a core service is not configurable.
All three algorithms run continuously.
The core services detection for Microsoft Active Directory uses a machine learning (ML) model.
Detection methods can be such as Port-based ML, 93% confidence
Identifying and Reviewing Core Services
From the PCE web console main menu, choose Infrastructure> Core Services.
The landing page for core services displays all services detected by the detection tool during the most recent run.
It also tabulates the workloads recommended for running that particular core service, along with the ones previously accepted or rejected for that service.
Click the link for any of the listed core services. The page refreshes and displays the detailed status of that service.
The details page for a core service provides the following information:
Status: This shows whether the recommendation is new.
Detection Model: Indicates with the method the PCE used to detect the service.
Server: Displays the IP addresses and workloads recommended for that core service. The column includes either a defined workload or an unknown IP address.
Labels: For a defined workload, displays the existing labels.
To view the service's details, click either the detection method or the value in the column.
Accept or reject the core service by clicking the buttons on the right.
Accept: If the core service is from an unknown IP address, clicking Accept creates an unmanaged workload, such as 35.251.68.112.
Note
Illumio encourages customers to create unmanaged workloads, install VENs on them so they become managed, and then label them to allow enforcement.
Reject: When you reject the recommendation, that IP address is no longer recommended as a Destination of the detected core service.
Follow Up: If you are unsure whether to accept the recommendation, note your reasons to help in later decision-making.
Labeling the detected Core Services
Once you have accepted a recommendation to label a service, select the tab on the Core Services page.
Each service type has its own recommended label.
Click Edit Labels to see the current labels. The screen shows the current labels on the left and the recommended labels on the right. The labels shown include All, Role, Application, Environment, Location, and any custom label types you have defined using flexible labels.
Click Accept to accept the recommended labeling.
The page refreshes and displays the labels added for the core service.
When required for your network environment, change the default labels by selecting Edit Default Settings and modifying the labels as necessary.
Important
You must be an Illumio Org Administrator to change the default label assignments.
Note
Changing the default label assignment does not change any previously edited workload labels.
Scanner Detection
Scanners running in a network can be automatically detected, just as services are detected.
Important
Scanner detection by default is not enabled. You must manually enable scanner detection on the Core Services page. After being enabled, scanner detection runs every 24 hours to detect scanner traffic.
After a scanner is detected, the src_port can be used to create a collector-side traffic filter so that traffic originating from that src_port will be dropped and not stored in the PCE.