Illumio Policy Enforcement Model
Illumio employs an allowlist security model. By default, workload-to-workload communication is blocked unless explicitly permitted by defined Illumio policy rules. Administrators create these explicit rules to allow only necessary traffic, significantly enhancing security.
Why Use Selective Enforcement?
Deploying the allowlist model universally and simultaneously can be challenging or disruptive. Illumio addresses this by providing selective enforcement, an intermediate enforcement state that allows a gradual security rollout.
Selective Enforcement provides:
Gradual Security Implementation: Smooth transition from open ("Idle" or "Visibility-only") states to full enforcement ("Full Enforcement").
Targeted Visibility: Enforcement focused on selected services and ports via labels or groups, while other services remain in visibility mode.
Rapid Threat Response: Immediate enforcement on vulnerable or critical ports and services without impacting entire workloads.
Applying Selective Enforcement
Selective Enforcement is configured per workload; the workloads are selected by labels or label groups, and the ports and services to enforce on them are selected the same way, so the enforced set can be widened step by step.
When Selective Enforcement is activated on a workload, its ports and services fall into two sets:
Enforced Ports and Services: Policy rules are actively enforced. Only explicitly permitted inbound traffic is allowed; all other inbound traffic to these ports is blocked.
Visibility-Only Ports and Services: Nothing is blocked, but every connection is monitored and logged, as in Visibility Only mode.
Enforcement Progression Model
Selective Enforcement is a crucial step in Illumio's structured enforcement progression:
Idle → Visibility Only → Selective Enforcement → Full Enforcement
where
Idle: The VEN reports traffic and configuration data but does not take control of the workload's firewall; nothing is enforced.
Visibility Only: All traffic is permitted, but every connection is monitored and logged, so policy can be written and tested against real flows.
Selective Enforcement: Partial enforcement on chosen ports/services; all other ports stay in visibility-only.
Full Enforcement: Complete allowlist enforcement on all ports and services.
This structured approach simplifies the implementation of secure policies, offering flexibility in managing risk and operational complexity.
Use Cases and Limitations
Basic use cases for Selective enforcement are:
Incremental Policy Rollout: Enables the gradual introduction of policies, reducing risks to critical systems.
Rapid Security Response: Quickly enforce specific, critical, or vulnerable port and service policies.
Selective Enforcement applies only to inbound (destination-side/ingress) traffic: it controls requests arriving at protected workloads and does not control outbound traffic leaving them.
Selective Enforcement Mode Limitations
Limitations of Selective Enforcement are grouped as follows:
Directional Enforcement: Selective Enforcement operates only on inbound traffic. In Illumio terms:
Inbound Policy (Destination-centric): Manages incoming traffic to workloads. This is the only direction Selective Enforcement controls.
Outbound Policy (Source-centric): Manages outgoing traffic from workloads. Not controlled by Selective Enforcement.
Managed Workloads Only: Selective Enforcement is available only for workloads managed directly by an Illumio VEN.
Unmanaged workloads, and workloads enforced through Network Enforcement Nodes (NEN), cannot use Selective Enforcement.
Impact on Virtual Services: Selective Enforcement does not apply to a virtual service as a single entity. Policy must target the individual workloads behind the virtual service, and enforcement takes effect on those workloads; the virtual service itself is never enforced directly.
Workload Enforcement States
Workload enforcement modes determine how Illumio rules affect a workload's network communications. Illumio provides four modes: Idle, Visibility Only, Selective Enforcement and Full Enforcement.
The enforcement state displayed in the Policy Compute Engine (PCE) is the desired state for the next policy update; if the VEN fails to apply it, the PCE reports a Policy Sync error.
Idle Enforcement State
This state is typically used during initial VEN installation or activation. Its characteristics are:
No firewall rule enforcement.
Collects and reports network traffic data every 10 minutes.
Reports OS compatibility every four hours.
Reports network interface configuration changes immediately.
Note
SecureConnect rules are only applied to workloads where the VEN is in a non-idle enforcement state.
However, unlike other rules, SecureConnect requires matching rules to be applied to the workloads on both sides of a connection. SecureConnect traffic is therefore not supported between two workloads when the VEN on either side is in the Idle state.
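The decision logic described on this page, condensed into a small Python model: enforced versus visibility-only ports under Selective Enforcement, the Idle to Full Enforcement progression, inbound-only control, the managed-workload requirement, per-workload evaluation behind a virtual service, and the SecureConnect note just above. This is an added example, not Illumio's code or the PCE API: the Workload, Rule and Flow classes, the decide(), decide_for_virtual_service(), progression() and secure_connect_applies() functions, and the sample workloads, labels, ports and rules are all assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Mode(Enum):
    IDLE = "idle"
    VISIBILITY_ONLY = "visibility_only"
    SELECTIVE = "selective"
    FULL = "full"


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset[str]                 # e.g. {"app:db", "env:prod"}
    mode: Mode
    managed: bool = True                   # False for unmanaged or NEN-enforced workloads
    enforced_ports: frozenset[int] = frozenset()   # consulted only in SELECTIVE mode


@dataclass(frozen=True)
class Rule:
    """Allowlist rule (hypothetical simplified form): sources carrying
    src_labels may reach destinations carrying dst_labels on port."""
    src_labels: frozenset[str]
    dst_labels: frozenset[str]
    port: int


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int


def _permitted(flow: Flow, rules: list[Rule]) -> bool:
    return any(r.src_labels <= flow.src.labels
               and r.dst_labels <= flow.dst.labels
               and r.port == flow.port for r in rules)


def decide(flow: Flow, rules: list[Rule]) -> str:
    """Outcome for an inbound flow at flow.dst: 'allowed', 'allowed_logged' or 'blocked'.

    Only the destination's mode is consulted: Selective Enforcement controls
    inbound traffic, so the source workload's own mode never blocks a flow here.
    """
    dst = flow.dst
    if dst.mode is Mode.IDLE:
        return "allowed"             # VEN not managing the firewall; flows only reported
    if dst.mode is Mode.VISIBILITY_ONLY:
        return "allowed_logged"
    if dst.mode is Mode.SELECTIVE:
        if not dst.managed:          # assumption: treat the unsupported combination as an error
            raise ValueError(f"{dst.name}: selective enforcement requires a VEN-managed workload")
        if flow.port not in dst.enforced_ports:
            return "allowed_logged"  # port not yet enforced: still visibility-only
    # FULL, or an enforced port under SELECTIVE: allowlist, deny unless a rule matches
    return "allowed" if _permitted(flow, rules) else "blocked"


def decide_for_virtual_service(members: list[Workload], src: Workload,
                               port: int, rules: list[Rule]) -> dict[str, str]:
    """A virtual service is not enforced as a unit: evaluate each member workload."""
    return {w.name: decide(Flow(src, w, port), rules) for w in members}


def progression(src: Workload, dst: Workload, port: int, rules: list[Rule]) -> dict[str, str]:
    """Outcome of one flow as dst moves Idle -> Visibility Only -> Selective -> Full."""
    return {m.value: decide(Flow(src, replace(dst, mode=m), port), rules) for m in Mode}


def secure_connect_applies(a: Workload, b: Workload) -> bool:
    """SecureConnect needs matching rules on both peers, so neither may be Idle."""
    return a.mode is not Mode.IDLE and b.mode is not Mode.IDLE


# Constructed sample inventory and policy (not real workloads or rules).
WEB = Workload("web-01", frozenset({"app:web", "env:prod"}), Mode.FULL)
BATCH = Workload("batch-07", frozenset({"app:batch", "env:prod"}), Mode.VISIBILITY_ONLY)
DB = Workload("db-01", frozenset({"app:db", "env:prod"}), Mode.SELECTIVE,
              enforced_ports=frozenset({5432, 22}))      # 3306 deliberately left unenforced
DB2 = Workload("db-02", frozenset({"app:db", "env:prod"}), Mode.FULL)
NEN_DB = Workload("db-legacy", frozenset({"app:db", "env:prod"}), Mode.SELECTIVE, managed=False)
RULES = [Rule(frozenset({"app:web"}), frozenset({"app:db"}), 5432)]

if __name__ == "__main__":
    for src, port in ((WEB, 5432), (BATCH, 5432), (BATCH, 3306), (BATCH, 22)):
        print(f"{src.name} -> {DB.name}:{port}  {decide(Flow(src, DB, port), RULES)}")
    print(progression(BATCH, DB, 3306, RULES))
    print(decide_for_virtual_service([DB, DB2], BATCH, 3306, RULES))
```

Running the block shows the two halves of the page's model side by side: batch-07 reaching db-01 on the unenforced port 3306 is allowed and logged while 22 and 5432 are blocked unless a rule matches, the same flow flips to blocked only when db-01 reaches Full Enforcement, and the two members of a virtual service can give different answers because each is evaluated on its own mode.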