FQDN-Based Rules
Applications in data centers and cloud environments generate significant east-west traffic as workloads (bare-metal servers, virtual machines, and containers) communicate with one another. These applications also frequently need to reach external services such as SaaS, PaaS, or container registries, which are addressed by hostnames or URLs whose underlying IP addresses change often. This creates a security challenge because traditional security policies are written in terms of IP addresses or subnets. Administrators often work around the problem by allowing broad outbound communication, but that leaves workloads free to reach destinations the application never needs. To address this, Illumio introduced FQDN-based visibility and enforcement in Illumio Segmentation for Data Centers.
Benefits of FQDN-Based Rules
Implementing FQDN-based rules has the following benefits:
Deeper visibility: Delivers visibility into communications from workloads to any destination reachable via a URL or hostname. For example, when a workload pulls an image from an unmanaged repository or uses Amazon RDS for database services, Illumio shows the FQDNs involved, not just the IP addresses behind them.
Natural language policy: Automatically generate or write allowlist policies that allow workloads to consume services from FQDNs rather than IP addresses or subnets.
Adaptive security: Using distributed DNS snooping at the workload, the PCE dynamically adapts policy to changes such as a domain name resolving to a new IP address.
Lock down outbound communications and reduce risk: With FQDN-based enforcement, you decide which outbound services are allowlisted for your application rather than allowing all outbound communications. This mitigates the risk of an application communicating with a malicious IP address or domain name.
Wildcard support: Enables you to write FQDN-based policy using wildcards, such as *.redhat.com.

Features of FQDN-Based Rules
Distributed DNS Snooping
The VEN passively observes the DNS responses returned to the workload each time the workload issues a DNS request, and records the resulting hostname-to-address mappings in its own DNS cache. The VEN never generates DNS requests of its own; it only tracks the responses the workload already receives, so snooping adds no DNS load.
DNS Visibility
The VEN reports flow data such as IP addresses, ports, and protocols to the PCE. It also maps outbound flows to the FQDNs the workload resolved, so DNS-based traffic flows are visible in near real time and are retained as historical data.
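To make the snooping and visibility mechanism concrete, here is an added example (not Illumio's VEN code, whose internals are not described on this page) that does the same three things in miniature: it parses an observed DNS A-record response without ever sending a query, keeps an IP-to-FQDN cache that honours the record TTL, and labels outbound flows with the FQDN the workload had resolved. The hostname, the 203.0.113.0/24 and 198.51.100.0/24 addresses, and the flows are constructed sample data; the response is built by the block itself rather than captured from a wire.

```python
import struct
from ipaddress import ip_address

# --- Constructed sample data: an A-record response for an RDS-style hostname ---
# (hostname and addresses are made up; 203.0.113.0/24 is a documentation range)
SAMPLE_QNAME = "mydb.abc123.us-east-1.rds.amazonaws.com"
SAMPLE_ADDRS = ["203.0.113.10", "203.0.113.11"]

def _encode_name(name):
    """Encode a hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_a_response(txn_id, qname, addrs, ttl=60):
    """Build a minimal DNS response: one question, one A record per address.
    Answer names use a compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_address(a).packed for a in addrs)
    return header + question + answers

def _read_name(pkt, off):
    """Decode a (possibly compressed) name at pkt[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if end is None:
                end = off + 2                  # caller resumes after the 2-byte pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (end if end is not None else off)

def parse_a_records(pkt):
    """Return [(name, ip, ttl)] for every A record in a DNS response; [] if not a response."""
    _txn_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:                     # QR bit clear: a query, not a response
        return []
    off = 12
    for _ in range(qdcount):                   # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                               # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append((name, str(ip_address(rdata)), ttl))
    return records

class SnoopedDnsCache:
    """IP -> (fqdn, expiry) learned purely from observed responses; never issues queries."""
    def __init__(self):
        self._by_ip = {}

    def observe(self, pkt, now):
        for name, ip, ttl in parse_a_records(pkt):
            self._by_ip[ip] = (name, now + ttl)   # a later answer for the same IP replaces it

    def lookup(self, ip, now):
        entry = self._by_ip.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        return None                            # unknown or expired mapping

def label_flows(flows, cache, now):
    """Attach the snooped FQDN (or None) to each outbound (dst_ip, dst_port, proto) flow."""
    return [(ip, port, proto, cache.lookup(ip, now)) for ip, port, proto in flows]

if __name__ == "__main__":
    cache = SnoopedDnsCache()
    cache.observe(build_a_response(0x1234, SAMPLE_QNAME, SAMPLE_ADDRS, ttl=60), now=1000)
    # constructed outbound flows: one to the resolved RDS address, one never resolved
    flows = [("203.0.113.10", 5432, "tcp"), ("198.51.100.5", 443, "tcp")]
    for row in label_flows(flows, cache, now=1010):
        print(row)
```

Two design points carry over to any snooping-based enforcement: the cache must expire entries on the record TTL, otherwise a rule written for an FQDN keeps allowing an address the name no longer resolves to, and a flow to an address the workload never resolved (the second flow above) gets no FQDN label at all, which is exactly what an FQDN allowlist should refuse.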
DNS Enforcement
Security teams can create allowlist policies for FQDNs, specifying which DNS hostnames or FQDNs workloads are permitted to communicate with, without needing to know the associated IP addresses.
Wildcards
Illumio Segmentation for Data Centers supports wildcards in FQDNs, such as *.google.com, to simplify rule creation. For optimal performance, Illumio recommends limiting a single IP list to around 100 FQDN entries.
FQDN-Based Rule Requirements and Limitations
FQDN-based visibility and enforcement are subject to the following requirements and limitations:
Supported for any Linux OS supported with the Illumio VEN 19.1.0 release.
Supported for any Windows OS supported with the Illumio VEN 19.1.0 release.
Supported for any Mac OS supported with the Illumio endpoint VEN 23.2.0 release.
Solaris and AIX workloads are not supported.
FQDNs can be used only on the destination side of a rule: visibility and enforcement where the source of the traffic is specified as a DNS hostname are not supported.
FQDNs can be described in IP lists or virtual services, but not in an unmanaged workload interface.
Only one FQDN (wildcard supported) can be specified when using virtual services. IP lists can support a list or a group of FQDNs.
A mix of virtual services and IP lists is supported.
A period character is not supported in a wildcard. For example, www.server*.mycorp.com matches www.server1.mycorp.com but not www.server1.farm2.mycorp.com.
A wildcard-only entry (specifying only “*”) is not allowed.
Important
A wildcard will not cover subdomains. For example, *.mycorp.com will not match host1.downloads.mycorp.com.
Warning
A workload can receive more than 100 FQDN entries in total across its rules. However, problems can occur once a single IP list contains more than the maximum of 100 FQDN entries.
For better performance, when you write FQDN-based rules, limit each IP list to around 100 FQDN entries.
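The wildcard rules above (a wildcard never matches a period, a wildcard-only entry is rejected, and *.mycorp.com does not cover host1.downloads.mycorp.com) are easy to misjudge when writing an IP list by hand. The following added example, which is not Illumio's matching code but a checker modelled on the behaviour this page documents, lets you test which entries of a draft IP list would cover a given destination hostname and flags lists that exceed the 100-entry guidance. The allowed-character check and the duplicate-entry finding are assumptions of this example, not documented product behaviour.

```python
import re

MAX_FQDN_ENTRIES_PER_IP_LIST = 100   # documented performance guidance for a single IP list

# Assumption: entries consist of lowercase letters, digits, hyphen, dot, and '*'.
_ALLOWED = re.compile(r"^[a-z0-9.\-*]+$")

def validate_entry(entry):
    """Normalize an FQDN/wildcard entry and reject forms the page says are not allowed."""
    e = entry.strip().lower().rstrip(".")
    if not e:
        raise ValueError("empty entry")
    if e == "*":
        raise ValueError("a wildcard-only entry ('*') is not allowed")
    if not _ALLOWED.match(e) or ".." in e or e.startswith("."):
        raise ValueError(f"malformed entry: {entry!r}")
    return e

def entry_to_regex(entry):
    """'*' matches any run of characters within ONE label and never a '.',
    so a wildcard cannot cross a subdomain boundary."""
    parts = [re.escape(p) for p in validate_entry(entry).split("*")]
    return re.compile("^" + "[^.]*".join(parts) + "$")

def fqdn_matches(entry, fqdn):
    """True if the destination hostname is covered by this IP-list entry."""
    return entry_to_regex(entry).match(fqdn.strip().lower().rstrip(".")) is not None

def covering_entries(entries, fqdn):
    """Which entries of an IP list would cover a given destination hostname."""
    return [e for e in entries if fqdn_matches(e, fqdn)]

def check_ip_list(entries):
    """Validate every entry; return human-readable findings (an empty list means clean)."""
    findings, seen = [], set()
    for e in entries:
        try:
            n = validate_entry(e)
        except ValueError as exc:
            findings.append(f"invalid: {exc}")
            continue
        if n in seen:
            findings.append(f"duplicate: {n}")   # assumption: duplicates are worth flagging
        seen.add(n)
    if len(entries) > MAX_FQDN_ENTRIES_PER_IP_LIST:
        findings.append(f"{len(entries)} FQDN entries exceed the recommended maximum of "
                        f"{MAX_FQDN_ENTRIES_PER_IP_LIST} for one IP list")
    return findings

if __name__ == "__main__":
    # constructed draft IP list and destination hostnames
    ip_list = ["*.mycorp.com", "www.server*.mycorp.com", "registry.redhat.io"]
    for host in ["downloads.mycorp.com", "host1.downloads.mycorp.com",
                 "www.server1.mycorp.com", "www.server1.farm2.mycorp.com"]:
        print(f"{host:32} covered by {covering_entries(ip_list, host)}")
    print(check_ip_list(ip_list + ["*"]))
```

Running the script shows the page's own examples: www.server1.mycorp.com is covered only by www.server*.mycorp.com (the *.mycorp.com entry does not cover it either, because "www.server1" spans two labels), and host1.downloads.mycorp.com and www.server1.farm2.mycorp.com are covered by nothing in the list. If a destination you need comes back uncovered, add an entry for that exact label depth rather than widening the wildcard.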