Segmentation Templates

Applications can be a complex set of services and processes with different components that communicate with other applications. For example, you might find an application in your Illumination map that has many processes communicating through several ports to connect to and receive connections from Active Directory. Some of these processes, such as Netlogon, can use 10,000 or more dynamic ports while communicating with Active Directory, and the ports in use at any given time can be unpredictable. Creating security policy for these types of applications is a complex and time-consuming endeavor.

Overview of Segmentation Templates

To deliver Segmentation Templates, Illumio leveraged our knowledge of enterprise applications, such as Active Directory, Exchange, and SharePoint, because we know the services and the different processes that these applications use.

Illumio Segmentation Templates provide prepackaged, tested security policies that provide all the segmentation rules needed for common enterprise applications. They can be deployed in minutes; thereby reducing the time it takes to protect key computing assets. They simplify the definition and implementation of security policy while reducing errors and preventing security gaps for widely-used, business critical applications.

Each Segmentation Template serves two purposes. First, Illumio customers can see an example of how to add the security policies required to protect the application in question. Second, customers can use the Segmentation Template as designed to secure the application quickly in their organization.

When you install a Segmentation Template, the PCE web console automatically adds the necessary policy objects (such as services, rulesets, and labels) to allow the communication required for that application.

Catalog Retrieved from Support Portal

When you go to the Segmentation Templates page, the PCE web console automatically retrieves the latest Segmentation Templates catalog from the Illumio Support portal and displays it in the web console.

Segmentation Templates from the Support Portal

To manually locate the catalog on the Illumio Support portal:

  1. From the PCE web console menu, choose Policy Objects > Segmentation Templates.

    A dialog box appears prompting you to log into the Illumio Support portal. (While you are logged into the PCE web console, you only have to log into the Illumio Support portal once.)

  2. Click Log In and, if prompted, enter your Illumio Support portal username and password. (Illumio Secure Cloud customers are automatically logged into the Illumio Support portal.)

    NOTE:

    Internet connectivity is not required to use the Segmentation Templates. When you are connecting to the PCE web console from a device that does not have internet connectivity, you must access the Illumio Support portal from another device that has internet connectivity and download the templates locally to that device before you can use them. See Upload a Segmentation Template.

    The Illumio Support portal automatically redirects you back to the Segmentation Templates page and the templates appear in the page. The templates are organized by operating system.

  3. To view the contents of a Segmentation Template, click its name or icon.

    The Segmentation Template details page describes the template and lists all the policy objects that belong to the template. Policy objects appear as hyperlinks when they have already been installed by another template. (Templates can share policy objects.)

Features of Segmentation Templates

Segmentation Templates share the following key features.

Template Contents

Each Segmentation Template adds an associated group of unique, non-overlapping, predefined services, and can contain any of the following policy objects:

  • Labels
  • Label groups
  • IP lists
  • Rulesets

Some templates contain all the rulesets, services, and labels needed to secure a given application. Other templates contain port-based service definitions only.

Dynamic Processes and Ports

Using Segmentation Templates is especially useful in Microsoft environments, which must accommodate a range of dynamically used ports for RPC. Other Microsoft applications (such as Active Directory) require opening dynamic port ranges. Rather than opening only the ports in use, network-based solutions leave open an entire range of ports, effectively leaving the security environment wide open.

The Illumio PCE is service and process aware. Because of this, installing Segmentation Templates can protect against dynamic processes (like Netlogon) and add the correct policy to open only the ports that are active at any given time.

Segmentation Templates are designed to use the specific processes and paths used by the server rather than dynamic port ranges, and to apply the exact set of fine-grained segmentation rules required for protection.

Sharing Policy Objects

Services, labels, label groups, and IP lists can be used by more than one Segmentation Template. A ruleset, however, is never used by multiple templates.

Identifying Policy Objects Added by Templates

You can identify all objects added to the PCE that are part of Segmentation Templates. In the External Data Set field of the object’s details page, the PCE identifies these policy objects by labeling them using the following convention:

IST – type_of_object

(Where IST stands for Illumio Segmentation Template)

Additionally, the PCE provides full names to increase readability. For example, “IST - [AD] - Client to Domain Controller” appears as “IST - Active Directory Client to Domain Controller.”

Segmentation Template Prerequisites and Limitations

Segmentation Templates are bound by the following prerequisites and limitations.

Internet Connectivity

Internet connectivity is not required to use the Segmentation Templates. For example, you might be connecting to the PCE web console from a device that does not have internet connectivity.

Illumio stores the Segmentation Templates on the Illumio Support portal. When the device from which you are connecting to the PCE web console does not have internet connectivity, you can connect to the Illumio Support portal over the internet using another device and download the Segmentation Templates locally, then upload them to the PCE web console from that device.

When you choose Policy Objects > Segmentation Templates from the PCE web console, you are prompted to log into the Illumio Support portal to download the templates. When you do not have internet connectivity from your device and have already downloaded the templates to another device, you can skip this step.

See Catalog Retrieved from Support Portal for information.

Upgrade Policy Object Installed by Segmentation Templates

The PCE recognizes when policy objects are installed by Segmentation Templates from the values in the External Data Reference field. Therefore, if you installed a Segmentation Template prior to 17.2 or you modified the contents of this field for an object, the PCE cannot recognize that a template installed the object and you cannot update it while updating the template.

Unique Names for Labels, Label Groups, and IP Lists

In the PCE web console, the names of policy objects must be unique. For example, when you have an existing label, label group, or IP list that has the same name as a label, label group, or IP list in a template, the template installation will end and prompt you to change the name of the policy object in your organization.

NOTE:

In Segmentation Templates, policy objects are named using the following convention: IST – type_of_object

Delete Labels Associated with Segmentation Templates

When you have provisioned a ruleset or label group associated with a template, the labels associated with the template cannot be removed until the rulesets and label groups are removed and the removal is provisioned.

About Editing Segmentation Templates

Installing a Segmentation Template adds a predefined set of services and can add labels, label groups, IP lists, and rulesets.

Editing a policy object associated with a Segmentation Template is no different from editing any other policy object in the PCE web console. Also, the display and designation of a Segmentation Template does not change in the PCE web console after you edit the policy objects associated with it.

However, before you edit the policy objects installed by a Segmentation Template, you should be aware of the following caveats.

Edit the Names or IDs of Policy Objects

The PCE assigns each policy object associated with a template an ID number, which the PCE web console displays in the Description and External Data Reference fields of the object details or Summary pages.

The PCE tracks all objects associated with Segmentation Templates by their names. In Segmentation Templates, these policy objects are named using the following convention:

IST – type_of_object

Changing the policy object name does not affect the PCE validation that it is installed; however, using the Illumio API to edit the External Data Reference field does affect the PCE validation that it is installed.

NOTE:

Illumio strongly recommends you do not change the IDs in the External Data Reference fields.

Deleting Policy Objects or Editing Their Attributes

Deleting policy objects associated with templates or editing their attributes is subject to the following caveats:

  • When you remove a policy object associated with a template after the template is installed, the PCE will re-add the object when the template is updated.

    For example, you remove the common LDAP service, which is associated with a Segmentation Template. When Illumio releases an update for the template, installing that update will re-add the common LDAP ports to the PCE.

  • When you edit the attributes of policy objects associated with a template (for example, edit the ports or protocols of a service, or the scope or rules of a ruleset), the PCE web console will prompt you to specify whether to preserve or overwrite your changes when you update the template to the next version.

Install a Segmentation Template

  1. Retrieve the Segmentation Template Catalog.

    When a template has not been installed, an Install button appears on the page.

  2. Click Install.

    The end user licensing agreement (EULA) appears.

  3. Accept the EULA and click Continue.

    Before the PCE installs the template, it checks that the policy objects required by the template don’t conflict with any existing policy objects in your organization. The time that the check takes depends on the number of policy objects in your organization. When the PCE finds any conflicts during the check, it cancels the installation and doesn’t install any policy objects. You are prompted to rename the conflicting objects.

    When the check is successful, the PCE adds the included policy objects in Draft mode so that you can review or edit them before provisioning them. See Provisioning for more information.

    As the policy objects are added, links to the objects appear in the template details page.

    NOTE:

    Global policy objects—such as All Services and Any (0.0.0.0/0 and ::/0)—don’t include links in the Segmentation Template details page to the objects.

Upload a Segmentation Template

Internet connectivity is not required to use the Segmentation Templates. However, Illumio stores them on the Illumio Support portal. When you are connecting to the PCE web console from a device that does not have internet connectivity, you can retrieve the templates using another device (which has internet connectivity), then manually upload them to the PCE web console so that you can install or update them.

When you download a Segmentation Template from the Illumio Support portal, you save the template locally as a JSON file.

  1. Log into the Illumio Support portal with your Illumio Support username and password.
  2. Click Tools > Illumio Segmentation Templates.
  3. Navigate to the Segmentation Templates and download them locally.
  4. Log into the PCE web console and choose Policy Objects > Segmentation Templates.

    The Segmentation Templates dialog box appears.

  5. Click Load File.

    A dialog box appears prompting you to specify the Segmentation Template file to upload.

  6. Click Choose File.

    A file explorer appears.

  7. Navigate to the file and click Open.

    The Segmentation Templates dialog box reappears.

  8. Click Load.

    The page refreshes and a tile for the Segmentation Template appears in the page.

Update a Segmentation Template

Updating a Segmentation Template to a later version can edit or add services, rulesets, labels, label groups, or IP lists. However, updating a template never removes policy objects added by a previous version.

NOTE:

Later versions of templates are fully backwards compatible with previous versions.

  1. Retrieve the Segmentation Template Catalog.

    When a new version of a Segmentation Template is available for a template that you have installed, the template has an Update button.

  2. Click Update.

    If you edited the Segmentation Template after installing it, a dialog box appears prompting you to specify how to install the new version. For example, you added a new port and protocol to a service added by the template. You can revert the template to the Illumio list of ports and protocols for that service or keep your changes.

  3. If necessary, choose how to handle template changes:

    • Overwrite: The PCE replaces the policy objects that you edited with the version in the new template and removes the word “edited” after the ID number in the External Data Reference field.
    • Preserve Changes: Your changes to the policy objects added by the template are kept.

NOTE:

If you have edited multiple policy objects associated with a template, you must choose whether to overwrite or preserve all your changes. You cannot overwrite some and preserve some.

The PCE updates the version numbers of all policy objects associated with the template even when the new template changes only a subset of the objects associated with the template.

NOTE:

Segmentation Templates can share policy objects; therefore, a policy object can have a later version than a template it’s associated with because the object was updated by another template. For example, you can have version 1 of a template installed and it includes version 2 of some policy objects.

Uninstall a Segmentation Template

  1. Retrieve the Segmentation Template Catalog.

    After you install a Segmentation Template, an Uninstall button appears on the page.

  2. Click Uninstall.

    When you uninstall a Segmentation Template, the PCE removes all the policy objects that are associated with that template except when an object is in use. Policy objects that are shared with other installed templates are not removed. Policy objects that have been added to other policy objects are not removed; for example, a service associated with a template that you added to one of your own rulesets remains.
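As an added illustration (not Illumio code and not the PCE API), the following Python model applies the install, update, and uninstall rules described on this page to constructed policy objects: the name-conflict check that cancels an install without adding anything, re-adding of deleted objects on update, Overwrite versus Preserve Changes for edited objects, version bumps on all associated objects (including shared objects that another template may have moved to a later version), and the uninstall exceptions for shared or in-use objects. Template names, object names, and port values below are constructed.

```python
from dataclasses import dataclass, field

UNIQUE_KINDS = {"label", "label_group", "ip_list"}  # names must be unique in the PCE


@dataclass
class PolicyObject:
    kind: str
    name: str                  # page convention: "IST - type_of_object"
    version: int = 1
    attrs: tuple = ()          # constructed stand-in for ports, scope, members, ...
    edited: bool = False       # the "edited" marker after the ID number
    templates: set = field(default_factory=set)  # templates that installed it
    in_use: bool = False       # e.g. a template service added to a user's ruleset


class PCE:
    def __init__(self):
        self.objects = {}      # (kind, name) -> PolicyObject

    def conflicts(self, template):
        """Template labels/label groups/IP lists clashing with objects the org created itself."""
        return [o.name for o in template["objects"]
                if o.kind in UNIQUE_KINDS and (o.kind, o.name) in self.objects
                and not self.objects[(o.kind, o.name)].templates]

    def install(self, template, overwrite=False):
        """Install or update: a conflict cancels everything; an update never removes objects."""
        clashes = self.conflicts(template)
        if clashes:
            return clashes
        for o in template["objects"]:
            cur = self.objects.get((o.kind, o.name))
            if cur is None:                     # new, or deleted by a user: (re-)added
                cur = self.objects[(o.kind, o.name)] = PolicyObject(o.kind, o.name)
            if not cur.edited or overwrite:     # Preserve Changes keeps edited attrs
                cur.attrs, cur.edited = o.attrs, False
            cur.version = max(cur.version, template["version"])  # bumped for all; shared may be newer
            cur.templates.add(template["name"])
        return []

    def edit(self, kind, name, attrs):
        obj = self.objects[(kind, name)]
        obj.attrs, obj.edited = attrs, True

    def uninstall(self, template):
        for key, obj in list(self.objects.items()):
            if template["name"] in obj.templates:
                obj.templates.discard(template["name"])
                if not obj.templates and not obj.in_use:  # shared or referenced objects stay
                    del self.objects[key]
```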