Unified Policy

This topic explains the unified policy capability of the Illumio Zero Trust Platform.

Overview

Three policy tabs are available in the Policies menu:

  • All Policies: This tab includes all policy types, described below
  • Organization Policies: Considered guardrail policies, they prevent application policies from allowing undesired traffic. These policies apply to all scopes. See Writing Organization Policy.
  • Application Policies: Security teams can drive segmentation policies to control network traffic using Illumio labels, services, and IP/IP lists to define what can talk to applications, what data can be transferred from an organization's network, and so forth. Creating application policies is critical to minimizing an attacker's lateral movement. See Writing Application Policy.

For distinctions between organization and application policy, see Organization Policy versus Application Policy.

From each of the above tabs, you can write policies for policy objects that span both the cloud and the datacenter:

  • Services
  • IP Lists
  • Labels
  • User Groups
  • Label Groups
  • Virtual Services
  • Virtual Servers

Illumio allows or denies traffic between applications using policies that you write. In order to write application policies, you must create rules for the policy. Illumio has the following types of rules for application policies:

  • Override Deny Rules

    This rule type is typically used to deny communication between sources and destinations that might inadvertently be given allow rules by another administrator. Override Deny rules take precedence over all other types of rules.

  • Allow Rules

    You can write rules that allow communication between sources and destinations.

  • Deny Rules

    You can write rules that deny communication between sources and destinations.

  • Custom IPtables Rules
    You can write rules for Linux workloads.

Notices

  • Scopes and role-based access control (RBAC) remain the same as in previous releases

  • Allow rules function the same as in previous releases

  • Override Deny rules are now supported

  • Override Deny rules take precedence over Allow Rules. They block traffic with no exceptions.

  • Deny rules can be scoped and support RBAC

  • Deny rules are introduced in policies to support scope and RBAC

  • “Global” Deny rules (also known as enforcement boundaries) will be deprecated. Illumio recommends that you move legacy deny rules into policies. See the Guidelines section of Writing Organization Policy.