Unified Policy
This topic explains the unified policy capability of the Illumio Zero Trust Platform.
Overview
Three policy tabs are available in the Policies menu:
- All Policies: This tab includes all policy types, described below.
- Organization Policies: Considered guardrail policies, they prevent application policies from allowing undesired traffic. These policies apply to all scopes. See Writing Organization Policy.
- Application Policies: Security teams can drive segmentation policies to control network traffic using Illumio labels, services, and IP/IP lists to define what can talk to applications, what data can be transferred from an organization's network, and so forth. Creating application policies is critical to minimizing an attacker's lateral movement. See Writing Application Policy.
For distinctions between organization and application policy, see Organization Policy versus Application Policy.
From each of the above tabs, you can write policies for policy objects that span both the cloud and the datacenter:
- Services
- IP Lists
- Labels
- User Groups
- Label Groups
- Virtual Services
- Virtual Servers
Illumio allows or denies traffic between applications using policies that you write. To write an application policy, you create rules for it. Illumio has the following types of rules for application policies:
- Override Deny Rules: This rule type is typically used to deny communication between sources and destinations that might inadvertently be given allow rules by another administrator. Override Deny rules take precedence over all other types of rules.
- Allow Rules: You can write rules that allow communication between sources and destinations.
- Deny Rules: You can write rules that deny communication between sources and destinations.
- Custom IPtables Rules: You can write custom iptables rules for Linux workloads.
Notices
- Scopes and role-based access control (RBAC) remain the same as in previous releases.
- Allow rules function the same as in previous releases.
- Override Deny rules are now supported.
- Override Deny rules take precedence over Allow rules. They block traffic with no exceptions.
- Deny rules can be scoped and support RBAC.
- Deny rules are introduced in policies to support scope and RBAC.
- "Global" Deny rules (also known as enforcement boundaries) will be deprecated. Illumio recommends that you move legacy deny rules into policies. See the Guidelines section of Writing Organization Policy.
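The following is an added example, not Illumio code or its evaluation algorithm, that models how the rule types listed above combine on a label-based policy: Override Deny wins over everything else regardless of the order rules were written in, and a flow covered by no Allow rule is denied by default. The workload inventory, labels, rule names and services are constructed for illustration. That Override Deny is evaluated first is what this page states; placing Allow ahead of Deny in the precedence tuple is an assumption of this model, not something the page specifies.

```python
"""Toy model of rule-type precedence in a label-based segmentation policy."""
from dataclasses import dataclass
from typing import Optional

# Constructed workload inventory (example data, not Illumio's): name -> labels.
WORKLOADS = {
    "web-01":  {"role": "web",  "app": "store", "env": "prod"},
    "db-01":   {"role": "db",   "app": "store", "env": "prod"},
    "jump-01": {"role": "jump", "app": "ops",   "env": "prod"},
    "dev-01":  {"role": "web",  "app": "store", "env": "dev"},
}

# Rule kinds ordered by precedence. Override Deny first is what the page states;
# Allow ahead of Deny is an assumption of this model (the page does not say it).
PRECEDENCE = ("override_deny", "allow", "deny")


@dataclass(frozen=True)
class Rule:
    kind: str                        # one of PRECEDENCE
    source: dict                     # label selector; {} matches every workload
    destination: dict
    service: Optional[tuple] = None  # (proto, port) or None for "any service"
    name: str = ""


def selector_matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every label it names is present with that value."""
    return all(labels.get(k) == v for k, v in selector.items())


def rule_matches(rule: Rule, src: str, dst: str, service: tuple) -> bool:
    return (selector_matches(rule.source, WORKLOADS[src])
            and selector_matches(rule.destination, WORKLOADS[dst])
            and rule.service in (None, service))


def evaluate(rules, src: str, dst: str, service: tuple):
    """Return (decision, reason) for one flow.

    All matching rules are collected first, then the highest-precedence kind
    among them decides, so the order rules were written in never matters.
    """
    matched = [r for r in rules if rule_matches(r, src, dst, service)]
    for kind in PRECEDENCE:
        hit = next((r for r in matched if r.kind == kind), None)
        if hit is not None:
            return ("allow" if kind == "allow" else "deny", hit.name)
    # Allowlist model: a flow no Allow rule covers is denied by default.
    return ("deny", "default-deny: no rule matched")


# Constructed example policy (rule names are illustrative).
POLICY = [
    Rule("allow", {"role": "web", "app": "store"}, {"role": "db", "app": "store"},
         ("tcp", 5432), name="allow store web -> store db"),
    Rule("deny", {}, {"role": "db"}, ("tcp", 5432),
         name="deny any -> db on tcp/5432"),
    Rule("override_deny", {"env": "dev"}, {"env": "prod"}, None,
         name="override deny dev -> prod (any service)"),
]


def audit(rules, flows):
    """Evaluate a list of (src, dst, service) flows against a rule set."""
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [
        ("web-01", "db-01", ("tcp", 5432)),   # allow beats the broad deny
        ("dev-01", "db-01", ("tcp", 5432)),   # override deny beats the allow
        ("jump-01", "db-01", ("tcp", 5432)),  # only the deny rule matches
        ("jump-01", "web-01", ("tcp", 22)),   # nothing matches: default deny
    ]
    for (src, dst, (proto, port)), (decision, reason) in audit(POLICY, flows).items():
        print(f"{src} -> {dst} {proto}/{port}: {decision} ({reason})")
```

Reversing the order of POLICY gives the same decisions, which is the property a reviewer should check when an Override Deny rule is added to guard against an over-permissive Allow rule written by someone else.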