The Illumio Xpress Policy Model

Illumio Xpress gives you the option to manage your security policies by using either adaptive or static policy. Choosing how to implement security policy is possible because of the Illumio Xpress policy model. 

About the Illumio Xpress Policy Model

The Illumio Xpress security policy for securing workloads differs from traditional network security policies. Traditional security policies use network constructs, such as VLANs, zones, and IP addresses to tie security to the underlying network infrastructure.

In contrast, the Illumio Xpress security policy uses a multidimensional label system to sort and describe the function of workloads. By describing workload functionally, policy statements are clear and unambiguous. Illumio Xpress users assign four-dimensional labels to their workloads to identify their roles, applications, environments, and locations. Additionally, users specify labels for rulesets and in the providers and consumers components of rules, which allows the workloads in their organization to communicate with each other.

Together, labeling workloads and creating the corresponding rulesets and rules define the security policies for workloads. The PCE converts these label-based security policies into the appropriate rules for the OS-level firewalls of the workloads.

See the following related topics:

• Labels and Label Groups for a description of each label type
• Workloads in the PCE for information about how workloads use labels and for the steps to assign labels to workloads
• Rulesets and Rules for information about using labels in rulesets and rules

Enforcement States

After creating a ruleset, you can preview the effects in Illumination using the Draft View. This view shows you the changes that will be enacted by your policy when it is enforced.

• Visibility Only: After refining your initial policy, most of the traffic lines in Illumination should be green. No traffic will be blocked and you can check your policy's accuracy. Any new traffic will be displayed as a red line.
• Selective Enforcement: Enables you to protect applications or processes on workloads while other services and ports function as if the workloads are in the Visibility Only enforcement state. By using selective enforcement, you can gradually expand the enforcement of policy on your workloads. Using the selective enforcement state is useful for temporarily enforcing security for specific ports in case a vulnerability is detected and action must be taken quickly. Using the selective enforcement state enables security enforcement before you are able to create complete allowlists of what traffic is allowed to reach your workloads.
• Full Enforcement: It is useful to move workloads to the Full Enforcement state in stages. This action can be done by workload, by application, by environment, or by data center. Start with less critical applications or workloads, stabilize them, then move on to more sensitive systems. This approach minimizes issues to a smaller number of affected workloads.

Understanding Rulesets and Rules

Rules are an integral component of the Illumio Xpress security policy. A set of rules is known as a “ruleset” and it specifies the allowed traffic in your network. Create the rules using labels that identify your workloads. See Labels and Label Groups for more information.

The Illumio Xpress allowlist model The allowlist model means that you must specifically define what traffic is allowed to communicate with your managed workloads; otherwise, it is blocked by default. It follows a trust-centric model that denies everything and only permits what you explicitly allow—a better choice in today’s data centers. The list of what you do want to connect in your data center is much smaller than what you do not want to connect. for security policy uses rules to define the allowed communication for two or more workloads. For example, if you have two workloads that comprise a simple application — a web server and a database server — to allow these two workloads to communicate, you must write a rule that describes this relationship.

For example, in the following diagram: 

The relationships between the tiers (or workloads, as they are known in Illumio Xpress) in this example are:

• The Web workload can initiate communications with the App workload (Web → App).
• The App workload can initiate communications with the Database workload (App → Database).

In Illumio Xpress, the relationship in the diagram above is expressed as two separate rules:

• The Web workload can initiate communications with the App workload.
• The App workload can initiate communications with the Database workload.

To build your network security policy, create a ruleset for each of your workloads. Use labels to identify your workloads and to apply the rulesets to multiple workloads at once. For more information, see Labels and Label Groups and Rulesets

Overview of Policy Objects

The PCE contains the following policy objects that help you write your security policy:

• Labels and Label Groups: Group similar labels together and use the label groups in rule writing.
• Services Allow you to define or discover existing services on your workloads. When a workload is paired with the PCE (has a VEN installed), it is scanned for any running processes, which are then displayed in the Services list.
• Virtual Services: Allow you to label processes or services on workloads. Virtual services can either be used directly in rules or the labels applied to virtual services can be used to write rules.
• IP Lists: Create IP lists (allowlists) so you can define IP addresses, IP ranges, and CIDR blocks that should be allowed access to your applications.
• Pairing Profiles and Scripts: Configurations that allows you to apply certain properties to workloads as they pair with the PCE, such as applying labels and setting workload enforcement.