VEN Firewall Tampering Detection

The PCE distributes the latest policy applicable to each workload so that the VEN always holds the current policy. The VEN internally creates and maintains a set of meta information about these rules, which it uses to detect tampering.

Automatic History of Firewall Changes

Changes to the firewall on a workload are recorded as an audit trail. Up to 10 changes are kept in the firewall history, which is viewable in the PCE Support Reports.

Host Firewall Tampering Protection

If a host firewall is tampered with, firewall tampering protection starts the firewall validation procedure. If validation finds that any of the Illumio Xpress-added rules have been tampered with, the restoration procedure starts.

The procedure first attempts to fetch a new security policy from the PCE; if that fails because of a network connectivity issue, the last known good copy of the policy stored locally can be recovered instead. The last step is validating the policy against the meta information of the policy. The tampering attempt is reported to the PCE as an agent.tampering event.

A host firewall tampering event occurs when another administrator or an attacker:

  • Adds a firewall rule to the Illumio Xpress firewall compartment.
  • Modifies a firewall rule added by Illumio Xpress.
  • Deletes a firewall rule added by Illumio Xpress.
  • Deletes all firewall rules (flush) added by Illumio Xpress.

Illumio Xpress detects tampering attempts against the Illumio Xpress firewall policy only, not against firewall rules it does not manage.

Tampering Detection by Workload OS

Linux

The VEN monitors any underlying iptables and ipset changes. Once the VEN detects a tampering attempt, it validates the snapshot of iptables/ipset against the firewall policy validation meta information.
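The comparison described above, as an added illustration that is not Illumio's code: a snapshot of the managed chain is checked against stored meta information (here an ordered rule list plus a SHA-256 digest, an assumed representation), and a mismatch is classified into the four tampering cases listed earlier (added, modified, deleted, flushed). The iptables-save excerpt, the XPRESS_IN chain name and the xpress_allow ipset are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed iptables-save excerpt. XPRESS_IN is a placeholder chain name,
# not the VEN's real chain, and xpress_allow is a placeholder ipset.
BASELINE = """\
*filter
:INPUT ACCEPT [0:0]
:XPRESS_IN - [0:0]
-A INPUT -j XPRESS_IN
-A XPRESS_IN -m set --match-set xpress_allow src -p tcp --dport 22 -j ACCEPT
-A XPRESS_IN -p tcp --dport 443 -j ACCEPT
-A XPRESS_IN -j DROP
COMMIT
"""

def chain_rules(dump: str, chain: str) -> List[str]:
    """Ordered rule bodies appended to `chain` in an iptables-save dump."""
    prefix = f"-A {chain} "
    return [ln[len(prefix):].strip() for ln in dump.splitlines() if ln.startswith(prefix)]

def policy_meta(dump: str, chain: str) -> Dict[str, object]:
    """Validation meta information kept beside the applied policy (assumed layout)."""
    rules = chain_rules(dump, chain)
    digest = hashlib.sha256("\n".join(rules).encode()).hexdigest()
    return {"chain": chain, "rules": rules, "digest": digest}

def classify(meta: Dict[str, object], snapshot: str) -> str:
    """Compare a fresh snapshot with the meta information and name the change."""
    expected = list(meta["rules"])
    current = chain_rules(snapshot, str(meta["chain"]))
    if hashlib.sha256("\n".join(current).encode()).hexdigest() == meta["digest"]:
        return "none"
    if expected and not current:
        return "flushed"            # every managed rule is gone (iptables -F / -X)
    if len(current) > len(expected) and all(r in current for r in expected):
        return "added"              # a foreign rule was inserted into the managed chain
    if len(current) < len(expected) and all(r in expected for r in current):
        return "deleted"            # one or more managed rules were removed
    return "modified"               # a rule body or the rule order changed

def tamper_event(meta: Dict[str, object], snapshot: str) -> Optional[Dict[str, str]]:
    """Event a monitor would report, or None when the chain is intact."""
    change = classify(meta, snapshot)
    if change == "none":
        return None
    return {"event": "agent.tampering", "chain": str(meta["chain"]), "change": change}

if __name__ == "__main__":
    meta = policy_meta(BASELINE, "XPRESS_IN")
    # Constructed snapshot in which the HTTPS rule was rewritten to allow HTTP.
    print(tamper_event(meta, BASELINE.replace("--dport 443", "--dport 80")))
```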

Windows

The VEN monitors any changes in the Windows Filtering Platform (WFP) layer. If it detects a change, it starts the validation and restore procedure.

AIX/Solaris

On AIX (all versions) and Solaris (versions before 11.4), the VEN monitors any underlying ipfilter changes. Once the VEN detects a tampering attempt, it validates the snapshot of ipfilter against the firewall policy validation meta information.

On Solaris versions 11.4 and later, the VEN checks Packet Filter (PF) instead.

On AIX and Solaris, tampering detection is enabled by default and runs every 10 minutes.

Host Firewall Tampering Alerts

Host firewall tampering alerts can be viewed:

  • On the host VEN
  • In the PCE web console
  • In the results of a query in Splunk or other SIEM software

Splunk or Other SIEM Software

If you forward the VEN events received by the PCE to Splunk or other SIEM software, query for agent.tampering events according to the SIEM vendor's query procedures.