VEN Firewall Tampering Detection
The PCE distributes the latest policy applicable to each workload to ensure that the VEN receives the latest policy updates. The VEN internally creates and maintains a set of meta information of these rules, which it uses to detect tampering.
Automatic History of Firewall Changes
Changes to the firewall on a workload are recorded as an audit trail. Up to 10 firewall changes are kept in this history, which can be viewed in the PCE Support Reports.
Host Firewall Tampering Protection
If a host firewall is tampered with, firewall tampering protection starts the firewall validation procedure. If the validation finds that any of the rules added by Illumio Xpress have been tampered with, the restoration procedure starts.
The restoration procedure first attempts to fetch a new security policy from the PCE. If that fails because of a network connectivity issue, the last known good copy of the policy stored locally on the workload can be recovered instead. The final step validates the recovered policy against the policy's meta information. The tampering attempt is reported to the PCE as an agent.tampering event.
A host firewall tampering event occurs when another administrator or an attacker:
- Adds a firewall rule to the Illumio Xpress firewall compartment.
- Modifies a firewall rule added by Illumio Xpress.
- Deletes a firewall rule added by Illumio Xpress.
- Deletes all firewall rules (flush) added by Illumio Xpress.
By design, Illumio Xpress only attempts to detect tampering with its own firewall policy; it does not monitor firewall rules that belong to other software or administrators.
Workload OS | Tampering Detection
---|---
Linux | The VEN monitors any underlying iptables and ipset changes. Once the VEN detects a tampering attempt, it validates the snapshot of iptables/ipset against the firewall policy validation meta information.
Windows | The VEN monitors any changes in the Windows Filtering Platform (WFP) layer. If it detects a change, it starts the validation and restore procedure.
AIX/Solaris | On AIX (all versions) and Solaris (versions before 11.4), the VEN monitors any underlying ipfilter changes. Once the VEN detects a tampering attempt, it validates the snapshot of ipfilter against the firewall policy validation meta information. On Solaris versions 11.4 and later, the VEN checks packet filter. On AIX and Solaris, the feature is enabled by default and updated every 10 minutes.
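The validate-and-restore cycle described above, worked through on a Linux-style snapshot as an added example (this is illustrative code, not the VEN's implementation). The chain name, the sample policy and the tampered `iptables -S` snapshot are constructed; the "meta information" is modelled as a rule count plus an order-sensitive digest, and only the managed chain is checked, matching the scope rule above.

```python
import hashlib

MANAGED_CHAIN = "ILLUMIO_INPUT"  # hypothetical chain name, not Illumio's real one
POLICY_RULES = [  # constructed sample policy, `iptables -S` syntax
    "-A ILLUMIO_INPUT -p tcp --dport 22 -m set --match-set admins src -j ACCEPT",
    "-A ILLUMIO_INPUT -p tcp --dport 443 -j ACCEPT",
    "-A ILLUMIO_INPUT -j DROP",
]
TAMPERED_SNAPSHOT = """\
-A INPUT -j ILLUMIO_INPUT
-A ILLUMIO_INPUT -p tcp --dport 22 -m set --match-set admins src -j ACCEPT
-A ILLUMIO_INPUT -p tcp --dport 8080 -j ACCEPT
-A ILLUMIO_INPUT -p tcp --dport 443 -j ACCEPT
-A ILLUMIO_INPUT -j DROP
"""  # constructed snapshot: someone inserted an extra ACCEPT into the managed chain

def policy_meta(rules):
    """Meta information kept beside the policy: rule count and an order-sensitive digest."""
    h = hashlib.sha256()
    for r in rules:
        h.update(r.encode() + b"\n")
    return {"count": len(rules), "digest": h.hexdigest()}

def managed_rules(snapshot):
    """Only the managed chain is in scope; rules in other chains are ignored."""
    return [ln.strip() for ln in snapshot.splitlines()
            if ln.strip().startswith(f"-A {MANAGED_CHAIN} ")]

def classify(expected, snapshot):
    """None when the snapshot matches the meta info, else 'flush', 'add', 'delete' or 'modify'."""
    meta, current = policy_meta(expected), managed_rules(snapshot)
    if policy_meta(current)["digest"] == meta["digest"]:
        return None
    if not current:
        return "flush"
    if len(current) > meta["count"] and all(r in current for r in expected):
        return "add"
    if len(current) < meta["count"] and all(r in expected for r in current):
        return "delete"
    return "modify"

def restore(expected, fetch_from_pce, last_known_good):
    """Prefer a fresh policy from the PCE; on a connectivity failure use the local copy, then validate it."""
    meta = policy_meta(expected)
    try:
        candidate, source = fetch_from_pce(), "pce"
    except ConnectionError:
        candidate, source = last_known_good, "local"
    if policy_meta(candidate)["digest"] != meta["digest"]:
        raise ValueError("candidate policy fails validation against meta information")
    return source, candidate
```

The `classify` result maps onto the four tampering kinds listed above, and `restore` shows why a local copy that fails the meta check must not be applied blindly.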
Host Firewall Tampering Alerts
Host firewall tampering alerts can be viewed:
- On the host VEN
- In the PCE web console
- In the return from a query in Splunk or other SIEM software
Splunk or Other SIEM Software
If you send VEN events received by the PCE to Splunk or other SIEM software, query for agent.tampering events in accordance with the SIEM vendor's query procedures.