Policy Sets are logical groupings of policies that can be applied to specific sites or groups of policy enforcement points within an organization. By organizing policies into sets, administrators can define and enforce different policies tailored to the needs of individual sites or business units, which matters more as segmentation efforts expand. This allows for more granular enforcement and keeps policies aligned with the characteristics and operational environment of each site. This article gives a technical overview of Policy Sets, their benefits and practical usage, and how they contribute to a more streamlined and customizable policy management process.
Before delving into the intricacies of Policy Sets and their impact on scalability and policy management, it is important to note that this article addresses an advanced concept within the realm of network policy management. To fully grasp the content presented here, readers are expected to have a solid understanding of the Elisity architecture and Policy Constructs.
Elisity architecture encompasses the underlying framework and components that facilitate policy enforcement, management, and distribution within an organization's network infrastructure. Familiarity with Elisity's architectural principles and its role in network security is crucial for comprehending the nuances of Policy Sets. The articles below serve as an introduction to the Elisity architecture.
Policy Constructs refer to the fundamental building blocks of policy management in Elisity, including Policy Groups and the Policy Matrix. These constructs serve as the foundation upon which Policy Sets are built. To appreciate the benefits and technical intricacies of Policy Sets, a working knowledge of Policy Constructs is essential. Read the articles below for more information on Policy Constructs.
Policy Set Structure
Core Policy Set
The Core Policy Set is the default, unmodifiable Policy Set that contains every Policy Group defined within your organization. As a reminder, Policy Groups are collections of assets, defined by common match criteria, that serve as policy endpoints. The Core Policy Set is distributed to every Virtual Edge (and its associated Virtual Edge Nodes) that has not been configured to use a different Policy Set. Think of the Core Policy Set as the default Policy Matrix before Policy Sets are enabled: it works essentially the same way. In this article we show how to move beyond the Core Policy Set and use custom-defined Policy Sets to distribute selected policies throughout your network.
Policy Groups and Policy Sets
At the most basic level, user-defined Policy Sets are selections of Policy Groups from the (Core) Policy Set. By choosing the relevant Policy Groups, organizations can create new sets of policies that align with the unique requirements of certain sites or business units. This customization capability allows for a highly adaptable and flexible policy management approach.
Policy Group Labels
Policy Groups are assigned to Policy Sets through a construct called "Policy Group Labels." A label acts as a marker linking Policy Groups to Policy Sets: a Policy Set imports every Policy Group that carries one of its labels. By adding or removing labels, administrators define and adjust the policies within a Policy Set as the requirements of sites or business units change, and they decide exactly how Policy Groups and their Policy Set assignments are organized. As the diagram below shows, a label can associate one or more Policy Groups with one or more Policy Sets, with no limit on the number or combination of Policy Groups to Policy Sets, and a Policy Group can carry multiple labels that map to multiple Policy Sets.
Site Labels and Policy Set Distribution
Policy Sets are assigned to policy enforcement points using a construct known as "Site Labels." Note that "site" here means a collection of policy enforcement points (Virtual Edges and their associated Virtual Edge Nodes), not necessarily a physical site or location. You can use Policy Sets regardless of your deployment model (Switch-Hosted Virtual Edge or Virtual Edge VM). Site Labels define the sites or groups of policy enforcement points within an organization. A Policy Set can be associated with multiple Site Labels, so one set of policies can be distributed across many sites. Each individual site, however, can have only one assigned Policy Set, which keeps enforcement at each site consistent and unambiguous.
Policy Sets are an advanced setting that should only be turned on after careful consideration and planning. Enabling Policy Sets is currently a permanent setting: once enabled, they cannot be disabled. Enabling Policy Sets changes the way you build, deploy, and manage policies, and requires additional planning to execute smoothly and to ensure that every sector of your network has the proper policies in place.
To turn on Policy Sets, go to Settings -> Security -> Advanced and enable Policy Sets by clicking the button.
Implementing Policy Sets involves the following steps.
- Administrators define Policy Groups based on discovered match criteria for assets, such as device type, vendor and model, or user AD group and department.
- Policy Group Labels are created and assigned to these Policy Groups.
- Policy Sets are created, and Policy Group Labels are selected to import the associated Policy Groups into each Policy Set.
- Site Labels are created (if not yet created) to define the sites or groups of policy enforcement points (Virtual Edges and their Virtual Edge Nodes) within the organization. Policy Sets are then associated with the appropriate Site Labels, which distributes each set of policies to the designated sites.
Note: This is one way to implement Policy Sets; the steps do not have to be performed in this particular order, and the order is quite flexible. Below is a walk-through of how to implement each of the components described above.
Create Policy Groups
Create and Assign Policy Group Labels
Policy Group Labels are used to assign Policy Groups to Policy Sets. It is very important to understand that Policy Groups are a global construct, and are shared across all Policy Sets. This means that assets are profiled at the Global or "Core" level.
This has an important implication for policy coverage. Suppose a Policy Set assigned to "Site A" excludes the Policy Group for security cameras. Cameras discovered at "Site A" will still match the Security Cameras Policy Group, assuming your Policy Group ordering is set up correctly. Because that Policy Group is missing from the Policy Set assigned to "Site A", you cannot create policies for those cameras there, leaving gaps in policy coverage for the site. This is why it is important to plan your Policy Sets carefully, observe traffic flows and discovered devices, and adapt your Policy Sets as you gain more data through Elisity.
In the illustration below, we can see our core Policy Set which contains all of our Policy Groups. We then see two additional Policy Sets that only contain select Policy Groups based on the assigned Policy Group Labels. We can then see the devices coming online at "Site-A" and "Site-B" matching to Policy Groups. However, we can see that cameras at Site A and printers at Site B match to the correct policy groups, but those PGs are not found in the Policy Set, leading to gaps in policy for each site.
Armed with the knowledge that Policy Groups are a "global" construct, you can avoid these types of scenarios. You can filter the devices page by site label, device type, and so-on to discover what kinds of devices are at each site, then build your Policy Sets to cover every device that has been discovered at that site.
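The audit the previous paragraph describes, as an added example written for this article (it is not Elisity code and uses no Elisity API): a small Python model of Policy Groups, Policy Group Labels, Policy Sets and Site Labels that profiles constructed assets globally, exactly as the text says happens, and then reports, per site, the assets whose matched Policy Group is absent from that site's Policy Set. The Policy Group names, labels, sites and devices are constructed, and the matching rules (exact attribute match, lower priority value matched first, the Unassigned group as the catch-all) are simplifying assumptions.

```python
from dataclasses import dataclass, field

CORE = "Core"              # system label carried by every user-defined Policy Group
UNASSIGNED = "Unassigned"  # system label reserved for the default Unassigned Policy Group


@dataclass
class PolicyGroup:
    name: str
    priority: int                                # lower value is matched first (assumed ordering)
    match: dict = field(default_factory=dict)    # attribute -> required value; all must match
    labels: set = field(default_factory=set)     # Policy Group Labels attached to this group


# Constructed inventory, following the hospital/clinic example in the text.
POLICY_GROUPS = [
    PolicyGroup("MRI",              10, {"device_type": "MRI"},       {CORE, "Hospital Devices"}),
    PolicyGroup("EHR Servers",      20, {"role": "ehr"},              {CORE, "Hospital Devices", "Clinic Devices"}),
    PolicyGroup("Security Cameras", 30, {"device_type": "IP Camera"}, {CORE, "Hospital Devices"}),
    PolicyGroup("Printers",         40, {"device_type": "Printer"},   {CORE, "Clinic Devices"}),
    PolicyGroup(UNASSIGNED,        999, {},                           {UNASSIGNED}),  # catch-all, matched last
]

# Policy Set -> Policy Group Labels it imports. Core is implicit and contains every group.
POLICY_SETS = {
    "Hospital": {"Hospital Devices", "Hospital Users", UNASSIGNED},
    "Clinic":   {"Clinic Devices", "Clinic Users"},   # deliberately omits the Unassigned label
}

# Site Label -> Policy Set. A Site Label with no entry is served by Core.
SITE_TO_SET = {"Hospital-A": "Hospital", "Clinic-A": "Clinic"}

# Constructed discovery data, as the devices page would show it after filtering by site label.
ASSETS = [
    {"id": "cam-01", "site": "Clinic-A",   "device_type": "IP Camera"},
    {"id": "ehr-01", "site": "Clinic-A",   "role": "ehr", "device_type": "Server"},
    {"id": "iot-07", "site": "Clinic-A",   "device_type": "Thermostat"},
    {"id": "prn-01", "site": "Hospital-A", "device_type": "Printer"},
    {"id": "mri-01", "site": "Hospital-A", "device_type": "MRI"},
    {"id": "cam-02", "site": "Clinic-B",   "device_type": "IP Camera"},
]


def match_policy_group(asset, groups=POLICY_GROUPS):
    """Profiling is global: the first group (by priority) whose criteria all match wins,
    regardless of which Policy Set is distributed to the asset's site."""
    for pg in sorted(groups, key=lambda g: g.priority):
        if all(asset.get(k) == v for k, v in pg.match.items()):
            return pg.name
    return UNASSIGNED


def policy_set_for_site(site_label, site_to_set=SITE_TO_SET):
    """Sites without a custom assignment receive the Core Policy Set."""
    return site_to_set.get(site_label, CORE)


def groups_in_policy_set(set_name, policy_sets=POLICY_SETS, groups=POLICY_GROUPS):
    """Core shows every Policy Group; a custom set shows only groups carrying one of its labels."""
    if set_name == CORE:
        return {pg.name for pg in groups}
    return {pg.name for pg in groups if pg.labels & policy_sets[set_name]}


def coverage_gaps(assets=ASSETS):
    """site -> {policy group -> [asset ids]} for assets whose matched group is absent from
    the Policy Set distributed to that site, i.e. assets that no policy can address there."""
    gaps = {}
    for asset in assets:
        pg = match_policy_group(asset)
        visible = groups_in_policy_set(policy_set_for_site(asset["site"]))
        if pg not in visible:
            gaps.setdefault(asset["site"], {}).setdefault(pg, []).append(asset["id"])
    return gaps


if __name__ == "__main__":
    for site, missing in coverage_gaps().items():
        for pg, ids in missing.items():
            print(f"{site}: {ids} match '{pg}', which is not in the "
                  f"'{policy_set_for_site(site)}' Policy Set")
```

With this data the camera at Clinic-A and the printer at Hospital-A are reported as gaps, and so is the thermostat at Clinic-A, because the Clinic set does not import the Unassigned label and so has no column for unprofiled devices. The camera at Clinic-B is not a gap: that site has no custom assignment and therefore sees the full Core matrix.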
Before creating and assigning Policy Group Labels, first consider what business units or groupings of Policy Groups would prove useful in organizing and assigning to Policy Sets. In the example and diagram above, we have chosen to create Policy Group Labels that organize our Users and Devices based on the type of site at which those assets are found. For example, you typically wouldn't find MRI machines at a clinic, but you would certainly find them at a main hospital. Electronic Health Record (EHR) servers, however, may be found at both hospitals and clinics in our organization. Knowing this, we will give our MRI Policy Group the Hospital Devices label, and our EHR Servers Policy Group will get both the Hospital Devices label and the Clinic Devices label.
Keep in mind, this is just an example. Policy Sets are very flexible, and how they are defined and assigned depends entirely on the organization's requirements. As you read through this article, think about how you would apply Policy Sets in a way that makes sense for your organization's segmentation goals.
To create a policy label, navigate to the policy dashboard, click on "Policy Group Labels" and click "+ Create Policy Group Labels."
Note: This dashboard is also where you can modify and delete Policy Group Labels by clicking "actions" in a user-created Policy Group Label.
You will notice the two system-created default Policy Group Labels. These are non-modifiable and serve an important purpose, detailed below.
The "Core" Policy Group Label is automatically assigned to every user-defined Policy Group by default, associating EVERY Policy Group with the "Core" Policy Set.
The "Unassigned" Policy Group Label is reserved for the default Unassigned Policy Group. A dedicated label for this group lets administrators include the Unassigned Policy Group in any Policy Set they choose, explicitly and unambiguously.
Note: The Core Policy Set includes the "Unassigned" Policy Group Label by default.
You can create as many Policy Group Labels as needed by continuing to click "+ Add New Label". In this case we have created our example Policy Group Labels. When you are done, click Create.
Now we need to go through our Policy Groups and assign our newly created labels to the appropriate Policy Groups. To do this, go to the Policy Group section, click on your desired Policy Group, and modify the Policy Group Label field to include the appropriate labels as seen in the example below.
Create and Assign Policy Sets
Now that our Policy Group Labels are created and assigned, we need to create our Policy Sets and select our Policy Group labels that we want to be included in each Policy Set.
We will create a Clinic Policy Set as an example. First, go to your Policy dashboard, click Policy Sets, and click "Create Policy Set".
Give your Policy Set a name, select the appropriate Policy Group Labels, and if you have created Site Labels already, select those as well. We will leave Site Labels empty for now. Click "Deploy".
You can now see your Policy Set by going back to the Policy Matrix, clicking the Policy Set icon in the top left of the matrix, and selecting the newly created "Clinic" Policy Set. All Policy Groups that carry the Clinic Users or Clinic Devices Policy Group Labels will be visible on the matrix.
IMPORTANT: Show Traffic Flow is linked to your current Policy Set, meaning the Traffic Flow View ONLY reflects traffic observed at sites or Virtual Edges (and associated Virtual Edge Nodes) where your currently selected Policy Set is distributed.
You can begin deploying or simulating policies at any time in your newly created Policy Set. When you choose to assign site labels to both this Policy Set and to your Virtual Edges, the policies will be dynamically distributed to all relevant policy enforcement nodes (Virtual Edge Nodes).
Manage Policy Sets
In the Policy Set Dashboard there are several columns that show important information about each Policy Set. Most are self-explanatory; "Nodes" and "Status" need some explanation.
"Nodes" indicates the number of Virtual Edges that are assigned to this Policy Set through the use of Site Labels. This does not indicate the number of Virtual Edge Nodes (access switches onboarded as policy enforcement points) as the name would suggest.
Note: Currently, Site Labels can only be assigned to Virtual Edges, and all associated Virtual Edge Nodes inherit the site label of their Virtual Edge. In an upcoming release, Virtual Edge Nodes will support assignment of dedicated Site Labels for additional policy distribution granularity.
"Status" is a quick way to indicate whether this policy set has been deployed to any Virtual Edge in your enterprise. If this Policy Set is deployed somewhere in your network by means of the associated Site Labels being assigned to any Virtual Edge, the status will indicate "Deployed." If this Policy Set has not yet been distributed, the status will indicate "Not in Use."
You can find several more options for managing Policy Sets by clicking the three dots under the Actions column. Below is a brief description of each of these options.
Edit Policy Set
Here you can change the name of your Policy Sets. More importantly, you can add and remove Policy Group Labels and Site Labels.
Duplicate Policy Set
Clicking "Duplicate Policy Set" opens up a window to create a new Policy Set, with all the Policy Group labels of the source Policy Set pre-selected. You can then assign the Policy Set to any available Site Labels upon creation.
Create and Assign Site Labels
Finally, we need to create our site labels and assign them to our Policy Set. To do this, we need to go to Settings -> Site Labels and click "Add Site Labels."
Again, you can add as many Site Labels as needed. Click Create.
Once our Site Label is created, we need to assign it to the correct Policy Sets, as well as any Virtual Edge that we want to inherit this Policy Set. To start, we will go back to the Policy Dashboard, find the Policy Set we previously created, and click the three dots to find and click "Edit Policy Set".
Here we can modify which Policy Group Labels are associated, as well as which Site Labels are associated. Click on the Site Labels tab, and click "+ Add Site Label".
We will associate the site label we just created by selecting it and clicking "add Label" then clicking "Save".
Finally, to deploy this Policy Set to appropriate enforcement points, we need to assign our Site Label to the appropriate Virtual Edges. To do this, go to the Virtual Edges dashboard, select your desired Virtual Edge, and click "Edit/Download Virtual Edge Configuration".
In the Virtual Edge Label configuration, select the correct Site Label, in this case "Clinic-A." Click Deploy; within seconds any policies previously distributed to this Virtual Edge are withdrawn, and the policies in our Policy Set are deployed to the Virtual Edge and all of its associated Virtual Edge Nodes.
Removing a Site Label from a Policy Set
To remove a site label from a Policy Set, or to reassign a site label, perform the following steps.
Step 1: Open the Policy Sets menu and click "Edit Policy Set" for a deployed/in-use Policy Set with Site Labels.
Step 2: Within the edit window, click the Site Labels tab. Click the delete button, and click Save Changes once applicable changes have been made.
IMPORTANT: Once the Site Label has been removed from the Policy Set, it is assigned to the "Core" Policy Set, meaning that all the policies in the "Core" Policy Set take effect at the sites carrying that Site Label. Removal therefore does not leave those sites unmanaged; it switches them to the full Core matrix, so review what Core enforces before removing a label from a deployed Policy Set. In the image below, our "Hospital A" Site Label has moved to the "Core" Policy Set after removal from the "Hospital" Policy Set.
One of the key advantages of Policy Sets is scalability. Organizations can add or modify policies within a set without affecting the rest of the organization, which simplifies managing policies across different entities. Centralized administration further streamlines enforcement: administrators configure and manage every Policy Set from a single interface.
Policy Sets not only offer customization and control but also play a pivotal role in improving scalability within organizations. By leveraging Policy Sets, organizations can streamline policy distribution, ensuring that only relevant policies are deployed to policy enforcement points at each site.
Customized Policy Distribution
One of the fundamental benefits of Policy Sets is the ability to distribute policies selectively to policy enforcement points based on site-specific requirements. Rather than deploy a one-size-fits-all policy configuration to every site, each site or business unit can have customized policies. This customization enables the deployment of policies that are directly relevant to the context of each site, eliminating the need to distribute unnecessary or redundant policies.
Simplified Policy Management
Policy Sets also contribute to enhanced scalability by simplifying policy management. With traditional approaches, managing a large number of policies across numerous sites can quickly become complex and challenging. However, Policy Sets enable administrators to define and modify policies at a higher level of abstraction through Policy Groups and policy labels. This abstraction not only makes policy management more intuitive but also allows for efficient updates and modifications across multiple sites, ensuring consistency while reducing administrative overhead.
Flexibility for Growth
As organizations expand and new sites are added to their network infrastructure, scalability becomes a critical consideration. Policy Sets offer the flexibility needed to accommodate growth by easily incorporating new sites into the existing policy framework. With the ability to assign multiple Site Labels to a Policy Set, organizations can seamlessly distribute the relevant policies to new sites, ensuring consistent policy enforcement while maintaining scalability as the network expands.
Using Policy Sets as an Incident Response Tool
Policy Sets can also be used creatively to solve problems that have traditionally been hard to solve, well beyond everyday network security management. In incident response, Policy Sets can be an invaluable tool for handling security emergencies swiftly and decisively while minimizing operational disruption.
Consider a scenario where an organization faces a critical security breach or cyberattack targeting specific manufacturing units or production sites. The priority becomes mitigating the threat and containing the potential damage. In such cases, traditional methods of reconfiguring policies across the entire network could be time-consuming and disruptive to the core business functions.
This is where Policy Sets come into play. By strategically deploying a more restrictive "incident response" Policy Set to the affected sites, organizations can rapidly and aggressively shut down all unnecessary traffic while ensuring the continuity of essential operations. This incident-specific policy set should be designed to contain most, if not all, of the policy groups present in the organization's standard "core" policy set, but with additional policy restrictions in place.
The incident response policy set acts as a powerful tool to swiftly contain the threat. It enforces stringent network access controls, tightly restricting traffic to only essential communication channels. This effectively isolates the compromised segments while allowing critical business functions to continue running without interruption.
In practical terms, the process involves associating the incident response Policy Set with the Site Labels of the affected sites. Because a Site Label belongs to only one Policy Set at a time, this moves those sites off their normal set and deploys the more restrictive policies only to the sites experiencing the incident. Once the threat is neutralized and the situation is under control, reverting is straightforward: reassign the Site Labels to the sites' previous Policy Set, or remove them from the incident response set, which returns them to the standard "core" Policy Set.
This proactive and targeted approach to incident response highlights the scalability and flexibility of policy sets. They empower organizations to respond swiftly and effectively to security incidents, mitigating risks while minimizing operational downtime. By compartmentalizing policies based on specific scenarios, policy sets offer a robust framework for incident management within complex manufacturing environments.
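Both the Site Label removal behaviour described under "Removing a Site Label from a Policy Set" and the incident response swap above come down to moving a Site Label between Policy Sets. The following added example (written for this article; it is not Elisity code and uses no Elisity API) models that lifecycle in Python: a label belongs to exactly one Policy Set, removing it sends it to Core, a containment step refuses an incident response set that would drop Policy Groups currently active at the site, and a revert step returns the site to its previous set. The Policy Group names, labels and Policy Sets are constructed.

```python
CORE = "Core"

# Constructed data: the labels each Policy Group carries and the labels each Policy Set
# imports. The Incident Response set imports every label of the sets it will replace, as
# the text recommends; in the product it would carry more restrictive policies per cell.
PG_LABELS = {
    "MRI":              {CORE, "Hospital Devices"},
    "EHR Servers":      {CORE, "Hospital Devices", "Clinic Devices"},
    "Security Cameras": {CORE, "Hospital Devices"},
    "Printers":         {CORE, "Clinic Devices"},
    "Unassigned":       {"Unassigned"},
}
POLICY_SETS = {
    "Hospital":          {"Hospital Devices", "Unassigned"},
    "Clinic":            {"Clinic Devices", "Unassigned"},
    "Incident Response": {"Hospital Devices", "Clinic Devices", "Unassigned"},
}


def groups_in(policy_set):
    """Policy Groups visible in a Policy Set (Core always contains all of them)."""
    if policy_set == CORE:
        return set(PG_LABELS)
    return {pg for pg, labels in PG_LABELS.items() if labels & POLICY_SETS[policy_set]}


class SiteLabelAssignments:
    """Tracks which Policy Set owns each Site Label. A label belongs to exactly one set
    at a time, and a label owned by no custom set is served by Core."""

    def __init__(self, initial):
        self._owner = dict(initial)
        self.history = []          # (site_label, previous_set, new_set), oldest first

    def owner(self, site_label):
        return self._owner.get(site_label, CORE)

    def assign(self, site_label, policy_set):
        """Attach a Site Label to a Policy Set; it is implicitly detached from its previous one."""
        if policy_set != CORE and policy_set not in POLICY_SETS:
            raise KeyError(f"unknown Policy Set {policy_set!r}")
        previous = self.owner(site_label)
        self._owner[site_label] = policy_set
        self.history.append((site_label, previous, policy_set))
        return previous

    def remove(self, site_label, policy_set):
        """Deleting a label from a set does not leave the site unmanaged: the label
        reverts to Core, and every Core policy then applies at that site."""
        if self.owner(site_label) != policy_set:
            raise ValueError(f"{site_label!r} is not assigned to {policy_set!r}")
        return self.assign(site_label, CORE)


def contain(assignments, site_label, ir_set="Incident Response"):
    """Incident response step: move the affected site onto the restrictive set, but only
    after checking that the swap itself drops no Policy Group the site currently has."""
    current = assignments.owner(site_label)
    missing = groups_in(current) - groups_in(ir_set)
    if missing:
        raise ValueError(f"{ir_set!r} lacks groups active at {site_label!r}: {sorted(missing)}")
    return assignments.assign(site_label, ir_set)


def revert(assignments, site_label):
    """Put the site back on the Policy Set it had before its most recent move."""
    for label, previous, _new in reversed(assignments.history):
        if label == site_label:
            return assignments.assign(site_label, previous)
    raise ValueError(f"no recorded move for {site_label!r}")


if __name__ == "__main__":
    a = SiteLabelAssignments({"Hospital-A": "Hospital", "Clinic-A": "Clinic"})
    contain(a, "Hospital-A")
    print("during incident:", a.owner("Hospital-A"))    # Incident Response
    revert(a, "Hospital-A")
    print("after incident:", a.owner("Hospital-A"))     # Hospital
    a.remove("Clinic-A", "Clinic")
    print("after label removal:", a.owner("Clinic-A"))  # Core
```

The pre-flight check in `contain` is the practical point: an incident response set that imports fewer labels than the set it replaces would silently remove Policy Groups from the affected site's matrix, and the `history` list is what lets you return the site to its pre-incident set rather than to Core.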
Policy Sets, facilitated by Policy Groups and Site Labels, provide organizations with a powerful mechanism for customizing and distributing policies across their network infrastructure. By leveraging these constructs, organizations can achieve fine-grained policy enforcement, adapting their policy matrices to the diverse requirements of different sites or groups of policy enforcement points. This level of customization, combined with centralized management and ease of policy updates, empowers organizations to maintain a robust and tailored security posture while efficiently managing their policies. Policy Sets serve as a crucial tool for large organizations aiming to enhance policy management and ensure consistent policy enforcement across their network infrastructure.