Policy Sets and Site Labels

 

Overview

Policy Sets are a logical grouping of policies that can be applied to specific sites or groups of policy enforcement points within an organization. By organizing policies into sets, administrators can easily define and enforce different sets of policies tailored to the unique needs and requirements of individual sites or business units, especially as your segmentation efforts expand. This flexibility allows for more granular policy enforcement and ensures that policies are aligned with the specific characteristics and operational environments of each site. This article provides a comprehensive technical overview of Policy Sets, highlighting their benefits and practical usage, and how they contribute to a more streamlined and customizable policy management process.

 

Requirements

Before delving into the intricacies of Policy Sets and their impact on scalability and policy management, it is important to note that this article addresses an advanced concept within the realm of network policy management. To fully grasp the content presented here, readers are expected to have a solid understanding of the Elisity architecture and Policy Constructs.

Elisity architecture encompasses the underlying framework and components that facilitate policy enforcement, management, and distribution within an organization's network infrastructure. Familiarity with Elisity's architectural principles and its role in network security is crucial for comprehending the nuances of Policy Sets. The articles below serve as an introduction to the Elisity architecture.

Introduction to Elisity

Virtual Edge Design Guide

Policy Constructs refer to the fundamental building blocks of policy management in Elisity, including Policy Groups, and the Policy Matrix. These constructs serve as the foundation upon which Policy Sets are built. To appreciate the benefits and technical intricacies of Policy Sets, a working knowledge of Policy Constructs is essential. Read the articles below for more information on Policy Constructs.

Policy Groups

Policy Matrix

Managing Policies Using the Policy Matrix

 

Policy Set Structure

Core Policy Set

The Core Policy Set is the default, unmodifiable policy set that contains every Policy Group defined within your organization. As a reminder, Policy Groups are collections of assets defined by common match criteria to be used as policy endpoints. The Core Policy Set is the primary group of policies that is distributed to all Virtual Edges (and associated Virtual Edge Nodes) that have not been configured to use a different Policy Set. Imagine the "core" policy set as the default Policy Matrix before enabling Policy Sets - it works essentially the same way. In this article we will show you how to move beyond the Core Policy Set and begin using custom-defined policy sets to distribute selective policies throughout your network.

 

Policy Groups and Policy Sets

At the most basic level, user-defined Policy Sets are selections of Policy Groups from the (Core) Policy Set. By choosing the relevant Policy Groups, organizations can create new sets of policies that align with the unique requirements of certain sites or business units. This customization capability allows for a highly adaptable and flexible policy management approach.

 

Policy Group Labels

To assign Policy Groups to Policy Sets, a construct called "Policy Group Labels" is used. Policy Group Labels act as markers that link Policy Groups to Policy Sets, forming the foundation for policy enforcement. By associating the appropriate Policy Groups using labels, organizations can easily define and modify the policies within a Policy Set and adapt it to the continually changing requirements of sites or business units within or across sites. Administrators can use this flexibility to control exactly how they manage and organize their Policy Groups and their Policy Set assignments. As you can see below, Policy Group Labels can associate one or more Policy Groups with one or more Policy Sets, with no limit on the number or combination of Policy Groups to Policy Sets. A Policy Group can carry multiple labels that map to multiple Policy Sets.

Site Labels and Policy Set Distribution

Policy Sets are assigned to policy enforcement points using a construct known as "Site Labels." Note that "site" as used here refers to a collection of policy enforcement points (Virtual Edges) and not necessarily a physical site or location. You can leverage Policy Sets regardless of your deployment model (Switch-Hosted Virtual Edge or Virtual Edge VM). Site Labels provide a means to define sites or groups of policy enforcement points (Virtual Edge Nodes) within an organization. A Policy Set can be associated with multiple Site Labels, allowing for the distribution of a set of policies across multiple sites. However, it's important to note that each individual site can only have one assigned Policy Set, ensuring consistency and clear policy enforcement within each site.

By default, all Virtual Edges and Virtual Edge Nodes are assigned to the default site label called "Default".

 

Practical Implementation

Policy Sets are an advanced setting that should only be turned on after careful consideration and planning. Enabling Policy Sets is currently a permanent setting, meaning once enabled, they cannot be disabled. Enabling Policy Sets changes the way you build, deploy, and manage policies, and requires additional planning to execute smoothly and ensure that every sector of your network has the proper policies in place.

To turn on Policy Sets, go to Settings -> Security -> Advanced and enable Policy Sets by clicking the button.

Implementing Policy Sets involves the following steps.

  • Administrators define Policy Groups based on discovered match criteria for assets, such as device type, vendor or model, or user AD group, department, and so on.
  • Policy Group Labels are created, and assigned to these Policy Groups.
  • Policy Sets are created, and Policy Group Labels are selected to import the associated Policy Groups into the Policy Set.
  • Site Labels are created (if not yet created) to define the sites or groups of policy enforcement points (Virtual Edge Nodes) within the organization. Our Policy Sets are then associated with the appropriate Site Labels, effectively distributing the set of policies across the designated sites.

Note: This is one way to implement Policy Sets; the steps do not have to be performed in this particular order. The order in which you implement Policy Sets is quite flexible. Below is a walk-through of how to implement the various components of Policy Sets described above.

Create Policy Groups

Your Policy Groups should already be created, but if not, follow our in-depth guide on how to implement Policy Groups.

 

Create and Assign Policy Group Labels

Policy Group Labels are used to assign Policy Groups to Policy Sets. It is very important to understand that Policy Groups are a global construct, and are shared across all Policy Sets. This means that assets are profiled at the Global or "Core" level.

There are a couple of implications to this:

  • Assets at "Site A" can match to a Policy Group in the "Core" Policy Set that is not found in the Policy Set for "Site A."
  • Policy Sets can have gaps in policy coverage if not set up properly.

For example, you may have a policy set assigned to "Site A" that excludes the Policy Group for security cameras. Cameras that are discovered at "Site A" will still match to the Policy Group for Security Cameras, assuming that your PG ordering is set up correctly. With this Policy Group missing from the Policy Set assigned to "Site A" you will not be able to create policies for these cameras, leading to gaps in Policy Coverage for this site. This is why it is important to plan your Policy Sets carefully, observe traffic flows and discovered devices, and adapt your Policy Sets as you gain more data through Elisity.

 

In the illustration below, we can see our core Policy Set, which contains all of our Policy Groups. We then see two additional Policy Sets that only contain select Policy Groups based on the assigned Policy Group Labels. We can then see the devices coming online at "Site-A" and "Site-B" matching to Policy Groups. The cameras at Site A and the printers at Site B match to the correct Policy Groups, but those PGs are not found in the Policy Set assigned to each site, leading to gaps in policy coverage at each site.

Armed with the knowledge that Policy Groups are a "global" construct, you can avoid these types of scenarios. You can filter the devices page by site label, device type, and so on to discover what kinds of devices are at each site, then build your Policy Sets to cover every device that has been discovered at that site.


Before creating and assigning Policy Group Labels, first consider what business units or groupings of Policy Groups would prove useful in organizing and assigning to Policy Sets. In the example and diagram above, we have chosen to create Policy Group Labels that organize our Users and Devices based on the type of site at which those assets are found. For example, you typically wouldn't find MRI machines at a clinic, but you would certainly find them at a main hospital. Electronic Health Record (EHR) servers, however, may be found at both hospitals and clinics in our organization. Knowing this, we will give our MRI Policy Group the Hospital Devices label, and our EHR Servers Policy Group will get both the Hospital Devices label and the Clinic Devices label. 

Keep in mind, this is just an example. Policy Sets are very flexible, and how they are defined and assigned completely depends on the organization's requirements. As you read through this article, think about how you would apply Policy Sets in a way that makes sense for your organization's segmentation goals.
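The coverage-gap scenario and the Hospital/Clinic labelling above, as an added Python model (not Elisity's code or API): Policy Groups are global and ordered, Policy Sets pull groups in by Policy Group Label, each Site Label maps to exactly one Policy Set (Core by default, and back to Core when removed), and a discovered asset is a gap when the group it matches is absent from its site's Policy Set. Policy Group names, match criteria and the device records are constructed for illustration.

```python
from dataclasses import dataclass, field

CORE = "Core"              # default, unmodifiable Policy Set holding every Policy Group
UNASSIGNED = "Unassigned"  # reserved label and Policy Group for assets matching nothing else

@dataclass
class PolicyGroup:
    name: str
    match: dict                               # match criteria, e.g. {"device_type": "Camera"}
    labels: set = field(default_factory=set)  # user-defined Policy Group Labels

@dataclass
class Org:
    policy_groups: list                                   # global and ordered (PG ordering)
    policy_sets: dict = field(default_factory=dict)       # Policy Set name -> set of PG Labels
    site_assignments: dict = field(default_factory=dict)  # Site Label -> Policy Set name

    def policy_set_for_site(self, site_label):
        # A Site Label not assigned to a user-defined Policy Set stays in Core
        return self.site_assignments.get(site_label, CORE)

    def assign_site_label(self, site_label, policy_set):
        # Each Site Label belongs to exactly one Policy Set, so assigning it moves it
        if policy_set not in self.policy_sets:
            raise KeyError(f"unknown Policy Set {policy_set!r}")
        self.site_assignments[site_label] = policy_set

    def remove_site_label(self, site_label):
        # Removing a Site Label from a Policy Set returns it to Core
        self.site_assignments.pop(site_label, None)

    def groups_in_set(self, policy_set):
        if policy_set == CORE:
            return [pg.name for pg in self.policy_groups]
        wanted = self.policy_sets[policy_set]
        return [pg.name for pg in self.policy_groups if pg.labels & wanted]

    def match_group(self, device):
        # Profiling is global: the first PG whose criteria the asset satisfies wins
        for pg in self.policy_groups:
            if all(device.get(k) == v for k, v in pg.match.items()):
                return pg.name
        return UNASSIGNED

    def coverage_gaps(self, devices):
        # An asset is a gap when its matched PG is missing from its site's Policy Set
        gaps = []
        for dev in devices:
            ps, pg = self.policy_set_for_site(dev["site"]), self.match_group(dev)
            if pg not in self.groups_in_set(ps):
                gaps.append((dev["site"], dev["name"], pg, ps))
        return gaps

def build_example():
    org = Org(policy_groups=[
        PolicyGroup("MRI Machines", {"device_type": "MRI"}, {"Hospital Devices"}),
        PolicyGroup("Security Cameras", {"device_type": "Camera"}, {"Hospital Devices"}),
        PolicyGroup("EHR Servers", {"device_type": "Server", "app": "EHR"},
                    {"Hospital Devices", "Clinic Devices"}),
        PolicyGroup(UNASSIGNED, {}, {UNASSIGNED}),  # catch-all, always ordered last
    ])
    org.policy_sets["Hospital"] = {"Hospital Devices", UNASSIGNED}
    org.policy_sets["Clinic"] = {"Clinic Devices"}  # no Unassigned label selected
    org.assign_site_label("Hospital A", "Hospital")
    org.assign_site_label("Clinic B", "Clinic")
    return org

DEVICES = [  # constructed discovery data; "site" is the asset's Site Label
    {"name": "mri-01", "site": "Hospital A", "device_type": "MRI"},
    {"name": "ehr-02", "site": "Clinic B", "device_type": "Server", "app": "EHR"},
    {"name": "cam-07", "site": "Clinic B", "device_type": "Camera"},
    {"name": "kiosk-3", "site": "Clinic B", "device_type": "Kiosk"},
    {"name": "cam-09", "site": "Clinic C", "device_type": "Camera"},  # no Site Label assignment
]
```

Running `build_example().coverage_gaps(DEVICES)` flags the camera and the unprofiled kiosk at Clinic B, while the camera at Clinic C is covered because that Site Label still falls back to Core.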


To create a policy label, navigate to the policy dashboard, and click on the "Policy Group Labels" tab.

You will notice the two system-created default Policy Group Labels. These are non-modifiable and serve an important purpose, detailed below.

The "Core" Policy Group Label is automatically assigned to every user-defined Policy Group by default, associating EVERY Policy Group with the "Core" Policy Set. 

The "Unassigned" Policy Group Label is reserved for the default Unassigned Policy Group. Having a default Policy Group Label dedicated to the Unassigned Policy Group gives administrators the flexibility to include the Unassigned Policy Group, clearly defined, in any Policy Set they choose.

Common use cases for Policy Group Labels include assigning PGs to Incident Response Policy Sets and Simulation Mode or "Staging" Policy Sets. More information on each of these use cases can be found near the end of this article.

To create a new Policy Group Label, click "+ Create Policy Group Labels".

 

Note: This dashboard is also where you can modify and delete Policy Group Labels by clicking "actions" in a user-created Policy Group Label.


 

Type in a name for your Policy Group Label that aligns with the Policy Sets to which you are going to assign Policy Groups using the label. Select all relevant Policy Groups from the drop-down list. You can create as many Policy Group Labels as needed by continuing to click "+ Add New Label".


You can also go to the Policy Group section, click on your desired Policy Group, and modify the Policy Group Label field to include the appropriate labels as seen in the example below.

 

Create and Assign Policy Sets

Now that our Policy Group Labels are created and assigned, we need to create our Policy Sets and select our Policy Group labels that we want to be included in each Policy Set. 

We will create a Clinic Policy Set as an example. First, go to your Policy dashboard, click Policy Sets, and click "Create Policy Set".

Note: The Core Policy Set includes the Unassigned Policy Group Label by default.


 

Give your Policy Set a name, select the appropriate Policy Group Labels, and if you have created Site Labels already, select those as well. We will leave Site Labels empty for now. Click "Deploy".

 

You can now see your Policy Set by going back to the policy matrix, clicking the Policy Set icon in the top left of the matrix, and selecting our newly created "Clinic" Policy Set. All of our Policy Groups that have been assigned Clinic Users or Clinic Devices Policy Group Labels will be visible on the matrix. 

IMPORTANT: Show Traffic Flow is linked to your current Policy Set, meaning the Traffic Flow View ONLY reflects traffic observed at sites or Virtual Edges (and associated Virtual Edge Nodes) where your currently selected Policy Set is distributed.

 

You can begin deploying or simulating policies at any time in your newly created Policy Set. When you choose to assign site labels to both this Policy Set and to your Virtual Edges, the policies will be dynamically distributed to all relevant policy enforcement nodes (Virtual Edge Nodes). 

 

Manage Policy Sets

In the Policy Set Dashboard there are several columns that indicate important information about each Policy Set. All these columns are self-explanatory, however some explanation is needed for "Nodes" and "Status."

"Nodes" indicates the number of Virtual Edges that are assigned to this Policy Set through the use of Site Labels. This does not indicate the number of Virtual Edge Nodes (access switches onboarded as policy enforcement points) as the name would suggest.

Note: Currently, Site Labels can only be assigned to Virtual Edges, and all associated Virtual Edge Nodes inherit the site label of their Virtual Edge. In an upcoming release, Virtual Edge Nodes will support assignment of dedicated Site Labels for additional policy distribution granularity. 

"Status" is a quick way to indicate whether this policy set has been deployed to any Virtual Edge in your enterprise. If this Policy Set is deployed somewhere in your network by means of the associated Site Labels being assigned to any Virtual Edge, the status will indicate "Deployed." If this Policy Set has not yet been distributed, the status will indicate "Not in Use."

You can find several more options for managing Policy Sets by clicking the three dots under the Actions column. Below is a brief description of each of these options. 


Edit Policy Set

Here you can change the name of your Policy Sets. More importantly, you can add and remove Policy Group Labels and Site Labels.

 

Duplicate Policy Set

Clicking "Duplicate Policy Set" opens up a window to create a new Policy Set, with all the Policy Group labels of the source Policy Set pre-selected. You can then assign the Policy Set to any available Site Labels upon creation. Read below for more information on Site Labels and how they are used.

 

Using Site Labels

The final step of implementing Policy Sets is assigning them to Virtual Edges or Virtual Edge Nodes using Site Labels.

Using Site Labels for Analytics and Visibility ONLY

If you are only using the "Core" Policy Set for policy enforcement, and only using additional Policy Sets for Simulation Mode or Incident Response rather than using Policy Sets to distinguish different policies for various sites, then there is no need to reassign your site labels from the "Core" Policy Set. You can leave all Site Labels in the "Core" Policy Set and simply use Site Labels for visibility and analytics purposes. 

 

Distributing Policy Sets Using Site Labels 

First, if you have not created Site Labels and assigned them to Virtual Edges and Virtual Edge Nodes, it's time to consider what approach you would like to take.

Method 1: Create and assign Site Labels to VEs/VENs, then associate the Site Label with a Policy Set (Recommended)

This option stages your VEs/VENs so that when you assign the Site Label to a Policy Set, policy is distributed immediately, requiring no further action in the VE/VEN dashboard. Assigning Site Labels to VEs and VENs takes a little more time and consideration, so doing this step first makes distributing policies a much quicker process. This method also means that as you onboard VEs and VENs, you can assign a site label to them during deployment, resulting in a more efficient workflow for assigning VEs/VENs to Policy Sets.

To learn how to assign site labels to VEs and VENs, read our article on Managing Virtual Edges and Virtual Edge Nodes. After Site Labels have been assigned to your VEs/VENs, you are ready to proceed with assigning site labels to your Policy Sets. 

 

To start, go back to the Policy Dashboard, open Policy Sets, find the Policy Set we previously created, and click the three dots to find and click "Edit Policy Set".


Here we can modify which Policy Group Labels are associated, as well as which Site Labels are associated. Click on the Site Labels tab, and click "Add Site Label".



Select the site labels you would like to associate with this Policy Set and click "Add Label".

You can see the number of Virtual Edges that you have associated with each Site Label before clicking Save Changes.

Once you click Save Changes your policies will be distributed to all the associated Virtual Edges and Virtual Edge Nodes that have been assigned these Site Labels.

 

Method 2: Create and assign Site Labels to Policy Sets, then assign the Site Labels to VEs/VENs

This method stages your Policy Set with site labels FIRST so that when you assign site labels to VEs/VENs, they are moved from "Core" to their assigned Policy Set. This method can be used if you do not have an established Site Label schema, or if you want to roll sites into "production" one at a time to a production Policy Set. 

 

Removing a Site Label from a Policy Set

To remove a site label from a Policy Set, or to reassign a site label, perform the following steps.

Step 1: Open the Policy Sets menu and click "Edit Policy Set" for a deployed/in-use Policy Set with Site Labels.

 

Step 2: Within the edit window, click the Site Labels tab. Click the delete button, and click Save Changes once applicable changes have been made. 

IMPORTANT: Once the Site Label has been removed from the Policy Set, it will be assigned to the "Core" Policy Set, meaning that all the policies in the "Core" Policy Set will take effect at the sites using the just-removed Site Label. See in the image below that our "Hospital A" Site Label has been moved to the "Core" Policy Set after removal from the "Hospital" Policy Set.


Using Site Labels to Filter Devices by Site


In the Elisity Microsegmentation platform, Site Labels play a crucial role in the organization and visibility of devices across your network. These labels are typically set by customers to define virtual edges from different sites across their enterprises, aligning with geographical locations, departmental boundaries, or other organizational structures.

When navigating to the device dashboard within the Elisity Cloud Control Center, administrators can enhance their network oversight using Site Labels through a dropdown menu. This feature allows for the selection of one or multiple site labels, providing flexibility in device visibility and management. There is also a 'Select All' option for broader oversight. You can also search for site labels if using a large number of site labels.

Once a Site Label is selected, the device table will update to display only the devices associated with the chosen 'sites'. 

Scalability

One of the key advantages of Policy Sets is their scalability. Organizations can effortlessly add or modify policies within a set without affecting the entire organization, simplifying the management of policies across different entities. Centralized administration further streamlines policy enforcement, as administrators can easily configure and manage Policy Sets through a centralized interface.

Policy Sets not only offer customization and control but also play a pivotal role in improving scalability within organizations. By leveraging Policy Sets, organizations can streamline policy distribution, ensuring that only relevant policies are deployed to policy enforcement points at each site.

Customized Policy Distribution

One of the fundamental benefits of Policy Sets is the ability to distribute policies selectively to policy enforcement points based on site-specific requirements. Rather than deploy a one-size-fits-all policy configuration to every site, each site or business unit can have customized policies. This customization enables the deployment of policies that are directly relevant to the context of each site, eliminating the need to distribute unnecessary or redundant policies.

Simplified Policy Management

Policy Sets also contribute to enhanced scalability by simplifying policy management. With traditional approaches, managing a large number of policies across numerous sites can quickly become complex and challenging. However, Policy Sets enable administrators to define and modify policies at a higher level of abstraction through Policy Groups and policy labels. This abstraction not only makes policy management more intuitive but also allows for efficient updates and modifications across multiple sites, ensuring consistency while reducing administrative overhead.

Flexibility for Growth

As organizations expand and new sites are added to their network infrastructure, scalability becomes a critical consideration. Policy Sets offer the flexibility needed to accommodate growth by easily incorporating new sites into the existing policy framework. With the ability to assign multiple Site Labels to a Policy Set, organizations can seamlessly distribute the relevant policies to new sites, ensuring consistent policy enforcement while maintaining scalability as the network expands.

 

Using Policy Sets as an Incident Response Tool

Policy Sets can also be used creatively to provide solutions for problems that have traditionally been very hard to solve, far beyond everyday network security management. In the realm of incident response, Policy Sets can prove to be an invaluable tool for swiftly and decisively handling cybersecurity emergencies while minimizing operational disruptions.

Consider a scenario where an organization faces a critical security breach or cyberattack targeting specific manufacturing units or production sites. The priority becomes mitigating the threat and containing the potential damage. In such cases, traditional methods of reconfiguring policies across the entire network could be time-consuming and disruptive to the core business functions.

This is where Policy Sets come into play. By strategically deploying a more restrictive "incident response" Policy Set to the affected sites, organizations can rapidly and aggressively shut down all unnecessary traffic while ensuring the continuity of essential operations. This incident-specific policy set should be designed to contain most, if not all, of the policy groups present in the organization's standard "core" policy set, but with additional policy restrictions in place.

The incident response policy set acts as a powerful tool to swiftly contain the threat. It enforces stringent network access controls, tightly restricting traffic to only essential communication channels. This effectively isolates the compromised segments while allowing critical business functions to continue running without interruption.

In practical terms, the process involves associating the incident response policy set with the affected sites using site labels. This action triggers the deployment of the more restrictive policies exclusively to the sites experiencing the security incident. Once the threat is neutralized and the situation is under control, reverting to the standard "core" policy set is a straightforward process.

This proactive and targeted approach to incident response highlights the scalability and flexibility of policy sets. They empower organizations to respond swiftly and effectively to security incidents, mitigating risks while minimizing operational downtime. By compartmentalizing policies based on specific scenarios, policy sets offer a robust framework for incident management within complex manufacturing environments.

Conclusion

Policy Sets, facilitated by Policy Groups and Site Labels, provide organizations with a powerful mechanism for customizing and distributing policies across their network infrastructure. By leveraging these constructs, organizations can achieve fine-grained policy enforcement, adapting their policy matrices to the diverse requirements of different sites or groups of policy enforcement points. This level of customization, combined with centralized management and ease of policy updates, empowers organizations to maintain a robust and tailored security posture while efficiently managing their policies. Policy Sets serve as a crucial tool for large organizations aiming to enhance policy management and ensure consistent policy enforcement across their network infrastructure.
