Xshield Spark
Introduction
ColorTokens is extending the Xshield Security Platform with a new component known as Xshield Spark. This program (executable) enables agentless policy enforcement on hosts by leveraging existing configuration management tools such as Microsoft Endpoint Configuration Manager (MECM), a.k.a. SCCM, Tanium, Puppet, etc.
The Xshield Security Platform integrates Xshield Spark with the configuration management tool and imports network and host visibility data from EDRs such as Microsoft Defender for Endpoint, to provide a highly scalable micro-segmentation solution with minimal friction.
This approach of integrating with an EDR to collect host and network telemetry, and using Xshield Spark to configure the host firewalls with Zero Trust policies, allows the Xshield Security Platform to offer the full set of micro-segmentation capabilities of its agent solution without the friction of installing and managing agents (which is expensive and time consuming).
Xshield Spark – Functional Overview
The Xshield Spark program is a lightweight executable that, when run, connects to the Xshield Security Platform to retrieve the Zero Trust policies for the host and then programs them into the host firewall. It additionally reads the programmed firewall rules and firewall event logs from the operating system and sends them to the Xshield Security Platform. It uses very little CPU and memory during its execution and runs for a short duration. The Xshield Spark program itself is signed to ensure authenticity. It also authenticates with the Xshield Security Platform before retrieving policy updates.
The Xshield Spark program is designed to:
- Install & Execute via Configuration Manager
  - Xshield Spark can be distributed and executed periodically on endpoints through the configuration management tool of your choice.
  - A script running on the configuration management server will initiate Spark on a defined list of hosts.
- Policy Retrieval & Enforcement
  - Upon execution, Spark connects securely to the Xshield Platform.
  - It requests the latest policy updates for the host.
  - If updates are present, Spark translates them into host firewall rules:
    - Windows OS → Windows Filtering Platform (WFP)
    - Linux OS → nf_tables
  - Collect the programmed firewall rules and send them to the Xshield platform.
- Log Collection & Publishing
  - Spark collects firewall event logs:
    - Windows → Windows Event Logs / pfirewall logs
    - Linux → iptables/nf_tables logs
  - Logs are then published back to the Xshield platform for visibility and analytics.
- Supported Operating Systems
  - Windows: Windows Server 2008 R2 and above, including modern Windows desktop/server platforms.
  - Linux:
    - Red Hat Enterprise Linux (RHEL) 7 and above
    - Ubuntu 20.04 and above
    - CentOS 7.x and above
Integration Architecture
Components
The following figure provides a high-level workflow architecture of the integration. The integration involves:
- Xshield Security Platform
- Xshield Spark Deployment Package (includes the spark binary)
- Configuration Management Tool (MECM, Tanium, etc.)
Xshield Security Platform
The Xshield Security Platform is responsible for:
- Downloadable Xshield Spark Package (including the Configuration Manager specific deployment script)
- Export APIs that Xshield Spark can invoke from each host to retrieve policies and to export firewall rules/logs.
- Enforcement key - Authentication key used for setting up the per-host session key for making API calls
- List of Hosts on which to execute Xshield Spark.
Xshield Spark
- Executable that runs on the host periodically.
- Responsible for generating session keys to make API calls.
- Makes API calls to retrieve policy configuration and to export firewall rules/logs.
- Exports logs (for troubleshooting) to the Xshield Platform.
- Resolves FQDNs and processes to program the appropriate host firewall rules.
Xshield Spark Deployment Package
The Xshield Spark Deployment Package acts as an orchestrator between configuration manager and the Xshield platform.
It runs at a configurable interval to keep Spark components, enforcement keys and target host information up to date, ensuring that Spark executes on the correct hosts with the latest configuration.
Configuration Management Tool
The Configuration Management tool is responsible for distributing and executing Spark across managed endpoints.
It receives updated Spark packages and configuration data from the Deployment Package and ensures that Spark runs on the designated hosts at the configured schedule.
Software Package
The Xshield Spark executable (inclusive of binaries for different Operating Systems) is part of a software package along with the execution script for a specific configuration manager.
Ongoing Enforcement & Reporting
- Spark enforces updated firewall policies and streams logs.
- Integration ensures policy consistency and telemetry visibility without requiring permanent agents.
Guide to setup Xshield Spark
Refer to the Spark deployment guides below for the configuration management tool of your choice.
FAQ
Can firewalld and nftables (ctspark) coexist?
Answer: No
Spark installs and enables nftables on Linux systems for enforcement.
If firewalld is installed or enabled on a Linux system, Spark will not run and will not enforce any firewall policies on that host.
This is because firewalld and nftables cannot coexist.
If nftables is enabled, it effectively disables firewalld, preventing any applications that depend on firewalld rules from functioning properly.
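A pre-flight check that a deployment script could run on a Linux host before launching Spark, so that hosts where firewalld is installed or enabled are reported up front rather than silently skipped. This is an added example, not part of the Xshield Spark package; the decision logic is separated from the system probes so it can be tested without systemd, and the package and unit names are the standard firewalld ones.

```shell
#!/bin/sh
# Pre-flight check for Spark on Linux: firewalld and nftables cannot coexist,
# so classify the host before attempting enforcement. Added example, not
# ColorTokens code. Returns 0 only when Spark would be able to enforce.
#
# Arguments (strings, so the logic is testable without systemd):
#   $1 firewalld package installed?   "yes" / "no"
#   $2 output of: systemctl is-enabled firewalld  (enabled, disabled, masked, ...)
#   $3 output of: systemctl is-active  firewalld  (active, inactive, unknown)
classify_firewall_state() {
  installed=$1; enabled=$2; active=$3
  if [ "$active" = "active" ]; then
    echo "BLOCKED: firewalld is running; Spark will not enforce on this host"
    return 1
  fi
  case "$enabled" in
    enabled|static)
      echo "BLOCKED: firewalld is enabled at boot; Spark will not enforce on this host"
      return 1 ;;
  esac
  if [ "$installed" = "yes" ]; then
    echo "BLOCKED: firewalld package is installed; remove it before deploying Spark"
    return 1
  fi
  echo "OK: no firewalld present; Spark can install and enable nftables"
  return 0
}

# Probe: is the firewalld package installed (rpm- or dpkg-based distros)?
firewalld_installed() {
  if command -v rpm >/dev/null 2>&1 && rpm -q firewalld >/dev/null 2>&1; then echo yes
  elif command -v dpkg >/dev/null 2>&1 && dpkg -s firewalld >/dev/null 2>&1; then echo yes
  else echo no; fi
}

# Probe: systemctl is-enabled / is-active for the firewalld unit.
# systemctl exits non-zero for "disabled"/"inactive" but still prints the state,
# so capture the output and fall back to "unknown" only when nothing was printed.
unit_state() {
  command -v systemctl >/dev/null 2>&1 || { echo unknown; return; }
  out=$(systemctl "$1" firewalld 2>/dev/null)
  echo "${out:-unknown}"
}

# Run the check against the live host and exit with its verdict.
preflight() {
  classify_firewall_state "$(firewalld_installed)" \
    "$(unit_state is-enabled)" "$(unit_state is-active)"
}
```

Call `preflight` from the wrapper that launches Spark and skip the host (and raise an alert) when it returns non-zero.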
Summary
The integration of Xshield Spark with MECM provides a scalable and agentless enforcement model by leveraging the customer’s existing configuration management infrastructure. This approach avoids additional agent deployment while ensuring that firewall policies are consistently enforced across all endpoints.