GDS International - Next - Generation - Security - Summit - Europe - 2


Published on

Tufin Firewall Operations Management Whitepapaer

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

GDS International - Next - Generation - Security - Summit - Europe - 2

  1. 1. SecureTrack™Firewall Operations Management,Auditing & ComplianceMarch,
  2. 2. Table of ContentsIntroduction ................................................................................................... 3Comprehensive View of Firewall Policy ...................................................... 4Configuration Change Management ........................................................... 4Security Policy Optimization and Cleanup ................................................. 5Risk Management ......................................................................................... 6Network Topology Intelligence .................................................................... 6Rule Documentation and Recertification .................................................... 7Auditing and Continuous Compliance ........................................................ 7Automatic Security Policy Generation ........................................................ 8Compliance with Best Practices .................................................................. 9Scalable, Distributed Deployment Architecture and Multi-Tenancy........ 9Firewall Operations Management: The Automated Solution .................... 9Firewall Operations Management 2/10
  3. 3. IntroductionManaging network security for an organization or a service provider has become a highlycomplex operation involving dozens or even hundreds of firewalls and routers. Multiple sitesand teams, different hardware and software vendors – all of these factors make it virtuallyimpossible to maintain an accurate, airtight security policy on every device. At the same time,internal security policies have become more rigorous, and organizations need to comply witha growing body of industry and government regulations.To make sure that security standards are being met, most organizations rely on periodicaudits – a process involving days of manual, painstaking effort. In addition to the tremendousinvestment of time and resources, relying on audits is a reactive approach to network securitythat can leave threats undetected for months at a time.Today’s security operations teams urgently need a management solution that can proactivelyassure network security and achieve Continuous Compliance with standards whileautomating labor-intensive day-to-day tasks. In practical terms, firewall operations teamsneed:  Central, cross-vendor management starting with a top-down view of all firewalls, routers and switches in the organization – including next-generation firewalls  Change management to ensure that every change to security policy is accountable and in accordance with corporate standards  Proactive risk analysis and business continuity management to evaluate the impact of every configuration change and ensure Continuous Compliance with standards  Policy optimization and cleanup to eliminate security loopholes, improve firewall performance, and reduce hardware costs  Network topology intelligence to visually analyze the access path between any source and destination  Rule documentation that enables you to manage rule ownership, expiration and recertification.  Automated security audits to efficiently comply with corporate policies as well as industry and government regulations  Automatic security policy generation to enable rapid deployment of new firewalls without disrupting business continuity or resorting to permissive rules  Alignment with best practices from vendors and security industry veterans  Scalable support for large enterprises and datacenters including distributed deployment, multiple device domains and role-based management.Tufin SecureTrack™ enables security operations teams to dramatically reduce risk whileincreasing compliance and efficiency. With a powerful set of real-time and analytical tools,SecureTrack tackles the practical challenges that operations teams face every day when itcomes to managing firewalls, routers and switches. This paper takes a closer look at each ofthe key requirements in security operations management and explains how SecureTrackenables companies to eliminate potential threats, lower costs, and achieve their strategicsecurity objectives.Firewall Operations Management 3/10
  4. 4. Comprehensive View of Firewall PolicyEnterprises and service providers manage dozens, if not hundreds, of individual networksecurity devices including network-layer firewalls, next-generation, application-layer firewalls,routers and switches with ACLs. Each device has its own policy - a complex set of rulesdefining the access privileges and restrictions for specific users and services. Today,administrators lack a unified top-down view of all of their security policies from variousvendors, and need to individually monitor each piece of the puzzle.Tufin SecureTrack provides a convenient, top-down view of all security policies (rule basesand ACLs) in the organization, even if they are from multiple vendors. You can view thecurrent configuration as well as historical views and snapshots. Each policy is displayedusing the vendor’s native layout and conventions. SecureTrack makes it simple to visuallycompare and review devices. For example, you can analyze a side-by-side view of the samefirewall at two different points in time, and you can compare the settings of different firewallsin a variety of views and reports.SecureTrack’s dashboard and interactive browsers enable you to immediate assess youroverall security posture and to drill down for more information in order to analyze andremediate threats.On or off-site, SecureTrack enables you to centrally manage alerts and notifications andgenerate reports for all of your firewalls and related security infrastructure. Since it is easy tolearn and use, within minutes you can integrate SecureTrack into your network environmentand start real-time monitoring.In addition to the list of vendors currently supported by SecureTrack, the Tufin Open Platform(TOP) enables enterprises and integrators to easily extend the platform and supportadditional vendors and infrastructure components through simple plugins.Click here for a complete list of supported devices.Configuration Change ManagementOrganizations are constantly in motion. So implementing a corporate security policy is not aone-shot deal. Every day, configuration changes are made in response to user requests fornetwork access, security threats and changes to the network structure. Monitoring, trackingand analyzing these configuration changes is probably the biggest challenge facing firewalladministrators today. And the problem is not limited to rule bases and ACLs. Changes to theconfiguration and performance of the firewall operating system or firmware also directlyFirewall Operations Management 4/10
  5. 5. impact security and business continuity, yet they are difficult to track with conventionalmethods.Tufin SecureTrack continuously monitors and keeps track of every security configurationchange including changes to rules and network objects such as hosts and services.Comprehensive change reports include all firewalls and vendors, using the vendor’s nativeconventions – for example, field names and colors. SecureTrack offers a variety ofcustomizable change reports as well as comparisons of different firewalls, or differenthistorical snapshots. Reports can be sliced by firewall, by rule, by object, or by the type ofchange.Full accountability is assured since each change is stored along with the administrator’sname, the time, and the server where the change originated. SecureTrack makes it possibleto determine who made a change with a simple query, rather than searching throughnumerous log files for the needle in the haystack.SecureTrack also integrates with leading ticketing systems so that changes can be trackedfrom the original request through approvals to implementation. Each change in aSecureTrack report includes a link to the relevant ticket so that you can automatically launchthe ticket for more information.Using real-time alerts, SecureTrack sends e-mail to designated administrators in response toevery change that may conflict with corporate security policy. Rather than wait for the nextaudit, SecureTrack empowers you to proactively prevent security risks before they actuallyarise. Alerts are also useful for ongoing management – even when you are off site,SecureTrack alerts can inform you of any or all changes via email.Security Policy Optimization and CleanupAs thousands of tickets are processed by the security team, and organizational securityobjectives evolve over time, the underlying policies and rule bases become very large,intricate and complex. In fact, many of the rules and objects in a typical firewall rule base areobsolete. These unused rules represent a potential security hole and should be eliminated.Yet administrators do not have an easy way of identifying these rules with standardadministration tools.In addition to security risks, a poorly maintained rule base can have a major impact onperformance. The entire rule base is parsed from top to bottom with every networkconnection, and as the rule base grows, hardware requirements also increase.SecureTrack analyzes the actual usage of policy rules and labels each rule as heavily used,moderately used, or unused. SecureTrack also analyzes object usage within each rule,indicating specific network objects and services that are no longer in use. It is advisable toreview every unused rule and object, and remove those that are not necessary and mayrepresent a security risk.To improve device performance, SecureTrack makes recommendations regarding theposition of specific rules – placing the heavily used rules at the top of the rule base andmoving the least-used rules to the bottom. SecureTrack also indicates rule shadowing –places where rules overlap, or effectively “hide” other rules – so that you can re-position rulesintelligently.You can view the latest optimization recommendations in the SecureTrack dashboard andClean-Up browser or generate a customized report at any time.Firewall Operations Management 5/10
  6. 6. Risk ManagementThe implications of a security configuration error can be severe – from a breach to networkdowntime, or even a network service interruption. Therefore, it is essential to analyze theimpact of every change before it is implemented in the production environment. The same istrue for the firewall gateway operating system, where routine system maintenance canexpose vulnerabilities or even disrupt business.In addition, security managers must be able to assess risk and vulnerability at any given time– for all relevant network security devices. The challenge is greatest in distributedorganizations with multiple teams. Inevitably, different teams develop their own standardsand working methodologies. To ensure that everybody is successfully implementing securityguidelines, organizations need to implement automated solutions that can evaluate risk andcompliance at all times.To manage risk and ensure business continuity, SecureTrack uses a multi-step approach:  Security administrators define the organization’s security compliance policy for mission critical and risky services within SecureTrack. SecureTrack automatically compares every change that is made to the firewall, router or switch configuration and sends out a real-time alert in the case of a violation to the organization’s compliance policy. This capability is firewall vendor agnostic and implemented transparently in heterogeneous firewalls environments.  Before implementing a change, administrators can use SecureTrack’s Security Policy Analysis to simulate the change on the rule base and identify possible conflicts or violations. This pro-active risk analysis tool can save hours of painstaking, manual rule base review.  The SecureTrack dashboard and the interactive Risk browser always show the current level of risk along with a prioritized list of risk factors, so that you can investigate and remediate as soon as possible.  The Security Risk Report summarizes the current risk posture and calculates your Security Score. The report can be run at the organizational level or per gateway, and indicates risk trends in addition to the current state. To determine the Security Score, the report uses your compliance policies as well as a group of pre-defined risk factors culled from leading industry standards. You can set your own priorities and customize the report to exclude specific policies, risk factors or even rules that cause false positive violations.Network Topology IntelligenceGiven the size and complexity of today’s networks, it is not easy to maintain a clear picture ofall of its devices and zones. When faced with a network access request from a user, or achange request from IT, it can take time to understand which firewalls and networkcomponents are involved.SecureTrack discovers an organizations’ network topology and provides securityadministrators with a dynamic, visual map. The map, which is continuously updated inresponse to network changes, identifies firewalls, routers and network zones such as theDMZ. SecureTrack supports very large maps and enables you to add unmonitored routers inorder to create the most complete picture.Firewall Operations Management 6/10
  7. 7. Network Topology Intelligence is an integral part of many SecureTrack and SecureChangefeatures including policy analysis, compliance and security risk reports, and the PolicyChange Advisor. It automatically identifies the devices and zones that are relevant for anaccess requests making it easier for you to analyze, modify and report on security policies.Rule Documentation and RecertificationA key best practice for security policies is to periodically review each rule and remove theones that are no longer required. Since policies regularly contain hundreds of rules, and thereare often several administrators making changes, it is optimal to document each rule as it iscreated, and to assign an expiration date.Among firewall, router and switch vendors, the ability to document rules and set expirationdates is handled to varying extents – or not at all – so it is important to be able to managerule ownership, expiration and recertification centrally.With SecureTrack, you can continuously weed out rules that are no longer needed andprevent rule bases from growing out of control. You can document each rule, identify thetechnical and business owners, and indicate an expiration date upon which the rule must bereviewed. At any time, you can sort and filter rules according to expiration date and/or ownerand recertify, or remove them, as needed. You can also define scheduled reports and alertsto proactively stay on top of rule status at all times.Rule documentation is a valuable tool for justification of rules as required by certain auditssuch as PCI DSS.Auditing and Continuous ComplianceCompanies now understand the business impact of network security and are demanding ahigh level of transparency and accountability from network operations teams. In addition,more and more organizations need to conform to government and industry standards such asPCI DSS, NERC and SOX.To meet these increasingly rigorous standards, you need the ability to efficiently performperiodic audits. Owing to the size and dynamic nature of firewall rule bases, it is extremelytime-consuming to do this manually, even for an expert. you need an automated auditprocess that can be configured to meet the specific requirements of both corporate andregulatory standards.To hold individuals accountable for their actions, you need to maintain an accurate audit trailof all security policy and operating system changes. It is preferable that the audit trail comeFirewall Operations Management 7/10
  8. 8. from an objective third party or automatic logging tool. Furthermore, you need to enforce anddemonstrate a separation of duties designed to ensure that all changes are approved andmonitored properly.But auditing is not enough. The true goal of security regulations is Continuous Compliance.So in between audits, it is essential to continuously monitor every single change, to assessrisks and to mitigate threats before they materialize.SecureTrack provides automatic audit reports that test current firewall configuration againstyour corporate security policy as well as a configurable checklist of standards. Along with alist of violations, Tufin’s audit reports provide information on how to resolve or mitigate theinfraction. Specialized reports, such as the PCI DSS Audit and the Cisco DeviceConfiguration Report (DCR), are already designed according to the requirements of theindustry standard. Audit reports can be scheduled for automatic, periodic execution andmailed to all relevant security officers.SecureTrack supports periodic audits with continuous change tracking and a comprehensiveaudit trail that provides full accountability and demonstrates implementation of a separation ofduties. Change reports can be generated at any time to show the configuration changes thatwere made both to the rule base and to the firewall operating system.Since SecureTrack issues real-time alerts any time a configuration change violates corporatepolicy, all security threats can be addressed immediately. This transforms the periodic auditinto the reporting process it is meant to be, and enables you to deliver ContinuousCompliance to your organization.Automatic Security Policy GenerationNetwork security teams are frequently asked to secure unrestricted network segments – forexample, between branch offices or merged companies – or to tighten up permissive firewallpolicies. This is very difficult to achieve without accidentally disrupting critical businessservices. Through labor-intensive manual log inspection, administrators try to identifylegitimate business traffic and create a rule set that will meet both security and businessobjectives. But given the complexity of network traffic today, this process is not only tediousand error-prone – it is also not very effective. As a result, companies often deploy firewallswith permissive ANY rules that do little to fulfill their security objectives. Network securityteams need an automatic solution for defining new firewall policies and tightening uppermissive ones that can reduce deployment times and ensure business continuity.With SecureTrack’s Automatic Policy Generator™ (APG), you can automatically generate anew, robust firewall policy based on a thorough analysis of current network traffic. APGcreates a rule base that is not too permissive, is optimized for high performance andorganized for easy management and maintenance. Fast and efficient, APG processesthousands of logs to create a new rule base within minutes.APG also provides security professionals with a powerful tool for tightening existing firewalls,re-building complex, heavy rule sets, and analyzing the rule bases of firewalls inherited fromother organizations. APG evaluates the permissiveness of each rule and provides concreterecommendations on how to improve them. Using an interactive graph, you can set thebalance between the degree of permissiveness and the number of rules that is generated.APG is powered by Tufin’s patent-pending Permissive Rule Analysis technology. For moreinformation read the APG Whitepaper.Firewall Operations Management 8/10
  9. 9. Compliance with Best PracticesOver the years, security best practices have evolved that enable organizations to managetheir security infrastructure more effectively. Given the variety of devices – different vendors,versions and administration tools – it is difficult to enforce industry best practices throughoutthe organization. Managers need tools that define best practices and are able to identify non-conformance for the full range of security devices.In SecureTrack, Tufin has gathered a long list of best practices derived from firewall vendors,industry experts and years of practical experience. The configurable Best Practices Auditreport instantly checks compliance with practices such as log tracking (rules that areuntracked or unlogged), permissive rules (that allow traffic from too many IP addresses),network object name patterns, firewall OS settings, and more.Scalable, Distributed Deployment Architecture andMulti-TenancyAt large organizations, firewalls and related security infrastructure are frequently distributed atmultiple sites, even in different countries. Slow network connections can frustrate attempts toanalyze data from a central location and maintain consistency throughout the organization.Similarly, at large datacenters, network devices are often distributed on multiple managementservers to increase performance. Yet it is still important to manage the security posturecentrally.Tufin SecureTrack features a robust distributed architecture that uses T-Series appliances tocollect data from each site. Suitable for wide area networks, the collectors forward data to acentral database for administration. SecureTrack is designed to overcome connectiondowntime between components and ensure a continuous, centralized managementenvironment.If you need to maintain integrity between sites or business units, SecureTrack provides fullsegregation of data along with flexible, role-based administrator definitions that provideaccess control for each management domain. At the same time, it gives you the ability toleverage Policy Analysis Queries and reports that you have designed for multiple tenants.For all mission critical data centers, Tufin offers high availability, database compression, high-performance appliances and disaster recovery.Firewall Operations Management: The Automated SolutionAs network security infrastructure grows more distributed and diverse, operations teams musthave central management solutions to ensure network security and Continuous Compliance,while keeping costs under control. . Tufin SecureTrack enables you to monitor, track andreport changes for all firewalls, routers and switches in the organization. It creates a completeaudit trail with full personal accountability for every change, along with configurable auditreports that support a wide variety of standards and regulations. With in-depth analysis tools,it gives you the power to proactively assess risks, replace permissive rules, and optimize theperformance of your firewalls. SecureTrack is an essential solution for any organization thatcannot afford to compromise on security and efficiency.According to an analysis performed by Frost & Sullivan, organizations can slash the timerequired to make configuration changes, and to perform security audits, by as much as 75%(see Security Lifecycle Management ROI). Tufin customers report that on average,SecureTrack cuts the cost of daily operations tasks in up to a half, so that they can focus onthe strategic part of their jobs instead of on routine, manual work.Firewall Operations Management 9/10
  10. 10. SecureTrack features all of the tools that operations teams need to ensure network securityevery day: Change tracking and analysis: Monitors firewall policy changes, reports them in real- time and maintains a comprehensive, accurate audit trail for full accountability. Security infrastructure optimization: Analysis and clean-up of complex rule bases and objects to eliminate potential security breaches and improve performance. Risk management: Assessment of Security Score and risk trends based on conformance to compliance policies and industry-standard risk factors. Network topology intelligence: Discovery of network topology and creation of a dynamic map including firewalls, routers and network zones. Automatic identification of relevant devices and zones in requests, queries and reports. Rule documentation and recertification: Documentation of rules and automatic identification of expired rules so that they can be removed and recertified as needed. Auditing and regulatory compliance: Automated audit reports to demonstrate compliance with corporate policy and regulatory standards including PCI DSS, NERC, SOX, HIPAA, ISO 17799 and Basel II. Multi-vendor visual monitoring: Intuitive, graphical views of policies, rule bases and configuration changes for the largest variety of vendors and network devices. Support for next-generation and network-layer firewalls and Cisco routers with ACLs. Comprehensive security policy analysis: In-depth analysis of organizational security policy implementation on a wide range of security devices. Automatic firewall policy generation: Definition of a new firewall policy based on an analysis of network traffic and elimination of permissive rules. Firewall OS Monitoring: Monitoring of critical firewall operating system components and server performance indicators to prevent service interruptions and enable effective auditing. Scalable and business-critical: Includes high availability, database compression, robust appliances and disaster recovery. Distributed, multi-tenant architecture: Distributed architecture supports unlimited firewalls, rules and network objects in large or distributed datacenters. Support for multiple tenants or domains provides security among customers or business units.Learn more about SecureTrack at© 2008, 2009, 2010, 2011, 2012 Tufin Software Technologies, Ltd. Tufin, SecureChange, SecureTrack, AutomaticPolicy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product namesmentioned herein are trademarks or registered trademarks of their respective owners.Firewall Operations Management 10/10