If you work in IT, you have devices to manage. There's no escaping this fact. Often device management comes down to numbers and resources: how many devices are there to manage, where are they located, who has access to them, and will the office in Manhattan be affected if someone in Chicago changes a policy?
Duly curious about device control, and especially firewall management in large-scale network design, The Tech Herald recently sat down with Tufin Technologies for a demo and overview to learn how some shops are dealing with device management.
Tufin Technologies was founded by Ruvi Kitov and Reuven Harrison in 2003. Both came from Check Point Software before founding the company together. Tufin, to keep things simple, deals strictly with Security Lifecycle Management (SLM). During our talk with Michael Hamelin, Tufin’s Chief Security Architect, we learned more about SLM. Yet, what interested us the most was a talk and demonstration of the company's SecureTrack and SecureChange Workflow.
In almost any technology business, IT has to manage devices, routers, switches and, most importantly, firewalls. The more devices a business has, the more IT management must focus on. The trick, which is actually one of the more frustrating parts of device management, is knowing what all devices are doing at any given time, how they are interacting with other devices on the network, who is accessing them, and what is being done.
For the most part, every IT shop has a different process for device management. Sometimes this means adding layer upon layer of rules to solve little problems or simply just granting permissions to various departments – such as development or QA – to access a device for testing or production deployments. It seems silly, but it happens. It is easier to put out a fire by granting access or adding a rule than it is to have a manager constantly leaning over your shoulder.
This consistent problem, one that led us to research solutions, is how we discovered Tufin Technologies in the first place and learned about SecureTrack and SecureChange Workflow. When explaining who he was and how he ended up working for Tufin Technologies, Hamelin told us he had been a customer prior to becoming an employee.
“The thing that I liked about it is Tufin is not an inline security product,” he said. “It’s nothing connecting to your firewall doing active defense, it’s not even pushing anything to your firewall. It’s purely in the audit space and the change management, change lifecycles space.”
SecureTrack and SecureChange Workflow are two product sets bundled together in the Tufin Security Suite (TSS). TSS works with Check Point, Cisco, Juniper, Fortinet, F5, and Blue Coat devices.
SecureTrack centers on policy management and auditing. It does this by tracking changes to devices, without needing to open a console or other interface. Most companies are far from a single-vendor shop, so it’s no surprise to see Cisco sitting in the same rack as Check Point or Juniper. However, Tufin cares little for your vendor; it simply allows you to get a visual of what’s happening on what devices and, if there was a change, what it affected and who initiated it.
Some of SecureTrack’s abilities include risk assessment, which will test device rules and hunt down potential security risks they create. The risk assessment ties into policy cleaning. SecureTrack can examine policies and clean up rules by listing the rules that are active, but have absolutely no use, as well as showing rules that conflict with one another and create bottlenecks or other issues. SecureTrack also monitors Firewall OS status, with the goal of preventing configuration errors.
Auditing-wise, SecureTrack will create custom audit reports for all the standards such as SOX, HIPAA, PCI-DSS, etc., while at the same time using logs and other collected data to create a visual auditing trail that has to be seen to be believed. During our demo, it was interesting to note that, if a rule was created that violated PCI-DSS by, for example, opening all network traffic to a device identified as a SQL server, Tufin threw out warning flags left and right.
Another core function of SecureTrack is the Automatic Policy Generator (APG), which analyzes logs and other collected data to create firewall rules that focus only on the used network traffic. This means it will look at the log data and take a device with 500 rules and create a policy that uses only 100 rules, killing off the wasted 400 and removing policies that simply use ANY as a base. As the ANY rules are removed, actual network addresses are used, creating that audit trail mentioned previously.
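The log-driven cleanup described above (listing rules that never match and replacing ANY with the addresses actually seen), as an added example that is not Tufin's code or algorithm; the rule fields, the log format and every address are constructed for illustration.

```python
from collections import defaultdict

# Constructed rule base (not from a real device): id, source, destination, port.
RULES = [
    {"id": 1, "src": "10.1.0.0/24", "dst": "10.2.0.10", "port": 443},
    {"id": 2, "src": "ANY", "dst": "10.2.0.20", "port": 1433},
    {"id": 3, "src": "10.3.0.0/24", "dst": "10.2.0.30", "port": 22},
]

# Constructed accept-log lines in a hypothetical key=value format.
LOGS = """\
rule=1 src=10.1.0.5 dst=10.2.0.10 dport=443
rule=2 src=10.1.0.7 dst=10.2.0.20 dport=1433
rule=2 src=10.1.0.9 dst=10.2.0.20 dport=1433
rule=2 src=10.1.0.7 dst=10.2.0.20 dport=1433
"""

def parse_logs(text):
    """Map rule id -> set of distinct (src, dst, port) flows it accepted."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(kv.split("=", 1) for kv in line.split())
        hits[int(f["rule"])].add((f["src"], f["dst"], int(f["dport"])))
    return hits

def tighten(rules, hits):
    """Return (proposed_rules, unused_rule_ids) based on observed traffic."""
    proposed, unused = [], []
    for rule in rules:
        flows = hits.get(rule["id"])
        if not flows:
            unused.append(rule["id"])      # never matched: removal candidate
        elif "ANY" in rule.values():
            # Replace the wildcard rule with one rule per observed flow,
            # keeping the original id so the change stays traceable.
            for src, dst, port in sorted(flows):
                proposed.append({"id": rule["id"], "src": src,
                                 "dst": dst, "port": port})
        else:
            proposed.append(rule)          # already specific and in use
    return proposed, unused

if __name__ == "__main__":
    new_rules, unused_ids = tighten(RULES, parse_logs(LOGS))
    print("unused:", unused_ids)
    for r in new_rules:
        print(r)
```

A rule with no hits is only a removal candidate: the log window has to be long enough to include infrequent traffic such as monthly jobs before anything is deleted.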
The second part of TSS comes from SecureChange Workflow. SecureChange Workflow streamlines device management, and works hand-in-hand with SecureTrack. For example, it allows change automation and process management for security teams charged with overseeing rules and device policy. It comes packed with templates for the most requested changes, as well as allowing the creation of policy for separation of duties. The workflow (request, design, approve, implement, verify, and audit) is managed from a single interface. During our demo, SecureChange Workflow worked seamlessly with Active Directory. This allowed for granular control over duty separation, and added to the auditing.
One interesting note from the TSS demo that we picked up on was that whenever accessing rules or policy editors for any given vendor, TSS actually uses a graphical user interface (GUI) that looks exactly like what you would expect if you logged in from the console. For example, in the TSS demo, the rules list for a Check Point device was brought up, and the GUI used in TSS was the same - even down to the color scheme.
Overall, considering that device management can make some administrators beat their heads against a wall, Tufin Technologies' offering stands out as one of those things that shouldn’t be needed, but, once experienced first hand, prompts the question: why isn't it a standard suite of tools given out with the device at purchase?
Tufin Security Suite 5 will be available in August of this year. Aimed specifically at larger networks and enterprise environments, the cost will start at $20,000 USD.