Tufin automates policy changes and compliance for next-generation firewalls

Next-generation firewalls are a big leap forward in terms of knowing who is using what Web-based applications, but tracking the configurations, changes and policies can be a huge task that requires automation tools. Tufin Technologies just announced product enhancements that may make a firewall administrator's job a little easier.

The emergence of application-aware next-generation firewalls is a big advancement. NGFWs make it possible to associate application usage with specific users, providing more granular control over the IT environment.

NGFWs are especially important in this era of Web-based applications. Standard firewalls, after all, allow all Web traffic to flow through Port 80 and make no distinction between applications, so the pictures Ashley is posting to Facebook of her new puppy are treated just the same as customer information being uploaded to Salesforce.com. In contrast, a NGFW allows the administrator to specify which users can use which applications over the Web, meaning the administrator can allow Ashley to update her customer information but deny her the ability to access Facebook at work.


I'm sure you can see where this is going.

As companies move to next-generation firewalls, they face the issue of maintaining compliance with new policies and rules. Now network administrators are not just monitoring and controlling Port 80, they also must control specific application/user sets to assure controlled access to Web-based apps. The enhanced control is surely welcome, but it adds the burden of having to create, test and maintain these multidimensional rule sets across the network.

Doing this manually is simply untenable.

That's where tools like those from Tufin Technologies Inc. come in. Tufin's software automates the task of analyzing firewall rule sets for conflicts and compliance with corporate policies. The company just announced a new version of its Tufin Security Suite (TSS) that adds the ability to create, implement and manage NGFW policies. TSS 6.0 includes the combined offering of SecureTrack, Tufin's firewall operations management and compliance product, and SecureChange, its security change automation solution.
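The kind of rule-set conflict analysis described above, as an added example that is not Tufin's code: an ordered rule base is checked for shadowed rules, i.e. rules that can never fire because an earlier rule already matches all of their traffic. When the earlier rule takes the opposite action the later rule is a conflict (the administrator's intended allow or deny is silently overridden); when it takes the same action the later rule is merely redundant. The rule format, rule names and addresses are constructed.

```python
"""Shadowed-rule detection for an ordered firewall rule base.

Added example, not Tufin's code: rule format, rule names and addresses are
constructed. A rule is shadowed when an earlier rule matches every packet it
would match, so the later rule never fires.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive destination port range (low, high)

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        ports_ok = self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1]
        return (proto_ok and ports_ok
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


def analyze(rules):
    """Return (kind, shadowed_rule, shadowing_rule) for every rule that can never fire.

    kind is "conflict" when the earlier rule takes the opposite action and
    "redundant" when it takes the same action (dead rule, no policy effect).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((kind, later.name, earlier.name))
                break  # the first covering rule is the one that actually fires
    return findings


# Constructed rule base: internal users in 10.0.0.0/8, a CRM host at 203.0.113.10.
SAMPLE_RULES = [
    Rule("allow-crm", "allow", "10.0.0.0/8", "203.0.113.10/32", "tcp", (443, 443)),
    Rule("deny-web", "deny", "10.0.0.0/8", "0.0.0.0/0", "tcp", (80, 443)),
    # Intended exception for the marketing subnet, but deny-web already matches it.
    Rule("allow-marketing-web", "allow", "10.1.5.0/24", "0.0.0.0/0", "tcp", (443, 443)),
    # Narrower copy of allow-crm added later by a second administrator.
    Rule("allow-crm-dup", "allow", "10.1.0.0/16", "203.0.113.10/32", "tcp", (443, 443)),
]

if __name__ == "__main__":
    for kind, shadowed, by in analyze(SAMPLE_RULES):
        print(f"{kind:9s} {shadowed} is shadowed by {by}")
```

Running the script reports `allow-marketing-web` as a conflict with `deny-web` and `allow-crm-dup` as redundant with `allow-crm`. The check only covers full shadowing by a single earlier rule; partial overlaps and shadowing by the combined effect of several earlier rules need a more expensive set-difference computation, which is the part a product like TSS automates across an entire estate.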

Diana Kelley is a principal security analyst with the firm Security Curve, and in a previous job she was a firewall administrator. "I know how difficult it is to efficiently design, implement and maintain appropriate firewall rules that both protect the network but also meet today's ever changing compliance requirements," she says. "The increased complexity introduced by Web applications requires tools that will assist administrators in effectively managing their network and application firewalls to reduce organizational risk and maintain compliance while minimizing or reducing overhead. Tufin's new tools will be very helpful to administrators as they develop and manage new rules for Port 80 traffic."

There are several significant enhancements to TSS, including:

* Topology Intelligence -- TSS now includes the ability to generate large maps of interconnected network devices across multiple zones and segments, making it easier to visually discover the relationships between various devices. The tool can automatically generate configuration reports about networking equipment. This should help administrators visualize and craft effective policies, and enable them to predictively determine which policy changes result in an efficient path between a given network source and destination.

* Cisco Device Configuration Reports -- TSS's Device Configuration Report is designed for Cisco routers and switches. TSS checks for the misconfiguration of common security settings that are critical for overall device and network security. The report, which aligns with the best practices of the CIS IOS Benchmark and the NSA's Router Security Configuration Guide, checks many common security settings such as SNMP settings, authentication settings, NTP settings, unnecessary services, Syslog settings and more. The reports can be run against any Cisco device on a network. TSS generates alerts if there are violations of either the CIS benchmark or the NSA guide.

* High Availability -- TSS can now be configured for high availability, providing continuous synchronization between the primary TSS server and a secondary TSS server deployed locally or across a remote network. This redundancy provides assurance that TSS will be available when needed.

* Extended Support for Multi-Tenancy -- Following on the multi-domain capabilities of SecureTrack, SecureChange now supports multiple tenants and domains. Service providers and large enterprises can now handle change request tickets from different business units, data centers or customers. SecureChange automatically associates change tickets to the proper domain and maintains segregation of data between domains. Each requestor only sees the devices and objects in the domains to which they belong.
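To make the Cisco Device Configuration Report item concrete, here is an added example (not Tufin's report logic) that audits a Cisco IOS running-config for the categories the article lists: SNMP, authentication, NTP, unnecessary services and Syslog. The check IDs, messages and both sample configs are constructed; the individual checks follow the spirit of the CIS IOS Benchmark and the NSA guide rather than transcribing either document, and the `enable secret` value in the hardened config is a placeholder.

```python
"""Audit a Cisco IOS running-config for common hardening gaps.

Added example, not Tufin's report logic. Check IDs, messages and the two
sample configs are constructed; the checks are in the spirit of the CIS IOS
Benchmark and the NSA Router Security Configuration Guide, not a copy of them.
"""
import re


def _lines(config):
    """Config lines with indentation and '!' comment separators stripped."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def check_snmp(lines):
    out = []
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", ln, re.I)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()  # IOS default is RO
            if community.lower() in ("public", "private"):
                out.append(f"SNMP: default community string '{community}'")
            if mode == "RW":
                out.append(f"SNMP: write access granted to community '{community}'")
    return out


def check_auth(lines):
    out = []
    if not any(ln.startswith("aaa new-model") for ln in lines):
        out.append("AUTH: AAA not enabled (no 'aaa new-model')")
    if not any(ln.startswith("enable secret") for ln in lines):
        out.append("AUTH: no 'enable secret' (enable password is plaintext or reversible)")
    if not any(ln.startswith("service password-encryption") for ln in lines):
        out.append("AUTH: 'service password-encryption' not set")
    return out


def check_ntp(lines):
    if any(ln.startswith("ntp server") for ln in lines):
        return []
    return ["NTP: no NTP server configured (log timestamps will not be trustworthy)"]


def check_services(lines):
    out = []
    for svc in ("ip http server", "service tcp-small-servers",
                "service udp-small-servers", "service finger"):
        if any(ln == svc for ln in lines):
            out.append(f"SERVICES: unnecessary service enabled ('{svc}')")
    return out


def check_syslog(lines):
    out = []
    if not any(ln.startswith("logging host") or re.match(r"logging \d+\.\d+\.\d+\.\d+", ln)
               for ln in lines):
        out.append("SYSLOG: no remote syslog host")
    if not any(ln.startswith("service timestamps log") for ln in lines):
        out.append("SYSLOG: log messages lack timestamps")
    return out


def audit(config):
    """Run every check and return the list of finding strings (empty means clean)."""
    lines = _lines(config)
    findings = []
    for check in (check_snmp, check_auth, check_ntp, check_services, check_syslog):
        findings.extend(check(lines))
    return findings


# Constructed running-config of a branch router with typical defaults left in place.
WEAK_CONFIG = """!
hostname branch-rtr1
!
enable password cisco123
!
snmp-server community public RO
snmp-server community private RW
!
ip http server
!
logging buffered 8192
!
line vty 0 4
 login
 password cisco
!
end"""

# Constructed hardened version of the same device; the secret hash is a placeholder.
HARDENED_CONFIG = """hostname branch-rtr1
service password-encryption
service timestamps log datetime msec
aaa new-model
enable secret 9 $9$PLACEHOLDER-HASH
snmp-server community N3tM0n-r0 RO 10
ntp server 10.0.0.5
logging host 10.0.0.20
no ip http server
end"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("VIOLATION", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The weak config produces ten findings across all five categories; the hardened config produces none. Checks like these are cheap to run on every configuration change, which is why a change-management product pairs them with a change ticket: the report shows whether the device drifted from the benchmark before the change is approved, not after an incident.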

In addition to the feature enhancements, Tufin announced the availability of the model T-80 appliance specifically designed for small data centers and distributed deployments. This midsize solution can handle about 10 firewalls.

Whether your organization has moved to next-generation firewalls or you are still relying on traditional firewalls, you can ease your administration burden with automation tools that detect conflicts, track changes and ensure compliance with corporate policies.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at Bmusthaler@essential-iws.com.

______________________________________________________________

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2011 IDG Communications, Inc.
