
Automation critical to scalable network security

News Analysis
Jun 11, 2018
3 mins
Cisco Systems, Firewalls, Network Security

With Tufin Orchestration Suite R18-1, Cisco Firepower customers can make changes and update all the firewalls in minutes instead of having to touch each box one at a time.


Securing the business network has been and continues to be one of the top initiatives for engineers. Suffering a breach can have catastrophic consequences for a business, including lawsuits, fines, and brand damage from which some companies never recover.

To combat this, security professionals have deployed a number of security tools, including next-generation firewalls (NGFW) such as Cisco’s Firepower, which is one of the most widely deployed in the industry. 

Managing firewalls becomes increasingly difficult

Managing a product like Firepower has become increasingly difficult, though, because the speed at which changes need to be made has increased. Digital businesses operate at a pace never seen before in the business world, and the infrastructure teams need to keep up. If they can’t operate at this accelerated pace, the business will suffer. And firewall rules continue to grow in number and complexity, making it nearly impossible to update them manually.

Tufin unveils new features to automate the management of Firepower

This week at Cisco Live, network security policy orchestration vendor Tufin announced the release of Tufin Orchestration Suite R18-1 (TOS 18-1), which includes several new features, including enhanced support and integration for Cisco Firepower. As far as I am aware, TOS 18-1 is the first to automate change management for Cisco Firepower policies for customers using Cisco Firepower Management Center (FMC).

Changing firewall rules can be a long and painful process, and removing rules can be even more painful, which is why firewall rules wind up being unmanageable in a fairly short period of time. With Tufin’s product, though, customers can make changes and propagate them across all the firewalls in a matter of minutes instead of having to touch each box one at a time.

Another new feature of Orchestration Suite R18-1 is the ability to migrate the configuration from Cisco’s Adaptive Security Appliance (ASA) to Firepower. Without an automated tool, migrating from one product to the other can take a significant amount of time and be filled with errors, as rules have to be manually ported from one system to the other. Any mistake is then carried over. The complexity of this process often holds companies back from upgrading or switching platforms.

Tufin’s products make moving from ASA to Firepower error-free, reducing the risk of switching while validating the rules to ensure no broken or expired rules are migrated. The enhanced support in TOS 18-1 will allow security professionals to ensure they meet compliance mandates with an auditable, documented process for Firepower policy changes.

TOS 18-1 helps meet compliance mandates

In addition to the Firepower enhancements, TOS 18-1 includes the ability to automate the process of tracking, monitoring, and managing the expiration of firewall rules to ensure compliance mandates are met. This can be particularly useful for businesses in an industry that has strict compliance guidelines and big fines for non-compliance, such as retail under PCI DSS. The software automatically identifies expiring rules and then automatically recertifies them across a wide range of vendors, reducing or even eliminating that risk vector as it continuously ensures compliance and automates the enforcement of the rule recertification policies.

Keeping up with firewall rules is extremely important for digital businesses in both regulated and non-regulated industries. Changing them can be a daunting task, though, as the number of rules and their complexity can be overwhelming. Tufin’s Orchestration Suite R18-1 makes this process considerably easier. Cisco customers in particular can use Firepower to its fullest and create a rapid, error-free migration path to it from ASA.

Note: Cisco is a client of ZK Research.


Zeus Kerravala is the founder and principal analyst with ZK Research, and provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to end-user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers.
