Tufin SecureTrack
<strong>SecureTrack</strong><br />
Security Operations Management,<br />
Auditing & Compliance for Cisco<br />
Firewalls, Routers and Switches<br />
February, 2012<br />
www.tufin.com
Table of Contents<br />
Introduction ............................................................................................................. 3<br />
Comprehensive View of Firewall Policy ................................................................ 4<br />
Configuration Change Management ...................................................................... 5<br />
Security Policy Optimization and Cleanup ............................................................ 5<br />
Risk Management .................................................................................................... 6<br />
Network Topology Intelligence............................................................................... 7<br />
Rule Documentation and Recertification ............................................................... 7<br />
Corporate Auditing and Compliance ..................................................................... 8<br />
Automatic Security Policy Generation ................................................................... 8<br />
Compliance with Best Practices ............................................................................ 9<br />
Scalable, Distributed Deployment Architecture and Multi-Tenancy ................. 10<br />
Firewall Operations, Auditing and Compliance: The Automated Solution ........ 10<br />
Firewall Operations for Cisco 2/11
Introduction<br />
Managing network security for an organization or a service provider has become a highly<br />
complex operation involving dozens or even hundreds of firewalls and routers. Multiple sites<br />
and teams, different hardware and software vendors – all of these factors make it virtually<br />
impossible to maintain an accurate, airtight security policy on every device. At the same time,<br />
internal security policies have become more rigorous, and organizations need to comply with<br />
a growing body of industry and government regulations.<br />
To make sure that security standards are being met, most organizations rely on periodic<br />
audits – a process involving days of manual, painstaking effort. In addition to the tremendous<br />
investment of time and resources, relying on audits is a reactive approach to network security<br />
that can leave threats undetected for months at a time.<br />
Today’s security operations teams urgently need a management solution that can proactively<br />
assure network security and achieve Continuous Compliance with standards while<br />
automating labor-intensive day-to-day tasks. In practical terms, firewall operations teams<br />
need:<br />
• Central management starting with a top-down view of all Cisco firewalls, routers and<br />
switches in the organization, the Cisco Security Manager (CSM), and firewalls from<br />
other vendors<br />
• Management of both next-generation and network-layer firewalls<br />
• Change management to ensure that every configuration change made to a firewall,<br />
router or switch is accountable and in accordance with corporate standards<br />
• Proactive risk analysis and business continuity management to evaluate the impact<br />
of every configuration change and ensure Continuous Compliance with standards<br />
• ACL optimization and cleanup to eliminate security loopholes, improve firewall<br />
performance, and reduce hardware costs<br />
• Network topology intelligence to visually analyze the access path between any<br />
source and destination<br />
• Rule (ACE) documentation that enables you to manage ACE ownership, expiration<br />
and recertification<br />
• Automated security audits to efficiently comply with corporate policies as well as<br />
industry and government regulations<br />
• Automatic ACL generation to enable rapid deployment of new firewalls without<br />
disrupting business continuity or resorting to permissive rules<br />
• Alignment with best practices from vendors and security industry veterans<br />
• Scalable support for large enterprises and datacenters including distributed<br />
deployment, multiple device domains and role-based management<br />
<strong>Tufin</strong> <strong>SecureTrack</strong> enables security operations teams to dramatically reduce risk while<br />
increasing compliance and efficiency. With a powerful set of real-time and analytical tools,<br />
<strong>SecureTrack</strong> tackles the practical challenges that operations teams face every day when it<br />
comes to managing Cisco firewalls, routers and switches. This paper takes a closer look at<br />
each of the key requirements in security operations management and explains how<br />
<strong>SecureTrack</strong> enables companies to eliminate potential threats, lower costs, and achieve their<br />
strategic security objectives.<br />
Comprehensive View of Firewall Policy<br />
Enterprises and service providers currently manage dozens, if not hundreds, of individual<br />
network security devices including network-layer firewalls, next-generation firewalls, Web<br />
proxies, load balancers, routers and switches. Each device has its own policy or access<br />
control list (ACL) - a complex set of rules defining the access privileges and restrictions for<br />
specific users and services. Today, administrators lack a unified top-down view of all of their<br />
security policies on all of their Cisco devices as well as other vendors, and need to<br />
individually monitor each piece of the puzzle.<br />
<strong>Tufin</strong> <strong>SecureTrack</strong> provides a convenient, top-down view of all ACLs and security policies in<br />
the organization that is fully interoperable with the Cisco Security Manager. You can view the<br />
current configuration as well as historical views and snapshots. Each policy is displayed<br />
using Cisco’s native layout and conventions. <strong>SecureTrack</strong> makes it simple to visually<br />
compare and review devices. For example, you can analyze a side-by-side view of the same<br />
firewall at two different points in time, and you can compare the settings of different firewalls<br />
in a variety of views and reports.<br />
<strong>SecureTrack</strong>’s dashboard and interactive browsers enable you to immediately assess your<br />
overall security posture and to drill down for more information in order to analyze and<br />
remediate threats.<br />
On or off site, <strong>SecureTrack</strong> enables you to centrally manage alerts and notifications and<br />
generate reports for your entire security infrastructure. Since it is easy to learn and use, within<br />
minutes you can integrate <strong>SecureTrack</strong> into your network environment and start real-time<br />
monitoring.<br />
In addition to the list of vendors currently supported by <strong>SecureTrack</strong>, the <strong>Tufin</strong> Open Platform<br />
(TOP) enables enterprises and integrators to easily extend the platform and support<br />
additional vendors and infrastructure components through simple plugins.<br />
Configuration Change Management<br />
Organizations are constantly in motion. So implementing a corporate security policy is not a<br />
one-shot deal. Every day, configuration changes are made in response to user requests for<br />
network access, security threats and changes to the network structure. Monitoring, tracking<br />
and analyzing these configuration changes is probably the biggest challenge facing firewall<br />
administrators today. And the problem is not limited to ACLs. Changes to the configuration<br />
and performance of the firewall operating system or firmware also directly impact security and<br />
business continuity, yet they are difficult to track with conventional methods.<br />
<strong>Tufin</strong> <strong>SecureTrack</strong> continuously monitors and keeps track of every security configuration<br />
change including changes to ACEs and network objects such as hosts and services.<br />
Comprehensive change reports include Cisco firewalls, routers and switches as well as other<br />
vendors, using the native conventions – for example, field names and colors. <strong>SecureTrack</strong><br />
offers a variety of customizable change reports as well as comparisons of different firewalls,<br />
or different historical snapshots. Reports can be sliced by firewall, by rule, by object, or by the<br />
type of change.<br />
Full accountability is assured since each change is stored along with the administrator’s<br />
name, the time, and the server where the change originated. <strong>SecureTrack</strong> makes it possible<br />
to determine who made a change with a simple query, rather than searching through<br />
numerous log files for the needle in the haystack.<br />
<strong>SecureTrack</strong> also integrates with leading ticketing systems so that changes can be tracked<br />
from the original request through approvals to implementation. Each change in a<br />
<strong>SecureTrack</strong> report includes a link to the relevant ticket so that you can automatically launch<br />
the ticket for more information.<br />
Using real-time alerts, <strong>SecureTrack</strong> sends an e-mail to designated administrators in response<br />
to every change that may conflict with corporate security policy. Rather than wait for the next<br />
audit, <strong>SecureTrack</strong> empowers you to proactively prevent security risks before they actually<br />
arise. Alerts are also useful for ongoing management – even when you are off site,<br />
<strong>SecureTrack</strong> alerts can inform you of any or all changes via e-mail.<br />
Security Policy Optimization and Cleanup<br />
As thousands of tickets are processed by the security team, and organizational security<br />
objectives evolve over time, the underlying ACLs become very large, intricate and complex.<br />
In fact, many of the rules (ACEs) and objects in a typical firewall rule base are obsolete.<br />
These unused ACEs represent a potential security hole and should be eliminated. Yet<br />
administrators do not have an easy way of identifying them with standard administration<br />
tools.<br />
In addition to security risks, a poorly maintained ACL can have a major impact on<br />
performance. The entire ACL is parsed from top to bottom with every network connection,<br />
and as it grows, hardware requirements also increase.<br />
<strong>SecureTrack</strong> analyzes the actual usage of individual ACEs and labels each one as heavily<br />
used, moderately used, or unused. <strong>SecureTrack</strong> also analyzes object usage within each<br />
ACE, indicating specific network objects and services that are no longer in use. It is advisable<br />
to review every unused ACE and object, and remove those that are not necessary and may<br />
represent a security risk.<br />
To improve device performance, <strong>SecureTrack</strong> makes recommendations regarding the<br />
position of specific ACEs – placing the heavily used ACEs at the top of the list and moving<br />
the least-used ACEs to the bottom. <strong>SecureTrack</strong> also indicates rule shadowing – places<br />
where ACEs overlap, or effectively “hide” others – so that you can re-position them<br />
intelligently.<br />
You can view the latest optimization recommendations in the <strong>SecureTrack</strong> dashboard and<br />
Clean-Up browser or generate a customized report at any time.<br />
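The three analyses this section describes (usage labelling, shadowed-rule detection and a performance-oriented re-ordering that preserves first-match behaviour) on a constructed ACL, as an added illustration that is not Tufin code. ACEs are simplified to CIDR notation rather than IOS wildcard masks, and the hit-count thresholds are this example's own assumptions; the page does not state the ones SecureTrack uses.<br />

```python
"""Added example (not Tufin code): ACL clean-up analysis on constructed data.
Labels ACEs by hit count, finds shadowed ACEs, and proposes a hit-count-ordered
layout that keeps first-match semantics intact."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    name: str
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip"
    src: str      # CIDR (simplification of IOS wildcard masks)
    dst: str      # CIDR
    port: str     # destination port or "any"
    hits: int     # hit counter collected over the analysis window


def net(cidr):
    return ipaddress.ip_network(cidr)


def covers(a, b):
    """True if ACE a matches every packet that ACE b matches (a is at least as broad)."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.port == "any" or a.port == b.port)
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst)))


def overlaps(a, b):
    """True if some packet could match both ACEs, so their relative order matters."""
    return ((a.proto == "ip" or b.proto == "ip" or a.proto == b.proto)
            and (a.port == "any" or b.port == "any" or a.port == b.port)
            and net(a.src).overlaps(net(b.src))
            and net(a.dst).overlaps(net(b.dst)))


def shadowed(acl):
    """Map each ACE that can never match to the earlier ACE hiding it. The action is
    deliberately ignored: a permit hidden behind a broader deny (or the reverse) is
    still dead, and that mismatch is exactly what a reviewer needs to see."""
    result = {}
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if covers(earlier, later):
                result[later.name] = earlier.name
                break
    return result


def usage_class(ace, heavy=1000):
    """Constructed thresholds; the page does not state Tufin's."""
    if ace.hits == 0:
        return "unused"
    return "heavily used" if ace.hits >= heavy else "moderately used"


def reorder(acl):
    """Place heavily used ACEs first without moving any ACE above one it overlaps with,
    so matching behaviour is unchanged (greedy topological order by hit count)."""
    placed, remaining = [], list(acl)
    while remaining:
        ready = [r for r in remaining
                 if all(p in placed for p in acl[:acl.index(r)] if overlaps(p, r))]
        best = max(ready, key=lambda r: r.hits)
        placed.append(best)
        remaining.remove(best)
    return [a.name for a in placed]


def cleanup_report(acl):
    """Usage label per ACE plus the shadowing map, as a clean-up view would show."""
    return {"usage": {a.name: usage_class(a) for a in acl}, "shadowed": shadowed(acl)}


# Constructed ACL with hit counts (not from a real device).
ACL = [
    Ace("ace-10", "permit", "tcp", "10.0.0.0/8", "10.20.5.10/32", "443", 120),
    Ace("ace-20", "permit", "tcp", "10.1.0.0/16", "10.20.5.10/32", "443", 0),
    Ace("ace-30", "permit", "udp", "10.0.0.0/8", "10.20.1.1/32", "53", 9800),
    Ace("ace-40", "deny", "ip", "192.168.0.0/16", "10.20.0.0/16", "any", 35),
    Ace("ace-50", "permit", "tcp", "192.168.7.0/24", "10.20.5.10/32", "22", 0),
    Ace("ace-60", "permit", "tcp", "172.16.0.0/12", "10.20.9.0/24", "80", 4100),
]

if __name__ == "__main__":
    print(cleanup_report(ACL))
    live = [a for a in ACL if a.name not in shadowed(ACL)]
    print(reorder(live))
```

Removing the shadowed ACEs before re-ordering is the sensible sequence: ace-20 is dead because ace-10 already admits all of its traffic, and ace-50 is dead because the broader deny in ace-40 sits above it, which is the kind of overlap worth a human decision rather than an automatic move.<br />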
Risk Management<br />
The implications of a security configuration error can be severe – from a breach to network<br />
downtime, or even a network service interruption. Therefore, it is essential to analyze the<br />
impact of every change before it is implemented in the production environment. The same is<br />
true for the router configuration, where routine system maintenance can expose<br />
vulnerabilities or even disrupt business.<br />
In addition, security managers must be able to assess risk and vulnerability at any given time<br />
– for all relevant network security devices. The challenge is greatest in distributed<br />
organizations with multiple teams. Inevitably, different teams develop their own standards<br />
and working methodologies. To ensure that everybody is successfully implementing security<br />
guidelines, organizations need to implement automated solutions that can evaluate risk and<br />
compliance at all times.<br />
To manage risk and ensure business continuity, <strong>SecureTrack</strong> uses a multi-step approach:<br />
• Security administrators define the organization’s security compliance policy for<br />
mission critical and risky services within <strong>SecureTrack</strong>. <strong>SecureTrack</strong> automatically<br />
compares every change that is made to the firewall, router or switch configuration<br />
and sends out a real-time alert in the case of a violation to the organization’s<br />
compliance policy. This capability is firewall vendor agnostic and implemented<br />
transparently in heterogeneous environments.<br />
• The <strong>SecureTrack</strong> dashboard and the interactive Risk browser always show the<br />
current level of risk along with a prioritized list of risk factors, so that you can<br />
investigate and remediate as soon as possible.<br />
• Before implementing a change, administrators can use <strong>SecureTrack</strong>’s Security Policy<br />
Analysis to simulate the change on the ACL and identify possible conflicts or<br />
violations. This proactive risk analysis tool can save hours of painstaking, manual<br />
ACL review.<br />
• The Security Risk Report summarizes the current risk posture and calculates your<br />
Security Score. The report can be run at the organizational level or per gateway, and<br />
indicates risk trends in addition to the current state. To determine the Security Score,<br />
the report uses your compliance policies as well as a group of pre-defined risk factors<br />
culled from leading industry standards. You can set your own priorities and customize<br />
the report to exclude specific policies, risk factors or even ACEs that cause false<br />
positive violations.<br />
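The change-tracking workflow from Configuration Change Management above, combined with the compliance-policy alerting described in this section, as an added illustration that is not Tufin code. It diffs two constructed ACL snapshots (simplified to CIDR notation rather than IOS wildcard masks), records who made each change, when and from which server, and raises an alert for any added ACE that violates a constructed compliance policy: risky services permitted into a protected range from outside it, or an any-source ip permit into that range. The protected range, the risky-service list and the snapshots are all assumptions made for the example.<br />

```python
"""Added example (not Tufin code): diff two ACL snapshots, attribute each change,
and alert on changes that violate a constructed compliance policy."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip"
    src: str      # source network in CIDR form (simplification; IOS uses wildcard masks)
    dst: str      # destination network in CIDR form
    port: str     # destination port, or "any"


def parse_ace(line):
    """Parse a simplified extended ACE such as 'permit tcp 10.0.0.0/8 10.20.5.10/32 eq 443'."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    port = parts[5] if len(parts) >= 6 and parts[4] == "eq" else "any"
    return Ace(action, proto, src, dst, port)


# Constructed compliance policy: these services must never be permitted into the
# protected data-center range from addresses outside it, and an any-source "ip"
# permit into that range is never acceptable.
PROTECTED = ipaddress.ip_network("10.20.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
RISKY_SERVICES = {("tcp", "23"): "telnet", ("tcp", "21"): "ftp", ("udp", "161"): "snmp"}


def violations(ace):
    """Return the policy violations an ACE would introduce (empty list if compliant)."""
    if ace.action != "permit":
        return []
    src, dst = ipaddress.ip_network(ace.src), ipaddress.ip_network(ace.dst)
    found = []
    service = RISKY_SERVICES.get((ace.proto, ace.port))
    if service and dst.overlaps(PROTECTED) and not src.subnet_of(PROTECTED):
        found.append(f"{service} permitted into {PROTECTED} from {src}")
    if ace.proto == "ip" and ace.port == "any" and src == ANY and dst.overlaps(PROTECTED):
        found.append(f"any-source ip permit into {PROTECTED}")
    return found


def diff_snapshots(old_lines, new_lines):
    """Return (added, removed) ACEs between two configuration snapshots."""
    old = {parse_ace(l) for l in old_lines}
    new = {parse_ace(l) for l in new_lines}
    return sorted(new - old), sorted(old - new)


def audit_change(old_lines, new_lines, admin, when, server):
    """Build the change report: every added or removed ACE with who/when/where it came
    from, plus real-time alerts for added ACEs that violate the compliance policy."""
    added, removed = diff_snapshots(old_lines, new_lines)
    report = []
    for ace in added:
        report.append({"change": "added", "ace": ace, "admin": admin, "time": when,
                       "server": server, "alerts": violations(ace)})
    for ace in removed:
        report.append({"change": "removed", "ace": ace, "admin": admin, "time": when,
                       "server": server, "alerts": []})
    return report


# Constructed snapshots of one firewall's ACL before and after a change.
BEFORE = [
    "permit tcp 10.0.0.0/8 10.20.5.10/32 eq 443",
    "permit udp 10.20.0.0/16 10.20.1.1/32 eq 161",
    "deny ip 0.0.0.0/0 0.0.0.0/0",
]
AFTER = [
    "permit tcp 10.0.0.0/8 10.20.5.10/32 eq 443",
    "permit tcp 192.168.7.0/24 10.20.5.10/32 eq 23",
    "permit udp 10.20.0.0/16 10.20.1.1/32 eq 161",
    "deny ip 0.0.0.0/0 0.0.0.0/0",
]

if __name__ == "__main__":
    for entry in audit_change(BEFORE, AFTER, "jdoe", "2012-02-14 10:05", "csm-01"):
        print(entry["change"], entry["ace"], entry["admin"], entry["time"], entry["alerts"])
```

Only added ACEs are evaluated against the policy: a removal cannot open access, so it is recorded for the audit trail but never alerted on. Running the same check before the change is pushed (feeding the proposed ACL as the "after" snapshot) gives the pre-implementation simulation the third bullet describes.<br />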
Network Topology Intelligence<br />
Given the size and complexity of today’s networks, it is not easy to maintain a clear picture of<br />
all of its devices and zones. When faced with a network access request from a user, or a<br />
change request from IT, it can take time to understand which firewalls and network<br />
components are involved.<br />
<strong>SecureTrack</strong> discovers an organization’s network topology and provides security<br />
administrators with a dynamic, visual map. The map, which is continuously updated in<br />
response to network changes, identifies firewalls, routers and network zones such as the<br />
DMZ. <strong>SecureTrack</strong> supports very large maps and enables you to add unmonitored routers in<br />
order to create the most complete picture.<br />
Network Topology Intelligence is an integral part of many <strong>SecureTrack</strong> and SecureChange<br />
features including policy analysis, compliance and security risk reports, and the Policy<br />
Designer. It automatically identifies the devices and zones that are relevant for an access<br />
request making it easier for you to analyze, modify and report on security policies.<br />
Rule Documentation and Recertification<br />
A key best practice for security policies is to periodically review each ACE (rule) and remove<br />
the ones that are no longer required. Since ACLs regularly contain hundreds of ACEs, and<br />
there are often multiple administrators making changes, it is optimal to document each ACE<br />
as it is created, and to assign an expiration date.<br />
Among firewall, router and switch vendors, the ability to document rules and set expiration<br />
dates is handled to varying extents – or not at all – so it is important to be able to manage<br />
ACE and rule ownership, expiration and recertification centrally.<br />
With <strong>SecureTrack</strong>, you can continuously weed out ACEs that are no longer needed and<br />
prevent ACLs from growing out of control. You can document each ACE, identify the<br />
technical and business owners, and indicate an expiration date upon which the ACE must be<br />
reviewed. At any time, you can sort and filter ACEs according to expiration date and/or owner<br />
and recertify, or remove them, as needed. You can also define scheduled reports and alerts<br />
to proactively stay on top of ACE status at all times.<br />
Rule documentation is a valuable tool for justification of rules as required by certain audits<br />
such as PCI DSS.<br />
Auditing and Continuous Compliance<br />
Organizations now understand the business impact of network security and are demanding a<br />
high level of transparency and accountability from network operations teams. In addition,<br />
more and more companies need to conform to government and industry standards such as<br />
PCI DSS and SOX.<br />
To meet these increasingly rigorous standards, you need the ability to efficiently perform<br />
periodic audits. Owing to the size and dynamic nature of ACLs, it is extremely time-consuming<br />
to do this manually, even for an expert. You need an automated audit process<br />
that can be configured to meet the specific requirements of both corporate and regulatory<br />
standards.<br />
To hold individuals accountable for their actions, organizations need to maintain an accurate<br />
audit trail of all ACL and operating system changes. It is preferable that the audit trail come<br />
from an objective third party or automatic logging tool. Furthermore, you need to enforce and<br />
demonstrate a separation of duties designed to ensure that all changes are approved and<br />
monitored properly.<br />
<strong>SecureTrack</strong> provides automatic audit reports that test current device configuration against<br />
your corporate security policy as well as a configurable checklist of standards. Along with a<br />
list of violations, <strong>Tufin</strong>’s audit reports provide information on how to resolve or mitigate the<br />
infraction. Specialized reports, such as the PCI DSS Audit and the Cisco DCR are already<br />
designed according to the requirements of the industry standard. Audit reports can be<br />
scheduled for automatic, periodic execution and mailed to all relevant security officers.<br />
<strong>SecureTrack</strong> supports periodic audits with continuous change tracking and a comprehensive<br />
audit trail that provides full accountability and demonstrates implementation of a separation of<br />
duties. Change reports can be generated at any time to show the configuration changes that<br />
were made both to the ACL and to the operating system.<br />
But auditing is not enough. The true goal of security regulations is Continuous Compliance.<br />
So in between audits, it is essential to continuously monitor every single change, to assess<br />
risks and to mitigate threats before they materialize.<br />
Since <strong>SecureTrack</strong> issues real-time alerts any time a configuration change violates corporate<br />
policy, all security threats can be addressed immediately. This transforms the periodic audit<br />
into the reporting process it is meant to be, and enables you to deliver Continuous<br />
Compliance to your organization.<br />
Cisco Device Configuration Report (DCR)<br />
<strong>SecureTrack</strong>’s Device Configuration Report is specially designed for Cisco routers, checking<br />
for common security settings and misconfigurations that are critical for overall device and<br />
network security. The report, which is in line with the CIS and the NSA’s Router Security<br />
Configuration Guide, checks for many common security settings like SNMP settings,<br />
authentication settings, NTP settings, unnecessary services, SYSLOG settings, and more.<br />
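A configuration audit in the spirit of the DCR described above, as an added illustration that is not Tufin's report: it parses a constructed Cisco IOS running-config and reports findings for the setting categories the paragraph lists (SNMP, authentication, NTP, unnecessary services, syslog), with a hardened counterpart that passes cleanly. The individual checks, their severities and both sample configurations are this example's own assumptions; credential values in the hardened config are placeholders.<br />

```python
"""Added example (not Tufin's DCR): audit a constructed Cisco IOS running-config for the
kinds of settings the page lists. The check list and severities are this example's own."""
import re

# Constructed weak configuration (not captured from any real device).
WEAK_CONFIG = """
version 12.4
service tcp-small-servers
no service password-encryption
hostname edge-rtr-1
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community private RW
logging buffered 4096
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened counterpart; credential values are placeholders.
HARDENED_CONFIG = """
version 12.4
service password-encryption
no service tcp-small-servers
hostname edge-rtr-1
aaa new-model
enable secret 5 PLACEHOLDER-HASH
no ip http server
snmp-server community PLACEHOLDER-RO-STRING RO
ntp server 10.20.1.5
logging host 10.20.1.9
line vty 0 4
 transport input ssh
"""

UNNECESSARY_SERVICES = ("service tcp-small-servers", "service udp-small-servers",
                        "ip http server", "ip finger")


def audit_ios_config(text):
    """Return a list of (severity, finding) tuples for one running-config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]

    def present(pattern):
        return any(re.match(pattern, l) for l in lines)

    findings = []
    # SNMP settings: well-known community strings and read-write access
    for l in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", l)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            if name.lower() in {"public", "private"}:
                findings.append(("high", f"well-known SNMP community '{name}'"))
            if mode == "RW":
                findings.append(("high", f"read-write SNMP community '{name}'"))
    # Authentication settings
    if present(r"enable password "):
        findings.append(("high", "enable password used instead of enable secret"))
    if present(r"no service password-encryption"):
        findings.append(("medium", "service password-encryption is disabled"))
    if not present(r"aaa new-model"):
        findings.append(("medium", "AAA is not enabled (aaa new-model missing)"))
    # NTP settings
    if not present(r"ntp server "):
        findings.append(("low", "no NTP server configured"))
    # Unnecessary services
    for svc in UNNECESSARY_SERVICES:
        if present(re.escape(svc) + r"$"):
            findings.append(("medium", f"unnecessary service enabled: {svc}"))
    # SYSLOG settings
    if not present(r"logging (host |\d)"):
        findings.append(("medium", "no remote syslog host configured"))
    # Management access
    if present(r"transport input .*\btelnet\b"):
        findings.append(("high", "telnet permitted on vty lines"))
    return findings


def summarize(findings):
    """Count findings per severity, as a report header would."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, msg in audit_ios_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    print(summarize(audit_ios_config(WEAK_CONFIG)))
    print("hardened:", audit_ios_config(HARDENED_CONFIG))
```

Each finding is phrased as the remediation target (what to disable, replace or add), which is the information the page says an audit report should carry alongside the violation itself.<br />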
Automatic Security Policy (ACL) Generation<br />
Network security teams are frequently asked to secure unrestricted network segments – for<br />
example, between branch offices or merged companies – or to tighten up permissive ACLs.<br />
This is very difficult to achieve without accidentally disrupting critical business services.<br />
Through labor-intensive manual log inspection, administrators try to identify legitimate<br />
business traffic and create a rule set that will meet both security and business objectives. But<br />
given the complexity of network traffic today, this process is not only tedious and error-prone<br />
– it is also not very effective. As a result, companies often deploy firewalls with permissive<br />
ANY rules that do little to fulfill their security objectives. Network security teams need an<br />
automatic solution for defining new ACLs and tightening up permissive ones that can reduce<br />
deployment times and ensure business continuity.<br />
With <strong>SecureTrack</strong>’s Automatic Policy Generator (APG), you can automatically generate a<br />
new, robust firewall policy (ACL) based on a thorough analysis of current network traffic. APG<br />
creates an ACL that is not too permissive, is optimized for high performance and organized<br />
for easy management and maintenance. Fast and efficient, APG processes thousands of<br />
logs to create a new ACL within minutes.<br />
APG also provides security professionals with a powerful tool for tightening existing firewalls,<br />
re-building complex, heavy ACLs, and analyzing ACLs of firewalls inherited from other<br />
organizations. APG evaluates the permissiveness of each ACE and provides concrete<br />
recommendations on how to improve them. Using an interactive graph, you can set the<br />
balance between the degree of permissiveness and the number of ACEs that is generated.<br />
APG is powered by <strong>Tufin</strong>’s patent-pending Permissive Rule Analysis technology. For more<br />
information read the APG Whitepaper.<br />
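The idea behind traffic-based policy generation, as an added illustration that is not Tufin's APG and does not reproduce its Permissive Rule Analysis (the page gives no detail of that): permit ACEs are derived from constructed flow records, and a source-aggregation prefix length plays the role of the balance the paragraph describes, trading fewer ACEs against a larger permitted address space. The flow records, the aggregation levels and the permissiveness measure are this example's own assumptions.<br />

```python
"""Added example (not Tufin's APG): generate permit ACEs from constructed flow records
and show how a source-aggregation knob trades rule count against permissiveness."""
import ipaddress
from collections import Counter

# Constructed flow records (src_ip, dst_ip, proto, dst_port); not real traffic.
FLOWS = [
    ("10.1.4.11", "10.20.5.10", "tcp", 443),
    ("10.1.4.12", "10.20.5.10", "tcp", 443),
    ("10.1.4.40", "10.20.5.10", "tcp", 443),
    ("10.1.9.7", "10.20.5.10", "tcp", 443),
    ("10.1.4.11", "10.20.1.1", "udp", 53),
    ("10.1.9.7", "10.20.1.1", "udp", 53),
    ("172.16.3.5", "10.20.9.20", "tcp", 22),
]


def generate_acl(flows, src_prefix=32):
    """Aggregate observed flows into permit ACEs whose sources are summarised to
    /src_prefix. Returns (proto, src_network, dst_host, port) tuples, most-hit first,
    which also keeps the busiest ACEs near the top for matching performance."""
    counts = Counter()
    for src, dst, proto, port in flows:
        src_net = ipaddress.ip_network(f"{src}/{src_prefix}", strict=False)
        counts[(proto, str(src_net), dst, port)] += 1
    return [ace for ace, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def permissiveness(acl):
    """Total source addresses the permit ACEs admit; a simple proxy for how much
    traffic beyond what was observed the generated policy would allow."""
    return sum(ipaddress.ip_network(src).num_addresses for _, src, _, _ in acl)


def tradeoff(flows, prefixes=(32, 24, 16)):
    """For each aggregation level: (number of ACEs, permitted source addresses)."""
    result = {}
    for p in prefixes:
        acl = generate_acl(flows, p)
        result[p] = (len(acl), permissiveness(acl))
    return result


def render(acl):
    """Simplified extended-ACL text; the policy is closed with an explicit deny."""
    lines = [f"permit {proto} {src} host {dst} eq {port}" for proto, src, dst, port in acl]
    return lines + ["deny ip any any"]


if __name__ == "__main__":
    for prefix, (n, addrs) in tradeoff(FLOWS).items():
        print(f"/{prefix}: {n} ACEs, {addrs} source addresses permitted")
    print("\n".join(render(generate_acl(FLOWS, 24))))
```

On the constructed flows, /32 yields seven ACEs covering exactly the seven observed sources, /24 collapses them to five ACEs but admits 1,280 addresses, and /16 needs only three ACEs at the cost of admitting 196,608. Picking the point on that curve is the judgement the paragraph leaves to the operator; the explicit final deny is what keeps the generated policy from silently becoming an ANY rule.<br />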
Compliance with Best Practices<br />
Over the years, security best practices have evolved that enable organizations to manage<br />
their security infrastructure more effectively. Given the variety of devices – different vendors,<br />
versions and administration tools – it is difficult to enforce industry best practices throughout<br />
the organization. Managers need tools that define best practices and are able to identify non-conformance<br />
for the full range of security devices.<br />
In <strong>SecureTrack</strong>, <strong>Tufin</strong> has gathered a long list of best practices derived from firewall vendors,<br />
industry experts and years of practical experience. The configurable Best Practices Audit<br />
report instantly checks compliance with practices such as log tracking (rules that are<br />
untracked or unlogged), permissive rules (that allow traffic from too many IP addresses),<br />
network object name patterns, firewall OS settings, and more.<br />
Scalable, Distributed Deployment Architecture and<br />
Multi-Tenancy<br />
At large organizations, firewalls and related security infrastructure are frequently distributed at<br />
multiple sites, even in different countries. Slow network connections can frustrate attempts to<br />
analyze data from a central location and maintain consistency throughout the organization.<br />
Similarly, at large datacenters, network devices are often distributed on multiple management<br />
servers to increase performance. Yet it is still important to manage the security posture<br />
centrally.<br />
<strong>Tufin</strong> <strong>SecureTrack</strong> features a robust distributed architecture that uses T-Series appliances to<br />
collect data from each site. Suitable for wide area networks, the collectors forward data to a<br />
central database for administration. <strong>SecureTrack</strong> is designed to overcome connection<br />
downtime between components and ensure a continuous, centralized management<br />
environment.<br />
If you need to maintain integrity between sites or business units, <strong>SecureTrack</strong> provides full<br />
segregation of data along with flexible, role-based administrator definitions that provide<br />
access control for each management domain. At the same time, it gives you the ability to<br />
leverage Policy Analysis Queries and reports that you have designed for multiple tenants.<br />
For all mission critical data centers, <strong>Tufin</strong> offers high availability, database compression, high-performance<br />
appliances and disaster recovery.<br />
Firewall Operations, Auditing and Compliance: The<br />
Automated Solution<br />
As network security infrastructure grows more distributed and diverse, operations teams must<br />
have central management solutions to ensure network security and Continuous Compliance,<br />
while keeping costs under control. <strong>Tufin</strong> <strong>SecureTrack</strong> enables you to monitor, track and<br />
report changes for all Cisco firewalls, routers and switches in the organization. It creates a<br />
complete audit trail with full personal accountability for every change, along with configurable<br />
audit reports that support a wide variety of standards and regulations. With in-depth analysis<br />
tools, it gives you the power to proactively assess risks, replace permissive rules, and<br />
optimize the performance of your firewalls. <strong>SecureTrack</strong> is an essential solution for any<br />
organization that cannot afford to compromise on security and efficiency.<br />
<strong>Tufin</strong> is a member of the Cisco Developer Network and <strong>Tufin</strong> Security Suite has successfully<br />
completed interoperability testing with Cisco Security Manager 4.3.<br />
According to an analysis performed by Frost & Sullivan, organizations can slash the time<br />
required to make configuration changes, and to perform security audits, by as much as 75%<br />
(see Security Lifecycle Management ROI). <strong>Tufin</strong> customers report that on average,<br />
<strong>SecureTrack</strong> cuts the cost of daily operations tasks by up to half, so that they can focus on<br />
the strategic part of their jobs instead of on routine, manual work.<br />
<strong>SecureTrack</strong> features all of the tools that operations teams need to ensure network security<br />
every day:<br />
• Change tracking and analysis: Monitors firewall changes, reports them in real-time and<br />
maintains a comprehensive, accurate audit trail for full accountability.<br />
• Security infrastructure optimization: Analysis and clean-up of complex ACLs and<br />
objects to eliminate potential security breaches and improve performance.<br />
• Risk management: Assessment of Security Score and risk trends based on<br />
conformance to compliance policies and industry-standard risk factors.<br />
• Network topology intelligence: Discovery of network topology from monitored devices<br />
and creation of a dynamic map including firewalls, routers and network zones. Automatic<br />
identification of relevant devices and zones in requests, queries and reports.<br />
• Rule documentation and recertification: Documentation of ACEs and automatic<br />
identification of expired ACEs so that they can be removed and recertified as needed.<br />
• Auditing and regulatory compliance: Automated audit reports to demonstrate<br />
compliance with corporate policy and regulatory standards including PCI-DSS, SOX,<br />
NERC, HIPAA, ISO 17799 and Basel II.<br />
• Cisco DCR: Checks for common security settings and misconfigurations on Cisco<br />
routers.<br />
• Multi-vendor visual monitoring: Intuitive, graphical views of ACLs and other security<br />
policies, for the largest variety of vendors and network devices.<br />
• Comprehensive security policy analysis: In-depth analysis of organizational security<br />
policy implementation on a wide range of security devices.<br />
• Automatic firewall policy generation: Definition of a new firewall ACL based on an<br />
analysis of network traffic and elimination of permissive rules.<br />
• Multi-vendor best practice audit: Ability to compare current configuration with best<br />
practice recommendations derived from extensive industry experience.<br />
• Scalable and business-critical: Includes high availability, database compression,<br />
robust appliances and disaster recovery.<br />
• Distributed, multi-tenant architecture: Distributed architecture supports unlimited<br />
firewalls, rules and network objects in large or distributed datacenters. Support for<br />
multiple tenants or domains provides security among customers or business units.<br />
Learn more about <strong>SecureTrack</strong> at www.tufin.com.<br />
© 2008, 2009, 2010, 2011, 2012 <strong>Tufin</strong> Software Technologies, Ltd. <strong>Tufin</strong>, SecureChange, <strong>SecureTrack</strong>, Automatic<br />
Policy Generator, and the <strong>Tufin</strong> logo are trademarks of <strong>Tufin</strong> Software Technologies Ltd. All other product names<br />
mentioned herein are trademarks or registered trademarks of their respective owners.<br />