Tufin SecureTrack

SecureTrack
Security Operations Management,
Auditing & Compliance for Cisco
Firewalls, Routers and Switches
February, 2012
www.tufin.com

Table of Contents
Introduction ............................................................................................................. 3
Comprehensive View of Firewall Policy ................................................................ 4
Configuration Change Management ...................................................................... 5
Security Policy Optimization and Cleanup ............................................................ 5
Risk Management .................................................................................................... 6
Network Topology Intelligence............................................................................... 7
Rule Documentation and Recertification ............................................................... 7
Corporate Auditing and Compliance ..................................................................... 8
Automatic Security Policy Generation ................................................................... 8
Compliance with Best Practices ............................................................................ 9
Scalable, Distributed Deployment Architecture and Multi-Tenancy ................. 10
Firewall Operations, Auditing and Compliance: The Automated Solution ........ 10
Firewall Operations for Cisco 2/11

Introduction
Managing network security for an organization or a service provider has become a highly
complex operation involving dozens or even hundreds of firewalls and routers. Multiple sites
and teams, different hardware and software vendors – all of these factors make it virtually
impossible to maintain an accurate, airtight security policy on every device. At the same time,
internal security policies have become more rigorous, and organizations need to comply with
a growing body of industry and government regulations.
To make sure that security standards are being met, most organizations rely on periodic
audits – a process involving days of manual, painstaking effort. In addition to the tremendous
investment of time and resources, relying on audits is a reactive approach to network security
that can leave threats undetected for months at a time.
Today’s security operations teams urgently need a management solution that can proactively
assure network security and achieve Continuous Compliance with standards while
automating labor-intensive day-to-day tasks. In practical terms, firewall operations teams
need:
� Central management starting with a top-down view of all Cisco firewalls, routers and
switches in the organization, the Cisco Security Manager (CSM), and firewalls from
other vendors
� Management of both next-generation and network-layer firewalls
� Change management to ensure that every configuration change made to a firewall,
router or switch is accountable and in accordance with corporate standards
� Proactive risk analysis and business continuity management to evaluate the impact
of every configuration change and ensure Continuous Compliance with standards
� ACL optimization and cleanup to eliminate security loopholes, improve firewall
performance, and reduce hardware costs
� Network topology intelligence to visually analyze the access path between any
source and destination
� Rule (ACE) documentation that enables you to manage ACE ownership, expiration
and recertification.
� Automated security audits to efficiently comply with corporate policies as well as
industry and government regulations
� Automatic ACL generation to enable rapid deployment of new firewalls without
disrupting business continuity or resorting to permissive rules
� Alignment with best practices from vendors and security industry veterans
� Scalable support for large enterprises and datacenters including distributed
deployment, multiple device domains and role-based management.
Tufin SecureTrack enables security operations teams to dramatically reduce risk while
increasing compliance and efficiency. With a powerful set of real-time and analytical tools,
SecureTrack tackles the practical challenges that operations teams face every day when it
comes to managing Cisco firewalls, routers and switches. This paper takes a closer look at
each of the key requirements in security operations management and explains how
SecureTrack enables companies to eliminate potential threats, lower costs, and achieve their
strategic security objectives.
Firewall Operations for Cisco 3/11

Comprehensive View of Firewall Policy
Enterprises and service providers currently manage dozens, if not hundreds, of individual
network security devices including network-layer firewalls, next-generation firewalls, Web
proxies, load balancers, routers and switches. Each device has its own policy or access
control list (ACL) - a complex set of rules defining the access privileges and restrictions for
specific users and services. Today, administrators lack a unified top-down view of all of their
security policies on all of their Cisco devices as well as other vendors, and need to
individually monitor each piece of the puzzle.
Tufin SecureTrack provides a convenient, top-down view of all ACLs and security policies in
the organization that is fully interoperable with the Cisco Security Manager. You can view the
current configuration as well as historical views and snapshots. Each policy is displayed
using Cisco’s native layout and conventions. SecureTrack makes it simple to visually
compare and review devices. For example, you can analyze a side-by-side view of the same
firewall at two different points in time, and you can compare the settings of different firewalls
in a variety of views and reports.
SecureTrack’s dashboard and interactive browsers enable you to immediately assess your
overall security posture and to drill down for more information in order to analyze and
remediate threats.
On or off site, SecureTrack enables you to centrally manage alerts and notifications and
generate reports for your entire security infrastructure. Since it is easy to learn and use, within
minutes you can integrate SecureTrack into your network environment and start real-time
monitoring.
In addition to the list of vendors currently supported by SecureTrack, the Tufin Open Platform
(TOP) enables enterprises and integrators to easily extend the platform and support
additional vendors and infrastructure components through simple plugins.
Firewall Operations for Cisco 4/11

Configuration Change Management
Organizations are constantly in motion. So implementing a corporate security policy is not a
one-shot deal. Every day, configuration changes are made in response to user requests for
network access, security threats and changes to the network structure. Monitoring, tracking
and analyzing these configuration changes is probably the biggest challenge facing firewall
administrators today. And the problem is not limited to ACLs. Changes to the configuration
and performance of the firewall operating system or firmware also directly impact security and
business continuity, yet they are difficult to track with conventional methods.
Tufin SecureTrack continuously monitors and keeps track of every security configuration
change including changes to ACEs and network objects such as hosts and services.
Comprehensive change reports include Cisco firewalls, routers and switches as well as other
vendors, using the native conventions – for example, field names and colors. SecureTrack
offers a variety of customizable change reports as well as comparisons of different firewalls,
or different historical snapshots. Reports can be sliced by firewall, by rule, by object, or by the
type of change.
Full accountability is assured since each change is stored along with the administrator’s
name, the time, and the server where the change originated. SecureTrack makes it possible
to determine who made a change with a simple query, rather than searching through
numerous log files for the needle in the haystack.
SecureTrack also integrates with leading ticketing systems so that changes can be tracked
from the original request through approvals to implementation. Each change in a
SecureTrack report includes a link to the relevant ticket so that you can automatically launch
the ticket for more information.
Using real-time alerts, SecureTrack sends an e-mail to designated administrators in response
to every change that may conflict with corporate security policy. Rather than wait for the next
audit, SecureTrack empowers you to proactively prevent security risks before they actually
arise. Alerts are also useful for ongoing management – even when you are off site,
SecureTrack alerts can inform you of any or all changes via e-mail.
Security Policy Optimization and Cleanup
As thousands of tickets are processed by the security team, and organizational security
objectives evolve over time, the underlying ACLs become very large, intricate and complex.
In fact, many of the rules (ACEs) and objects in a typical firewall rule base are obsolete.
These unused ACEs represent a potential security hole and should be eliminated. Yet
administrators do not have an easy way of identifying them with standard administration
tools.
In addition to security risks, a poorly maintained ACL can have a major impact on
performance. The entire ACL is parsed from top to bottom with every network connection,
and as it grows, hardware requirements also increase.
SecureTrack analyzes the actual usage of individual ACEs and labels each one as heavily
used, moderately used, or unused. SecureTrack also analyzes object usage within each
ACE, indicating specific network objects and services that are no longer in use. It is advisable
to review every unused ACE and object, and remove those that are not necessary and may
represent a security risk.
To improve device performance, SecureTrack makes recommendations regarding the
position of specific ACEs – placing the heavily used ACEs at the top of the list and moving
the least-used ACEs to the bottom. SecureTrack also indicates rule shadowing – places
where ACEs overlap, or effectively “hide” others– so that you can re-position them
intelligently.
Firewall Operations for Cisco 5/11

You can view the latest optimization recommendations in the SecureTrack dashboard and
Clean-Up browser or generate a customized report at any time.
Risk Management
The implications of a security configuration error can be severe – from a breach to network
downtime, or even a network service interruption. Therefore, it is essential to analyze the
impact of every change before it is implemented in the production environment. The same is
true for the router configuration, where routine system maintenance can expose
vulnerabilities or even disrupt business.
In addition, security managers must be able to assess risk and vulnerability at any given time
– for all relevant network security devices. The challenge is greatest in distributed
organizations with multiple teams. Inevitably, different teams develop their own standards
and working methodologies. To ensure that everybody is successfully implementing security
guidelines, organizations need to implement automated solutions that can evaluate risk and
compliance at all times.
To manage risk and ensure business continuity, SecureTrack uses a multi-step approach:
� Security administrators define the organization’s security compliance policy for
mission critical and risky services within SecureTrack. SecureTrack automatically
compares every change that is made to the firewall, router or switch configuration
and sends out a real-time alert in the case of a violation to the organization’s
compliance policy. This capability is firewall vendor agnostic and implemented
transparently in heterogeneous environments.
� The SecureTrack dashboard and the interactive Risk browser always show the
current level of risk along with a prioritized list of risk factors, so that you can
investigate and remediate as soon as possible.
� Before implementing a change, administrators can use SecureTrack’s Security Policy
Analysis to simulate the change on the ACL and identify possible conflicts or
violations. This proactive risk analysis tool can save hours of painstaking, manual
ACL review.
� The Security Risk Report summarizes the current risk posture and calculates your
Security Score. The report can be run at the organizational level or per gateway, and
indicates risk trends in addition to the current state. To determine the Security Score,
Firewall Operations for Cisco 6/11

the report uses your compliance policies as well as a group of pre-defined risk factors
culled from leading industry standards. You can set your own priorities and customize
the report to exclude specific policies, risk factors or even ACEs that cause false
positive violations.
Network Topology Intelligence
Given the size and complexity of today’s networks, it is not easy to maintain a clear picture of
all of its devices and zones. When faced with a network access request from a user, or a
change request from IT, it can take time to understand which firewalls and network
components are involved.
SecureTrack discovers an organizations’ network topology and provides security
administrators with a dynamic, visual map. The map, which is continuously updated in
response to network changes, identifies firewalls, routers and network zones such as the
DMZ. SecureTrack supports very large maps and enables you to add unmonitored routers in
order to create the most complete picture.
Network Topology Intelligence is an integral part of many SecureTrack and SecureChange
features including policy analysis, compliance and security risk reports, and the Policy
Designer. It automatically identifies the devices and zones that are relevant for an access
request making it easier for you to analyze, modify and report on security policies.
Rule Documentation and Recertification
A key best practice for security policies is to periodically review each ACE (rule) and remove
the ones that are no longer required. Since ACLs regularly contain hundreds of ACEs, and
there are often multiple administrators making changes, it is optimal to document each ACE
as it is created, and to assign an expiration date.
Among firewall, router and switch vendors, the ability to document rules and set expiration
dates is handled to varying extents – or not at all – so it is important to be able to manage
ACE and rule ownership, expiration and recertification centrally.
With SecureTrack, you can continuously weed out ACEs that are no longer needed and
prevent ACLs from growing out of control. You can document each ACE, identify the
technical and business owners, and indicate an expiration date upon which the ACE must be
reviewed. At any time, you can sort and filter ACEs according to expiration date and/or owner
and recertify, or remove them, as needed. You can also define scheduled reports and alerts
to proactively stay on top of ACE status at all times.
Rule documentation is a valuable tool for justification of rules as required by certain audits
such as PCI DSS.
Firewall Operations for Cisco 7/11

Auditing and Continuous Compliance
Organizations now understand the business impact of network security and are demanding a
high level of transparency and accountability from network operations teams. In addition,
more and more companies need to conform to government and industry standards such as
PCI DSS and SOX.
To meet these increasingly rigorous standards, you need the ability to efficiently perform
periodic audits. Owing to the size and dynamic nature of ACLs, it is extremely timeconsuming
to do this manually, even for an expert. You need an automated audit process
that can be configured to meet the specific requirements of both corporate and regulatory
standards.
To hold individuals accountable for their actions, organizations need to maintain an accurate
audit trail of all ACL and operating system changes. It is preferable that the audit trail come
from an objective third party or automatic logging tool. Furthermore, you need to enforce and
demonstrate a separation of duties designed to ensure that all changes are approved and
monitored properly.
SecureTrack provides automatic audit reports that test current device configuration against
your corporate security policy as well as a configurable checklist of standards. Along with a
list of violations, Tufin’s audit reports provide information on how to resolve or mitigate the
infraction. Specialized reports, such as the PCI DSS Audit and the Cisco DCR are already
designed according to the requirements of the industry standard. Audit reports can be
scheduled for automatic, periodic execution and mailed to all relevant security officers.
SecureTrack supports periodic audits with continuous change tracking and a comprehensive
audit trail that provides full accountability and demonstrates implementation of a separation of
duties. Change reports can be generated at any time to show the configuration changes that
were made both to the ACL and to the operating system.
But auditing is not enough. The true goal of security regulations is Continuous Compliance.
So in between audits, it is essential to continuously monitor every single change, to assess
risks and to mitigate threats before they materialize.
Since SecureTrack issues real-time alerts any time a configuration change violates corporate
policy, all security threats can be addressed immediately. This transforms the periodic audit
into the reporting process it is meant to be, and enables you to deliver Continuous
Compliance to your organization..
Cisco Device Configuration Report (DCR)
SecureTrack’s Device Configuration Report is specially designed for Cisco routers, checking
for common security settings and misconfigurations that are critical for overall device and
network security. The report, which is in line with the CIS and the NSA’s Router Security
Configuration Guide, checks for many common security settings like SNMP settings,
authentication settings, NTP settings, unnecessary services, SYSLOG settings, and more.
Firewall Operations for Cisco 8/11

Automatic Security Policy (ACL) Generation
Network security teams are frequently asked to secure unrestricted network segments – for
example, between branch offices or merged companies – or to tighten up permissive ACLs.
This is very difficult to achieve without accidentally disrupting critical business services.
Through labor-intensive manual log inspection, administrators try to identify legitimate
business traffic and create a rule set that will meet both security and business objectives. But
given the complexity of network traffic today, this process is not only tedious and error-prone
– it is also not very effective. As a result, companies often deploy firewalls with permissive
ANY rules that do little to fulfill their security objectives. Network security teams need an
automatic solution for defining new ACLs and tightening up permissive ones that can reduce
deployment times and ensure business continuity.
With SecureTrack’s Automatic Policy Generator (APG), you can automatically generate a
new, robust firewall policy (ACL) based on a thorough analysis of current network traffic. APG
creates an ACL that is not too permissive, is optimized for high performance and organized
for easy management and maintenance. Fast and efficient, APG processes thousands of
logs to create a new ACL within minutes.
APG also provides security professionals with a powerful tool for tightening existing firewalls,
re-building complex, heavy ACLs, and analyzing ACLs of firewalls inherited from other
organizations. APG evaluates the permissiveness of each ACE and provides concrete
recommendations on how to improve them. Using an interactive graph, you can set the
balance between the degree of permissiveness and the number of ACEs that is generated.
APG is powered by Tufin’s patent-pending Permissive Rule Analysis technology. For more
information read the APG Whitepaper.
Compliance with Best Practices
Over the years, security best practices have evolved that enable organizations to manage
their security infrastructure more effectively. Given the variety of devices – different vendors,
versions and administration tools – it is difficult to enforce industry best practices throughout
the organization. Managers need tools that define best practices and are able to identify nonconformance
for the full range of security devices.
In SecureTrack, Tufin has gathered a long list of best practices derived from firewall vendors,
industry experts and years of practical experience. The configurable Best Practices Audit
report instantly checks compliance with practices such as log tracking (rules that are
Firewall Operations for Cisco 9/11

untracked or unlogged), permissive rules (that allow traffic from too many IP addresses),
network object name patterns, firewall OS settings, and more.
Scalable, Distributed Deployment Architecture and
Multi-Tenancy
At large organizations, firewalls and related security infrastructure are frequently distributed at
multiple sites, even in different countries. Slow network connections can frustrate attempts to
analyze data from a central location and maintain consistency throughout the organization.
Similarly, at large datacenters, network devices are often distributed on multiple management
servers to increase performance. Yet it is still important to manage the security posture
centrally.
Tufin SecureTrack features a robust distributed architecture that uses T-Series appliances to
collect data from each site. Suitable for wide area networks, the collectors forward data to a
central database for administration. SecureTrack is designed to overcome connection
downtime between components and ensure a continuous, centralized management
environment.
If you need to maintain integrity between sites or business units, SecureTrack provides full
segregation of data along with flexible, role-based administrator definitions that provide
access control for each management domain. At the same time, it gives you the ability to
leverage Policy Analysis Queries and reports that you have designed for multiple tenants.
For all mission critical data centers, Tufin offers high availability, database compression, highperformance
appliances and disaster recovery.
Firewall Operations, Auditing and Compliance: The
Automated Solution
As network security infrastructure grows more distributed and diverse, operations teams must
have central management solutions to ensure network security and Continuous Compliance,
while keeping costs under control. Tufin SecureTrack enables you to monitor, track and
report changes for all Cisco firewalls, routers and switches in the organization. It creates a
complete audit trail with full personal accountability for every change, along with configurable
audit reports that support a wide variety of standards and regulations. With in-depth analysis
tools, it gives you the power to proactively assess risks, replace permissive rules, and
optimize the performance of your firewalls. SecureTrack is an essential solution for any
organization that cannot afford to compromise on security and efficiency.
Tufin is a member of the Cisco Developer Network and Tufin Security Suite has successfully
completed interoperability testing with Cisco Security Manager 4.3.
According to an analysis performed by Frost & Sullivan, organizations can slash the time
required to make configuration changes, and to perform security audits, by as much as 75%
(see Security Lifecycle Management ROI). Tufin customers report that on average,
SecureTrack cuts the cost of daily operations tasks in up to a half, so that they can focus on
the strategic part of their jobs instead of on routine, manual work.
SecureTrack features all of the tools that operations teams need to ensure network security
every day:
� Change tracking and analysis: Monitors firewall changes, reports them in real-time and
maintains a comprehensive, accurate audit trail for full accountability.
� Security infrastructure optimization: Analysis and clean-up of complex ACLs and
objects to eliminate potential security breaches and improve performance.
Firewall Operations for Cisco 10/11

� Risk management: Assessment of Security Score and risk trends based on
conformance to compliance policies and industry-standard risk factors.
� Network topology intelligence: Discovery of network topology from monitored devices
and creation of a dynamic map including firewalls, routers and network zones. Automatic
identification of relevant devices and zones in requests, queries and reports.
� Rule documentation and recertification: Documentation of ACEs and automatic
identification of expired ACEs so that they can be removed and recertified as needed.
� Auditing and regulatory compliance: Automated audit reports to demonstrate
compliance with corporate policy and regulatory standards including PCI-DSS, SOX,
NERC, HIPAA, ISO 17799 and Basel II.
� Cisco DCR: Checks for common security settings and misconfigurations on Cisco
routers.
� Multi-vendor visual monitoring: Intuitive, graphical views of ACLs and other security
policies, for the largest variety of vendors and network devices.
� Comprehensive security policy analysis: In-depth analysis of organizational security
policy implementation on a wide range of security devices.
� Automatic firewall policy generation: Definition of a new firewall ACL based on an
analysis of network traffic and elimination of permissive rules.
� Multi-vendor best practice audit: Ability to compare current configuration with best
practice recommendations derived from extensive industry experience.
� Scalable and business-critical: Includes high availability, database compression,
robust appliances and disaster recovery.
� Distributed, multi-tenant architecture: Distributed architecture supports unlimited
firewalls, rules and network objects in large or distributed datacenters. Support for
multiple tenants or domains provides security among customers or business units.
Learn more about SecureTrack at www.tufin.com.
© 2008, 2009, 2010, 2011, 2012 Tufin Software Technologies, Ltd. Tufin, SecureChange, SecureTrack, Automatic
Policy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product names
mentioned herein are trademarks or registered trademarks of their respective owners.
Firewall Operations for Cisco 11/11