Review: Firewall Operations Management

Anyone running multiple firewalls in a complex, enterprise environment knows how difficult it can be to catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates.


We found that the install documentation for Skybox was excellent. The user manuals and tutorials are automatically loaded onto the C: drive.

Skybox provides several methods to import device configuration files into the Skybox View database. The Add Device wizard has a Collect feature that imports the configuration files directly from the device. There are also several ways to automate the configuration collection process. If configuration data is located in a database or file repository, the data can be imported directly into Skybox View. You need additional Skybox View Collectors if you want to import configuration files directly from segmented networks.

We used the Operational Console to create tasks using the New Task wizard and selecting a Task Type. There is a convenient option for scheduling collection that can be set for a specific hour, or to be run daily, weekly, monthly or yearly. We could also program the Task Wizard to schedule data import from file repositories with configuration files.

We could create task sequences to run the tasks at a scheduled time. Task sequences use exit codes so that a failed task does not block the other tasks in the sequence that import configurations, run audits or process change management.

We saw that APIs were also available to facilitate integration with large third-party management tools, such as Opsware, to obtain stored configuration files.

Once the configuration files are loaded into Skybox View, the compliance auditor in Skybox View Assure uses its predefined best-practice access policy to analyze the firewall policies. The best practice policies are compared with the device configuration rules and policies to display security violations and configuration errors. We used the Policy Compliance Report table to view Violated Rules, Access Compliance and Rule Compliance. In the case of an Access Compliance report failure, the rule violation is highlighted and detailed information about the violation is presented.

We tested the Risk Exposure Analyzer that simulates potential attack and access scenarios. After Skybox Secure builds a virtual map of the security model, a business impact analysis is created for what-if attack scenarios. These scenarios are based on malicious code and human attackers. Using the analyzer, we saw a graphical flow chart diagram displaying the step-by-step process taken by the attacker and the network access path available for the attack.

Results of the attack are used to calculate the business impact of a security breach in terms of confidentiality, integrity and availability. Skybox Secure can import business-impact rules and regulations to classify assets and determine an accurate risk assessment metric. We saw that they also had predefined regulation templates.

Rule-usage analysis requires three to 12 months of collected data before it can produce a valid rule-usage report. Shadowing and redundancy analysis can be run as soon as the configuration information for the network devices is imported and the network model is built.

We used the Access Analyzer feature in Skybox View Assure to answer questions about network access. It can be used for What-If model test scenarios and for connectivity analysis on live networks. Queries can be created for access within a firewall and for networks.

For tracking changes, we used the Change Tracking option in Skybox View Assure by selecting it under the expanded device object icon in the GUI. When data is collected periodically to update network models, you can display and analyze comparisons between ACL rules, routing rules and network interface changes. We saw that you could keep records of network and firewall changes for compliance recordkeeping. What-If modeling changes can be made as firewall rules in the model and then compared with the actual firewall rules.

Skybox View Assure offers change control and workflow with a ticketing system. While the Firewall Compliance Auditor supports Access Change tickets, the Network Compliance Auditor supports both Access Change and Policy Violation tickets.

We were impressed with the modeling capabilities of the Skybox View Firewall Assurance product. We could simultaneously store three models of the network for running comparison analyses. A side-by-side analysis report makes it effortless to see the changes between two versions of the same network model.

Skybox View Risk Exposure Analyzer presents features to organize the network based on business units and assets. We obtained network vulnerability data from third-party vulnerability scanners such as Nessus and Qualys. Using attack scenario options, we generated detailed reports on vulnerabilities uncovered by the simulation. Although we did not see a predefined vulnerability test suite for running attack situations, the Risk Exposure Analyzer is a valuable asset when combined with the modeling capabilities of View Firewall Assurance. Vulnerabilities could be tested on a network model before deploying any equipment.

Tufin SecureTrack

With SecureTrack from Tufin, you can manage and audit firewalls, routers and switches, plus access an incorporated view of firewalls and other devices in your network. SecureTrack supplies automated reporting of risk and audit status, monitors firewall operating systems and supports security compliance standards.

Since the Tufin T-500 appliance has the TufinOS and SecureTrack pre-installed, the install process was conducted on a VMware appliance. Installation was quick, with no problem. After we saved the settings, the login screen appeared and we could access the Tufin SecureTrack server.

The screen has icons for Policy Change Reports, Rule Usage Statistics, Security Risk Reports and Best Practices Audit. Users can choose to be notified immediately of policy changes and to receive weekly reports.

Tufin SecureTrack categorizes the devices it can monitor as Devices, Plugins and Firewall OS Monitoring. Plugins are preinstalled for Blue Coat ProxySG, F5 Big IP and Linux iptables. We also could select plugins for devices from Check Point, Cisco, Juniper, Fortinet, Blue Coat, F5 and others. The Firewall OS Monitoring tab is a separately licensed feature that extends SecureTrack to use SNMP for detecting device changes, in addition to its regular monitoring.

Optimization and cleanup are a big part of SecureTrack's capabilities. With the goal of ensuring the rule base is not in violation of corporate and regulatory compliance, SecureTrack continually monitors firewalls, routers and switches. The SecureTrack Compare feature lists the number of recent revisions next to the device name. New revision alerts appear when revisions are generated. The Revision List can be filtered based on 10 attributes.

We used SecureTrack Analyzer to identify overlapping and redundant rules. To access predefined best practice policies that are stored in the SecureTrack database, we used the Audit and Compliance option. There are best practice checks for all firewalls and specific firewalls such as Check Point. SecureTrack also offers predefined policy analysis audits for PCI-DSS compliance. You can also set up alerts to be sent when security policy rule changes are made.
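The shadowing and redundancy analysis that both Skybox and the SecureTrack Analyzer perform on a rule base rests on one check: whether every packet an earlier rule matches also covers a later rule, so that under first-match semantics the later rule can never fire. The following is an added example, not code from either product, that implements that check over a constructed rule base (CIDR source and destination, protocol, destination port range, action) and adds a minimal best-practice check for any-source allow rules in the spirit of the predefined policies described above.

```python
"""Shadowing / redundancy analysis over an ordered, first-match firewall rule base."""
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source CIDR; "0.0.0.0/0" means any
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive destination port range (low, high)
    action: str    # "allow" or "deny"

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def analyze(rules):
    """A later rule fully covered by an earlier one can never fire.
    Same action: redundant (safe to delete). Different action: shadowed (probably a mistake)."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # report only the first rule that masks it
    return findings

def any_any_allows(rules):
    """Minimal best-practice check: allow rules from any source to every port."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == "0.0.0.0/0" and r.ports == (0, 65535)]

# Constructed sample rule base (not collected from a real device)
SAMPLE = [
    Rule("r1", "10.0.0.0/8",    "192.168.1.10/32", "tcp", (443, 443), "allow"),
    Rule("r2", "0.0.0.0/0",     "192.168.1.0/24",  "tcp", (23, 23),   "deny"),
    Rule("r3", "10.1.0.0/16",   "192.168.1.10/32", "tcp", (443, 443), "allow"),  # redundant with r1
    Rule("r4", "172.16.0.0/12", "192.168.1.0/24",  "tcp", (23, 23),   "allow"),  # shadowed by r2
    Rule("r5", "0.0.0.0/0",     "192.168.3.0/24",  "any", (0, 65535), "allow"),  # any-source allow
]

if __name__ == "__main__":
    for name, kind, by in analyze(SAMPLE):
        print(f"{name} is {kind} (masked by {by})")
    print("any-source allow rules:", any_any_allows(SAMPLE))
```

Real products also handle partial overlaps, negated objects and NAT, which this example deliberately leaves out.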

We found the browser dashboard to be crisp and well laid out. We liked the Compare Analysis option for comparing firewall revisions and maintaining the audit trail. Users familiar with the interfaces and screen presentations of major firewall vendors will appreciate this feature.
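Change tracking in Skybox View Assure and the SecureTrack Compare feature both reduce to diffing two collected revisions of a device's rules and then asking which of the differences widen access. As an added example (not the vendors' code), the following compares two constructed ACL snapshots keyed by rule name, reports added, removed and field-level changed rules, and flags the changes an auditor would want to review first.

```python
"""Compare two revisions of an ACL and flag changes that widen access."""

def diff_revisions(old: dict, new: dict) -> dict:
    """Each argument maps rule name -> dict of rule fields as collected from a device.
    Returns added and removed rule names plus, per changed rule, the fields that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for name in sorted(set(old) & set(new)):
        delta = {f: (old[name].get(f), new[name].get(f))
                 for f in sorted(set(old[name]) | set(new[name]))
                 if old[name].get(f) != new[name].get(f)}
        if delta:
            changed[name] = delta
    return {"added": added, "removed": removed, "changed": changed}

def access_widening(report: dict, new: dict) -> list:
    """Flag new allow rules, deny->allow flips and sources broadened to any."""
    flagged = []
    for name in report["added"]:
        if new[name]["action"] == "allow":
            flagged.append((name, "new allow rule"))
    for name, delta in report["changed"].items():
        if delta.get("action") == ("deny", "allow"):
            flagged.append((name, "action flipped deny -> allow"))
        elif delta.get("src", (None, None))[1] == "0.0.0.0/0":
            flagged.append((name, "source widened to any"))
    return flagged

# Constructed revisions of one ACL (not from a real device)
REV_10 = {
    "r1": {"src": "10.0.0.0/8",  "dst": "192.168.1.10/32", "service": "tcp/443", "action": "allow"},
    "r2": {"src": "0.0.0.0/0",   "dst": "192.168.1.0/24",  "service": "tcp/23",  "action": "deny"},
    "r3": {"src": "10.2.0.0/16", "dst": "192.168.2.0/24",  "service": "tcp/22",  "action": "allow"},
}
REV_11 = {
    "r1": {"src": "10.0.0.0/8",  "dst": "192.168.1.10/32", "service": "tcp/443",  "action": "allow"},
    "r2": {"src": "0.0.0.0/0",   "dst": "192.168.1.0/24",  "service": "tcp/23",   "action": "allow"},
    "r4": {"src": "0.0.0.0/0",   "dst": "192.168.2.0/24",  "service": "tcp/3389", "action": "allow"},
}

if __name__ == "__main__":
    report = diff_revisions(REV_10, REV_11)
    print(report)
    for name, reason in access_widening(report, REV_11):
        print(f"review {name}: {reason}")
```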

Custom firewall audits were created with the SecureTrack Audit wizard for detailed answers on compliance policies. An impressive list of predefined audit templates can be selected with a wizard, thereby saving time. There is also a predefined PCI-DSS audit analysis feature used to create reports for audit policy with a summary detailing the compliance verification.

We liked the Security Trend analysis reports with charts, graphs and a summary table displaying risk scoring. Tufin does not base the scores on the CVSS as is common practice with similar products. We did find SecureTrack to be a good product for auditing and maintaining compliance with best practices based on industry and corporate policies.

Smithers is a Network World Test Alliance Partner and CEO of Miercom, a testing lab and network consultancy. He can be reached at


Copyright © 2010 IDG Communications, Inc.
