Fight firewall sprawl with AlgoSec, Tufin, Skybox suites

These three security policy management toolsets deliver orchestration and automation.


SecureTrack is careful about removing shadowed rules. One safeguard is that change requests can be put into a ticket for an approvals process. Another is that, by default, a shadowed rule marked for removal goes into a queue for 30 days. During that time the rule stays active, but Tufin monitors whether it actually matches any traffic. A truly shadowed rule should never fire, because an earlier rule is already matching the same traffic; if it does fire during the waiting period, it was not fully shadowed after all and should not be removed. After 30 days with no hits, the shadowed rule is decommissioned.


Users also get compliance and regulation checking with SecureTrack. Checks against the most common standards and regulations, as well as many that affect specific industries, such as PCI DSS or NERC CIP version 5, are included out of the box. Users can also write custom rules and policies specific to their organization and scan for compliance against them.

Tufin’s interface shines here because networks can be segmented by business group, geographic location, or any other grouping that helps with policy management. Users are then shown an Excel-like matrix with compliance rules along one axis and the defined groups along the other. At a glance, the color-coded chart told us which groups were in compliance with which rules; any block that was not green had a problem, and Tufin let us click on it to investigate. All of those reports could be exported as PDFs too, so we could take them to C-level meetings or use them to show how the network looked before and after we worked on compliance issues.

SecureChange adds automation to security policy management and builds on much of the work done by SecureTrack. We could, for example, set it so that any future change with no risk associated with it would be approved automatically, without human intervention. It also gave us helpful guidance to make sure our automation efforts worked. In one case it advised us that a new rule on a specific firewall should only be inserted above line 38 of the existing rulebase. Digging deeper, we found that line held the catch-all rule blocking everything not explicitly authorized; a permit rule placed below it would never be reached, so all our changes had to come before it.

The biggest advantage of SecureChange is being able to start automation from scratch. Instead of that being a mountain to climb, the Tufin suite’s interface simplifies the job by representing complex automation tasks graphically. It would suit any organization just starting down that path.

SecureApp is the most advanced part of the suite. It is used to look at how applications are performing and what they need in order to accomplish their jobs. Unlike users, applications won’t complain if they are getting blocked or slowed by policies. But SecureApp can unmask those silent problems.

We used it in our testing to map the paths that data from a new app was taking through our test network, including into a hybrid cloud. We noted that it was running into trouble, but only occasionally because it didn’t always interface with a specific router. That allowed us to fix the problem and improve functionality before any human would have even noticed, and before a future traffic surge made a real problem out of the situation. We also used SecureApp to track how proposed rules would affect all apps running in our network, so nothing would ever be accidentally knocked offline or otherwise hindered.

The Tufin Orchestration Suite is designed for professionals who know a lot about policy management. Those folks will likely be shocked by the beautiful and functional interface provided, given that most advanced tools we’ve tested don’t offer such functionality alongside a streamlined GUI. By combining the two, Tufin really stands out as a useful addition for security policy manager programs in an increasingly complex world of network defenses.

Skybox Firewall Assurance

The Skybox Security Suite was the most comprehensive that we looked at, and included modules for doing everything from network mapping and discovery to managing threat intelligence. For this review, we only considered the firewall manager module, which can be purchased separately. The base price for just the Skybox Firewall Assurance module is $9,130. That makes it the most economical product here, though it did seem a bit naked without the support of the other modules and capabilities. Even so, organizations that have their cybersecurity waterfront covered and just need to manage their firewalls better will find it to be a smart choice.

Regardless of how many parts of the Skybox suite are installed, it can be served from a 1U hardware appliance, a virtual appliance or as software running on a dedicated server. There is no difference in functionality based on the install method. We worked with a virtual appliance.

After installation, Skybox Firewall Assurance gives administrators a lot of choices about how to improve firewall configurations. The module comes with 80 built-in best-practice rules for configuring firewalls. Some of those rules apply to any firewall, while others are only valid for specific vendors’ devices, such as Cisco or Palo Alto Networks. A few even apply to specific models.

We picked a generic best-practice rule: no firewall rule should have “Any” in its Source, Destination or Service field. Such rules usually date from a firewall’s initial deployment, when it is configured permissively while traffic is being characterized, and someone forgets to tighten the fields later. Our test network had four devices with rules that broke this best practice; they were quickly located and fixed. We also found a few very specific violations related to known issues in certain firewalls’ software and fixed those as well. This best-practice rule feature can improve the health of a firewall estate from the moment the module is first deployed.

After the initial 80 best-practice rules have been checked and applied, Skybox offers a second set drawn from its own experience over the years, which users can optionally scan for and implement. Each one comes with a detailed justification of why the rule exists and where it should apply, so users can pick and choose which to accept. Finally, compliance rules based on PCI DSS and NIST SP 800-41 can be applied as well. Once the out-of-the-box rules are in place, users can write their own organization-specific rules with a wizard, then scan for non-compliance and plug those holes too.

After cleaning up everything that violates best practices and compliance standards, the next step is likely to be cleaning up the remaining rules, which may be compliant but are not working as intended or may be opening up vulnerabilities. Shadowed rules are likely the biggest problem, and Firewall Assurance did a great job of ferreting them out. Like any moderately sized network, our testbed had many of them.

Firewall Assurance first identifies the candidate rules and then provides statistics to confirm that they really are duplicating the function of another rule elsewhere. Even if a shadowed rule appears unused, decommissioning it through Skybox adds a 90-day waiting period by default, which can be extended much further if desired. During that period, Skybox first moves the rule to the bottom of the rulebase and then monitors it continuously. At the end of the waiting period, whether 90 days or two years, users get a detailed report showing how often the rule was matched. If nothing hit it during that time, it can probably be decommissioned and deleted safely. A full audit trail records every action taken, in case it is needed later.
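Both Tufin (30 days, described above) and Skybox (90 days, here) treat decommissioning as a waiting period during which the rule stays in place and its hit count is watched. The following is an added example written for this article, not code from either product. It makes that decision over a constructed hit log; the log format, the queue dates, the "today" timestamp and the three outcomes are assumptions for illustration.

```python
"""Waiting-period decision for rules queued for decommissioning (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed hit log: one line each time a queued rule actually matched traffic.
# Format (assumed): ISO-8601 UTC timestamp, rule=<name>, hits=<count>.
SAMPLE_HIT_LOG = """\
2017-02-20T21:40:11Z rule=r4 hits=3
2017-02-27T09:00:00Z rule=r4 hits=1
"""

# Constructed queue: rule name -> when it was flagged as shadowed and queued.
QUEUED = {
    "r2": datetime(2017, 3, 1, tzinfo=timezone.utc),
    "r4": datetime(2017, 2, 1, tzinfo=timezone.utc),
    "r7": datetime(2017, 2, 1, tzinfo=timezone.utc),
}

# Constructed "today" for the example run.
NOW = datetime(2017, 3, 15, tzinfo=timezone.utc)


def parse_hits(log: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group (timestamp, count) pairs from the hit log by rule name."""
    hits: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rule_field, hits_field = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hits[rule_field.split("=", 1)[1]].append((when, int(hits_field.split("=", 1)[1])))
    return hits


def decommission_decisions(queued: Dict[str, datetime],
                           hits: Dict[str, List[Tuple[datetime, int]]],
                           now: datetime, wait_days: int = 30) -> Dict[str, str]:
    """Decide per queued rule: 'waiting', 'decommission', or 'keep (<n> hits)'.

    wait_days defaults to Tufin's 30 days; pass 90 for the Skybox default.
    A rule reported as shadowed that nevertheless matched traffic during the wait
    is not fully shadowed (the shadow analysis missed something, for example an
    earlier rule that is disabled or time-scheduled), so it is kept regardless of
    how long it has been waiting.
    """
    decisions = {}
    for rule, queued_at in queued.items():
        window_end = queued_at + timedelta(days=wait_days)
        in_window = sum(n for when, n in hits.get(rule, []) if queued_at <= when < window_end)
        if in_window:
            decisions[rule] = f"keep ({in_window} hits)"
        elif now < window_end:
            decisions[rule] = "waiting"
        else:
            decisions[rule] = "decommission"
    return decisions


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HIT_LOG)
    print("30-day policy:", decommission_decisions(QUEUED, hits, NOW))
    print("90-day policy:", decommission_decisions(QUEUED, hits, NOW, wait_days=90))
```

With the constructed data, r4 is kept because it fired twice inside its window, r7 is cleared for removal under the 30-day policy but is still waiting under the 90-day one, and r2 is waiting under both; the point is that the waiting period only ever confirms a shadowing finding, never overrides a hit.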

That part of Firewall Assurance can help to clean up complex firewall deployments. The next part ensures that chaos and non-compliance do not creep back in. Whenever we tried to create a new rule, the program checked it against the existing network and told us whether the new rule violated compliance rules, broke best-practice procedures or would itself be shadowed by an existing rule. We were given a detailed breakdown of the risks and conflicts involved and could act accordingly.

In one case, where a shadowed rule would have been born, we instead could modify another rule that Firewall Assurance pointed us to in order to get the same effect, so the new rule was never deployed. In that case, our modification was also checked for compliance issues, but as expected, was never in danger of becoming shadowed because it had already been cleaned up. Of course, Firewall Assurance ultimately lets users break their rules or accept risk if they deem it necessary. In that case, a ticket can be generated and passed into either an existing ticketing system or the one used by Skybox, so admins can evaluate and approve, or deny, the risky rule change.
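The checks described in this section, finding a rule fully shadowed by an earlier one, flagging “Any” in Source, Destination or Service, and working out where a proposed rule can sit without being shadowed (the “before line 38” situation noted for Tufin above), can all be reproduced on an exported rulebase. The following is an added example written for this article, not Skybox or Tufin code. The six-field rule format, the sample rulebase and the exemption of the trailing deny-all cleanup rule from the “Any” check are assumptions.

```python
"""Rulebase checks from the review on a constructed six-field rule format (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]      # None means any protocol
    ports: Tuple[int, int]    # inclusive destination port range; ANY_PORTS means any
    action: str               # "allow" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse 'name src dst proto ports action'; 'any' is the wildcard (assumed format)."""
    name, src, dst, proto, ports, action = line.split()

    def net(field: str) -> IPv4Network:
        return ANY_NET if field == "any" else ip_network(field, strict=False)

    if ports == "any":
        prange = ANY_PORTS
    elif "-" in ports:
        lo, hi = ports.split("-")
        prange = (int(lo), int(hi))
    else:
        prange = (int(ports), int(ports))
    return Rule(name, net(src), net(dst), None if proto == "any" else proto, prange, action)


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches inner also matches outer (actions are ignored)."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.proto is None or outer.proto == inner.proto)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules: List[Rule]) -> Dict[str, str]:
    """Map each shadowed rule to the earlier rule that hides it.

    A rule is shadowed when an earlier rule already matches everything it would, so it
    never fires (an earlier deny hiding a later allow is the case that breaks traffic).
    Only shadowing by a single earlier rule is detected; shadowing by the union of
    several earlier rules needs a full packet-space computation and is not done here.
    """
    found = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found[rule.name] = earlier.name
                break
    return found


def any_field_violations(rules: List[Rule]) -> List[str]:
    """Rules with 'Any' as source, destination or service.

    Assumption: a trailing deny-all cleanup rule is the one legitimate any/any/any and is exempt.
    """
    flagged = []
    for r in rules:
        any_service = r.proto is None and r.ports == ANY_PORTS
        if r.action == "deny" and r.src == ANY_NET and r.dst == ANY_NET and any_service:
            continue
        if r.src == ANY_NET or r.dst == ANY_NET or any_service:
            flagged.append(r.name)
    return flagged


def insertion_index(rules: List[Rule], new_rule: Rule) -> int:
    """Latest index at which new_rule can be inserted without being shadowed.

    That is the position of the first existing rule that would cover it; in a typical
    rulebase it is the catch-all deny at the end. Returns len(rules) if nothing covers it.
    """
    for i, existing in enumerate(rules):
        if covers(existing, new_rule):
            return i
    return len(rules)


# Constructed sample rulebase, top to bottom in the order the firewall evaluates it.
SAMPLE_RULEBASE = """\
r1 10.0.0.0/8     192.168.10.5/32  tcp 443 allow
r2 10.1.2.0/24    192.168.10.5/32  tcp 443 allow
r3 any            192.168.20.0/24  tcp 22  deny
r4 10.5.0.0/16    192.168.20.7/32  tcp 22  allow
r5 172.16.0.0/12  any              udp 53  allow
r6 any            any              any any deny
"""

if __name__ == "__main__":
    rb = load_rules(SAMPLE_RULEBASE)
    print("shadowed:", shadowed_rules(rb))                # r2 is redundant to r1; r3 hides r4
    print("any-field violations:", any_field_violations(rb))
    proposed = parse_rule("new 10.9.0.0/16 192.168.30.0/24 tcp 8443 allow")
    print("insert proposed rule before index:", insertion_index(rb, proposed))
```

On the sample rulebase, r2 is the harmless kind of shadowed rule (same action as r1, so merely redundant) while r4 is the harmful kind (the wider deny in r3 means the SSH allow in r4 never takes effect); the “Any” check flags r3 and r5 but leaves the cleanup rule r6 alone; and the proposed rule must go in before index 5, the cleanup rule, which is exactly the constraint Tufin reported for line 38.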


The Skybox suite also ensures that firewall networks don’t age into non-compliance. Every new rule deployed is treated as part of a life cycle where nothing lasts forever. When deploying a new rule, an expiration date can be set where it will need to be recertified. Firewall Assurance is very good at letting administrators carefully define who is taking ownership of each rule. We could even set up an e-mail reminder to be sent to that person when a rule starts to get close to its recertification time.

Recertification rules with Skybox can be configured for almost anything. For example, we could assign ownership of an entire firewall to someone within our organization, and ask them to confirm that the device is still needed every few years, a nice feature that would prevent aging hardware from taking up space, and possibly adding vulnerability after it was no longer needed or used. We could also define ownership of individual rules or even our entire firewall network.

And the program is smart about not overloading users who own multiple rules or devices. We set one test user as the owner of more than 100 rules, all with the same expiration date set. When that time came, the system only sent them a single notice which contained information about all the rules that needed to be examined. They would still need to sit down and recertify each one, but at least they weren’t flooded with e-mails.

A nice extra feature with the Skybox software is its ability to generate PDF reports about everything happening in the firewall network. These reports are surprisingly good looking, almost like professional white papers, and would be suitable to present to C-level executives or board members, as well as cybersecurity teams.

Firewall Assurance worked well to tame the chaos and remove vulnerabilities from our firewall testbed. It was even better when we added other modules to the suite, such as a beautiful network mapping tool that could easily compete with Visio. The other components were outside the scope of this evaluation, but their inclusion let us see how the entire Skybox suite worked together to enhance one another.

For example, our network map could show the paths that users were taking through the network, which might reveal an unknown weakness in the firewall layout. Or the Skybox Horizon module can show every security issue happening within a worldwide network broken down geographically, which complements the more technical interface of Firewall Assurance and makes monitoring accessible to executives without formal security training.

As a standalone product, Firewall Assurance is a good tool for keeping firewalls and their many complex rules in check. Companies with mature cybersecurity footprints can find a lot of value, especially at the price point, with Firewall Assurance if they want to additionally start making their firewalls more efficient. It worked well in our testing, but had a lot more functionality if deployed alongside the other available Skybox modules.

Breeden is an award-winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at

This story, "Fight firewall sprawl with AlgoSec, Tufin, Skybox suites" was originally published by Network World.


Copyright © 2017 IDG Communications, Inc.
