by John Breeden II

Fight firewall sprawl with AlgoSec, Tufin, Skybox suites

Apr 10, 2017

These three security policy management toolsets deliver orchestration and automation.


New and innovative security tools seem to be emerging all the time, but the frontline defense for just about every network in operation today remains the trusty firewall. They aren’t perfect, but if configured correctly and working as intended, firewalls can do a solid job of blocking threats from entering a network, while restricting unauthorized traffic from leaving.

The problem network administrators face is that as their networks grow, so do the number of firewalls. Large enterprises can find themselves with hundreds or thousands, a mix of old, new and next-gen models, probably from multiple vendors — sometimes accidentally working against each other. For admins trying to configure firewall rules, the task can quickly become unmanageable.

That is where Security Policy Management comes into play. These products used to be called firewall managers, and in truth, they mostly still just manage firewalls – though some also help with routers and switches. They allow administrators to define security policies, and then rely on the programs to – somewhat automatically – make it happen.

We looked at security policy management programs from AlgoSec, Tufin and Skybox. Each suite was deployed and tested in a virtual and physical environment stacked with firewalls from all the top vendors including Palo Alto, Cisco, WatchGuard, Check Point and others. We deployed new security policies, tracked and identified traffic flow complications, decommissioned old or non-functional rules and checked configurations against desired security policies and regulatory requirements.

While each suite did an excellent job, we were most impressed with AlgoSec, although not every organization might agree with us. What set AlgoSec apart was that it allowed end users, not just security teams, to help share the burden and take ownership of managing security policies as they related to their areas of responsibility within an organization.

The Tufin suite seemed targeted at top-level security professionals, but nonetheless had an intuitive graphical interface which made diagnosing traffic and security policy problems extremely easy. Tufin was also the only suite which had full end-to-end functionality with the AWS cloud, including complete automation.

Skybox had the most comprehensive security suite of any that we tested, with a ton of extras available in the form of other modules to help in areas like vulnerability management and threat intelligence. It was also the most economical when only deploying the firewall management module.


Here are the individual reviews:

AlgoSec Security Policy Management Suite

The AlgoSec Security Policy Management Suite aims to automate the process of securing even the most complex firewall deployments, letting valid traffic pass through network gateways unharmed, while stopping all threats. The level of automation is customizable based on an organization’s comfort level.

It can provide simple help with rule creation at the low-end to true zero touch deployments where applications and processes can be authorized without human intervention. With granular controls, users can even start small with something like automatic processes requiring human approval, and then automate their security policies slowly over time as they become more comfortable with the concept of taking their hands off the wheel and letting their systems manage themselves.

Of all the products we tested, AlgoSec was also the most innovative in that it put a lot of effort into empowering application owners. Most products had a little bit of that, but only AlgoSec created an interface with good permission-based roles tailored to help non-security personnel assist in crafting security policies that affect their work. This may require a change of thinking or culture at some organizations, but AlgoSec put tools in place to ensure a successful deployment.

The AlgoSec Security Policy Management Suite has four components: AutoDiscovery, BusinessFlow, FireFlow and Firewall Analyzer. They are tightly integrated to the point that it’s easy to drift from one component to another, though some, like AutoDiscovery, which finds the connectivity links between devices, are likely to be used more often than others. The software starts at $30,000 and can vary based on network size.

Once in place, the interface for AlgoSec will change depending on who is looking at it. The program offers single sign-on, with each user thereafter being shown a dashboard populated only with data they are responsible for, and what they are authorized to see. This might lengthen onboarding times because more users beyond just the security team can be given access, and each user’s role needs to be defined.

We configured several application owner type users who were not part of the security team and had them working along with security personnel. Much of the setup was done using out-of-the-box templates, but specific network and user information still needed to be configured.

Once set up, application owners who logged into the system were shown the health of the apps each was responsible for maintaining. In one example, a certain app was not achieving full functionality in our dashboard. We could highlight the application and get information, in mostly plain English, about the problem.

For application owners, AlgoSec tries to simplify things as much as possible. Instead of being shown information about IP numbers or firewall configurations, we were simply told that, in this example, our app could not connect to either a Washington D.C. or a California-based time clock server, which was hurting functionality. That’s all we needed to know at that level.

From the user level, we highlighted the problem and created a ticket which then went up the chain to security personnel. The highlighted problem came up on our dashboard when we re-logged in as an administrator. From that view, the entire AlgoSec suite opened up for us. We could run a traffic simulation with BusinessFlow through a virtual network and see why the time servers were getting blocked, in addition to finding the IP numbers and devices in that chain. It turns out that a Check Point firewall was blocking the traffic.

As an admin, we could dive into the specific rules and the reasoning behind the blocked traffic. In this case, there was a low probability that allowing FTP traffic to return from the clock servers could open an FTP hole in the network. There is almost no chance that a time clock server is going to get compromised and used to inject FTP attacks, but the danger was there, so Check Point was stopping return traffic, hurting the needed app. Knowing this, we chose to allow it, which automatically rewrote the rules on the blocking firewall. We could have also sent the matter up to higher authorities for approval.

Depending on the level of automation set, AlgoSec could have also automatically approved the change the user wanted. We reset the network and reprogrammed the suite to allow all changes of minimal risk or those with no risk at all. After that, when the user made the same request, it was quickly approved and acted upon. An audit trail was still generated, and AlgoSec ran a post-rule change diagnostic to ensure that the change did not negatively affect anything else, but security teams were never bothered with the fairly trivial event, other than being sent a notice about it. The user was able to initiate the change even though they really didn’t know anything about firewall management, or even what device was ultimately blocking their app.

Another innovative thing about AlgoSec is that all rules can be future-proofed against obsolescence, and the suite won’t propagate new rules which overlap existing ones. It’s interesting to be thinking about decommissioning devices and rules while they are being first deployed and programmed, but that is what AlgoSec does, or can be set to do if desired. Going back to the FTP time clock server rule as an example, when approved, or at any time afterwards, we could set an expiration date. For our tests, we set it to just a few minutes, but normally the expiration date would be months or even years in the future.

When the expiration date arrives, the application owner who requested the rule is queried, asking if they still need the rule or rule change in place. If they do, then the rule can be recertified. But if the server or application no longer exists or has been migrated elsewhere, like into the cloud, then the owner can simply tell AlgoSec that the rule is no longer needed. At that point, security teams are notified and can decommission it to avoid unnecessary clutter, or to stop the organization from taking on any risk that is no longer necessary. And if set to do so, AlgoSec can handle the whole process automatically.

The same care goes into the process of deploying rules. When we made a new rule to block specific HTTP traffic between the cloud and physical parts of our test network, we were told that some of our firewalls were already effectively doing that because of other rules. As such, we only needed to deploy the new rule to certain devices. AlgoSec remembers all those relationships and rationales too, so that if the would-be duplicate rules are ever decommissioned or changed, it doesn’t open a hole in the defenses.

The AlgoSec Security Policy Management Suite is extremely innovative, allowing users to help shoulder the burden of security, automating the process of creating new firewall rules, reducing rule-based clutter and helping to safely deploy and decommission devices as needed. And if an organization isn’t comfortable with any of that, it can be ignored and used like any other firewall manager program, though that would be a shame given the functionality and time-saving features packed into this advanced toolset.

Tufin Orchestration Suite

The Tufin Orchestration Suite is designed to help firewall administrators, compliance and risk officers and NetOps/SecOps teams automate security policy changes regardless of network size or how many different devices populate it.

Given that Tufin is aimed squarely at cybersecurity specialists, we were expecting a technical, functional interface without much polish. What we found instead was one of the best GUIs tested for this feature. The graphical and intuitive nature of the interface really cuts down on the learning curve, and makes some very complicated tasks a lot easier to envision and tackle.


The suite is divided into three components: SecureChange, SecureTrack and SecureApp, all of which can be purchased separately. SecureTrack is probably the starting point for most organizations, and is used to monitor all current security policies to look for duplicate rules and compliance violations, and to visualize traffic that is being disrupted by policies.

SecureChange is the next logical step, which includes the ability to make changes in policies across the entire network and to set up automation to help handle repetitive but necessary policy tasks. SecureApp is the most advanced component and enables security policies to be reverse engineered to see how different applications are affected by policy changes, or to approach security policy creation from the application layer.

The Tufin suite is normally deployed on-premises through a dedicated appliance, but it can also be served from a virtual appliance or a dedicated in-house server. Pricing is based on the number of devices that need to be monitored, and starts at $33,150.

It’s worth noting that all three of the Tufin suite components worked in our testing for both physical networks and with Amazon Web Services. Tufin was the only suite that had full end-to-end functionality with the AWS cloud, including complete automation. Organizations such as government agencies that rely heavily on Amazon cloud services will thus definitely want to consider Tufin.

We started our testing with SecureTrack since that offers baseline functionality. Immediately out of the gate, it could detect many shadowed rules that existed within our test network. If you want to clear traffic for an application, removing or modifying a single rule sometimes won’t work if there are shadowed ones on the same network, so it really concentrates on helping to eliminate these. SecureTrack was able to find all of those conflicts across the entire network of firewalls.

SecureTrack is very careful when removing shadowed rules. Change requests can be put into a ticket for an approvals process as one safeguard. For another, the default when removing a shadowed rule is to put it into a queue where it waits for 30 days. During that time, the rule is still active, but Tufin monitors whether it actually gets used. Shadowed rules normally don’t because they are sitting behind another rule doing the same thing, but if they are activated during the wait period, then they might not be so shadowed after all. After 30 days, if the rule has not matched any traffic, it is decommissioned.

Users also get access to compliance and regulation checking with SecureTrack. Checks against the most common standards and regulations, as well as many that affect specific industries, such as PCI DSS or NERC CIP 5, are included out of the box. Users can also customize rules and policies based on their specific organization and scan for compliance.

Tufin’s interface shines here because it lets networks be segmented by various groups or geographic locations, or any other way that might help with policy management. Thereafter, users are shown an Excel-like spreadsheet with compliance rules running one way and the defined groups going the other. At a glance, we were able to tell on the color-coded chart which groups were in compliance with what rules. Blocks that were displaying anything other than green had problems, and Tufin let us click on them to investigate. All of those reports could be exported as a PDF too, so we could take them along to C-level meetings, or use them to show how the network looked before and after we worked on compliance issues.

SecureChange is used to add automation to security policy management, and builds on a lot of the work being done by SecureTrack. We could, for example, set it so that any changes being made in the future that had no risk associated with them would be automatically approved without human intervention. It also provided us with helpful tips to ensure that our automation efforts were successful. For example, in one case it advised us that implementing a new rule should only be done with a specific firewall before line 38 in the existing code. Digging a little deeper, we discovered that line had a catchall rule for blocking everything else not specifically authorized, so all our changes would need to come before that.

The biggest advantage with SecureChange is being able to begin automation from scratch. But instead of that being a huge mountain to have to climb, the interface of the Tufin suite helps to simplify everything by representing complex automation tasks graphically. It would be perfect for any organization just starting out on that path.

SecureApp is the most advanced part of the suite. It is used to look at how applications are performing and what they need in order to accomplish their jobs. Unlike users, applications won’t complain if they are getting blocked or slowed by policies. But SecureApp can unmask those silent problems.

We used it in our testing to map the paths that data from a new app was taking through our test network, including into a hybrid cloud. We noted that it was running into trouble, but only occasionally because it didn’t always interface with a specific router. That allowed us to fix the problem and improve functionality before any human would have even noticed, and before a future traffic surge made a real problem out of the situation. We also used SecureApp to track how proposed rules would affect all apps running in our network, so nothing would ever be accidentally knocked offline or otherwise hindered.

The Tufin Orchestration Suite is designed for professionals who know a lot about policy management. Those folks will likely be shocked by the beautiful and functional interface provided, given that most advanced tools we’ve tested don’t offer such functionality alongside a streamlined GUI. By combining the two, Tufin really stands out as a useful addition for security policy manager programs in an increasingly complex world of network defenses.

Skybox Firewall Assurance

The Skybox Security Suite was the most comprehensive that we looked at, and included modules for doing everything from network mapping and discovery to managing threat intelligence. For this review, we only considered the firewall manager module, which can be purchased separately. The base price for just the Skybox Firewall Assurance module is $9,130. That makes it the most economical product here, though it did seem a bit naked without the support of the other modules and capabilities. Even so, organizations that have their cybersecurity waterfront covered and just need to manage their firewalls better will find it to be a smart choice.

Regardless of how many parts of the Skybox suite are installed, it can be served from a 1U hardware appliance, a virtual appliance or as software running on a dedicated server. There is no difference in functionality based on the install method. We worked with a virtual appliance.

After installation, Skybox Firewall Assurance gives administrators a lot of choices about how to improve firewall configurations. The module comes with 80 built-in best practice rules for configuring firewalls. Some of those rulesets can be applied to any firewall, while others apply only to devices from a specific vendor, such as Cisco or Palo Alto. A few even apply to specific models.

We grabbed a generic best-practice rule where no firewall rule should have “Any” listed in its Source, Destination or Service fields. This normally happens when a firewall is first installed in listening mode and someone forgets to later modify those fields. Our test network had four such devices that broke this best practice rule, which were quickly located and fixed. We also found a few very specific rule violations that related to code problems with certain firewalls, and fixed them as well. This unique best-practice rule feature can improve the health of firewall networks right from the time the module is first deployed.

After the initial 80 best-practice rules are checked and applied, Skybox offers a second set which have been configured by Skybox based on their experience over the years. Users can also choose to scan for and implement these. Each one is given a detailed justification about why the best-practice rule was created and where it should be applied, so users can pick and choose what rules to accept. Finally, compliance rules based on PCI and NIST 800-41 can also be implemented. Once the out-of-the-box rules have been applied, users are given the chance to write their own organization-specific rules using a wizard, and then can scan for non-compliance and plug those holes too.

After cleaning up everything that violates best practice and compliance standards, the next step is probably going to be cleaning up the remaining rules which might be in compliance, but not working correctly or possibly opening up vulnerabilities. Shadowed rules are likely the biggest problem, and Firewall Assurance did a great job of ferreting them out. Like any moderately sized network, our testbed had many shadowed rules in place.

Firewall Assurance first identifies the rules and then provides lots of helpful statistics to help ensure that they are, in fact, duplicating the functions of another rule somewhere else. Even if the shadowed rule seems unused, the default for decommissioning it through Skybox adds in a 90-day waiting period, which can be expanded to much longer if desired. During that waiting period, Skybox first moves the rule to the bottom of the rulebase and then constantly monitors it. At the end of the waiting period, whether it’s 90 days or two years, users are given a detailed report showing how often the rule was used. If nothing activated it during that time, it can probably be safely decommissioned and erased. A full audit trail shows every action that was taken, just in case it’s needed later.
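The three checks the review keeps returning to (AlgoSec's warning that a proposed rule is already covered by an existing one, Tufin's and Skybox's shadowed-rule detection, and the Skybox best-practice rule against “Any” in Source, Destination or Service) all rest on one question: does one rule match everything another rule matches? The script below is an added example written for this article, not code from AlgoSec, Tufin or Skybox. It assumes a first-match rulebase and a simplified rule model (one CIDR or “Any” per address field, one `proto/port` or “Any” for the service); the rulebase is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule: CIDR or 'Any' for addresses, 'proto/port' or 'Any' for service."""
    name: str
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"


def field_covers(wide: str, narrow: str) -> bool:
    """True if address field `wide` matches every address that `narrow` matches."""
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    w, n = ip_network(wide, strict=False), ip_network(narrow, strict=False)
    if w.version != n.version:  # IPv4 vs IPv6 never overlap
        return False
    return n.subnet_of(w)


def service_covers(wide: str, narrow: str) -> bool:
    return wide == ANY or wide == narrow


def rule_covers(wide: Rule, narrow: Rule) -> bool:
    """Every packet `narrow` would match is also matched by `wide`."""
    return (field_covers(wide.src, narrow.src)
            and field_covers(wide.dst, narrow.dst)
            and service_covers(wide.service, narrow.service))


def shadowed_rules(rules):
    """In a first-match rulebase a rule is shadowed when an earlier rule already
    matches all of its traffic, so it can never fire. Returns (shadowed, by, same_action):
    same_action=True is harmless clutter, False means the later rule's intent is lost."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, later):
                found.append((later.name, earlier.name, earlier.action == later.action))
                break
    return found


def any_any_violations(rules):
    """Best-practice check: rules with 'Any' in source, destination or service."""
    return [r.name for r in rules if ANY in (r.src, r.dst, r.service)]


def already_covered(existing, proposed: Rule):
    """Before deploying `proposed` to a device, list same-action rules that already
    cover it; deploying it anyway would only create a new shadowed rule."""
    return [r.name for r in existing
            if r.action == proposed.action and rule_covers(r, proposed)]


# Constructed sample rulebase (not from any tested product or network).
RULEBASE = [
    Rule("r1-web-in", "Any", "10.0.1.0/24", "tcp/443", "allow"),
    Rule("r2-app-out", "10.0.2.0/24", "10.0.3.0/24", "Any", "allow"),
    Rule("r3-dup-web", "203.0.113.0/24", "10.0.1.10/32", "tcp/443", "allow"),  # shadowed by r1
    Rule("r4-ntp", "10.0.2.0/24", "10.0.3.5/32", "udp/123", "deny"),  # shadowed by r2, action differs
    Rule("r5-cleanup", "Any", "Any", "Any", "deny"),  # catch-all at the bottom
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULEBASE))
    print("Any violations:", any_any_violations(RULEBASE))
    new = Rule("new-web", "198.51.100.0/24", "10.0.1.0/25", "tcp/443", "allow")
    print("already covered by:", already_covered(RULEBASE, new))
```

The interesting case is `r4-ntp`: it is fully covered by `r2-app-out` but has the opposite action, so the deny was never taking effect. A product like those reviewed would surface that as a misconfiguration rather than as simple clutter, which is why the function reports whether the actions agree.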

That part of Firewall Assurance can help to clean up complex firewall deployments. The next part ensures that chaos and non-compliance do not creep back in. Whenever we tried to create a new rule, the program checked it against the existing network and told us if the new rule violated compliance rules, broke best-practice procedures or would become a shadowed rule to something else. We were given a detailed breakdown of the risks and conflicts involved and could act accordingly.

In one case, where a shadowed rule would have been born, we instead could modify another rule that Firewall Assurance pointed us to in order to get the same effect, so the new rule was never deployed. In that case, our modification was also checked for compliance issues, but as expected, was never in danger of becoming shadowed because it had already been cleaned up. Of course, Firewall Assurance ultimately lets users break their rules or accept risk if they deem it necessary. In that case, a ticket can be generated and passed into either an existing ticketing system or the one used by Skybox, so admins can evaluate and approve, or deny, the risky rule change.

The Skybox suite also ensures that firewall networks don’t age into non-compliance. Every new rule deployed is treated as part of a life cycle where nothing lasts forever. When deploying a new rule, an expiration date can be set where it will need to be recertified. Firewall Assurance is very good at letting administrators carefully define who is taking ownership of each rule. We could even set up an e-mail reminder to be sent to that person when a rule starts to get close to its recertification time.

Recertification rules with Skybox can be configured for almost anything. For example, we could assign ownership of an entire firewall to someone within our organization, and ask them to confirm that the device is still needed every few years, a nice feature that would prevent aging hardware from taking up space, and possibly adding vulnerability after it was no longer needed or used. We could also define ownership of individual rules or even our entire firewall network.

And the program is smart about not overloading users who own multiple rules or devices. We set one test user as the owner of more than 100 rules, all with the same expiration date set. When that time came, the system only sent them a single notice which contained information about all the rules that needed to be examined. They would still need to sit down and recertify each one, but at least they weren’t flooded with e-mails.
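The rule life cycle described for both AlgoSec and Skybox (an expiry date per rule, an owner who is asked to recertify, a grace period before the security team decommissions, and one consolidated notice per owner rather than one e-mail per rule) can be modelled in a few lines. This is an added example written for this article, not Skybox's or AlgoSec's code; the rules, owners and dates are constructed, and the reminder window, grace period and recertification term are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class OwnedRule:
    name: str
    owner: str
    expires: date
    recertified_on: list = field(default_factory=list)  # audit trail of recertifications


def pending_recerts(rules, today: date, reminder_days: int = 30):
    """One consolidated notice per owner listing every rule that has expired or
    falls due within `reminder_days`, instead of flooding the owner with e-mails."""
    notices = defaultdict(list)
    for r in rules:
        days_left = (r.expires - today).days
        if days_left <= reminder_days:
            status = "expired" if days_left < 0 else "due"
            notices[r.owner].append((r.name, status, days_left))
    return {owner: sorted(items) for owner, items in notices.items()}


def recertify(rule: OwnedRule, today: date, days: int = 365) -> date:
    """Owner confirms the rule is still needed: push the expiry out and log it."""
    rule.recertified_on.append(today)
    rule.expires = today + timedelta(days=days)
    return rule.expires


def decommission_candidates(rules, today: date, grace_days: int = 30):
    """Rules past expiry by more than the grace period with no recertification
    are handed to the security team for removal."""
    return [r.name for r in rules if (today - r.expires).days > grace_days]


# Constructed sample data (not from the test network in the review).
TODAY = date(2017, 4, 10)
RULES = [
    OwnedRule("ntp-dc", "alice", date(2017, 4, 20)),      # due in 10 days
    OwnedRule("ntp-ca", "alice", date(2017, 4, 25)),      # due in 15 days
    OwnedRule("legacy-ftp", "bob", date(2017, 2, 1)),     # expired 68 days ago
    OwnedRule("web-lb", "carol", date(2018, 1, 1)),       # not due yet
]

if __name__ == "__main__":
    for owner, items in pending_recerts(RULES, TODAY).items():
        print(f"notice to {owner}: {items}")          # alice gets one notice for two rules
    print("decommission:", decommission_candidates(RULES, TODAY))
    print("ntp-dc now expires", recertify(RULES[0], TODAY))
```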

A nice extra feature with the Skybox software is its ability to generate PDF reports about everything happening in the firewall network. These reports are surprisingly good looking, almost like professional white papers, and would be suitable to present to C-level executives or board members, as well as cybersecurity teams.

Firewall Assurance worked well to tame the chaos and remove vulnerabilities from our firewall testbed. It was even better when we added other modules to the suite, such as a beautiful network mapping tool that could easily compete with Visio. The other components were outside the scope of this evaluation, but their inclusion let us see how the modules of the Skybox suite complement one another.

For example, our beautiful network map could show the paths that users were taking to move through the network, which might illuminate an unknown vulnerability in the firewall network. Or, the Skybox Horizon module can be used to show every security issue happening within a network around the world broken down geographically, greatly enhancing the somewhat more technical interface of Firewall Assurance, and making monitoring accessible to executives without formal security training.

As a standalone product, Firewall Assurance is a good tool for keeping firewalls and their many complex rules in check. Companies with mature cybersecurity footprints can find a lot of value, especially at the price point, with Firewall Assurance if they want to additionally start making their firewalls more efficient. It worked well in our testing, but had a lot more functionality if deployed alongside the other available Skybox modules.

Breeden is an award-winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at