Tufin SecureTrack Firewall Management Review

Started by deanwebb, January 04, 2015, 12:09:20 PM


deanwebb

I've been using this product for about a year now, and now I don't know how I lived without it, until I have to manage a firewall that isn't yet in the system. Then the painful memories return.

There are some tricks needed to get firewalls to participate fully in the Tufin system, but they're well worth doing to get that full participation. Well worth it.

At a basic level, Tufin will track all firewall config changes. That helps to answer the "what changed?" question that will either confirm or eliminate the firewall as a potential culprit in network issues. It offers a change comparison feature that clinches that feature in a way where you can point to a screen or a screen capture and show a manager what's going on without having to give him a course in Firewalls 101.

The config tracker also allows one to see the current config without logging into the firewall itself, to review the ruleset or other config items. This can help in determining if a rule already exists. It can also help when you want to batch-script a bunch of object additions and need to familiarize yourself with the syntax used by a vendor you're not all that familiar with yourself.

But the rule-checking gets to another level when you use the traffic analysis and object lookup features. These are must-haves for those firewalls with 500 rules that nobody wants to sift through, so they just add another rule when it's requested, and just hope that it's not a duplicate of an earlier rule. Tufin can search all firewalls for existing objects and then run analysis to see if the desired traffic is already permitted.

The heart of the analysis piece is the topology builder in Tufin. To make this work, you will need to add in at least one router that provides connections to your enterprise network. The router won't need to be managed by Tufin, but you will need to set it up so that Tufin can poll it for its routing tables.

Armed with that information, you can go into the Tufin topology window and start connecting firewalls to the routes they serve. It's a laborious process, but, again, well worth doing. Once it's set up, you'll be able to run the traffic analysis functions to determine which firewalls need to be opened up for the desired traffic - or if any firewalls are touched, at all.

But wait, there's more! Tufin can also help with rule cleanup: it will run reports to show rules that are shadowed and objects that are unused. Tufin can also run usage reports to show which rules are going unused.

Tufin SecureTrack will also run analysis on rules that are too permissive. Set a window for collecting data on a permissive rule and Tufin will watch all traffic that hits on that rule. At the end of that window, Tufin will then offer suggestions for making that rule less permissive, based upon that observed traffic. If there was an any-any-all rule made "just for troubleshooting", this will help to get rid of that.

With just a few firewalls, CLI and single-firewall GUI tools are fine. More than 10, and something like Tufin really comes into its own.

There are also other components to the Tufin suite, but SecureTrack is what I've used the most. SecureChange and SecureApp, however, also look to be in the "pretty dang good" category.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
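The post above describes three SecureTrack checks: rules shadowed by earlier rules, objects that nothing references, and tightening a permissive rule from the traffic observed during a collection window. The following is an added, self-contained illustration of what those checks compute, written for this thread rather than taken from Tufin or any vendor; the object library, the four-rule ruleset, and the hit records are constructed sample data, and the first-match semantics and single-rule shadowing are simplifying assumptions.

```python
"""Toy versions of three SecureTrack-style checks: shadowed rules, unused
objects, and permissive-rule tightening from observed hits.
Added example for the thread; this is not Tufin code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample object library (name -> CIDR); not from any real firewall.
OBJECTS = {
    "any": "0.0.0.0/0",
    "corp-lan": "10.0.0.0/8",
    "dmz-web": "192.168.50.0/24",
    "web-host-1": "192.168.50.10/32",
    "old-vpn-pool": "172.16.9.0/24",   # defined but never referenced by a rule
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # object name from OBJECTS
    dst: str
    ports: Optional[frozenset]    # None means "any service"
    action: str = "permit"


# Constructed ruleset, evaluated top-down, first match wins (assumption).
RULES = [
    Rule("allow-web-host", "corp-lan", "web-host-1", frozenset({443})),
    Rule("allow-dmz-all", "corp-lan", "dmz-web", None),
    Rule("allow-web-host-dup", "corp-lan", "web-host-1", frozenset({443, 8443})),
    Rule("troubleshoot-any", "any", "any", None),   # the "just for troubleshooting" rule
]


def _net(obj_name):
    return ip_network(OBJECTS[obj_name])


def covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.ports is None:
        return True
    return inner.ports is not None and inner.ports <= outer.ports


def shadowed_rules(rules):
    """Names of rules fully covered by a single earlier rule (the simple case;
    coverage by a combination of earlier rules needs fuller set algebra)."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(prev, r) for prev in rules[:i])]


def unused_objects(objects, rules):
    """Object names defined in the library but referenced by no rule."""
    referenced = {r.src for r in rules} | {r.dst for r in rules}
    return sorted(set(objects) - referenced)


def smallest_supernet(addrs):
    """Smallest CIDR block containing every address in `addrs`."""
    net = ip_network(addrs[0])          # starts as a /32
    while not all(ip_address(a) in net for a in addrs):
        net = net.supernet()
    return net


def tighten(rule, hits):
    """Suggest a narrower replacement for `rule` from observed (src, dst, port)
    hits, the way a usage window on a permissive rule does."""
    srcs = smallest_supernet([h[0] for h in hits])
    dsts = smallest_supernet([h[1] for h in hits])
    ports = frozenset(h[2] for h in hits)
    return {"rule": rule.name, "src": str(srcs), "dst": str(dsts),
            "ports": sorted(ports)}


# Constructed hits logged against troubleshoot-any during the collection window.
HITS = [
    ("10.1.1.5", "192.168.50.10", 443),
    ("10.1.1.9", "192.168.50.10", 443),
    ("10.1.1.5", "192.168.50.11", 8443),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("unused objects:", unused_objects(OBJECTS, RULES))
    print("tightened:", tighten(RULES[3], HITS))
```

The third rule is reported as shadowed because the second already permits every service from corp-lan to the whole DMZ subnet, and the any-any-all rule collapses to a /28 source, a /31 destination and two ports once only the observed hits are considered. A real product also has to reason about rules that are shadowed by several earlier rules together, and about NAT and topology, which is why the topology builder matters for the traffic-analysis side.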

wintermute000

How's it line up vs checkpoint GUI or juniper NSM? The latter afaik can do all the above aside from mapping topologies

deanwebb

It can handle more than one vendor, so that's good news in our multi-vendor environment. It was made by former CheckPoint employees (quick, name five security companies that weren't founded by former CheckPoint employees...), so they built it to go farther than the CP management utilities. I can't personally verify if it's better than the products you mentioned, since I'm not familiar with them, but I can vouch that this thing worked as advertised, which was really nice.

Fred

We use Firemon for a similar purpose, and while I loved it when I was using CheckPoint firewalls, I find it lacking when it comes to ASAs. Do you use Tufin with ASAs? Both Tufin and Firemon seem to have their origin in CheckPoint, and work well in those environments. ASA rulesets are quite a bit different (and clunkier).

We're looking at deploying more Palo Altos, including replacing some/most of our ASAs' responsibilities. Firemon appears to work well with those.

deanwebb

Tufin works very well with our ASAs and Junipers.