Tufin Technologies introduced an upgraded version of its security orchestration platform that gives administrators a unified, easy-to-digest display of network segments and their associated security policies.
Unified Security Policy (USP), a new feature in version R14-2, provides an easy-to-see grid that enables "a new way to visualize the security policy," according to Tufin CEO Ruvi Kitov.
Firewall policies and actions are usually displayed in a long list that reflects the rules that are applied to each segment of an organization's network. Instead of a list, USP exhibits those rules in a table -- or matrix -- that provides a visual representation of those policies.
"The challenge of the security team is properly zoning and segmenting the zones," Kitov said. An enterprise network can boast dozens of zones, each one serving a particular business operation like finance, operations or sales. Each zone, in turn, requires its own specific security policy and its own segmentation. "The problem with today's firewall policies is they don't describe the full breadth of all zones," Kitov said. "There is always some zone-to-zone piece that is missing."
Network zones listed with associated security policies
USP lists the enterprise's zones and the associated policies that regulate the level of traffic that's permitted among and between those zones. Kitov said the grid not only provides visibility, it also lets administrators quickly define so-called "dead cells," or zones with undefined behavior. "It might be blocked; it might be accepted; it depends on your policy. This is a way to let [users] visualize zoning and segmentation in a way they weren't able to before."
The software also allows administrators to pinpoint changes, enabling them to assess quickly whether end-user requests to access different zones meet policy guidelines, Kitov said. "The customer builds a compliance policy that we now watch," he said.
The ability to view network segmentation security policies in an easily digestible view will benefit both network and security administrators, said Jon Oltsik, senior analyst at Milford, Massachusetts-based Enterprise Strategy Group.
"Any time you do something like create a VLAN [virtual local area network] or segment an IP network, the security team may suggest things and create policies, but it's the networking team that configures and manages it. The value here is that the networking team wants to understand these controls and segments so they can get a better handle on how the network is architected. That's particularly useful when you are making changes," he said.
"You'd be surprised how hard that is to audit; to audit things like, 'Where are my zones, where are my VLANs, where are my access control lists?' People layer on these things over time, and they're done in different departments, so trying to get a single report on this is next to impossible."
In addition to the features within USP, Tufin said its orchestration suite now supports Palo Alto Networks' Panorama management console. Tufin also extended support for Cisco Security Manager, using Cisco's new application programming interface to provide advanced policy automation capabilities.
The latest version of the Tufin Orchestration Suite is available now. Pricing starts at $21,500 for SecureTrack and $45,000 for the full suite.
Chuck Moozakis asks:
How difficult is it for you to manage your network segmentation?