As part of its ongoing effort to stretch beyond firewall rules management, Tufin Technologies enhanced its firewall management software to support application lifecycle management and troubleshooting.
To do that, the company added a Unified Security Policy (USP) feature to the Tufin Orchestration Suite. USP visualizes security policies for an enterprise's entire network and then overlays how individual firewall rule changes affect those policies. This feature allows network security pros to evaluate how connectivity requests from application owners affect overall security.
"That's an improvement above a firewall rule base, which is just a long list of firewall rules that is unreadable given its complexity," said Reuven Harrison, chief technology officer and founder of Morristown, N.J.-based Tufin. "It embeds into our automation tool SecureChange, so not only can we tell you if an access request potentially violates your policies, we can help you design your changes in advance so they comply with your policies."
"Tufin analyzes rules to make sure they aren't shadowed; that there aren't security holes where the rules are overly permissive," said Eric Ogren, president of the Stow, Mass.-based Ogren Group. "It's for customers looking for a higher level analysis of rule sets and how it makes sense in the context of your business. I don't think firewall manufacturers are great at that."
Unified Security Policy is enabled for network segmentation policies today, but Tufin will add other policy types later.
Tufin also enhanced SecureApp, the software in its orchestration suite that allows application owners to define business applications and request network connectivity from network and security teams. The company added an Application Release Automation feature that simplifies the security policy connectivity aspects of the application lifecycle.
"If you are doing a development environment for a new payroll system, you'll need a connection to a database," Harrison said.
"In the dev environment, the database may be local. But in the staging or QA [quality assurance] environment, you are probably going to connect to a real database to test it out. And in the production environment, you will map that out to your virtual storage. These are three different IT environments, but they're actually the same components conceptually. We give a name to that conceptual element and say this is a storage element for my payroll application in dev, in staging and in production. Then, when you are ready to, we will take all the network connectivity definitions from one environment and automatically deploy them in the next environment."
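The environment-promotion idea Harrison describes, as an added illustration that is not Tufin's code: connectivity is defined once against logical component names, each environment binds those names to concrete addresses, and the rule set for the next environment is rendered from the same definitions. Component names and addresses are constructed; a component left unbound in the target environment stops the deployment rather than producing a partial rule set.

```python
"""Promote an application's logical connectivity definitions between
IT environments. Added illustration of the concept described above;
not Tufin's code. Component names and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str    # logical component name, e.g. "payroll-app"
    dst: str    # logical component name, e.g. "payroll-db"
    proto: str
    port: int


# Logical definition written once: which components talk to which.
PAYROLL_CONNECTIONS = [
    Connection("payroll-web", "payroll-app", "tcp", 8443),
    Connection("payroll-app", "payroll-db", "tcp", 5432),
]

# Per-environment bindings of logical names to concrete addresses (constructed).
BINDINGS = {
    "dev": {"payroll-web": ["10.10.1.5"], "payroll-app": ["10.10.1.5"],
            "payroll-db": ["10.10.1.5"]},                  # everything local
    "staging": {"payroll-web": ["10.20.1.0/28"], "payroll-app": ["10.20.2.0/28"],
                "payroll-db": ["10.20.9.10"]},             # shared test database
    "prod": {"payroll-web": ["10.30.1.0/24"], "payroll-app": ["10.30.2.0/24"]},
    # "payroll-db" deliberately unbound in prod to show the failure mode
}


def render_rules(connections, env, bindings=BINDINGS):
    """Expand logical connections into concrete allow rules for one environment.
    Raises KeyError naming every unbound component instead of deploying partially."""
    env_map = bindings[env]
    missing = sorted({c.src for c in connections if c.src not in env_map}
                     | {c.dst for c in connections if c.dst not in env_map})
    if missing:
        raise KeyError(f"{env}: no binding for {missing}")
    rules = []
    for c in connections:
        for s in env_map[c.src]:
            for d in env_map[c.dst]:
                rules.append({"src": s, "dst": d, "proto": c.proto, "port": c.port,
                              "action": "allow",
                              "comment": f"payroll {c.src}->{c.dst} [{env}]"})
    return rules


def promote(connections, from_env, to_env, bindings=BINDINGS):
    """Re-render the definitions deployed in from_env for to_env; only the bindings change."""
    render_rules(connections, from_env, bindings)   # confirm the source environment is complete
    return render_rules(connections, to_env, bindings)


if __name__ == "__main__":
    for rule in promote(PAYROLL_CONNECTIONS, "dev", "staging"):
        print(rule)
```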
"It takes companies too long to deploy applications," Ogren said. "It can take a couple weeks just going through how I change firewalls and routers, especially if they are virtualized. Any time [a management vendor] can define requirements and go through the firewall rule sets and recommend changes, it can validate those changes throughout the organization."
At the same time, Tufin beefed up SecureApp with Automated Connection Repair, which monitors application connectivity and reports where connections might be broken by firewall changes.
"Usually when someone calls the help desk and says an application is running slow, the help desk calls security and says, 'Check out the firewalls and see what's going on,'" Ogren said. Network security teams want an "application-level view" to see if firewall rule changes are affecting connectivity, he said.
Additionally, Tufin integrated its software with Puppet Labs' DevOps software for the automation and orchestration of host-based firewalls. "System administrators don't know how to configure host-based firewalls on their servers because they don't know about security policies and they don't care about security policies," Harrison said. "We allowed Puppet to retrieve those policies from our system through our APIs [application programming interfaces] and use them to provision that to hundreds and thousands of servers."
Finally, Tufin added support for Cisco IOS routers to its orchestration suite, permitting engineers to manage security policies on routers and firewalls in one place.
Tufin is "trying to expand their space," said Adam Hils, research director at Stamford, Conn.-based Gartner Inc. "If you look at the various competitors in this market, they are all using different tactics to get beyond firewall rules automation. In this case, [Tufin] wants to become a key part of network operations. Right now they can see the network, orchestrate policies across pieces of the network, [and] they can diagnose when policies are breaking things."