Tufin SecureTrack™ introduces a new approach to firewall deployment called Automatic Policy Generation™ (APG). With APG, managers can automatically generate a new, robust firewall policy based on a thorough analysis of:
The resulting firewall rule base ensures that business-critical traffic is flowing normally, yet meets corporate and regulatory security standards. APG creates a rule base that is not too permissive, is optimized for high performance and organized for easy management and maintenance.
Fast and efficient, APG processes thousands of logs to create a new rule base within minutes. By repeating the process several times and adjusting a variety of parameters, firewall managers can achieve and deploy a highly optimized firewall policy in hours, rather than in weeks or months.
APG also provides security professionals with a powerful new tool for tightening existing firewalls, rebuilding complex, heavy rule sets, and analyzing the rule bases of firewalls inherited from other organizations, for example following M&A. For more information, download the complete APG white paper.
Since APG analyzes network traffic, the first step is to deploy a permissive firewall in the designated location with an "accept all and log" rule. The firewall should collect traffic logs for enough time to capture normal network usage behavior - generally a couple of weeks.
APG then retrieves and normalizes the logs. Using patent-pending Permissive Rule Analysis™ technology, APG analyzes "accept" logs and creates a map of required network connectivity. The network traffic that users need is defined as allowed, while all other traffic is blocked. Rules are refined until they are as specific and accurate as possible, replacing "Any" rules in the original policy with actual network addresses and services.
Within a matter of hours, APG can process weeks or months of log data - from any of the leading firewall vendors - and create an effective new rule base derived from network traffic. To optimize the rule base for faster performance, APG orders rules according to usage, placing the most-used rules at the top and the least-used rules at the bottom.
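The log-to-rule-base step described above, as an added Python example (not Tufin's code): it assumes a constructed one-flow-per-line log format, keeps only "accept" entries, aggregates them into source-network / destination / service rules, and orders the result by hit count with an explicit final drop.

```python
"""Log-driven rule-base generation, added illustration of the workflow above.
Assumed (constructed) log format: "<action> <src_ip> <dst_ip> <proto>/<dst_port>"."""
from collections import Counter
from ipaddress import ip_network

# Constructed sample of "accept all and log" traffic; not a real capture.
SAMPLE_LOGS = """\
accept 10.1.1.5 192.168.10.20 tcp/443
accept 10.1.1.5 192.168.10.20 tcp/443
accept 10.1.1.6 192.168.10.20 tcp/443
accept 10.1.1.5 192.168.10.30 tcp/25
accept 10.1.2.9 192.168.10.40 udp/53
accept 10.1.2.9 192.168.10.40 udp/53
accept 10.1.2.9 192.168.10.40 udp/53
accept 10.1.2.9 192.168.10.40 udp/53
drop 10.9.9.9 192.168.10.20 tcp/22
"""

def parse_accepts(text):
    """Normalize raw log lines into (src, dst, service) tuples, keeping accepts only."""
    flows = []
    for line in text.splitlines():
        action, src, dst, service = line.split()
        if action == "accept":
            flows.append((src, dst, service))
    return flows

def generate_rules(text, src_prefix=24):
    """Aggregate accepted flows into rules: sources are summarized into
    /src_prefix networks, rules are ordered most-used first, and anything the
    logs never showed falls through to the final explicit drop."""
    hits = Counter()
    for src, dst, service in parse_accepts(text):
        src_net = ip_network(f"{src}/{src_prefix}", strict=False)
        hits[(str(src_net), dst, service)] += 1
    rules = [{"src": s, "dst": d, "service": svc, "action": "accept", "hits": n}
             for (s, d, svc), n in hits.items()]
    rules.sort(key=lambda r: -r["hits"])  # most-used rule on top
    rules.append({"src": "any", "dst": "any", "service": "any",
                  "action": "drop", "hits": 0})
    return rules

if __name__ == "__main__":
    for position, rule in enumerate(generate_rules(SAMPLE_LOGS), 1):
        print(position, rule)
```

The generated rule base is only as complete as the capture window, which is why the review step that follows matters: flows absent from the logs (disaster recovery, quarterly jobs) end up in the final drop.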
Once automatic policy generation is complete, firewall managers can add unusual scenarios, such as disaster recovery, that may not have been sampled. A careful review of the new traffic-based rule base may also reveal malicious traffic such as a port scan (even one that runs slowly over several days), a Conficker infection, or generic botnet activity.
Finally, to ensure that the new rule base is not just accurate but also compliant, SecureTrack can be used to check alignment with corporate and regulatory security policies, as well as industry best practices.