We are excited to welcome 2020 with the release of Tufin Orchestration Suite 19-3 with new features and enhancements, including greater support of our customers’ Software-Defined Networking (SDN) initiatives, whether they implemented Cisco Application Centric Infrastructure(ACI) or VMware NSX-T (NSX Transformer).
Tufin 19-3 also provides new automation capabilities, such as a granular workflow for rule modification, and an automated change process for Palo Alto Networks’ FQDN (dynamic objects). This can help simplify users’ daily management tasks, boost productivity, and accelerate delivery.
Market-Leading SDN Support
As many organizations embrace Software Defined Networking (SDN) as part of their digital transformation to achieve network virtualization and agility, we at Tufin continue to be the first Network Security Policy Management (NSPM) vendor to provide enhanced support for Cisco ACI and VMware NSX-T. This enables our customers to manage their SDN environment and the rest of their network as a single entity.
Full visibility and path analysis for Cisco ACI fabric
Tufin R19-3 provides enhanced support for service graphs for full visibility into the Cisco Application Policy Infrastructure Controller (Cisco APIC) network. Users can view how traffic flows within the ACI fabric and how it’s directed through firewalls embedded in the ACI fabric.
With such a granular level of visibility, you can accurately analyze and plan changes, such as when troubleshooting connectivity issues or configuring access changes within and beyond the ACI environment. For example, once an access change request is submitted, you can run path analysis between Endpoint Groups (EPGs) and tenants. Tufin analyzes L3 connectivity, service graphs, VFRs, contracts and relevant EPGs, including other network objects outside the Cisco APIC, if needed, to provide an optimized way to implement the change. Based on the selected path, Tufin automatically implements changes in all relevant network devices targeted throughout the path.
With Tufin SecureTrack, users can view policy revisions in real time. Every time a policy changes, such as when a new tenant is added, you can view detailed information about the new contracts and subjects, bridge domains, VRFs, and even when the change was made. Further, Tufin provides a color-coded comparison between the new and old revisions, so you can easily view the changes.
Visibility, automation, and compliance for VMware NSX-T
Tufin was the first NSPM vendor to provide support for VMware NSX-v. We’ve since expanded our support, and with Tufin 19-3, we are the first to support VMware
NSX-T. You can now start managing your NSX-T environment and overall hybrid environment directly from Tufin, and:
- Apply segmentation to your NSX-T environment and receive real-time alerts on policy violations
- Maintain full visibility of your NSX-T environment as part of the Tufin Interactive Topology Map, including traffic flows (east-west and north-south)
- Automatically detect and troubleshoot broken connectivity, misconfigured rules, and policy violations
- Monitor and document rule changes for compliance purposes
- Conduct path analysis as part of route optimizations and configuration processes
- Automate rule maintenance - eliminate redundant, shadowed and outdated rules as well as modify overly permissive rules
- Automate network access changes using customized workflows
- Generate compliance audit reports
Customers who currently have VMware NSX-v and are looking to migrate to VMware NSX-T can use Tufin to:
- Apply the same NSX-v Unified Security Policy (USP) to your NSX-T environment, to achieve a seamless, secure migration process
- Manage and apply server cloning and decommissioning to improve operational efficiency
- Use the same automated workflows for rule provisioning, recertification and editing
To learn more, read our latest blog about Tufin-VMware NSX-T integration.
Rule Management Made Easy
Refine rules via automated workflow
Optimizing firewall policies is one of the biggest challenges for network and security admins. It requires the review of tens of thousands of rules to identify which rules or network objects are obsolete, shadowed or overly permissive and therefore need to be updated or removed. If policy health is not a good enough reason to optimize, then regulatory compliance, such as conducting PCI-DSS mandated rule set reviews at least every six months should be a good incentive. Afterall, it’s a security and operational best practice since unused rules and objects can lead to productivity losses and increase the attack surface, as they can be exploited by malicious users to access sensitive assets.
Take for example an overly permissive rule that holds multiple network objects in its source and destination. With Tufin, you can quickly identify which objects are being used and which are not, and then, using Tufin 19-3’s new workflow, remove the object from the rule’s source and destination field via a simplified, controlled process.
Starting from Tufin 19-3 you can make granular modifications to an existing firewall rule using a simple three-step process:
Step 1: Identify which rules need to be modified by running the ‘Rule and Object Usage Report’ in Tufin SecureTrack. This will take a couple of seconds or minutes, depending on the size of your rule base. The result is a list of either unused rules that should be considered for removal, or rules that are very heavily used and may be moved up in the rule base. You’ll also be able to identify objects that need to be removed from a rule, even if the rule itself is still relevant.
In addition, you can also use the Policy Browser in Tufin SecureTrack to run a query on your rule base and identify rules that require modification based on ‘hit count’ or other criteria.
Alternatively, you can run the Tufin Automatic Policy Generator (APG). This tool enables you to run ad-hoc or scheduled reports to detect overly permissive firewall rules by inspecting the traffic that flows through them and then recommending a set of rules/objects to replace the original. Within a matter of hours, APG can process weeks or months of log data from any of the leading firewall vendors and create an effective new rule base derived from network traffic. For improved network performance, the APG orders rules according to usage, placing the most‐used rules on top and the least‐used rules on the bottom.
Step 2: Based on the report results (APG and/or ‘Rule and Object Usage Report’ and/or policy browser results), you can submit a rule modification ticket in Tufin SecureChange to vet the changes.
Step 3: After ticket approval by relevant stakeholders, Tufin automatically checks if the changes are compliant with security mandates and implements the change to all relevant firewalls.
Enhanced Support for Next-Generation Firewalls
Change automation for Palo Alto Networks dynamic objects (FQDNs)
With Tufin R19-3, users can easily submit access requests using dynamic objects for enhanced cloud security. This can be done by deploying an automated workflow for network change request review and implementation that includes Palo Alto Networks Fully Qualified Domain Name (FQDN) objects.
Users can browse and select a specific FQDN object/group (no need to know IP addresses) as part of the ticket handling process of a new or changed access request.
Want to learn more about Tufin R19-3’s new features and enhancements? Check out this Tufin R19-3 Webinar.