
Published February 15th, 2023 by Roi Alon


Tufin 21-1 is packed with new features and product enhancements, many of them incorporating our customers’ requests, to help users extend their policies and visibility across the hybrid cloud (specifically AWS and Azure), with enhanced support for NGFW policies with User-IDs for better app access control, and for incident response. To view the full list of Tufin 21-1 new features and enhancements, click here.

Here’s a brief summary of what’s inside the Tufin 21-1 release:

Policy Change Management Across Your Hybrid Environment (on-premise and cloud) with Tufin SecureChange

One of the main challenges network and security admins report is that making changes to firewall rules and/or security groups to enable access between apps/workloads across cloud, on-premise, SDNs, etc. is a time-consuming, error-prone process. This is because rule changes are usually done manually on different security management solutions (e.g. Panorama, FortiManager, Azure NSGs, etc.), which often results in missed SLAs and configuration errors.

The Tufin SecureChange Access Request workflow can now be used to automatically design and provision new access between apps/workloads in Azure and across the on-premise environment, avert manual misconfigurations, and reduce redo rates, without exposing the network to potential risks. In addition, you can integrate Tufin SecureChange with your third-party platform to handle access changes for environments not managed by Tufin.

Automatically Manage Azure Network Security Groups for North-south and East-west Connectivity

You can now use the Tufin SecureChange Access Request workflow to automatically and accurately manage N/S and E/W connectivity, whether within the Azure environments or between Azure and the on-premise environments.

An access request ticket can be opened in SecureChange for Azure objects such as an ASG, a VNet, a subscription ID, an IP address, or an NSG. SecureChange will then automatically run target selection to identify all targets in the path, whether on-premise or in Azure, conduct an access risk assessment against your security policy or vulnerability management data, and implement the change if no violations are found.

The following is an example of the Tufin zero-touch automation access request workflow. Keep in mind that this workflow is fully customizable and can also be integrated into your ITSM workflow.


Figure 1: Example of a zero-touch automation workflow supported by Tufin 21-1, spanning visibility and control of both on-premise and public cloud connectivity.
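To make the three steps of that workflow concrete (target selection, risk assessment against a segmentation policy, provisioning only when no violation is found), here is an added example in Python. It is an illustration written for this post, not Tufin code or the SecureChange API: the zone names and address ranges, the dynamic objects (`asg:web-tier`, `tag:app-tier`), the enforcement-point naming and the segmentation matrix are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed zone map (assumption: illustrative ranges and names, not Tufin data).
ZONES = {
    "onprem-users": ip_network("10.10.0.0/16"),
    "onprem-db": ip_network("10.20.0.0/16"),
    "azure-web-vnet": ip_network("10.100.0.0/16"),
    "azure-app-vnet": ip_network("10.101.0.0/16"),
}

# Constructed dynamic objects (ASGs / tags) resolved to their member addresses.
OBJECTS = {
    "asg:web-tier": ["10.100.1.10", "10.100.1.11"],
    "tag:app-tier": ["10.101.2.2"],
}

# Segmentation policy matrix: (source zone, destination zone) -> permitted TCP ports.
# A zone pair absent from the matrix is blocked.
SEGMENTATION_POLICY = {
    ("onprem-users", "azure-web-vnet"): {443},
    ("azure-web-vnet", "azure-app-vnet"): {8443},
    ("azure-app-vnet", "onprem-db"): {1433},
}


@dataclass
class AccessRequest:
    source: str       # IP address or object name
    destination: str  # IP address or object name
    port: int


@dataclass
class Assessment:
    targets: list = field(default_factory=list)     # enforcement points in the path
    violations: list = field(default_factory=list)  # policy violations found

    def approved(self) -> bool:
        return not self.violations


def resolve(obj: str) -> list:
    """Expand a dynamic object to its member IPs; a literal IP resolves to itself."""
    return OBJECTS.get(obj, [obj])


def zone_of(ip: str):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None  # outside the managed environment


def targets_in_path(src_zone: str, dst_zone: str) -> list:
    """Target selection: enforcement points a flow between two zones crosses (constructed model)."""
    onprem = [z for z in (src_zone, dst_zone) if z.startswith("onprem")]
    azure = [z for z in (src_zone, dst_zone) if z.startswith("azure")]
    targets = []
    if len(onprem) == 2:
        targets.append("onprem-core-firewall")     # E/W on-premise
    elif onprem and azure:
        targets.append("onprem-edge-firewall")     # N/S between on-premise and Azure
    for z in azure:                                # every Azure VNet in the path has an NSG
        nsg = f"nsg-{z}"
        if nsg not in targets:
            targets.append(nsg)
    return targets


def assess(req: AccessRequest) -> Assessment:
    """Risk assessment: every resolved source/destination pair is checked against the matrix."""
    result = Assessment()
    for src in resolve(req.source):
        for dst in resolve(req.destination):
            sz, dz = zone_of(src), zone_of(dst)
            if sz is None or dz is None:
                result.violations.append(f"{src}->{dst}: endpoint outside managed zones")
                continue
            for t in targets_in_path(sz, dz):
                if t not in result.targets:
                    result.targets.append(t)
            allowed = SEGMENTATION_POLICY.get((sz, dz))
            if allowed is None:
                result.violations.append(f"{sz}->{dz}: zone pair blocked by segmentation policy")
            elif req.port not in allowed:
                result.violations.append(f"{sz}->{dz}: tcp/{req.port} not permitted (allowed: {sorted(allowed)})")
    return result


def zero_touch(req: AccessRequest):
    """Assess, then provision one allow rule per target only if no violation was found."""
    assessment = assess(req)
    if not assessment.approved():
        return assessment, []  # ticket stops here for human review
    changes = [{"target": t, "action": "allow", "src": req.source,
                "dst": req.destination, "port": req.port} for t in assessment.targets]
    return assessment, changes


if __name__ == "__main__":
    for req in (AccessRequest("10.10.5.5", "asg:web-tier", 443),
                AccessRequest("asg:web-tier", "tag:app-tier", 22),
                AccessRequest("10.10.5.5", "10.20.0.7", 1433)):
        a, changes = zero_touch(req)
        print(req, "APPROVED" if a.approved() else "BLOCKED", a.violations, changes)
```

The point of the model is the ordering: the rule set is never touched until every resolved member of a dynamic object has passed the policy check, and a request that crosses the on-premise/Azure boundary produces changes on both the edge firewall and the NSG rather than on one of them.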

Can Tufin manage changes for environments that are not natively supported in SecureChange?

Yes. Tufin SecureChange can be integrated with third-party platforms to help you manage and implement access changes across any environment, securely and accurately. To learn more about this integration option, contact us.

Once integrated, SecureChange retrieves the relevant static/dynamic objects (e.g. tags, labels, etc.) and runs the access request workflow (similar to the example above).

With Tufin SecureChange, complex access changes can be implemented automatically throughout your hybrid environment with minimal human interaction, avoiding many possible misconfigurations, while taking into consideration security and compliance policies, for secure, accurate, and efficient changes.

Enhanced Visibility into AWS VPC Peering and Transit GW Traffic

In 21-1, we enhanced our cloud-related topology view to include AWS Transit Gateway and VPC Peering connections, to model communication routes traversing your AWS environment. Users can now run traffic simulation queries and ‘what if’ analysis, and troubleshoot connectivity issues for E/W traffic running in AWS.

This new visibility is added to the existing Azure VNet traffic visibility implemented in our previous release, Tufin R20-2, where N/S and E/W visibility for VNets is available. Here, we support a range of connectivity options, including ExpressRoute, VNet Peering, IPsec VPN, and third-party firewalls deployed in the cloud.

Complete Visibility into Multi-vendor User-ID NGFW Policies

Many of our customers are moving towards a user-aware approach to security. With 21-1, we extended our NGFW support: you can now use LDAP user groups to run traffic simulation queries and set policies based upon User-ID (not only IP addresses) for Check Point and Palo Alto Networks policies. This helps you control which apps users can access, in turn reducing the chances of internal threats.

As users are added/removed from groups, or new groups are added, Tufin updates the policies accordingly, so your segmentation policy always reflects users’ access permissions.

We also extended our NGFW policies with User-ID support for Fortinet, providing unified visibility into users’ access permissions as defined in Check Point, Palo Alto Networks, and Fortinet policies. This will help you to maintain an accurate picture of users’ available access to resources, and accelerate incident investigation and response using always up-to-date user access data.

Here’s an example of a path analysis with LDAP user group and the corresponding rule:


Figure 2: Screenshot from Tufin SecureTrack showing a topology view with User-ID in the source.

NSX-T Declarative API Support

In 21-1, we added support for the NSX-T declarative API (also called the policy API), so both NSX-T interfaces, the declarative and the imperative API, are now supported. Users can now gain visibility into, and manage changes for, policy API objects and rules.

View and Track Changes for Check Point CloudGuard Policies with AWS, NSX, and Cisco-ACI (in addition to Azure)

With 21-1, users can use Tufin to view and track changes for AWS, NSX, and ACI objects in Check Point CloudGuard security policies. Tufin automatically maps traffic flows based on CloudGuard policies for AWS, NSX, Cisco ACI, and Azure workloads. Users can view and monitor any changes to Check Point dynamic objects in real time, and detect violations. This is another improvement to help you gain end-to-end visibility and manage your hybrid environment in unison.

As with every new release, we put our efforts and resources into adding new features, and enhancing existing ones, to help boost your day-to-day productivity by extending your visibility and segmentation policy management capabilities across your multi-vendor, hybrid cloud environment.

To learn more about Tufin 21-1, and to see these and other new features in action, contact us.
