SOLUTION BRIEF
Challenge
Large enterprises maintain and operate
multiple firewalls spread across
different time zones and business
units which involves a great deal of
repetitive, manual work. Security
administrators have to keep track
of all changes while also ensuring
compliance with corporate policies and
stringent regulatory requirements.
Solution
Tufin’s solutions provide complete
visibility into all firewall operations. With
powerful change tracking, risk analysis
and security optimization capabilities,
they enable Juniper Networks’ firewall
teams to increase network security and
automate day-to-day tasks.
Benefits
• Dramatic reduction of manual,
repetitive, error-prone tasks
• Optimized infrastructure utilization
and performance
• Proactive enforcement of corporate
security policies
• Compliance with corporate, industry
and regulatory standards
• Enforcement of vendor best
practices
• Improved risk management
JUNIPER AND TUFIN SECURITY LIFECYCLE MANAGEMENT SOLUTIONS
Gain a Unified, Top-Down View of Juniper Networks Firewalls to Manage Change, Secure Risks and Ensure Compliance
Implementing today’s complex corporate security policies has become a resource-intensive
process. Maintaining and operating multiple firewalls with numerous objects and
rule bases involves a great deal of repetitive, manual work. Whenever a change has been
made to the firewall rule base, administrators have to keep track of which changes have
been made, when and by whom—and then to make sure that every change was correctly
implemented in accordance with corporate policy and regulatory requirements. As security
operations grow, it becomes increasingly difficult to keep track of the details and be sure
that there were no human errors. In response, forward-thinking IT leaders are turning to
Tufin’s solutions for Juniper Networks® firewall operations management, which automates
and simplifies firewall change management and security policy compliance.
The Challenge
Providing network security for today’s enterprise is a continuous process of enforcing
corporate policy, fielding and implementing daily change requests, and demonstrating
compliance with standards. For large organizations, managing the security lifecycle is
a complex, resource-intensive operation. Networks include hundreds of infrastructural
components located at distributed sites and maintained by multiple teams. At the same
time, regulatory agencies and industry consortiums are demanding increasingly rigorous
standards of transparency and accountability.
To meet these challenges, security teams must use a variety of vendor-specific
administration tools and perform an extensive amount of repetitive, manual tasks.
Without a comprehensive, top-down view of the entire security infrastructure, manual
errors and inefficient configurations are difficult to avoid. And without process
automation, security audits are time-consuming, painstaking, and ineffective in identifying
threats before they occur.
To successfully align day-to-day operations with organizational business objectives,
security teams need complete visibility into security policy across the organization—as
well as the necessary tools to manage the security lifecycle efficiently. Tufin offers a
comprehensive solution for security managers that enables them to implement, manage
and audit security policy faster, more easily, and more accurately than ever before.
Tufin’s Solution for Juniper Networks Firewall Management
The Tufin SecureTrack™ and SecureChange™ Workflow solutions
for Juniper firewall management address these challenges.
SecureTrack and SecureChange Workflow integrate seamlessly
with Juniper Networks firewall/VPN solutions and products
enhancing security while reducing service interruptions and
automating day-to-day tasks.
“IDC sees an accelerated demand for solutions that combine change management, risk and business continuity management along with enterprise helpdesk products integration.”
Dan Yachin,
IDC EMEA, Emerging Technologies
Firewall Policy Change Management
To meet modern network security requirements, large enterprises
currently manage dozens, if not hundreds, of individual firewalls.
Each firewall has its own policy—a complex set of rules defining
the access privileges and restrictions for specific users and
services. Tufin SecureTrack for Juniper firewalls provides a unified
top-down view of all firewall policies allowing security teams to
individually supervise each piece of the puzzle.
Tufin SecureTrack continuously monitors firewall policies,
detecting and reporting configuration changes. With real-time
monitoring, you receive detailed notifications on changes as soon
as they are made. The system maintains a complete and accurate
account of each incremental configuration change and can
attribute each action to the firewall administrator who performed
it. This gives security officers unprecedented abilities to see who
made what change and when, analyzing its effects on the network.
Security Policy Optimization and Cleanup
As thousands of tickets (change requests) are processed by the
firewall operations team, and organizational security objectives
evolve over time, the underlying rule base that contains the firewall
policy becomes extremely large and intricate. In fact, many of
the rules and objects in a typical firewall rule base are obsolete.
These unused rules represent a potential security hole and should
be eliminated. But firewall operators do not have an easy way of
identifying these rules using standard administration tools.
In addition to security risks, a poorly maintained rule base can
have a major impact on performance. The entire rule base is
parsed from top to bottom with every network connection, and as
the rule base grows, hardware requirements also increase. Overly
complex rule bases are difficult to maintain and must be cleaned
up regularly.
SecureTrack’s Rule and Object Usage analysis records traffic logs
from Juniper firewall modules and Juniper Networks Network and
Security Manager (NSM) devices to provide statistical analysis
on the actual use of each of the rules and objects over different
time spans. Reviewing each firewall’s entire rule base with this
information allows you to optimize its operation and clean up
unused rules.
Figure 1: SecureTrack Rule and Object Usage Analysis allows administrators to optimize rule base and firewall performance.
Risk Analysis and Business Continuity Management
The implications of a firewall policy error can be severe—from a
security breach to network service interruption, or even network
downtime. Therefore, it is important to analyze the impact of every
change before it is implemented on the ground. Given the size and
complexity of the firewall rule base, this task is very complicated,
yet it is generally performed manually by firewall administrators
who lack the proper tools for rule base analysis.
Tufin SecureTrack’s Policy Analysis feature allows simulation of
the rule base to test whether a traffic pattern is currently blocked
or allowed and to provide a recommendation for corrective action
to be taken. In addition, in order to prevent security breaches
and service interruptions, a Compliance Alerts mechanism
analyzes every change and alerts on changes that allow or block
unauthorized traffic.
IT Automation and Operational Efficiency
As the complexity of network security infrastructure grows,
organizations are employing more and more highly skilled
administrators to manage operations. Rather than focusing their
expertise on strategic goals, administrators spend most of their
time on repetitive, manual tasks in an attempt to enforce corporate
policies over thousands of distributed infrastructure components.
Tufin’s SecureChange Workflow manages the entire lifecycle of
a policy change request from submission through design, risk
analysis, approval, implementation and auditing. SecureChange
Workflow automates repetitive components of the security
lifecycle in order to reduce the time spent on time-consuming
tasks and to invest resources more effectively. With SecureChange
Workflow, many manual analysis and auditing operations can be
reduced from days to a matter of hours.
Corporate Security Policy Auditing, Regulatory Compliance and Industry Best Practices
Companies have come to understand the business impact of
network security and to demand a high level of transparency and
accountability. To meet these requirements, organizations need the
ability to perform periodic audits to ensure compliance with three
different levels of security directives: corporate policy, regulatory
requirements and industry best practices. Due to the size and
dynamic nature of firewall security policies, it is too complicated
and time-consuming to perform these audits manually.
SecureTrack and SecureChange Workflow allow you to use
your organization’s corporate security policy as a basis for daily
firewall management. Every change is monitored against the
corporate policy and notification of non-conformance is received
in real time. Tufin’s products also improve security management
procedures and processes, such as firewall policy analysis, which
are the fundamental requirements for IT security in industry
and government regulations. They allow compliance with these
standards by adding effective controls and measures on IT
operations and reducing risks associated with firewall changes.
Given the variety of devices—different versions and administration
tools—it is difficult to enforce industry best practices throughout
the organization. For example, best practices have been
developed for naming changes and creating comments to explain
each change. Through SecureTrack and SecureChange Workflow,
managers can define best practices and are able to identify
non-conformance for the full range of security devices.
“SecureTrack’s extensive real-time monitoring and analysis facilities can make light work of firewall change management and security policy compliance.”
SC Magazine
Features and Benefits
Tufin’s SecureTrack and SecureChange Workflow help security
operations teams to manage change, minimize risks and
dramatically reduce manual, repetitive tasks through automation.
Features
Change Management: Monitors firewall policy changes, reports
them in real time and maintains a comprehensive, accurate audit
trail for full accountability.
Security Policy Optimization and Cleanup: Analysis and clean-up
of complex rule bases and objects to eliminate potential security
breaches and improve performance.
Risk Analysis and Business Continuity: Powerful simulation and
risk analysis to identify potential security risks, ensure compliance
with organizational security standards, and prevent service
interruptions.
Change Automation: Automatic processing of security change
requests to simplify the user experience while making network
administrators more effective. The entire lifecycle of a policy
change request is managed, from submission through design, risk
analysis, approval, implementation and auditing.
Cross-Platform Visual Monitoring: Intuitive, graphical views of
firewall policies, rule bases and configuration changes for Juniper
Networks and other vendor firewalls.
Auditing and Regulatory Compliance: Thorough auditing of
firewall policy changes by an objective third party supports
industry regulations including PCI-DSS, SOX, HIPAA, ISO 17799
and Basel II.
Benefits
• Dramatic reduction of manual, repetitive, error-prone tasks
• Optimized infrastructure utilization and performance
• Improved network security and uptime
• Enforcement of corporate security policies
• Assurance of business continuity
• Compliance with corporate, industry and regulatory standards
• Enforcement of vendor best practices
• Improved risk management
SecureTrack and SecureChange Workflow are offered as software
products or as appliance-based products. The software is
installed on a Red Hat Linux or CentOS server. The appliance is a
hardened Linux server. Customers that deploy SecureTrack and
SecureChange Workflow use the products to automate security
change management and monitor firewall devices of several
Juniper product families such as Juniper Networks SSG Series
Secure Services Gateways and Juniper Networks ISG Series
Integrated Security Gateways. Typically, Tufin’s products are
deployed in the operations center and connect to devices that are
located in operations centers, datacenters and remote sites.
SecureTrack and SecureChange Workflow are complementary
solutions for comprehensive management and auditing of Juniper
Networks firewalls.
Through SecureChange Workflow, change requests are managed
from end-user request all the way to change implementation.
The request forms, design and approval tools are customized to
Juniper firewall change processes.
SecureTrack uses Syslog to track all the changes made to
ScreenOS 5.X and ScreenOS 6.X devices in real time. Every time
SecureTrack is notified of a change by the firewall device or by
NSM, it retrieves the current policy via SSH. SecureTrack stores the
policies as a revision in its database.
The revisions are stored in a format that allows quick and efficient
analysis for change management, compare and audit purposes.
“Compliance and complexity are driving the requirement for better capability in optimizing the existing firewall rules base, and examining the impact of any proposed rule changes.”
Greg Young,
Gartner
For optimization of your Juniper rule base, SecureTrack also
collects rule and object usage data from devices and from NSM
using Syslog information. This functionality allows users to
identify unused rules and objects that should be considered for
removal, as they might pose a potential security risk. It can also
be used to optimize the rule base and firewall performance by
identifying rules that are least used (may be moved down the rule
base) and rules which are very heavily used (may be moved up in
the rule base).
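The usage analysis described above, sketched as an added example (not Tufin's or Juniper's code): it counts per-rule hits from traffic log lines, flags unused rules, and proposes moving a busier rule up only past rules it cannot conflict with under first-match evaluation. The log line format, rule fields and function names are assumptions constructed for illustration, not ScreenOS or NSM output.

```python
import ipaddress
import re
from collections import Counter

# Constructed rule base, evaluated top-down with first match winning.
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "192.0.2.10/32", "port": 22, "action": "permit"},
    {"id": 2, "src": "10.1.0.0/16", "dst": "192.0.2.0/24", "port": 443, "action": "permit"},
    {"id": 3, "src": "10.0.0.0/8", "dst": "192.0.2.0/24", "port": 443, "action": "deny"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "198.51.100.5/32", "port": 25, "action": "permit"},
    {"id": 5, "src": "10.2.0.0/16", "dst": "203.0.113.0/24", "port": 80, "action": "permit"},
]

# Constructed traffic log lines in a hypothetical key=value format.
LOGS = """\
fw1 traffic policy_id=5 src=10.2.3.4 dst=203.0.113.9 dport=80 action=permit
fw1 traffic policy_id=5 src=10.2.3.7 dst=203.0.113.9 dport=80 action=permit
fw1 traffic policy_id=3 src=10.9.0.1 dst=192.0.2.20 dport=443 action=deny
fw1 traffic policy_id=5 src=10.2.8.1 dst=203.0.113.4 dport=80 action=permit
fw1 traffic policy_id=2 src=10.1.4.4 dst=192.0.2.20 dport=443 action=permit
fw1 traffic policy_id=1 src=10.3.0.2 dst=192.0.2.10 dport=22 action=permit
fw1 traffic policy_id=3 src=10.9.0.2 dst=192.0.2.21 dport=443 action=deny
"""

def hit_counts(log_text):
    """Count log lines per rule id."""
    return Counter(int(m) for m in re.findall(r"\bpolicy_id=(\d+)", log_text))

def unused_rules(rules, hits):
    """Rule ids with no hits in the sampled period: candidates for review."""
    return [r["id"] for r in rules if hits[r["id"]] == 0]

def conflicts(a, b):
    """True if swapping a and b could change the verdict for some packet."""
    if a["action"] == b["action"] or a["port"] != b["port"]:
        return False
    net = ipaddress.ip_network
    return net(a["src"]).overlaps(net(b["src"])) and net(a["dst"]).overlaps(net(b["dst"]))

def promotions(rules, hits):
    """(rule id, id of the rule it may be placed above) for busier rules."""
    out = []
    for i, rule in enumerate(rules):
        j = i
        # Climb past quieter rules, stopping at the first conflicting one.
        while j > 0 and hits[rules[j - 1]["id"]] < hits[rule["id"]] \
                and not conflicts(rule, rules[j - 1]):
            j -= 1
        if j < i:
            out.append((rule["id"], rules[j]["id"]))
    return out

if __name__ == "__main__":
    hits = hit_counts(LOGS)
    print("unused:", unused_rules(RULES, hits), "promote:", promotions(RULES, hits))
```

Rule 3 has more hits than rule 2 but is not promoted: the two overlap with opposite actions, so swapping them would deny traffic that rule 2 currently permits.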
Figure 2: SecureTrack and SecureChange Workflow Network Environment
[Diagram labels: Monitor/Keyboard, Admin PC, Data Center, NOC, Remote Office, DMZ, SIM; SecureTrack/SecureChange Workflow; SSG Series, SSG20, ISG Series; connections labeled Syslog, SNMP, SSH/Syslog and HTTPS.]
Summary—Meeting Today’s Network Security Requirements
Tufin’s SecureTrack and SecureChange Workflow provide security
operations teams with unprecedented control over network
security policy management – from the first policy request
through its design, risk analysis, approval, implementation and
auditing. Tufin’s solutions automate critical operational processes,
saving organizations a significant amount of time and money
while improving their network security posture.
Next Steps
For further information, product demonstration or evaluation
requests please visit www.tufin.com or contact one of the
following Tufin offices:
US Sales
Phone: 1-877-270-7711
UK Sales
Phone: +44-780-230-4500
Central and Eastern European Sales
Phone: +49-89-99-216-441
Italy Sales
Phone: +39-06-43-40-90-17
Benelux Sales
Phone: +31-64-178-9667
International Headquarters
Phone: +972-3-612-8118
About Tufin Technologies
Tufin Technologies is the leading provider of Security Lifecycle
Management solutions that enable large organizations to enhance
security, ensure business continuity and increase operational
efficiency. Tufin’s products SecureTrack™ and SecureChange™
Workflow help security operations teams to manage change,
minimize risks and dramatically reduce manual, repetitive
tasks through automation. With a combination of accuracy
and simplicity, Tufin empowers security officers to perform
reliable audits and demonstrate compliance with corporate and
government standards. Founded in 2005 by leading firewall
and business systems experts, Tufin now serves more than
375 customers around the world, including leading financial
institutions, telecom service providers, transportation, energy and
pharmaceutical companies. For more information visit www.tufin.com,
or follow Tufin on: Twitter at http://twitter.com/TufinTech,
LinkedIn at www.linkedin.com/groupRegistration?gid=1968264,
FaceBook at www.facebook.com/group.php?gid=84473097725,
and the Tufin Blog at http://tufintech.wordpress.com/.
About SecureTrack
Tufin SecureTrack™ is the market-leading Security Lifecycle
Management solution. SecureTrack enables organizations to
enhance security, reduce service interruptions and automate
day-to-day tasks through powerful firewall management capabilities
and reporting. SecureTrack helps security operations teams to
control and manage policy changes, analyze risks, and ensure
business continuity and allows managers to easily understand the
big picture and align operations with corporate and government
security standards.
About SecureChange Workflow
Tufin SecureChange™ Workflow is a unique change management
solution designed specifically for security policy change requests.
SecureChange Workflow manages the entire lifecycle of a policy
change request, from submission through design, risk analysis,
approval, implementation and auditing.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance
networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment
for accelerating the deployment of services and applications
over a single network. This fuels high-performance businesses.
Additional information can be found at www.juniper.net.
3510401-003-EN Jan 2010
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601
APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or 408.745.2000
Fax: 408.745.2100
www.juniper.net
To purchase Juniper Networks solutions,
please contact your Juniper Networks
representative at 1-866-298-6428 or
authorized reseller.