juniper and tufin security lifecycle management...


Upload: hoangtram

Post on 08-Mar-2018


SOLUTION BRIEF


Challenge

Large enterprises maintain and operate multiple firewalls spread across different time zones and business units which involves a great deal of repetitive, manual work. Security administrators have to keep track of all changes while also ensuring compliance with corporate policies and stringent regulatory requirements.

Solution

Tufin’s solutions provide complete visibility into all firewall operations. With powerful change tracking, risk analysis and security optimization capabilities, they enable Juniper Networks’ firewall teams to increase network security and automate day-to-day tasks.

Benefits

• Dramatic reduction of manual, repetitive, error-prone tasks

• Optimized infrastructure utilization and performance

• Proactive enforcement of corporate security policies

• Compliance with corporate, industry and regulatory standards

• Enforcement of vendor best practices

• Improved risk management

JUNIPER AND TUFIN SECURITY LIFECYCLE MANAGEMENT SOLUTIONS

Gain a Unified, Top-Down View of Juniper Networks Firewalls to Manage Change, Secure Risks and Ensure Compliance

Implementing today’s complex corporate security policies has become a resource-intensive process. Maintaining and operating multiple firewalls with numerous objects and rule bases involves a great deal of repetitive, manual work. Whenever a change has been made to the firewall rule base, administrators have to keep track of which changes have been made, when and by whom—and then to make sure that every change was correctly implemented in accordance with corporate policy and regulatory requirements. As security operations grow, it becomes increasingly difficult to keep track of the details and be sure that there were no human errors. In response, forward-thinking IT leaders are turning to Tufin’s solutions for Juniper Networks® firewall operations management, which automates and simplifies firewall change management and security policy compliance.

The Challenge

Providing network security for today’s enterprise is a continuous process of enforcing corporate policy, fielding and implementing daily change requests, and demonstrating compliance with standards. For large organizations, managing the security lifecycle is a complex, resource-intensive operation. Networks include hundreds of infrastructural components located at distributed sites and maintained by multiple teams. At the same time, regulatory agencies and industry consortiums are demanding increasingly rigorous standards of transparency and accountability.

To meet these challenges, security teams must use a variety of vendor-specific administration tools and perform an extensive amount of repetitive, manual tasks. Without a comprehensive, top-down view of the entire security infrastructure, manual errors and inefficient configurations are difficult to avoid. And without process automation, security audits are time-consuming, painstaking, and ineffective in identifying threats before they occur.

To successfully align day-to-day operations with organizational business objectives, security teams need complete visibility into security policy across the organization—as well as the necessary tools to manage the security lifecycle efficiently. Tufin offers a comprehensive solution for security managers that enables them to implement, manage and audit security policy faster, more easily, and more accurately than ever before.


Tufin’s Solution for Juniper Networks Firewall Management

The Tufin SecureTrack™ and SecureChange™ Workflow solutions for Juniper firewall management address these challenges. SecureTrack and SecureChange Workflow integrate seamlessly with Juniper Networks firewall/VPN solutions and products enhancing security while reducing service interruptions and automating day-to-day tasks.

“IDC sees an accelerated demand for solutions that combine change management, risk and business continuity management along with enterprise helpdesk products integration.”

Dan Yachin, IDC EMEA, Emerging Technologies

Firewall Policy Change Management

To meet modern network security requirements, large enterprises currently manage dozens, if not hundreds, of individual firewalls. Each firewall has its own policy—a complex set of rules defining the access privileges and restrictions for specific users and services. Tufin SecureTrack for Juniper firewalls provides a unified top-down view of all firewall policies allowing security teams to individually supervise each piece of the puzzle.

Tufin SecureTrack continuously monitors firewall policies, detecting and reporting configuration changes. With real-time monitoring, you receive detailed notifications on changes as soon as they are made. The system maintains a complete and accurate account of each incremental configuration change and can attribute each action to the firewall administrator who performed it. This gives security officers unprecedented abilities to see who made what change and when, analyzing its effects on the network.

Security Policy Optimization and Cleanup

As thousands of tickets (change requests) are processed by the firewall operations team, and organizational security objectives evolve over time, the underlying rule base that contains the firewall policy becomes extremely large and intricate. In fact, many of the rules and objects in a typical firewall rule base are obsolete. These unused rules represent a potential security hole and should be eliminated. But firewall operators do not have an easy way of identifying these rules using standard administration tools.

In addition to security risks, a poorly maintained rule base can have a major impact on performance. The entire rule base is parsed from top to bottom with every network connection, and as the rule base grows, hardware requirements also increase. Overly complex rule bases are difficult to maintain and must be cleaned up regularly.

SecureTrack’s Rule and Object Usage analysis records traffic logs from Juniper firewall modules and Juniper Networks Network and Security Manager (NSM) devices to provide statistical analysis on the actual use of each of the rules and objects over different time spans. Reviewing each firewall’s entire rule base with this information allows you to optimize its operation and clean up unused rules.

Figure 1: SecureTrack Rule and Object Usage Analysis allows administrators to optimize rule base and firewall performance.

Risk Analysis and Business Continuity Management

The implications of a firewall policy error can be severe—from a security breach to network service interruption, or even network downtime. Therefore, it is important to analyze the impact of every change before it is implemented on the ground. Given the size and complexity of the firewall rule base, this task is very complicated, yet it is generally performed manually by firewall administrators who lack the proper tools for rule base analysis.

Tufin SecureTrack’s Policy Analysis feature allows simulation of the rule base to test whether a traffic pattern is currently blocked or allowed and to provide a recommendation for corrective action to be taken. In addition, in order to prevent security breaches and service interruptions, a Compliance Alerts mechanism analyzes every change and alerts on changes that allow or block unauthorized traffic.

IT Automation and Operational Efficiency

As the complexity of network security infrastructure grows, organizations are employing more and more highly skilled administrators to manage operations. Rather than focusing their expertise on strategic goals, administrators spend most of their time on repetitive, manual tasks in an attempt to enforce corporate policies over thousands of distributed infrastructure components.

Tufin’s SecureChange Workflow manages the entire lifecycle of a policy change request from submission through design, risk analysis, approval, implementation and auditing. SecureChange Workflow automates repetitive components of the security lifecycle in order to reduce the time spent on time-consuming tasks and to invest resources more effectively. With SecureChange Workflow, many manual analysis and auditing operations can be reduced from days to a matter of hours.

Corporate Security Policy Auditing, Regulatory Compliance and Industry Best Practices

Companies have come to understand the business impact of network security and to demand a high level of transparency and accountability. To meet these requirements, organizations need the ability to perform periodic audits to ensure compliance with three different levels of security directives: corporate policy, regulatory requirements and industry best practices. Due to the size and dynamic nature of firewall security policies, it is too complicated and time-consuming to perform these audits manually.

SecureTrack and SecureChange Workflow allow you to use your organization’s corporate security policy as a basis for daily firewall management. Every change is monitored against the corporate policy and notification of non-conformance is received in real time. Tufin’s products also improve security management procedures and processes, such as firewall policy analysis, which are the fundamental requirements for IT security in industry and government regulations. They allow compliance with these standards by adding effective controls and measures on IT operations and reducing risks associated with firewall changes.

Given the variety of devices—different versions and administration tools—it is difficult to enforce industry best practices throughout the organization. For example, best practices have been developed for naming changes and creating comments to explain each change. Through SecureTrack and SecureChange Workflow, managers can define best practices and are able to identify non-conformance for the full range of security devices.

“SecureTrack’s extensive real-time monitoring and analysis facilities can make light work of firewall change management and security policy compliance.”

SC Magazine

Features and Benefits

Tufin’s SecureTrack and SecureChange Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation.

Features

Change Management: Monitors firewall policy changes, reports them in real time and maintains a comprehensive, accurate audit trail for full accountability.

Security Policy Optimization and Cleanup: Analysis and clean-up of complex rule bases and objects to eliminate potential security breaches and improve performance.

Risk Analysis and Business Continuity: Powerful simulation and risk analysis to identify potential security risks, ensure compliance with organizational security standards, and prevent service interruptions.

Change Automation: Automatic processing of security change requests to simplify the user experience while making network administrators more effective. The entire lifecycle of a policy change request is managed, from submission through design, risk analysis, approval, implementation and auditing.

Cross-Platform Visual Monitoring: Intuitive, graphical views of firewall policies, rule bases and configuration changes for Juniper Networks and other vendor firewalls.

Auditing and Regulatory Compliance: Thorough auditing of firewall policy changes by an objective third party supports industry regulations including PCI-DSS, SOX, HIPAA, ISO 17799 and Basel II.

Benefits

• Dramatic reduction of manual, repetitive, error-prone tasks

• Optimized infrastructure utilization and performance

• Improved network security and uptime

• Enforcement of corporate security policies

• Assurance of business continuity

• Compliance with corporate, industry and regulatory standards

• Enforcement of vendor best practices

• Improved risk management

SecureTrack and SecureChange Workflow are offered as software products or as appliance-based products. The software is installed on a Red Hat Linux or CentOS server. The appliance is a hardened Linux server. Customers that deploy SecureTrack and SecureChange Workflow use the products to automate security change management and monitor firewall devices of several Juniper product families such as Juniper Networks SSG Series Secure Services Gateways and Juniper Networks ISG Series Integrated Security Gateways. Typically, Tufin’s products are deployed in the operations center and connect to devices that are located in operations centers, datacenters and remote sites.

SecureTrack and SecureChange Workflow are complementary solutions for comprehensive management and auditing of Juniper Networks firewalls.

Through SecureChange Workflow, change requests are managed from end-user request all the way to change implementation. The request forms, design and approval tools are customized to Juniper firewall change processes.

SecureTrack uses Syslog to track all the changes made to ScreenOS 5.X and to ScreenOS 6.X devices in real time. Every time SecureTrack is notified of a change by the firewall device or by NSM, it retrieves the current policy via SSH. SecureTrack stores the policies as a revision in its database.

The revisions are stored in a format that allows quick and efficient analysis for change management, comparison and audit purposes.

“Compliance and complexity are driving the requirement for better capability in optimizing the existing firewall rules base, and examining the impact of any proposed rule changes.”

Greg Young, Gartner

For optimization of your Juniper rule base, SecureTrack also collects rule and object usage data from devices and from NSM using Syslog information. This functionality allows users to identify unused rules and objects that should be considered for removal, as they might pose a potential security risk. It can also be used to optimize the rule base and firewall performance by identifying rules that are least used (may be moved down the rule base) and rules which are very heavily used (may be moved up in the rule base).
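The usage analysis described above, sketched as an added example (not Tufin's or Juniper's code). The log lines are constructed and only a `policy_id=` field is assumed; the rule table, function names and hit threshold are hypothetical. It goes one step beyond the text: a heavily used rule is only suggested for promotion past rules it does not conflict with, because moving a rule above an overlapping rule with a different action changes what the policy permits.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed rule base in evaluation order (first match wins); all values are illustrative.
RULES = [
    {"id": 1, "src": "10.0.0.0/8",  "dst": "192.0.2.10/32",   "port": 23,  "action": "deny"},
    {"id": 2, "src": "10.1.0.0/16", "dst": "192.0.2.0/24",    "port": 443, "action": "permit"},
    {"id": 3, "src": "10.2.0.0/16", "dst": "198.51.100.0/24", "port": 21,  "action": "permit"},
    {"id": 4, "src": "10.0.0.0/8",  "dst": "192.0.2.0/24",    "port": 443, "action": "deny"},
    {"id": 5, "src": "10.3.0.0/16", "dst": "203.0.113.5/32",  "port": 53,  "action": "permit"},
]

POLICY_ID = re.compile(r"\bpolicy_id=(\d+)\b")

def sample_line(policy_id):
    """Build one constructed traffic-log line; only policy_id= is parsed below."""
    return f"<134>fw1: NetScreen device_id=fw1 (traffic): policy_id={policy_id} proto=6"

# Constructed log sample: rule 3 never matches, rules 4 and 5 carry most traffic.
SAMPLE_LOGS = ([sample_line(1)] + [sample_line(2)] * 3 + [sample_line(4)] * 40
               + [sample_line(5)] * 25 + ["<134>fw1: unrelated system message"])

def count_hits(lines):
    """Count log lines per rule id, ignoring lines without a policy_id field."""
    hits = Counter()
    for line in lines:
        match = POLICY_ID.search(line)
        if match:
            hits[int(match.group(1))] += 1
    return hits

def unused_rules(rules, hits):
    """Rule ids with no hits in the observed window: candidates for review."""
    return [r["id"] for r in rules if hits[r["id"]] == 0]

def overlaps(a, b):
    """True when some packet could match both rules."""
    return (a["port"] == b["port"]
            and ip_network(a["src"]).overlaps(ip_network(b["src"]))
            and ip_network(a["dst"]).overlaps(ip_network(b["dst"])))

def highest_safe_index(rules, idx):
    """Walk upward until an overlapping rule with a different action blocks the move."""
    rule = rules[idx]
    while idx > 0:
        above = rules[idx - 1]
        if overlaps(rule, above) and above["action"] != rule["action"]:
            break
        idx -= 1
    return idx

def promotion_plan(rules, hits, min_hits=20):
    """Map heavily used rule id -> highest safe index, each judged against the current order."""
    plan = {}
    for idx, rule in enumerate(rules):
        if hits[rule["id"]] >= min_hits:
            target = highest_safe_index(rules, idx)
            if target < idx:
                plan[rule["id"]] = target
    return plan

if __name__ == "__main__":
    hits = count_hits(SAMPLE_LOGS)
    print("unused:", unused_rules(RULES, hits))
    print("promotions:", promotion_plan(RULES, hits))
```

A zero hit count only means no matching traffic in the observed window, so review unused rules over a span long enough to cover periodic jobs before removing them.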

Figure 2: SecureTrack and SecureChange Workflow Network Environment

[Diagram labels: Admin PC, Data Center, NOC, Remote Office, DMZ; SIM; Syslog, SNMP, SSH/Syslog, Email, HTTPS; SecureTrack/SecureChange Workflow; SSG Series, SSG20, ISG Series]


Summary—Meeting Today’s Network Security Requirements

Tufin’s SecureTrack and SecureChange Workflow provide security operations teams with unprecedented control over network security policy management – from the first policy request through its design, risk analysis, approval, implementation and auditing. Tufin’s solutions automate critical operational processes, saving organizations a significant amount of time and money while improving their network security posture.

Next Steps

For further information, product demonstration or evaluation requests please visit www.tufin.com or contact one of the following Tufin offices:

US Sales

Email: [email protected]

Phone: 1-877-270-7711

UK Sales

Email: [email protected]

Phone: +44-780-230-4500

Central and Eastern European Sales

Email: [email protected]

Phone: +49-89-99-216-441

Italy Sales

Email: [email protected]

Phone: +39-06-43-40-90-17

Benelux Sales

Email: [email protected]

Phone: +31-64-178-9667

International Headquarters

Email: [email protected]

Phone: +972-3-612-8118

About Tufin Technologies

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin’s products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves more than 375 customers around the world, including leading financial institutions, telecom service providers, transportation, energy and pharmaceutical companies. For more information visit www.tufin.com, or follow Tufin on: Twitter at http://twitter.com/TufinTech, LinkedIn at www.linkedin.com/groupRegistration?gid=1968264, FaceBook at www.facebook.com/group.php?gid=84473097725, and the Tufin Blog at http://tufintech.wordpress.com/.

About SecureTrack

Tufin SecureTrack™ is the market-leading Security Lifecycle Management solution. SecureTrack enables organizations to enhance security, reduce service interruptions and automate day-to-day tasks through powerful firewall management capabilities and reporting. SecureTrack helps security operations teams to control and manage policy changes, analyze risks, and ensure business continuity and allows managers to easily understand the big picture and align operations with corporate and government security standards.

About SecureChange Workflow

Tufin SecureChange™ Workflow is a unique change management solution designed specifically for security policy change requests. SecureChange Workflow manages the entire lifecycle of a policy change request, from submission through design, risk analysis, approval, implementation and auditing.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

3510401-003-EN Jan 2010

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

EMEA Headquarters

Juniper Networks Ireland

Airside Business Park

Swords, County Dublin, Ireland

Phone: 35.31.8903.600

EMEA Sales: 00800.4586.4737

Fax: 35.31.8903.601

APAC Headquarters

Juniper Networks (Hong Kong)

26/F, Cityplaza One

1111 King’s Road

Taikoo Shing, Hong Kong

Phone: 852.2332.3636

Fax: 852.2574.7803

Corporate and Sales Headquarters

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089 USA

Phone: 888.JUNIPER (888.586.4737) or 408.745.2000

Fax: 408.745.2100

www.juniper.net

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.
