Tufin Tracks Applications for Better Firewall Policy Management

Tufin Technologies has added another arrow to its quiver to help network administrators improve firewall management and security with SecureApp, which specifically addresses the connectivity of enterprise applications.

Ruvi Kitov, Tufin's co-founder and CEO, says enterprises are regularly challenged by complexity, change and compliance when managing firewalls and policies. Large IT environments mean multiple routers, switches and load balancers that all need to be governed. "You have this complex environment that is constantly changing because the business side wants changes and access to services."

Changes to firewall rules may take hours, putting added pressure on network administrators who must also comply with regulatory issues that affect the organization, says Kitov. Tufin already offers SecureTrack, which enables enterprise to have visibility and control over all firewalls, routers and switches on their network and alerts them to compliance violations and other risks so they can be addressed quickly.

He says the development of SecureApp was driven by the recognition of two additional items customers are dealing with: connectivity and communications required by enterprise applications, which often means exceptions to existing firewall rules. "You're poking small holes in the firewall, and about 90% of changes are triggered by the application side," says Kitov.

As an addition to Tufin's security suite, SecureApp provides network administrators and application owners with a central repository detailing how every application in the enterprises is connecting, allowing them to commission or decommission applications as well as fix any connectivity problems.

Kitov says there's often a gap between the application owners and the team managing firewalls. SecureApp enables these two groups to communicate more effectively to help save time and avoid errors that might put the organization at risk.

Other features of SecureApp include an interface for defining and documenting an application's network connectivity requirements at the level of network source, service and destination. It also automatically detects any policy rule changes and removals that must be made when an application is no longer in use.

By abstracting application connectivity information from the company's network security policy and framing it within the context of business requirements, SecureApp eliminates the need for network administrators to manually extract data that is usually spread across thousands of rules, firewalls and routers, says Kitov.

Diana Kelley, a principal analyst at SecurityCurve, says application connectivity is not a new concern for network administrators managing firewalls and policies. What's changed is how many apps there are. "Today we're putting a lot more applications and services through firewalls, which raise the complexity and stakes of managing the connectivity securely," she says. Certain ports are now passing different types of traffic, too. For example, Port 80 used to be reserved for vanilla HTML--now it's used for video, messaging and games, "so controlling what can and can't go through port 80 is a challenge now, too."

Kelley says policies that limit access based on port and IP addresses are still very valid, and there are still many ports that companies don't want any traffic over, such as very high ports that aren't in use by approved business applications or services. Blocking those ports outright is the best approach, she explains.

Application-aware connectivity and management in the firewall world have been promoted for years by companies such as Palo Alto Networks and Cisco in next-generation firewalls, says Kelley. "Firewall policy management tools like Tufin need to keep pace with the firewalls they're managing," she adds.

Jim Frey, a research director at Enterprise Management Associates, says the main challenge for network administrators is keeping up with the rate of changes and growth of enterprise applications. "It's very rare that I speak to someone who's reducing or consolidating applications," he says. "The number is increasing and, more importantly, the frequency of change is increasing."

This growth is being driven in part by virtualization and cloud computing, says Frey, and it means a bigger workload for firewall managers trying to keep up. Tufin's SecureApp specifically addresses this challenge, he says, by trying to make the job easier. It's still about monitoring ports and IP addresses, but SecureApp provides a tool to more easily identify what applications are connecting through them. "This is helpful because you have to really keep up with these changes based on which applications are being affected and how this in turn affects firewall rules."

Frey says tying these two elements together has not been formalized very well in available products to date. A lot of attention has to be paid to managing rules, making sure they're consistent across firewalls and devices and that old ones are retired. "All of this is typically driven by changes to the applications."

One potential scenario happening in enterprises occurs when application developers exploit the same connectivity rules over and over again for different applications. This is not a very good practice, says Frey. "The only reason to do that is because they perceived a significant barrier when it came to dealing with the firewall team." Old rules should be retired and new ones should set up properly, he says. "Organizations need a tool like Tufin to make that easier to do."