www.tufin.club

The latest version of Tufin Orchestration Suite (TOS) is now 16-3. This GA Version delivers some improvements for its software parts, e.g.

Cloud:

  • AWS Security Groups are automatically recommended per required access
  • Changes are automatically verified per required access

Security Change Automation:

  • New Role in SecureChange allowing "Assign tickets to any handler"
  • "Modify Group" allows adding/removing IP ranges now
  • Designer suggestion is shown in Policy Context, i.e. suggested changes are shown in existing policy
  • Palo Alto Networks Panorama Device Group Policy Automation
    • Automatic selection of Device Group per required access
    • Automatic risk/compliance Analysis
    • Automatic Change Design and Provisioning incl. AppID
    • Automatic verification after changes
  • REST API allows now to export Designer results
  • Designer CLI

Security and Compliance:

  • Rule Documentation (Policy Browser) now allows to search for disabled rules
  • Palo Alto Networks Panorama Device Group integraion
    • Changes are tracked and monitored
    • Full visibility into Panorama Device Group hierarchy
    • Full intetration into Policy Browser (including rule usage information)
    • Cleanup support
    • Integration into SecureTrack Unified Security Policies
    • Reports are possible
    • Support of Tufin SeureTrack Topology
    • SecureApp connection status monitoring (currently not for AppID)

Application Management:

  • Introduction of application-centric User Permissions

Devices and Platforms:

  • Juniper: Topology Support for Virtual Routers in SRX Routes
  • Fortinet: Support of FortiManager 5.4.1
  • VMware: Support of NSX 6.2.4
  • F5: F5 12-1 is supported by TOS, but no iApps
  • Cisco: Support of ASA

 

Further improvements and corrections are included.

The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

Tufin has released a Security Announcement regarding "Dirty COW" (CVE-2016-5195)

Background:

A race condition has been found in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings, and thus increase their privileges on the system.

Vulnerable Systems:

All versions of TufinOS are affected: TufinOS 1.8 - 1.22 as well as 2.00 - 2.12
Installations using Red Hat Enterprise Linux and CentOS are affected also. Please find a patch on the website of the Linux distribution itself.

Remediation:

Tufin will publish a fix for TufinOS 2.12 on November, 2nd. A fix for TufinOS 1.22 will be published after Red Hat has published a fix for RHEL 5.
If you are not running the latest version of TufinOS, you should upgrade to be able to install the fix.

 

Update (20161102):

The fix for TufinOS 2.x is included in TufinOS 2.13 which is available since November, 1st.
A patch for TufinOS 2.12 will be released on November, 6th. This is relevant if an update to TufinOS 2.13 isn't possilble.

Update (20161104):

The fix for TufinOS 1.x is included in TufinOS 1.23 which is available since November, 4th. An upgrade to this version is recommended if still TufinOS 1.x is used.
Please be aware that TufinOS 1.x reaches its End of Live (EOL) on March 31st, 2017 - as CentOS 5 does. After this date, no updates or security patches will be created for TufinOS 1.x, so upgrading to TufinOS 2.x before this date is recommended.

 

 

 

Bug in TOS if SecureChange is run in HA mode

Tufin points out a potential vulnerability in Tufin Orchestration Suite (TOS) if SecureChange is run as a cluster. It might happen that MongoDB provides a simple HTTP interface that might be accessable from external sources. This could deliver information to external persons.

 

Affected are only HA deployments running SecureChange R15-3 or higher. Clusters running SecureTrack only aren't affected as standalone installations of SecureChange are. A fix will be included in R16-2 HF4, R16-3 GA and R16-4 RC1 and above. If you run an elder version not being able to upgrade, you will need to check the configuration of your HA installation of SecureChange.

 

To address this issue, just edit the configuration of MongoDB on the systems:

  1. Backup the original file /etc/mongod.conf
  2. Edit the file /etc/mongod.conf and add this option at the end of the file:
       nohttpinterface = true
  3. Save the file with your changes
  4. Restart the MongoDB service using
       # service mongod restart

Tufin states that this change won't interfere with the performance, stability, or functionality of TOS.

 

 

To find a serial number of a Tufin Appliance like T-1100 is quite easy - just have a look at the hardware and you will find this number. But what if there is no physical access to the box itself? You can find out the serial number via console also by using the command

[root@TufinOS ~]# dmidecode -s chassis-serial-number

It sounds easy, and yes - it's easy to get the serial number of a Tufin Appliance using CLI.

 

 

In SecureChange an Access Request can be configured. If wanted, the use of ANY for Source, Destination and Service can be allowed.

If a requestor wants access from a specific IP to ANY he or she will write e.g.:

If (accidently) an IP address has been entered into the Destination field, there is (at the first glance) no chance to re-configure an ANY or any accepted by the system.

 

Solution:
Just delete the entry in the Destination, so you have an empty field. Pressing OK delivers the Destination ANY back again.

 

 

 

Since TufinOS is a Linux working with networks, these settings need to be configured for the management interface. One way to do so is using the "traditional" way by editing files like e.g.

/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth0

etc. This is not always the easiest way, esp. if an administrator isn't too familiar with Linux. An easier way is to use a command of TufinOS:

/usr/local/sbin/config_mgmt_if

Since this directory is mostly in the environment path, the command can be used also as a single command without typing the whole path:

config_mgmt_if

This command asks the administrator for all important settings to configure the management interface of the system, as shown in the example below
(Please use YOUR IP-ADDRESSES ONLY for lab and productive environment). It also restarts the network service so the changes become active.

[root@TufinOS ~]# config_mgmt_if
Please enter the network details for the TOS management interface (eth0).
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
IP address for DNS server 1, or press ENTER to continue: 192.168.1.253
IP address for DNS server 2, or press ENTER to continue: 192.168.2.253
IP address for DNS server 3, or press ENTER to continue:
Do you want to configure IPv6 (yes|no)?: no

Network settings for TOS management interface
=============================================

(1) IP address:           192.168.1.1
(2) Netmask:              255.255.255.0
(3) Gateway IP:           192.168.1.254
(4) DNS Servers:          192.168.1.253, 192.168.2.253

To change the settings, enter the item number to change.
Enter c to apply the changes and continue, or enter e to exit
> c
Warning: The current network settings for the eth0 adapter will be overridden.
Are you sure you want to continue (yes|no)?: yes
Configuring eth0 settings...
Restarting network service...
Done.
[root@TufinOS ~]#

 So this command might help to configure the management interface of TufinOS.