Tufin.club

Potential vulnerability in TOS

Details
SecureChange
Last Updated: 27 October 2016

Bug in TOS if SecureChange is run in HA mode


Tufin points out a potential vulnerability in Tufin Orchestration Suite (TOS) if SecureChange is run as a cluster. In that case MongoDB might provide a simple HTTP interface that might be accessible from external sources. This could disclose information to external persons.

 

Only HA deployments running SecureChange R15-3 or higher are affected. Clusters running only SecureTrack are not affected, and neither are standalone installations of SecureChange. A fix will be included in R16-2 HF4, R16-3 GA and R16-4 RC1 and above. If you run an older version and cannot upgrade, you will need to check the configuration of your HA installation of SecureChange.

 

To address this issue, just edit the configuration of MongoDB on the systems:

  1. Back up the original file /etc/mongod.conf
  2. Edit the file /etc/mongod.conf and add this option at the end of the file:
       nohttpinterface = true
  3. Save the file with your changes
  4. Restart the MongoDB service using
       # service mongod restart

Tufin states that this change won't interfere with the performance, stability, or functionality of TOS.
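
The four steps above as an idempotent shell function, added here as an example (it is not Tufin's code). The function names and the .orig backup suffix are assumptions; the option line and the restart command are the ones given above.

```shell
#!/bin/sh
# Added example: repeatable version of the manual edit of /etc/mongod.conf.
# OPTION_RE and both function names are assumptions of this sketch.
OPTION_RE='^[[:space:]]*nohttpinterface[[:space:]]*='

# Returns 0 only if an uncommented "nohttpinterface = true" line is present.
http_interface_disabled() {
    grep -Eq "${OPTION_RE}[[:space:]]*true[[:space:]]*\$" "$1"
}

harden_mongod_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Already set: do nothing, so repeated runs do not pile up lines.
    if http_interface_disabled "$conf"; then
        echo "unchanged"; return 0
    fi

    # Step 1: back up once and never overwrite an earlier backup.
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1

    if grep -Eq "$OPTION_RE" "$conf"; then
        # Option exists with another value (e.g. false): rewrite that line.
        tmp=$(mktemp) || return 1
        sed -E "s/${OPTION_RE}.*/nohttpinterface = true/" "$conf" > "$tmp" &&
            cat "$tmp" > "$conf"   # cat keeps owner and mode of the original
        rm -f "$tmp"
    else
        # Step 2: append; add a newline first if the file lacks a final one,
        # otherwise the option would be glued onto the previous setting.
        [ -z "$(tail -c1 "$conf")" ] || echo >> "$conf"
        echo "nohttpinterface = true" >> "$conf"
    fi
    # Verify before reporting success.
    http_interface_disabled "$conf" && echo "updated"
}

# Usage, after sourcing this file on each cluster node:
#   harden_mongod_conf /etc/mongod.conf && service mongod restart
```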

 

 

Serial number of Tufin Appliances

Details
Basics
Last Updated: 18 October 2016

Finding the serial number of a Tufin Appliance like the T-1100 is quite easy: just have a look at the hardware and you will find this number. But what if there is no physical access to the box itself? You can also find out the serial number via the console by using the command

[root@TufinOS ~]# dmidecode -s chassis-serial-number

It sounds easy, and yes, it is easy to get the serial number of a Tufin Appliance using the CLI.

 

 

Use of ANY in Access Request

Details
SecureChange
Last Updated: 13 October 2016

In SecureChange an Access Request can be configured. If desired, the use of ANY for Source, Destination and Service can be allowed.

If a requestor wants access from a specific IP to ANY he or she will write e.g.:

If (accidentally) an IP address has been entered into the Destination field, there is (at first glance) no way to re-configure an ANY or any that is accepted by the system.

 

Solution:
Just delete the entry in the Destination field so that the field is empty. Pressing OK then brings the Destination ANY back again.

 

 

 

Network Settings for Management Interface in TufinOS

Details
TufinOS
Last Updated: 07 October 2016

Since TufinOS is a Linux system working with networks, network settings need to be configured for the management interface. One way to do so is the "traditional" way of editing files such as

/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth0

etc. This is not always the easiest way, especially if an administrator isn't too familiar with Linux. An easier way is to use a command of TufinOS:

/usr/local/sbin/config_mgmt_if

Since this directory is usually in the environment path, the command can also be used on its own without typing the whole path:

config_mgmt_if

This command asks the administrator for all important settings to configure the management interface of the system, as shown in the example below
(please use ONLY YOUR OWN IP ADDRESSES for lab and production environments). It also restarts the network service so the changes become active.

[root@TufinOS ~]# config_mgmt_if
Please enter the network details for the TOS management interface (eth0).
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
IP address for DNS server 1, or press ENTER to continue: 192.168.1.253
IP address for DNS server 2, or press ENTER to continue: 192.168.2.253
IP address for DNS server 3, or press ENTER to continue:
Do you want to configure IPv6 (yes|no)?: no

Network settings for TOS management interface
=============================================

(1) IP address:           192.168.1.1
(2) Netmask:              255.255.255.0
(3) Gateway IP:           192.168.1.254
(4) DNS Servers:          192.168.1.253, 192.168.2.253

To change the settings, enter the item number to change.
Enter c to apply the changes and continue, or enter e to exit
> c
Warning: The current network settings for the eth0 adapter will be overridden.
Are you sure you want to continue (yes|no)?: yes
Configuring eth0 settings...
Restarting network service...
Done.
[root@TufinOS ~]#

So this command might help to configure the management interface of TufinOS.

 

 

 

"Redo Step" not working?

Details
SecureChange
Last Updated: 28 September 2016

When a ticket is worked on, the ticket goes step by step through the workflow.
There is an option called "Redo Step" to jump back to an earlier step, which will then be redone. To do so, just select the earlier step and press the "Redo Step" button.

 

In this example we are currently at step 5 while step 3 shall be repeated (and therefore steps 4 and 5 also, because a change could have been configured in the repeated step).
Here, in step 5, step 3 is selected and shown (read only).

After having selected the step, press the "Redo Step" button.

So the ticket goes back in the workflow to the step selected (in this case back from step 5 to step 3).

BUT - this sometimes doesn't seem to work

In the example above, step 2 is shown with a "skip" sign. This sign is shown if the step of the workflow has been skipped in this ticket. Due to this, a "Redo Step" can't be assigned. At first glance, it seems strange that this step can't be selected, but on a second look it's quite logical. Btw - if a ticket using other conditions is going through the step, a "Redo Step" for this step can be configured later on. In this case, the "skip" sign doesn't show up in the ticket.

 

Lesson learned:

The option "Redo Step" can be used to go back to any step the ticket has passed before.
If a step has been skipped, going back to this step using "Redo Step" isn't possible.

 

 

 

Manager Approvals in SecureChange

Details
SecureChange
Last Updated: 23 September 2016

How to work with the field "Manager" in Tufin SecureChange


To use this feature, it first needs to be defined in the workflow. To do so, in the definition of a step of the workflow select the option Add Field to open a menu.

In the Drop Down Menu select the option Manager.

Once this is done, the field is shown to the user. Since it's marked as Mandatory, it will show up with a red dot. Therefore the user is required to fill in this field in the step.


For this option to work, the Assignment needs to be defined correctly in the NEXT STEP. For this following step, the selection of Manager Assignment is mandatory. Since the user might provide an incorrect E-Mail Address, a "Default Manager" needs to be defined. This is a user of Tufin SecureChange. So if the E-Mail to the Manager can't be delivered, this user will get an E-Mail to work on the ticket.


Hints:

  • This option can be used in multiple steps, i.e. the Manager Field can be used for the step when opening a ticket and also at a later step (additionally)
  • Using the Manager Field requires the next step to be configured with "Manager Assignment"
  • Even in a step that is "Manager Assigned", a (new) Manager Field can be defined and used
  • If the step has "Dynamic Assignment" configured (e.g. to have different Approvers for different destination networks) the Manager Field is not supported and can't be used!

 

 
