www.tufin.club
Authentcating ST Users with LDAP Server
- Details
- Category: SecureTrack
Since many years it's possible to authenticate users and administrators of SecureTrack via LDAP Server. This method is different to the others using TACACS+ or RADIUS. Here, a user needs to be defined. In this profile, the authentication method is selected: Local, TACACS+ or RADIUS.
Authentication using LDAP is a little different. First of all attaching a LDAP Server to SecureTrack needs to be done by Menu > Configuration > External Authentication > LDAP
Testing if the authentication of SecureTrack at the LDAP Server with LDAP Bind password isn't possible yet.
The "Administrators group DN" includes a group of AD users that are entitled to have administrative rights in SecureTrack. "Users" with restricted rights are located in the "Users group DN".
These users are not listed in Menu > Configuration > Users until their first login, they don't need to be imported.
When a LDAP user logs in to SecureTrack the first time, SecureTrack will check his name and credentials using LDAP. Depending in which group the user is found he will geht the corresponding rights.
- Administrators group:
User gets full administrative rights, if a Multi-Domain environment is configured, the right will be "Super-Admin" - Users group:
User has restricted rights as "user", if a Multi-Domain environment is configured the right will be "Multi-Domain Users". But with the first login no device is showed to the user. This right has to be configured manually by an administrator after first login of the users.
Besides this, the user is shown in the list of configured users in SecureTrack with Authentication method LDAP.
Each time such a user authenticates, the password is checked against the LDAP server.
How to manage Licenses in SecureTrack
- Details
- Category: SecureTrack
Licensing in Tufin Orchestration Suite is done centrally in SecureTrack. Even if SecureChange / SecureApp is run on a separate server, licenses are stored in SecureTrack and published to the other machine. If a license is installed, it needs to be activated. This is quite easy using the "Generate" button. When getting the activated license, it should be installed in SecureTrack so it's bound to this system.
When switching from an Eval license to a permanent license (and vice versa) it might happen that the newly installed license isn't recognized correctly. In this case, some CLI commands regarding the database are useful.
Before you continue, create a BACKUP of your installation of SecureTrack!
It includes all configuration and also the license. Be careful when you use the commands below - without license Tufin Orchestration Suite will not work at all!
For getting further information or deleting licenses CLI access to SecureTrack is necessary.
As usual for Tufin commands, this needs to be done as root or using the sudo command.
Next steps could be:
Show the currently installed licenses
[root@TufinOS ~]# psql securetrack -Upostgres -c "select * from st_licenses"
Delete all licenses of type "full", i.e. "real" licenses
[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from st_licenses where license_type='full'"
Delete all licenses of type "evaluation"
[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from st_licenses where license_type='evaluation'"
Delete all licenses of both types, i.e. "full" and "evaluation"
[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from st_licenses"
As written above, be careful with these commands and use them only when a current Backup is done!
Tufin Orchestration Suite 18-2
- Details
- Category: Version update
Tufin has released R18-2, the second version of the Tufin Orchestration Suite in 2018. TOS 18-2 is available as GA now, delivering some improvements, e.g.
Cloud
- SecureTrack
Automatically Onboard AWS VPCs
VPCs are automatically detected now, which covers adding or removing them.
Security Policy Change Automation and Orchestration
- SecureChange
Commit Policy Changes. Using this function, policies are pushed from the Management Server to the Firewalls using the Designer. Supported for Check Point, Palo Alto and Fortinet - SecureTrack, SecureChange
The feature Change Windows allows to schedule time slots for committing policies from Management Server to Firewalls, including new report features - SecureChange
Customizable Rule Names for FortiManager allow to define a rule name directly from the SecureChange Designer when changes are implemented. - SecureChange
Change Automation Enhancements for Cisco Firepower allow to implement changes of the security policy automatically.
Devices and Platforms
- SecureTrack
Inline Layer Support for Check Point R80.10 - SecureTrack
Migrate or Delete Multiple Devices for some Cisco and Check Point Devices using “Device Bulk Tasks” - Support of new devices
- VMware NSX 6.4.0
- Cisco ASA 9.8
- Fortinet FortiManager 5.6.3
- Fortinet FortiGate 5.4.7 and 5.6.3
- Forcepoint SMC 6.4
- Palo Alto Panorama 8.1
REST API
- Improvements for SecureTrack/SecureChange/SecureApp
Upgrades of REST API Stanadard (JAX_RS) from 1.1 to 2.1, compliant with Java EE8 Apache CXF (which implements JAX_RS 2.1) upgraded from 2.6.16 to 3.2.1 - Improvements for SecureTrack
- Unified Returned JSON Array Format for these APIs:
Get devices, Get device by Id, Add offline device, Update offline device, Get rules by device, Get specific rule, Rule Search APIs - Generic Devices APIs:
Fully manage adding, deleting, or modifying generic devices to the Interactive Map via the REST APIs. New argument “update_topology”. - Sync Topology APIs
Synchronization of Interactive Map by “Fast Topology Sync” or “Full Topology Snyc” - Generic VPN connections API
Retrieval of a list of generic VON in the Topology Map - Check Point Inline Layer Support
Parameter “include_subpolicy” allows support of this mode - Additional Data Returned for Check Point Devices
API responses for “get devices”, “installed_policy” and “parent_id" - Filtering Service Group Members
Optional parameter “show_members” with more information - Support for Pagination in USP Exceptions
Better management of a large number of USP Exceptions - Retrieve Domains from SecureTrack
New “Synchronize Domains” API retrieves all domains from SecureTrack, also synchronizing SecureChange Domains
- Unified Returned JSON Array Format for these APIs:
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
SegmentSmack vulnerability in TufinOS
- Details
- Category: TufinOS
TufinOS is based on Linux. Here a flaw called SegmentSmack has been found. Due to the handling of special TCP Packets a Denial-of-Service (DoS) can be triggered remotely. To maintain a DoS condition, continouos two-way TCP sessions to a reachable port are required.
So if your device running TufinOS isn't reachable from untrusted sources or protected by a firewall, the risk of a DoS isn't too high. But an upgrade should be installed when availalble.
Tufin points out that all versions of TufinOS are affected (TufinOS 1.8 - 1.23 as well as TufinOS 2.0 - 2.16).
Update 30.08.2018: A patch is integrated in TufinOS 2.17 which is available now for Download.
If you are still using TufinOS 1.x please upgrade since this version isn't supported any more by Tufin.
XXE Vulnerability in SecureTrack
- Details
- Category: SecureTrack
Tufin points out that a vulnerability has been found in Tufin SecureTrack.
It's a XXE (XML External Entity) vulnerability described in Top 10-2017 A4-XML External Entities (XXE) which alows attackers to exploit vulnerable XML processors. They can upload XML or include hostile content in a XML document.
Tufin has provided a first fix to address this issue:
For these versions fixes will be available and included, respectively:
TOS 18-1 HF 3 - scheduled to be published on September 5th, 2018
TOS 18-2 GA - Fix will be included in GA scheduled for release on August 22nd, 2018
Due to Tufin's policy regarding earlier versions no fix will be published for them. So if you use an older version, please do an upgrade to a supported version.
Access Request with NAT
- Details
- Category: SecureChange
Sometimes the question arises if Access Requests can consider NAT Rules also
Option 1:
End users opening an Access Request ticket are mostly not interested if NAT is necessary for ther request or not. In most cases they even won't know if NAT is neccessary. So in this case the question if NAT should be considered in the ticket is not that important.
Option 2:
An administrator knows that NAT is needed and tries to configure it in the ticket. This is possible:
Opening the object browser allows to provide IP addresses and NAT addresses
This results in a specific entry for Destination:
So everything seems ok, BUT this needs to be considered:
- Risk Analysis doesn't use NAT information
- Designer doesn't use NAT information
- Verifier doesn't use NAT information
Due to these facts, it's not really recommended to use NAT in Access Request tickets.
Page 12 of 21