www.tufin.club

Vulnerability in SecureChange

Details

Category: SecureChange

Last Updated: 23 August 2017

A problem with PrimeFaces Expression Language (EL) in Tufin SecureChange has been found. CodeWhite points out that in SecureChange an EL Injection is possible, allowing unauthenticated attackers to inject arbitrary EL code to PrimeFaces custom EL Parser.

Tufin has published a Security Advisory regarding this fact on August, 24th.

All TOS versions with SecureChange installed are affected. Not affected are systems if SecureTrack only is installed.
Fixes are available for most supported TOS versions.

TOS R17-2: Fix will be published End of August
TOS R17-1: Fix is included in R17-1HF3 which is available in Tufin Download Center
TOS R16-4: Fix is included in R16-4HF5 which is available in Tufin Download Center

If a fix is needed for TOS R16-3 or TOS R16-2 Tufin asks customers to contact Tufin Support
(support at tufin dot com).

Earlier versions are no more supported, so a fix will not be published. In this case, upgrading to a supported version is strongly recommended.

 

 

 

New Zones and USP

Details

Category: SecureTrack

Last Updated: 07 July 2017

Sometimes it's necessary to have zones defined that include "new" or "unknown" networks.

---

Traditional Approach

The traditional approach in Tufin SecureTrack is to have devices monitored. These devices deliver information about Networks and Routes to SecureTrack. This information is used to build the Topology.
The next step would be to define Zones manually. These zones include networks included in the Topology. So finally, only "known networks" are defined in zones which can be used to define the Unified Security Policy (USP).

---

Another Approach

Some administrators have a tool for IPAM (IP Address Management) that includes all IP-Adresses and Networks, even if they are not registered in SecureTrack Topology. This information at all shall be used for compliance rules ini the USP. Since an import of zones is possible and no check is done if the networks exist in SecureTrack, exporting these data from IPAM helps, e.g.

Known: Zone a (Network 10.1.1.0/24), Zone b (Network 10.1.2.0/24)

in IPAM: Network 10.1.3.0/24 which should be imported into a new zone

File for import into SecureTrack Zones:

"#Zone Properties"
"zone name","description"
"Internet","Internet zone is all public addresses, excluding the addresses defined in all other zones"
"Users Networks","Users Networks zone should include the address space from which users can come within your organization"
"a",""
"b",""
"c","new zone"

"#Zone Hierarchy"
"parent","child"

"#Zone Subnets"
"zone name","subnet","description"
"a","10.1.1.0/24",
"b","10.1.2.0/24",
"c","10.1.3.0/24","new"

"#Zone Security Groups"
"zone name","security group name","description"

Even if the new zone isn't known in SecureTrack before and the network isn't in the Topology the import works.
After having imported the zones including the new zone c, the USP can be adapted and imported, too. Even if the following example isn't really a USP, it can be shown that it works.

"from zone","to zone","severity","access type","services","rule properties","flows"

"a","a","high","allow all","","",""
"a","b","critical","allow all","","",""
"b","a","low","allow all","","",""
"b","b","high","allow all","","",""
"c","c","high","allow all","","",""
"a","c","critical","allow all","","",""
"c","a","low","allow all","","",""
"b","c","critical","allow all","","",""
"c","b","low","allow all","","",""

After import, the new zone c is shown in the USP, even if the network isn't included in the SecureTrack Topology.

 

Lesson learnt: If an IPAM hosts all information about the networks, exporting relevant information in the correct format allows to define a USP with networks not even included in the Topology.

 

 

 

 

TufinOS 2.14 available

Details

Category: TufinOS

Last Updated: 12 June 2017

Tufin has published TufinOS 2.14. This version updates all RPMs to the latest releases based on CentOS 6.9.

As in the Tufin Portal pointed out, these are the new features and updates:

• Patched Anaconda rpm 13.21.263
• Updated RAID driver for ASR 8805/7805/71605 to version 1.2.1
• Updated Adaptec AR CCONF Command Line Utility to version 2.03.22476
• Updated PostgreSQL to version 9.4.11
• Updated MongoDB to version 2.4.14
• Updated stunnel rpm to version 5.40
• Updated nss util rpm to version 3.28.4 1.el6_9 to resolve CVE 2017-5461 vulnerability
• Added sTunnel patch to apply new configuration
• Added pam_passwdqc rpm

If you are using a Distributed Architecture, an upgrade of sTunnel might be necessary.Please consult the Tufin Portal for further information.

 

 

 

Monitoring Check Point R80 with SecureTrack

Details

Category: SecureTrack

Last Updated: 12 May 2017

How to connect a "traditional" Check Management Server R77.x to SecureTrack has been described before:
Now let's see how a R80.x Check Point Management Server (SMS) can be connected to SecureTrack.

 

---

Prepare the Check Point SMS

First of all, a Permission Profile needs to be defined. Since R80, a profile needs to allow write access to SMS due to the new Management API.
To do so, in SmartConsole navigate at top left to Manage & Settings > Permissions & Administrators > Permission Profiles.

You will need an Administrator for Tufin SecureTrack using the Management API. So it's necessary to navigate to Manage & Settings > Permissions & Administrators > Administrators to define it.

Next, an object of the type Host Node is needed representing the System Tufin SecureTrack is running on. This is necessary because the IP address is needed when the OPSEC Application is defined in a later step. To define it, navigate to the top right in SmartConsole and select Object Catetories > Network Objects > New > Host.

To initiate the Secure Internal Communication (SIC), defining an OPSEC Application is necessary. To do so, navigate to Object Categories > Servers > OPSEC Applications > Applications and define a new one. Necessary protocols are LEA (Log Export API) to have access to logs as well as CPMI (Check Point Management Interface) to have access to the objects and rules.

It's necessary to configure the permissions of Tufin SecureTrack within Check Point. For CPMI as well as for LEA a Read-Only Permission Profile should be sufficient. You are free to allow further access, but it's not necessary if the use of only SecureTrack is planned.

After these steps, the SIC should be initiated by setting an Activation Key. This is a One-Time Password for authenticating Tufin SecureTrack at the SMS. When this authentication is successful, a newly generated certificate is transferred to SecureTrack. From then on, authentication is based on this certificate. The communication is encrypted as it is between the Check Point components like e.g. SMS and Firewall Module.

 

When the password is typed twice, the button Initialize finishes this part of the configuration.

 Please don't forget to make this newly generated certificate available by installing the Database. This is done by Menu > Install Database. If you forget to install the database on the SMS, the connection to SecureTrack won't work.

 

---

Prepare the Check Point Rulebase

If there is a Firewall between Tufin SecureTrack and Check Point SMS, a rule must allow the necessary access. Besides the access using LEA and CPMI furhter connections are needed, e.g. for Certificate Management:

• 443/tpc
  Connection from SecureTrack Server to SMS when using the Management API
• 18184/tcp
  Connection from SecureTrack to SMS / Logserver to retrieve log data (statistics) and Audit log data (recognition of actions done by administrators)
• 18190/tcp
  Connection from SecureTrack to SMS with a CPMI client to retrieve the latest revision
• 18210/tcp
  Connection to SMS for authenticating using the one-time password and for retrieving the certificate
• 18264/tcp
  Connnection needed to access the CRL running on the SMS to check if the certificate presented by SMS is valid

So a rule needs to be configured. This is necessary if any firewall is between SecureTrack and SMS. When a Check Point Firewall is in between, the rule could look like this:

 

---

 Configure Check Point SMS in Tufin SecureTrack

The Check Point SMS needs to be defined in SecureTrack so the configuration can be monitored. To do so, some steps are necessary. First of all, connect with administrative rights to Tufin SecureTrack using a web browser using HTTPS (443/tcp). In the default configuration doesn't redirect a HTTP request from port 80/tcp to the correct port.

 

In the Menu go to Settings > Monitoring > Manage Devices. On the left pane all monitored devices are listed. On the right side a new device can be definded. Here, select Check Point SmartCenter.

After this selection a wizard starts, asking for several configuration options in six steps.

The Device Type can't be changed here since this option has been selected before. The other options are:

• Name for Display
  Name shown in SecureTrack for this device
• Domain
  If SecureTrack is configured to use Domains, the corresponding Domain can be selected there. Please be aware that using this option clearly separates all data.
• Get revisions from <IP> or <Offline File>
  If the SMS is monitored live, the IP Address of the SMS is provided here. If there is no direct access, configuration data can be imported. Please be aware that this option requires a license also - even if there is no monitoring of the changes.
• Usage Analysis
  Here it's selected which data are collected. Esp. when "Rule and Object Usage" reports are required, the first two options need to be selected.
• Topology
  It's recommended to select the enablement of the Topology because in this case, all information that require Topology is available (e.g. Policy Analysis, Zones, Compliance Rules...).
• Version of Check Point SMS
  If you are using R80, be sure to select R80 here since the connection differs from the "traditional one".

The next step is to authenticate using the One-Time Password and to retrieve the certificate used from then on to authenticate.

It's necessary to provide the name of the OPSEC Application configured in Check Point SmartDashboard. The Activation Key is the One-Time Password provided during configuration in Check Point SMS.

 

In many cases the next windows can be kept using "default" for the OPSEC settings.

If there were changes configured in $CPDIR/conf/sic_policy.conf they can be considered here. It's all about authentication used for LEA and CPMI. All relevant Check Point options can be selected, so a successful authenticated connection from Tufin SecureTrack to Check Point SMS is possible.

The next step has been introduced with R80. For use of the Management API it's necessary to have an administrative user defined at the SMS (see above). Tufin SecureTrack uses this administrator to connect to the SMS via HTTPS.

In some cases the configuration for the timing of monitoring needs to be adjusted.

As in many cases, the default setting is useful when the global configured timing is sufficient.

Finally, the configured connection should be tested. If this is ok, the buttons Save and Done finalize the configuration.

 

---

Monitoring the Check Point R80 SMS

The status of monitoring the SMS can be checked using Menu > Settings > Administration > Status. Depending on the connection and the load on the Check Point SMS the status will remain some time in "Starting" and "Yellow". When it has changed to "Green" the SMS is shown under Menu > Compare also in green and after a short time the first revision will show up.

 

 

 

 

Tufin Orchestration Suite 17-1

Details

Category: Version update

Last Updated: 04 May 2017

The new and first GA version in 2017 of the Tufin Orchestration Suite (TOS) is available: 17-1.
This GA Version delivers some improvements, e.g.

Cloud:

• USP Based Security Groups in SecureTrack
  Dynamic micro-segmentation policies for cloud environments, USP Policies that are not based on specific IP addresses and simplified compliance and risk analysis
• AWS Direct Connect Support
  Integration of AWS Direct Connect in Topology, including the interfaceS

Security Change Automation and Orchestration:

• Zero-touch, end-to-end full automation for Palo Alto Panorama UserID (NGFW)
• End-to-end Rule Decommission workflow with Provisioning
• Cisco ASA IPv6 Change Automation

Security, Risk and Compliance:

• Rules and Objects Report support for Panorama Device Groups Policies
• Palo-Alto Pre- and Post-rules Marked in Policy Browser
• Rules and Objects Report support for FortiManager ADOM Policies

Application Management:

• IPv6-based Application Management

Devices and Platforms:

• Forcepoint (formerly Stonesoft SMC): Support of Stonesoft SMC 6.1
• Juniper: Support of SRX 12.3x48

REST API:

• LDAP
  Retrieve the base DN entry, details about a specific DN below the base DN entry, search for all entries that match (EXACT, CONTAINS, STARTS_WITH, ENDS_WITH) a specific string, or search for entries that exactly match a set of strings.
• Network Zone Manager - Patterns
  Retrieve, create, and modify security group patterns for identifying violations.
• Rule Decommission Designer Results and Provisioning Commands
  Retrieve Designer results and Provisioning commands for Rule Decommission.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com