www.tufin.club
Interactive Map: Display complex search results
- Details
- Category: SecureTrack
Using the latest versions of SecureTrack, the "good old" Topology isn't available any more.
The new Interactive Map offers more possibilities and doesn't need Flash.
Searching a path from A to B is possible inside this map.
The result is shown inline. Especially in komplex environments, the result is shown very small and many administrators have difficulties to have a "good graph for documentation". In this case, it's useful to take the REST API for the request.
The URL https://forum.tufin.com/support/kc/R16-3/securetrack/apidoc/#!/Network_Topology/getPathCalcImage shows the syntax how to request the path which is shown in the browser afterwards.
Just an easy example: We want to know the way from 10.100.1.1/32 to 40.50.60.1/32 using SSH. In the Interactive Map the request is configured and the result is shown. This example delivers a simple output:
The result could be much more detailed, so it might happen that the output is too small. In this case, or if a graphic file is wanted directly, the same request can be done by using this URL:
https://<IP_SecureTrack>/securetrack/api/topology/path_image?src=10.100.1.1:32&dst=40.50.60.1:32&service=ssh%20protocol
The result is a png graphic file which can be saved and easily put into a documentation.
Tufin Orchestration Suite 17-2
- Details
- Category: Version update
Today Tufin has released the latest version of the Tufin Orchestration Suite. So TOS 17-2 is available in its GA version, delivering some improvements, e.g.
Cloud:
- SecureTrack for Azure Resource Manager
Working with VNETs and NSGs for the Azure Resource Manager Cloud Environment
Security Change Automation and Orchestration:
- Separation of steps for Design and Provisioning
Both is done by the Designer, but separate teams are able to work with different duties (Design Team, Provisioning Team). - Full Automation for Palo Alto Panorama NGFW Security Profile Groups using Content-ID
Zero-Touch end-to-end automated changes for PAN NGFW policies that include Security Profile Groups and Content-ID Inspection - Full Automation for Palo Alto Panorama NGFW Log Forwarding Profiles
Zero-Touch end-to-end automated changes for PAN NGFW policies that include Log Forwarding Profiles. - End-to-end Server Decommission Automation
Working with Designer and Provisioning for Check Point R80/R80.10, Palo Alto Panorama, Cisco ASA, Cisco IOS, Juniper SRX, and Fortinet FortiManager
Security Risk and Compliance:
- Unified Security Policy (USP) Alerts
It's possible to use USP alerts in SecureTrack now.
Devices and Platforms:
- Support of Cisco Firepower Management Center (FMC) by SecureTrack
- Full Cross-Suite Support of Check Point R80.10
- Support of Palo Alto Dynamic Access Group (DAG) Objects for VMware NSX by SecureTrack and SecureChange
- Support of Fortinet Fortigate 5.4.4 and FortiManager 5.4.3
- Support of Juniper JM/MX 13.3
- Support of Palo Alto Panorama PanOS 8.0.1
REST API:
- SecureTrack: additional_parameters API (parameter: type), devices API (parameter: sort), rule_search API (parameter: start, count)
- USP Alerts: creation, modification, retrieval and deletion with Unified Security Policy Alerts commands
- Better modification of Designer Suggestions using the command modify designer suggestion
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Continue to use (old) Topology Map
- Details
- Category: SecureTrack
Some administrators of Tufin SecureTrack are used to the old Topology Map, which has been removed in TOS 16-4. Instead of the Topology Map the new Interactive Map has been integrated. It shows some advantages and doesn't require the Adobe Flash. But still some administrators want the "good old Topology Map".
This is the view administrators have today - only the Interactive Map is shown in the Menu. It's possible to enable the Topology Map using this command at the CLI of the server:
[root@TufinOS]# /usr/local/st/manage_old_topology_tab.sh enable
Restarting httpd service to apply changes
[root@TufinOS]#
The change becomes visible when the page is reloaded or the user has logged off and logged on again.
As you see, even in the latest versions the Topology Map can be used. Due to improved options, the Interactive Map should be the preferred way to work with the Topology in SecureTrack.
PS: To disable the Topology Map, this command can be used:
[root@TufinOS]# /usr/local/st/manage_old_topology_tab.sh disable
Restarting httpd service to apply changes
[root@TufinOS]#
Vulnerability in SecureChange
- Details
- Category: SecureChange
A problem with PrimeFaces Expression Language (EL) in Tufin SecureChange has been found. CodeWhite points out that in SecureChange an EL Injection is possible, allowing unauthenticated attackers to inject arbitrary EL code to PrimeFaces custom EL Parser.
Tufin has published a Security Advisory regarding this fact on August, 24th.
All TOS versions with SecureChange installed are affected. Not affected are systems if SecureTrack only is installed.
Fixes are available for most supported TOS versions.
TOS R17-2: Fix will be published End of August
TOS R17-1: Fix is included in R17-1HF3 which is available in Tufin Download Center
TOS R16-4: Fix is included in R16-4HF5 which is available in Tufin Download Center
If a fix is needed for TOS R16-3 or TOS R16-2 Tufin asks customers to contact Tufin Support
(support at tufin dot com).
Earlier versions are no more supported, so a fix will not be published. In this case, upgrading to a supported version is strongly recommended.
New Zones and USP
- Details
- Category: SecureTrack
Sometimes it's necessary to have zones defined that include "new" or "unknown" networks.
Traditional Approach
The traditional approach in Tufin SecureTrack is to have devices monitored. These devices deliver information about Networks and Routes to SecureTrack. This information is used to build the Topology.
The next step would be to define Zones manually. These zones include networks included in the Topology. So finally, only "known networks" are defined in zones which can be used to define the Unified Security Policy (USP).
Another Approach
Some administrators have a tool for IPAM (IP Address Management) that includes all IP-Adresses and Networks, even if they are not registered in SecureTrack Topology. This information at all shall be used for compliance rules ini the USP. Since an import of zones is possible and no check is done if the networks exist in SecureTrack, exporting these data from IPAM helps, e.g.
Known: Zone a (Network 10.1.1.0/24), Zone b (Network 10.1.2.0/24)
in IPAM: Network 10.1.3.0/24 which should be imported into a new zone
File for import into SecureTrack Zones:
"#Zone Properties"
"zone name","description"
"Internet","Internet zone is all public addresses, excluding the addresses defined in all other zones"
"Users Networks","Users Networks zone should include the address space from which users can come within your organization"
"a",""
"b",""
"c","new zone"
"#Zone Hierarchy"
"parent","child"
"#Zone Subnets"
"zone name","subnet","description"
"a","10.1.1.0/24",
"b","10.1.2.0/24",
"c","10.1.3.0/24","new"
"#Zone Security Groups"
"zone name","security group name","description"
Even if the new zone isn't known in SecureTrack before and the network isn't in the Topology the import works.
After having imported the zones including the new zone c, the USP can be adapted and imported, too. Even if the following example isn't really a USP, it can be shown that it works.
"from zone","to zone","severity","access type","services","rule properties","flows"
"a","a","high","allow all","","",""
"a","b","critical","allow all","","",""
"b","a","low","allow all","","",""
"b","b","high","allow all","","",""
"c","c","high","allow all","","",""
"a","c","critical","allow all","","",""
"c","a","low","allow all","","",""
"b","c","critical","allow all","","",""
"c","b","low","allow all","","",""
After import, the new zone c is shown in the USP, even if the network isn't included in the SecureTrack Topology.
Lesson learnt: If an IPAM hosts all information about the networks, exporting relevant information in the correct format allows to define a USP with networks not even included in the Topology.
TufinOS 2.14 available
- Details
- Category: TufinOS
Tufin has published TufinOS 2.14. This version updates all RPMs to the latest releases based on CentOS 6.9.
As in the Tufin Portal pointed out, these are the new features and updates:
- Patched Anaconda rpm 13.21.263
- Updated RAID driver for ASR 8805/7805/71605 to version 1.2.1
- Updated Adaptec AR CCONF Command Line Utility to version 2.03.22476
- Updated PostgreSQL to version 9.4.11
- Updated MongoDB to version 2.4.14
- Updated stunnel rpm to version 5.40
- Updated nss util rpm to version 3.28.4 1.el6_9 to resolve CVE 2017-5461 vulnerability
- Added sTunnel patch to apply new configuration
- Added pam_passwdqc rpm
If you are using a Distributed Architecture, an upgrade of sTunnel might be necessary.Please consult the Tufin Portal for further information.
Page 17 of 22