Tufin.club

Access Request with NAT

Details
SecureChange
Last Updated: 03 August 2018

Sometimes the question arises whether Access Requests can also take NAT rules into account.


Option 1:
End users opening an Access Request ticket are mostly not interested in whether NAT is necessary for their request. In most cases they won't even know whether NAT is necessary. So in this case, the question of whether NAT should be considered in the ticket is not that important.


Option 2:
An administrator knows that NAT is needed and tries to configure it in the ticket. This is possible:

The object browser allows you to provide IP addresses and NAT addresses

This results in a specific entry for Destination:

So everything seems ok, BUT this needs to be considered:

  • Risk Analysis doesn't use NAT information
  • Designer doesn't use NAT information
  • Verifier doesn't use NAT information

Because of this, using NAT in Access Request tickets is not really recommended.

AERAsec is Tufin Service Delivery Partner

Details
Admin Management
Last Updated: 17 June 2018

AERAsec is proud to announce that we are one of the first three Tufin Service Delivery Partners (SDP) worldwide and currently the only one in Central Europe.

Tufin has announced the launch of a new partner program in June 2018. The Service Delivery Partner Program enables partners to be more service-ready.

AERAsec has wide experience from many projects helping customers get value from the Tufin Orchestration Suite. The close cooperation with Tufin Technologies will continue and become even more intense. Customers will therefore gain additional value not only from experience, but also from closer cooperation between AERAsec and Tufin. Customers purchasing Tufin products from AERAsec will have an additional advantage because of special conditions regarding these services.

Please contact us if you want to know more about AERAsec delivering Tufin Products and Services.

Another vulnerability in TufinOS

Details
TufinOS
Last Updated: 30 May 2018

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a new vulnerability has been found.

An industry-wide issue has been found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
See more details here: Speculative Store Bypass and Rogue System Register Read.

This issue will be addressed in TufinOS 2.17 and not by a patch for 2.16. The reasons are a local attack vector and a high attack complexity. The second flaw is rated with a low base score.

So these issues are addressed in TufinOS 2.17, which is planned for August 2018.
The release of this version will be announced by Tufin - and here in this blog.

Vulnerability in TufinOS

Details
TufinOS
Last Updated: 30 May 2018

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a command injection flaw has been found in the NetworkManager integration script included in the DHCP client packages.
It allows an attacker who spoofs DHCP server responses to execute arbitrary commands with root privileges on vulnerable systems that use NetworkManager and are configured to obtain their network configuration via DHCP.
Further information can be found at Red Hat under CVE-2018-1111 as well as at Tufin.

Since TufinOS 1.x isn't supported any more, no fix will be published.
In TufinOS 2.x this issue is addressed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP client packages are used.

Please be aware that when using TOS in an HA configuration, the upgrade can be done more easily than before, starting with TufinOS 2.16.

Tufin Orchestration Suite 18-1

Details
Version update
Last Updated: 25 April 2018

Tufin has released the first version of the Tufin Orchestration Suite in 2018: R18-1. TOS 18-1 is available as GA now, delivering some improvements, e.g.

Cloud

  • SecureTrack
    Support of AWS AssumeRole as part of the AWS Security Token Service
  • SecureTrack
    Support of the latest Microsoft Azure SDK 1.2.0

Security Policy Change Automation and Orchestration

  • SecureTrack, SecureChange
    Rule Recertification Automation by a specific workflow
  • SecureTrack, SecureChange
    Cisco Firepower Automation (including Target Suggestion, Risk Analysis, Designer and Verifier)
  • SecureChange
    New Workflow Customization Triggers (e.g. when Automatic Step fails, Pre-Assignment Script)
  • SecureChange
    Enhancements for Manual Target Selection
  • SecureTrack, SecureChange
    Stealth Rule is considered now by Designer

Security, Risk, and Compliance

  • SecureTrack
    Automatic Policy Generator (APG) for Palo Alto Panorama and Fortinet FortiManager

Devices and Platforms

  • SecureTrack
    Dynamic Routing Support for Palo Alto and Fortinet
  • SecureTrack, SecureChange
    Extended Generic NAT for Palo Alto
  • SecureTrack, SecureChange
    Topology Support for Cisco Firepower
  • Support of new devices
    • Fortinet FortiManager 5.4.4
    • Fortinet FortiGate 5.2.11
    • F5 13.0
    • Cisco Security Manager 4.15
    • Cisco Firepower 6.2.3
    • Microsoft Azure SDK 1.2.0

REST API

  • Improvements for SecureTrack
    • Parameter show_members for Network Object APIs
    • Network Topology APIs for NSX
    • Retrieve Total Available Records
    • Offline Device APIs
  • Improvements for SecureChange
    • New Tickets API - Confirm

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Interactive Map doesn't allow search for protocol:port?

Details
SecureChange
Last Updated: 17 April 2018

The Interactive Map of Tufin SecureTrack allows you to find a path from A to B combined with a service / protocol / application.
This has the advantage that the matching rules of the firewalls involved are also shown.

In earlier versions, it was very easy to select a specific service, e.g. tcp:8080
This is still stated in the (i), but in newer versions the "Find Path" button stays greyed out even after some information has been entered in the "Service" field.

So it seems that a search isn't possible...
Tufin has changed the way this field is used, so be sure to type "protocol:port" as needed and press <return> afterwards.
Only then is the configured service accepted by the system - and only then is a search in the Interactive Map possible.
