Tufin Firewall Management Suite Supports Palo Alto Networks' Application-Identity Capabilities

Tufin Technologies has extended its firewall audit and change management capabilities to "next generation" firewalls with support for Palo Alto Networks products. In addition to standard network-based firewall capabilities, Palo Alto enables organizations to create fine-grained policies and rules based on application and user identity using deep packet inspection (DPI) technology.

February 11, 2011

Network Computing

"The ability to identify applications by type, rather than port number, was the key feature for us," says Craig Hanrahan, senior manager of IT infrastructure for Sonus Networks. His company started deploying Palo Alto Networks firewalls about two years ago and has been using Tufin SecureTrack for a year. "Most applications can change ports; they're user-configurable, and as soon as you lock it down one way, the user finds another."

Firewall audit tools automate the analysis of complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change management processes. The market has been driven by compliance, particularly Payment Card Industry Data Security Standard (PCI DSS).

Beyond compliance, enterprises can improve network performance, reduce downtime, improve security and divert manpower from firefighting firewall issues and analyzing configurations. It's not unusual for firewalls to have hundreds or even thousands of rules, many of them redundant and obsolete. Analyzing firewall configurations, especially in large networks with scores of firewalls, has grown beyond manual effort.

"We had a very manual process for change management, and Tufin helps automate the process," says Hanrahan. "Now the network admin makes the changes and the security people can review them immediately. It was a primary driver for buying the tool." He says it has also helped Sonus streamline its firewall rule sets, eliminating unused rules.

Tufin's suite includes SecureTrack for firewall operations management and SecureChange Workflow for automating the change management lifecycle. Palo Alto Networks expects other firewall audit vendors to add support for its products. In addition to Tufin, the market includes companies such as AlgoSec, Secure Passage and Athena Security, as well as RedSeal Systems and Skybox Security, which are primarily risk assessment/risk management vendors.

Palo Alto's DPI enables enterprises to create firewall policies based on specific applications, users and intrusion prevention capabilities through what it calls Content-ID. The technology identifies network- and application-layer threats based on a combination of packet scanning, application analysis and a URL database.

The Palo Alto Networks announcement is wrapped into version 5.3 of the Tufin Security Suite. Other changes include:

  • Automated compliance reports for PCI DSS 2.0

  • Improved Automatic Policy Generator (APG). This feature is designed to create optimal firewall rules based on traffic analysis. The new release adds a GUI in addition to the command line interface and creates a "permissiveness" score for each rule so admins can determine if it is too open, represents a high risk, etc.

  • An API for integration with change management systems, including BMC Remedy

