Tufin Technologies has extended its firewall audit and change management capabilities to "next generation" firewalls with support for Palo Alto Networks products. In addition to standard network-based firewall capabilities, Palo Alto enables organizations to create fine-grained policies and rules based on application and user identity using deep packet inspection (DPI) technology.
"The ability to identify applications by type, rather than port number, was the key feature for us, says Craig Hanrahan, senior manager of IT infrastructure for Sonus Networks. His company started deploying Palo Alto Networks firewalls about two years ago and has been using Tufin SecureTrack for a year. "Most applications can change ports; they're user-configurable, and as soon as you lock it down one way, the user finds another."
Firewall audit tools automate the analysis of complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change management processes. The market has been driven by compliance, particularly the Payment Card Industry Data Security Standard (PCI DSS).
Beyond compliance, enterprises can improve network performance, reduce downtime, improve security and divert manpower from firefighting firewall issues and analyzing configurations. It's not unusual for firewalls to have hundreds or even thousands of rules, many of them redundant and obsolete. Analyzing firewall configurations, especially in large networks with scores of firewalls, has grown beyond manual effort.
"We had a very manual process for change management, and Tufin helps automate the process," says Hanrahan. "Now the network admin makes the changes and the security people can review them immediately. It was a primary driver for buying the tool." He says it has also helped Sonus streamline its firewall rule sets, eliminating unused rules.