Tufin Tracks Applications for Better Firewall Policy Management

Tufin Technologies has added another arrow to its quiver to help network administrators improve firewall management and security with SecureApp, which specifically addresses the connectivity of enterprise applications.

Ruvi Kitov, Tufin's co-founder and CEO, says enterprises are regularly challenged by complexity, change and compliance when managing firewalls and policies. Large IT environments mean multiple routers, switches and load balancers that all need to be governed. "You have this complex environment that is constantly changing because the business side wants changes and access to services."

Changes to firewall rules may take hours, putting added pressure on network administrators who must also comply with regulatory issues that affect the organization, says Kitov. Tufin already offers SecureTrack, which gives enterprises visibility and control over all firewalls, routers and switches on their network and alerts them to compliance violations and other risks so they can be addressed quickly.

He says the development of SecureApp was driven by the recognition of two additional items customers are dealing with: connectivity and communications required by enterprise applications, which often means exceptions to existing firewall rules. "You're poking small holes in the firewall, and about 90% of changes are triggered by the application side," says Kitov.

As an addition to Tufin's security suite, SecureApp provides network administrators and application owners with a central repository detailing how every application in the enterprise is connecting, allowing them to commission or decommission applications as well as fix any connectivity problems.

Kitov says there's often a gap between the application owners and the team managing firewalls. SecureApp enables these two groups to communicate more effectively to help save time and avoid errors that might put the organization at risk.

Other features of SecureApp include an interface for defining and documenting an application's network connectivity requirements at the level of network source, service and destination. It also automatically detects any policy rule changes and removals that must be made when an application is no longer in use.

By abstracting application connectivity information from the company's network security policy and framing it within the context of business requirements, SecureApp eliminates the need for network administrators to manually extract data that is usually spread across thousands of rules, firewalls and routers, says Kitov.

Diana Kelley, a principal analyst at SecurityCurve, says application connectivity is not a new concern for network administrators managing firewalls and policies. What's changed is how many apps there are. "Today we're putting a lot more applications and services through firewalls, which raises the complexity and stakes of managing the connectivity securely," she says. Certain ports are now passing different types of traffic, too. For example, port 80 used to be reserved for vanilla HTML; now it's used for video, messaging and games, "so controlling what can and can't go through port 80 is a challenge now, too."

Kelley says policies that limit access based on port and IP addresses are still very valid, and there are still many ports that companies don't want any traffic over, such as very high ports that aren't in use by approved business applications or services. Blocking those ports outright is the best approach, she explains.

Application-aware connectivity and management in the firewall world have been promoted for years by companies such as Palo Alto Networks and Cisco in next-generation firewalls, says Kelley. "Firewall policy management tools like Tufin need to keep pace with the firewalls they're managing," she adds.

Jim Frey, a research director at Enterprise Management Associates, says the main challenge for network administrators is keeping up with the rate of changes and growth of enterprise applications. "It's very rare that I speak to someone who's reducing or consolidating applications," he says. "The number is increasing and, more importantly, the frequency of change is increasing."

This growth is being driven in part by virtualization and cloud computing, says Frey, and it means a bigger workload for firewall managers trying to keep up. Tufin's SecureApp specifically addresses this challenge, he says, by trying to make the job easier. It's still about monitoring ports and IP addresses, but SecureApp provides a tool to more easily identify what applications are connecting through them. "This is helpful because you have to really keep up with these changes based on which applications are being affected and how this in turn affects firewall rules."

Frey says tying these two elements together has not been formalized very well in available products to date. A lot of attention has to be paid to managing rules, making sure they're consistent across firewalls and devices and that old ones are retired. "All of this is typically driven by changes to the applications."

One potential scenario in enterprises occurs when application developers exploit the same connectivity rules over and over again for different applications. This is not a very good practice, says Frey. "The only reason to do that is because they perceived a significant barrier when it came to dealing with the firewall team." Old rules should be retired and new ones should be set up properly, he says. "Organizations need a tool like Tufin to make that easier to do."
