Supporting SANS 20 Critical Security Controls - Tufin


SecureTrack: Supporting SANS 20 Critical Security Controls
March 2012
www.tufin.com

Table of Contents

Introduction
Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Critical Control 5: Boundary Defense
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Critical Control 13: Limitation and Control of Network Ports, Protocols and Services
    Procedures and tools for implementing and automating this control
    How can this control be implemented, automated, and its effectiveness measured?
Conclusion

Introduction

The SANS Twenty Critical Security Controls is an important initiative designed to consolidate a number of the most important security standards and initiatives into one clear set of guidelines. Using the Critical Controls, enterprises can define, monitor and measure their security initiatives more simply and effectively than before.

“The Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities. The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.” [1]

The most recent version of the Top 20 Critical Controls was released in August 2011 and includes the successful experience of both government agencies and private organizations. [2]

Firewalls and related network security devices, including routers and switches, are a significant part of the 20 Controls. Configuring, monitoring, and auditing these devices correctly is essential to assuring continuous network security. Tufin Security Suite (SecureTrack and SecureChange) is helping hundreds of organizations around the world to meet these challenges.

SecureTrack: Firewall Operations Management
Tufin SecureTrack is the industry-leading Security Operations Management solution for network and next generation firewalls as well as network infrastructure including routers, switches, load balancers and web proxies. SecureTrack features powerful tools that eliminate routine, manual tasks while assuring security and business continuity for large and small enterprises.

SecureTrack: Auditing and Compliance
Tufin SecureTrack enables organizations to comply with regulatory standards and successfully pass security audits. SecureTrack combines triggered compliance alerts with built-in reports such as PCI DSS 2.0 to dramatically reduce audit preparation times.

SecureChange: Security Change Automation
Tufin’s pioneering SecureChange solution enables companies to automate security change management and risk analysis for the network. With SecureChange, companies can automate business processes to proactively enforce security policies and support governance initiatives.

In this paper, we examine the Critical Controls that relate to firewalls and network configuration management, and show how Tufin enables security teams to fulfill the requirements described in each control. We will examine the essential role of automated change tracking and compliance monitoring in assuring continuous security, and the ways you can proactively analyze and recertify your security devices in order to eliminate potential threats.

[1] For the latest version of the 20 Critical Controls, see the SANS web site /. All quotes in this white paper can be found there.
[2] SANS press release for the new version: .php

Control / Tufin solution

Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Tufin enables you to maintain a tight configuration for all of the network devices that control access to your network.

Control 5: Boundary Defense
Tufin enables you to improve and verify your boundary defenses and to safely protect additional network segments.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Tufin maintains a complete, segregated audit trail along with tools for monitoring and analysis.

Control 13: Limitation and Control of Network Ports, Protocols and Services
Tufin provides the tools to ensure that access is restricted and to verify business justification for all access.

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

The 4th control covers the need to maintain a tight configuration for all of the network devices that control access. This consists of defining a coherent security policy and then continuing to ensure that all devices comply with this policy over time as changes are made. And since every access request is a potential security loophole, it is essential to verify the business justification for every exception, and to revalidate that need periodically.

Organizations that fail to manage their firewall, router and switch configurations are at risk. “Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, as the exceptions are deployed, and as those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses.” [3]

Procedures and tools for implementing and automating this control

“Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and search for errors in rule sets or access controls lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.”

Tufin Security Suite offers a comprehensive, lifecycle approach to maintaining secure configuration of firewalls, routers and switches. It includes several key capabilities:

- Corporate compliance policies: SecureTrack gives you a simple way to translate your corporate compliance strategy into a concrete policy that you can automatically monitor. Without coding, SecureTrack’s Corporate Compliance Policy enables you to define traffic that should always be allowed, or always be blocked. You can also define a Risk Management Policy that specifies either blacklist or whitelist traffic, as well as permitted exceptions. This policy helps you to ensure that no changes are made that pose a threat to business continuity.
- Compliance alerts: Any time a firewall or router configuration change violates the corporate policy, an alert is sent out so that you can maintain continuous compliance, without waiting for the next audit.
- Compliance reports: You can manually run or schedule periodic compliance audit reports that show the current security policy configuration in comparison to the Corporate Compliance and Risk Management policies. Many other reports can be used to audit your security policy configuration, including the Software Version Compliance report, the Best Practices report, and the Security Risk report.
- Policy analysis: Before implementing a change, you can use SecureTrack’s Security Policy Analysis to identify possible conflicts or violations. This pro-active risk analysis tool can save hours of painstaking, manual rule base review. Network topology discovery automatically identifies the relevant devices in a query and makes it easy to define zone-based queries.
- Rule documentation and recertification: To keep your security policy up to date at all times, you can document an expiration date and a business owner for each rule. SecureTrack will automatically alert you to rules that are going to expire so that you can recertify them, or delete them. You can also schedule reports by expiration date or owner to help manage your access rules proactively.

How can this control be implemented, automated, and its effectiveness measured?

Quick wins: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
Tufin solution: Define a corporate compliance policy in SecureTrack that will automatically alert to any change that is not compliant. Periodically use the Software Version Compliance Report, the Corporate Compliance report, the Security Best Practices Audit, and the Cisco Device Configuration Report (DCR) to ensure that all device configurations comply with your policy.

Quick wins: At network interconnection points such as Internet gateways, inter-organization connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, network-based IPS, and/or routers.
Tufin solution: In SecureTrack, create a compliance policy for zone to zone communications and generate automatic alerts when administrators allow any unauthorized or unapproved traffic or zones. You can create custom compliance policies that define black list, white list and business continuity policies, and SecureTrack will make sure that they are enforced continuously.

Configuration/Hygiene: All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.
Tufin solution: SecureTrack’s Rule Documentation and Recertification enables you to assign a justification, a business and technical owner, and an expiration date to every access rule. You can schedule alerts and reports about expiring rules so that administrators can review their current business justification and either delete or recertify.

Configuration/Hygiene: The latest stable version of a network device’s inter-network operating system (IOS) or firmware must be installed within 30 days of the update being released from the device vendor.
Tufin solution: Use the Software Version Compliance report to indicate the correct version that should be installed and check compliance on each of the devices on your network.

Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Tufin solution: Use SecureTrack’s Policy Analysis to simulate network traffic and verify separation of networks.

Sensor: File Integrity Software
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA, and others.
Score: Pass/Fail
Tufin solution: Tufin’s change monitoring automatically detects every change on every firewall, router and switch along with many additional devices including IPSs. Every change is saved and reported as part of a comprehensive audit trail with full accountability.

Sensor: Standard images
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA, and others.
Score: Pass/Fail
Tufin solution: SecureTrack can be used to check all of the layers that comprise a “standard image” or configuration for a security device. First, the Software Version Compliance report checks that the correct updates are installed on every device. Second, the Best Practices Audit checks that every device is configured according to the leading security standards. For Cisco devices, there is also the Cisco Device Configuration report that checks for common errors and misconfigurations. You can also use the Rule and Object Usage report to identify unused rules and objects on each device and remove them if they are no longer necessary. On top of these norms, you can define your corporate compliance policy, and use automatic alerts as well as the Corporate Compliance report to ensure that devices are continuously in accordance with your policy.

Sensor: Packet generation tools
Measurement: Confirm that the network infrastructure properly handles, routes and filters IPv6 traffic.
Score: Pass or Fail.
Tufin solution: Policy analysis enables you to simulate traffic and test your firewall and router configuration. It tests offline, so you do not have to load your network with test traffic.

[3] SANS 20 Critical Security Controls, Control 4, /control.php?id=4. All quotes in this section are from this control.
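The zone-based compliance policy and the rule expiration check described for Control 4 above, as an added example that is not Tufin's code or SecureTrack's implementation: it evaluates a constructed rule base first-match against black-list and white-list requirements, queues accept rules that are undocumented, expired, or close to expiring, and also runs the "rules with no log tracking" check that Control 6 mentions. Zone names, rule names, dates, and the audit date are assumed sample values.

```python
"""Zone-based compliance and recertification check over a firewall rule base (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                        # source zone, or "any"
    dst: str                        # destination zone, or "any"
    service: str                    # e.g. "tcp/443", or "any"
    action: str                     # "accept" or "drop"
    log: bool = True                # does the rule track (log) matching traffic?
    owner: str = ""                 # business owner documented for the rule
    expires: Optional[date] = None  # documented expiration date


@dataclass(frozen=True)
class Requirement:
    """One line of the corporate compliance policy."""
    src: str
    dst: str
    service: str
    expected: str                   # "drop" = black list entry, "accept" = white list entry


def _matches(pattern: str, value: str) -> bool:
    return pattern == "any" or pattern == value


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> Tuple[str, Optional[Rule]]:
    """First-match evaluation, as a firewall processes its rule base; unmatched traffic is dropped."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst) and _matches(rule.service, service):
            return rule.action, rule
    return "drop", None


def check_compliance(rules: List[Rule], policy: List[Requirement]) -> List[str]:
    """Return one finding per policy requirement that the rule base violates."""
    findings = []
    for req in policy:
        action, rule = evaluate(rules, req.src, req.dst, req.service)
        if action != req.expected:
            cause = rule.name if rule else "implicit default-deny"
            findings.append(f"{req.src}->{req.dst} {req.service}: expected {req.expected}, "
                            f"got {action} (rule: {cause})")
    return findings


def recertification_queue(rules: List[Rule], today: date, horizon_days: int = 30) -> List[Tuple[str, str]]:
    """Accept rules that are undocumented, already expired, or expiring within the horizon."""
    queue = []
    for rule in rules:
        if rule.action != "accept":
            continue
        if rule.expires is None or not rule.owner:
            queue.append((rule.name, "undocumented"))
        elif rule.expires < today:
            queue.append((rule.name, "expired"))
        elif rule.expires <= today + timedelta(days=horizon_days):
            queue.append((rule.name, "expiring"))
    return queue


def unlogged_accept_rules(rules: List[Rule]) -> List[str]:
    """Accept rules with no log tracking (the Control 6 best-practice check)."""
    return [rule.name for rule in rules if rule.action == "accept" and not rule.log]


# Constructed sample rule base, policy and audit date; nothing here comes from a real device.
AUDIT_DATE = date(2012, 3, 15)
RULES = [
    Rule("web-in", "internet", "dmz", "tcp/443", "accept", owner="web-team", expires=date(2013, 1, 1)),
    Rule("temp-rdp", "internet", "internal", "tcp/3389", "accept", log=False),  # exception never undone
    Rule("dmz-to-db", "dmz", "internal", "tcp/5432", "accept", owner="dba", expires=date(2012, 4, 10)),
    Rule("dns-out", "internal", "internet", "tcp/53", "accept", owner="netops", expires=date(2012, 2, 1)),
    Rule("cleanup", "any", "any", "any", "drop"),
]
POLICY = [
    Requirement("internet", "internal", "tcp/3389", "drop"),  # black list: no inbound RDP
    Requirement("internet", "internal", "tcp/22", "drop"),    # black list: no inbound SSH
    Requirement("internet", "dmz", "tcp/443", "accept"),      # white list: business continuity
    Requirement("internal", "internet", "tcp/80", "drop"),    # direct web must go via the proxy
]

if __name__ == "__main__":
    for line in check_compliance(RULES, POLICY):
        print("VIOLATION:", line)
    print("recertify:", recertification_queue(RULES, AUDIT_DATE))
    print("no log tracking:", unlogged_accept_rules(RULES))
```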

Critical Control 5: Boundary Defense

The 5th control focuses on the importance of establishing secure boundaries at a time when clear physical perimeters no longer exist. “It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, and levels of control.” [4]

Procedures and tools for implementing and automating this control

“The boundary defenses included in this control build on Critical Control 4. The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines.”

Tufin Security Suite can help organizations to comply with this control in two key ways:

- Policy Analysis: SecureTrack’s sophisticated policy analysis enables you to check network access between any source and destination. Using Network Topology Intelligence, it shows you all of the devices along the access path on a dynamic, visual map. With Policy Analysis you can ensure that there is no unjustified access to and from sensitive internal networks.
- Automatic Policy Generator: SecureTrack’s Automatic Policy Generator (APG) enables you to quickly and safely deploy firewalls on additional internal network segments without threatening business continuity. APG analyzes network traffic logs and designs a firewall policy that allows only the traffic that is actually required.

How can this control be implemented, automated, and its effectiveness measured?

Quick wins: Organizations should deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists). Tests can be periodically carried out by sending packets from bogon source IP addresses into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
Tufin solution: Define a Compliance Policy in SecureTrack that includes black list and white list traffic. Use the compliance alerts to notify about any configuration change that could violate the policy. Schedule the Compliance Audit report to periodically run and verify that all firewalls and routers are configured correctly.

Visibility/Attribution: Define a network architecture that clearly separates internal systems from DMZ and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are those whose primary communication is with other systems at a business partner. DMZ systems should never contain sensitive data and internal systems should never be directly accessible from the Internet.
Tufin solution: Define a zone-based Compliance Policy that ensures that traffic from the internal network cannot pass to the internet. Use the automatic alerts and reports to verify the network design and ensure that configuration changes do not violate the design in real time.

Visibility/Attribution: Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying white lists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Proxies can also be used to encrypt all traffic leaving an organization.
Tufin solution: With Policy Analysis, you can verify that no sensitive protocols go directly from the internal network to the internet, but pass through a proxy. Implement these tests as a compliance policy and use alerts and scheduled reports to enforce the policy and ensure continuous compliance.

Configuration/Hygiene: Organizations should periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.
Tufin solution: Use Policy Analysis to verify that there are no back-door connections to the firewalls.

Configuration/Hygiene: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
Tufin solution: With the Automatic Policy Generator, you can implement firewalls on additional network segments that have a non-permissive policy yet do not threaten business continuity. Use Rule Documentation to add a business justification to every access rule and to trigger alerts for expiring rules that require recertification.

Configuration/Hygiene: Organizations should develop plans to rapidly deploy filters on internal networks to help stop the spread of malware or an intruder.
Tufin solution: Using policy analysis can help you to plan where to install those changes, effectively assuring that when they are deployed, they are 100% effective.

Advanced: To minimize the impact of an attacker pivoting between compromised systems, only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels.
Tufin solution: Use Policy Analysis and a Compliance Policy to ensure that the DMZ can only access proxy servers.

[4] SANS 20 Critical Security Controls, Control 5, /control.php?id=5. All quotes in this section are from this control.

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

This control focuses on the need for thorough, meticulous logging of security systems and the ability to analyze those logs to identify both threats and security events. “Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.” [5]

Procedures and tools for implementing and automating this control

In the realm of firewalls and routers, Tufin SecureTrack maintains a complete audit trail of every configuration change that is made to every device configuration, rule base, or ACL, collected through a read-only connection. SecureTrack’s audit trail provides detailed information about every change, including full accountability on the part of the administrator who made the change. This change record is stored in the SecureTrack database, separated from the device, maintaining an independent security audit trail along with the complete device configuration.

SecureTrack includes several reports, including the Best Practices report and the Cisco Device Configuration Report (DCR), that check that other devices are set to log correctly.

With the Automatic Policy Generator (APG), SecureTrack also analyzes firewall traffic logs to locate overly permissive rules that may be abused by hackers. It proposes new, tighter rules based on actual usage traffic that can permit network traffic without preventing access for justified business needs and eliminate unnecessary access that was granted by old access rules.

How can this control be implemented, automated, and its effectiveness measured?

Visibility/Attribution: Each organization should include at least two synchronized time sources (i.e., Network Time Protocol, NTP) from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.
Tufin solution: The Cisco Device Configuration Report (DCR) checks to verify that your device is configured to the proper NTP servers.

Visibility/Attribution: Network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, should be configured to verbosely log all traffic (both allowed and blocked) arriving at the device.
Tufin solution: The Best Practice Report includes a check for “rules with no log tracking” across all firewalls.

[5] controls/control.php?id=6

Critical Control 13: Limitation and Control of Network Ports, Protocols and Services

Control 13 addresses the need to protect remotely accessible services and applications. “Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.” [6]

Procedures and tools for implementing and automating this control

SecureTrack’s sophisticated policy analysis enables you to check network access between any source and destination. Using Network Topology Intelligence, it shows you all of the devices along the access path on a dynamic, visual map. With Policy Analysis you can identify the services that can be accessed from untrusted networks as well as the presence of internal firewalls.

With Rule Documentation and Recertification, you can document the business owner and justification of each network access rule along with an expiration date. Alerts and reports will let you know when rules are expiring so that you can review the business justification for access regularly.

How can this control be implemented, automated, and its effectiveness measured?

Visibility/Attribution: Any server that is visible from the Internet or an untrusted network should be verified, and if it is not required for business purposes it should be moved to an internal VLAN and given a private address.
Tufin solution: Use SecureTrack Policy Analysis to identify the servers that are visible from an untrusted network. To validate and maintain business justification for visible servers, use Rule Documentation and Recertification to identify the business owner, and Rule and Object Usage Analysis to make sure that the access is being used.

Configuration/Hygiene: Services needed for business use across the internal network should be reviewed quarterly via a change control group, and business units should re-justify the business use. Sometimes services are turned on for projects or limited engagements, and should be turned off when they are no longer needed.
Tufin solution: See section

Configuration/Hygiene: Operate critical services on separate physical host machines, such as DNS, file, mail, web, and database servers.
Tufin solution: Use SecureTrack Policy Analysis to check these services. This check is standard in the PCI DSS compliance report.

Advanced: Application firewalls should be placed in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.
Tufin solution: Use Policy Analysis to verify that critical services are all behind application firewalls. With Palo Alto Networks Next Generation firewalls, you can use Policy Analysis to verify that application filtering is in place for critical services.

[6] ntrols/control.php?id=13

Conclusion

The SANS 20 Critical Controls are a valuable tool for evaluating the efficacy of your security operations and for defining a roadmap for ongoing improvement. A number of the controls are concerned with the configuration, monitoring and auditing of firewalls and other network security infrastructure. Tufin Security Suite is an essential solution for organizations that need to assure security and compliance for networks. It includes automation capabilities that enable you to track and audit every network configuration change, with full personal accountability. It gives you the in-depth analysis tools that you need in order to proactively evaluate risks and eliminate potential security loopholes. Given the complexity of today’s networks (the number of devices, the size of rule bases and ACLs, and the assortment of vendors), it is virtually impossible for security teams to manage device configuration manually.

Around the world, hundreds of customers are using Tufin Security Suite to improve security, streamline operations, and assure compliance with standards. Customers report that on average, Tufin cuts the time and cost of change management and auditing in half. It eliminates the routine, painstaking manual tasks that not only take up valuable time, but can lead to potentially dangerous errors. According to Frost & Sullivan, SecureTrack can reduce audit preparation time by as much as 75%, and just as important, can enable you to be continuously compliant.

For more information about Tufin and how it can help you to comply with the SANS 20 Critical Controls, visit us at www.tufin.com.

Copyright 2015 Tufin. Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
