What are Next Generation Firewalls and why has it become critical to detect application-specific attacks

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. With the award-winning Tufin Security Suite, security teams are successfully managing firewall operations and performing audits and risk assessments – often in half the time. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 800 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Palo Alto Networks, Fortinet, F5, Blue Coat, McAfee and BMC Software, and is known for technological innovation and dedicated customer service.

In the following interview, Ruvi Kitov, CEO and Co-Founder of Tufin Technologies, discusses 1:1 with Rake Narang, Editor-in-Chief of Info Security Products Guide, what Next Generation Firewalls are and why it has become critical to detect application-specific attacks.

Rake Narang, Editor-in-Chief: What are Next Generation Firewalls and how are they evolving with the changing business processes and security threats? How does one separate hype from reality when it comes to NGFWs today?

Ruvi Kitov: Unlike traditional network layer firewalls, which filter traffic based on IP addresses, port numbers and IP protocols, next-generation firewalls drill into traffic to identify the applications traversing the network and the identity of the users. A next-generation firewall is a gateway device that looks at a packet from more than just a simple Layer-3 perspective to determine whether it should be allowed through a port. It looks at Layers 3 through 7 and gains an application-level and identity-based understanding of the connection, allowing it to make more sophisticated decisions.

This changes the inherent structure of a firewall rule, which is what we at Tufin are concerned with.  Instead of writing a generic rule such as “Allow server A to connect to server B over port 80,” firewall administrators can write laser-focused rules: “Allow Joe to use LinkedIn, but block him from using Facebook if he’s within the corporate network.”

Having the ability to filter and manage traffic at the application level increases the relevance of firewalls, but with this new responsibility comes added complexity. Determining if a change on a network firewall introduced a new threat has already become incredibly hard to do without automation. Rule changes on next-gen firewalls are even harder because they are application- and identity-aware. Crafting -- not to mention auditing -- granular, application-aware policies and rules is harder, because there are so many more possible decision points. Tufin’s automation not only eliminates the increased management burden, but ensures administrators can fully leverage the enhanced functionality of next generation firewalls.


Rake Narang: How have first-generation firewalls become ineffective in dealing with current and emerging threats? Why has it become critical to detect application-specific attacks?

Ruvi Kitov: Few enterprises had a pressing need for an application-aware firewall until we had core business services running through port 80 (the standard port for web traffic). Over time, HTTP has become a platform running countless individual applications -- chat, video, file transfer, social networks, games, and even enterprise applications such as Salesforce.com. These applications are all going over the Internet, so network firewalls lump a vastly diverse set of business applications together because all they can see is if they are HTTP or HTTPS applications, to be routed through port 80 (for HTTP) or port 443 (for HTTPS). As a result, firewall administrators with traditional network-layer firewalls had no choice but to allow port 80 and port 443 through their firewalls, and have little or no control over what type of traffic actually uses those openings. Next generation firewalls have similar protection against application-specific attacks as do network-layer firewalls, but allow a much more versatile security policy, in which application access is granted only to certain networks and individuals, which in turn enables lower exposure to application-specific attacks.

Rake Narang: Your organization has recently added network topology graphs to your products. What benefits do these topology graphs provide to network administrators?

Ruvi Kitov: Tufin’s topology mapping provides several benefits to network administrators. The first and most obvious one is the understanding of your network topology: knowing which network devices will be traversed by any type of connection between two points on your network. Implementing a corporate security policy across a complex network with multiple firewalls, routers and switches requires exactly this type of understanding, for risk analysis and compliance management. Security-conscious organizations are implementing governance controls to analyze proposed network configuration changes that are scheduled for approval. A comprehensive approach to network configuration change analysis requires a broader view of each proposed configuration change, to answer several important questions:

  1. Which network devices will be traversed by the proposed connection, and therefore need to be reconfigured in order to implement this change?
  2. Is the proposed change secure and compliant with corporate and regulatory compliance policies, on each of the affected network devices?

With the advent of Tufin’s Network Topology Intelligence, these questions can be answered, to enable much faster decision making and correct change implementation.
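The two questions above, and the earlier contrast between a port-based rule and an application-aware one, can be illustrated with a small change-analysis model. This is an added example written for this page, not Tufin's code: it computes which devices a proposed connection traverses (longest-prefix routing hop by hop), evaluates each firewall's rules along that path, and flags a hop as non-compliant when a port-only rule would let a blocked application through. Device names, addresses and rules are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Device:
    name: str
    kind: str                  # "router" or "firewall"
    routes: dict               # dst prefix -> next-hop device name; None = directly connected
    rules: list = field(default_factory=list)  # (action, src, dst, port|"any", app|"any"), first match wins

def next_hop(dev, dst):
    """Longest-prefix match in the device's routing table; raises if no route exists."""
    matches = [(ip_network(p), nh) for p, nh in dev.routes.items() if ip_address(dst) in ip_network(p)]
    if not matches:
        raise ValueError(f"{dev.name}: no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path_for(topology, entry, dst):
    """Walk next hops from the entry device until the destination is directly connected."""
    path, cur = [], entry
    while cur is not None:
        if cur in path:
            raise ValueError(f"routing loop at {cur}")
        path.append(cur)
        cur = next_hop(topology[cur], dst)
    return path

def decision(fw, src, dst, port, app):
    """First-match evaluation; a traditional L3/L4 rule uses app='any' and cannot tell apps apart."""
    for action, s, d, p, a in fw.rules:
        if (ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                and p in (port, "any") and a in (app, "any")):
            return action
    return "deny"  # implicit cleanup rule

def analyze_change(topology, entry, src, dst, port, app, blocked_apps):
    """Return the traversed path and, per firewall on it, (name, verdict, compliant)."""
    path = path_for(topology, entry, dst)
    report = []
    for name in path:
        dev = topology[name]
        if dev.kind == "firewall":
            verdict = decision(dev, src, dst, port, app)
            report.append((name, verdict, not (verdict == "allow" and app in blocked_apps)))
    return path, report

# Constructed sample topology (hypothetical names and addresses, not a real network).
TOPOLOGY = {d.name: d for d in [
    Device("core-rtr", "router", {"10.0.0.0/8": None, "0.0.0.0/0": "fw-internal"}),
    Device("fw-internal", "firewall", {"10.0.0.0/8": "core-rtr", "0.0.0.0/0": "fw-edge"},
           [("allow", "10.0.0.0/8", "0.0.0.0/0", 443, "any")]),          # port-based rule only
    Device("fw-edge", "firewall", {"0.0.0.0/0": None},
           [("allow", "10.0.0.0/8", "0.0.0.0/0", 443, "linkedin"),       # application-aware rules
            ("deny", "10.0.0.0/8", "0.0.0.0/0", 443, "facebook")]),
]}
BLOCKED_APPS = {"facebook"}   # constructed corporate policy: not allowed from the internal network
```

Running `analyze_change(TOPOLOGY, "core-rtr", "10.1.2.3", "203.0.113.10", 443, "facebook", BLOCKED_APPS)` shows the port-only rule on fw-internal passing the blocked application while the application-aware fw-edge denies it, which is exactly the per-device compliance question the change review has to answer.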

Company: Tufin Technologies
15 New England Executive Office Park,
Burlington, MA 01803

Founded in: 2005
CEO: Ruvi Kitov
Public or Private: Private
Investors: Independently funded
Products: Tufin has two core products:  SecureTrack, its firewall operations management and auditing product, and SecureChange, its security change automation solution.

Tufin SecureTrack™ is the industry-leading Security Operations Management solution for network and next generation firewalls as well as network infrastructure including routers, switches, load balancers and web proxies. SecureTrack features powerful tools that eliminate routine, manual tasks while assuring security and business continuity for large and small enterprises.  It also enables organizations to comply with regulatory standards and successfully pass security audits. SecureTrack combines triggered compliance alerts with built-in reports such as PCI DSS 2.0 to dramatically reduce audit preparation times.

SecureChange - Security Change Automation - Tufin’s pioneering SecureChange solution enables companies to automate security change management and risk analysis for the network. With SecureChange, companies can automate business processes to proactively enforce security policies and support governance initiatives.

Company’s Goals: To continue to lead the market in delivering solutions that enable security administrators to more proactively, strategically, and efficiently manage network security operations.
