Tufin Review

Helps our security admin become more accurate, reducing errors

What is our primary use case?

Our primary use case is rule automation, but we also use it for rule cleanup, auditing, and policy management, for the ease of use. 

To better understand the problem we're addressing, we have about 2,000 firewalls globally. It would be easiest to manage them all by territory. For example, all the firewalls on the African continent would get managed as a group. The North American policy would include Canada, US, and Mexico. We would do the same for South America, the Asian continent and China. That's the way we'd like to divide it. Right now we're working on trying to fix that so that we can address all these issues as a business. Right now, they're all individual sites and there a lot of sites, hundreds.

How has it helped my organization?

This tool allows our security admins to check their work before they implement a security change. When applications require firewall changes in order to work, those application teams will submit a firewall change request. The security admin will implement the firewall change, and it may or may not work. This tool helps them become more accurate. So, it reduces errors.

We have found that the change workflow process is flexible and customizable.

We have seen a reduction in unused policies.

We use this solution to automatically check if a change request will violate any security policy rules. We flag rules with no login turned on, promiscuous protocols (by default), clear text protocols, unsecured protocols, and Telnet.

This solution allows us to get rid of all of those any-any rules. Or, it flags all of the any-any rules. When we implement new software, and we do that a lot, of course the software technicians will say, "Hey, I need you to open up all the ports to these servers." And we have a few hundred sites. So the best way to get that service or that software, that technology or application, working is to allow all the traffic to and from that particular service. But that's a very bad security practice. And once a developer gets something working, they're done. They're not thinking about securing it. Once it's done they don't go back and say, "Oh, hey listen. I need you to close some of those ports down or restrict some of the traffic." They're not worried about that. So those things stay open until we can figure out how to clean it up.

This tool is our first step toward globalization. It gives us the ability to deploy shared policies around the world. Those items which are in the shared policy, they apply to all our firewalls, no matter what. It is not just in certain territories. What is in the shared policy goes to Africa, Canada, Zimbabwe, China, and Russia. It goes everywhere. This tool does that.

What is most valuable?

The Topology Map is its most valuable feature. With hundreds of sites, thousands of firewalls, and a lot of people touching every element of the firewall, we have security administrators all over the world. And a lot of the security administration, the rule changes, etc., is outsourced. When it gets outsourced, the person who is making the changes will make them as best they can, but may not know our topology well enough to make an intelligent change. In other words, they've been making a lot of mistakes. There have been a lot of errors breaking some stuff, and rules made that don't necessarily work. The reason they do that is because they don't know where the firewalls are. The topology map is a very easy way to illustrate that. There's a feature with Topology where you can put in two points, and it will show you the path. That's definitely what they need.

The visibility that the solution provides us is unsurpassed. 

What needs improvement?

I would like better management of BitTeller boxes. BitTeller reduces complexity in the Cisco environment. Right now, Tufin doesn't handle those well. BitTeller devices are basically like smart switchers or smart routers. Normally, when you have switches and routers in an organization, somebody has to program the traffic to calculate the fastest path between any two points. BitTeller does that automatically. And because it's done automatically, and it's done with a proprietary solution or code, we don't really know how it works. It just works. It's kind of a "magic box." When Tufin interacts with a switcher or router, what it usually does is download the routing table and, according to what's listed in the routing table, it can route traffic or develop the topology map. But when it runs across a BitTeller device, it doesn't really know what to do with it at all. It comes up with a question mark or a broken link. But they're working on that.

For how long have I used the solution?

We bought it three years ago, but we just started the implementation about six months ago. Our SecureTrack is version 19-1.

What do I think about the stability of the solution?

We have had a couple of stability issues, but it is not due to Tufin. It probably has more to do with what we do and how we implemented it. I've not noticed any instability, but both PwC and Tufin have noticed a lot of latency. Therefore, we're both taking steps toward reducing it.

What do I think about the scalability of the solution?

Aside from the latency that we have seen, the scalability has been awesome. 

We are at a place where we have roughly 2500 objects in Tufin. Most of those are firewalls. If you can imagine, that is a significant undertaking. We see thousands of changes a day. We are at the top of the scale. If anybody is going to blow up something, it would be us.

How are customer service and technical support?

The technical support is awesome and unsurpassed. They meet with us twice a week.

Eric Opp has been a big help to us.

If you previously used a different solution, which one did you use and why did you switch?

We didn't have a solution before Tufin. We were manual before that. The whole reason for even trying to go to Tufin was to stop being so manual in what we do and to try to standardize the way some of these functions happen. We have a higher level of directive to reduce the amount of staff needed to perform some of these tasks. So, automation is imminent.

How was the initial setup?

While it was before my time, I think the initial setup was straightforward.

What about the implementation team?

I think we went direct for the deployment.

What was our ROI?

We have seen ROI. Today, other teams call us when they can't get something to work. The reason they call us is because we can use the Topology Map to help them troubleshoot solutions. When something is not working and they know they have opened rules, they know they can look at what they have, but we can look at the Topology Map and see what else is in the way. It has been priceless.

What's my experience with pricing, setup cost, and licensing?

Go with Tufin before the price triples.

Which other solutions did I evaluate?

We considered other solutions, but Tufin has the best offering. It's much further along. I've seen other people trying to use other solutions. Also, nobody else is really doing this. We could attempt to go with someone else, but they are not even close. Even if they were, we are going to have the same roadblocks and same problems, probably more, with less support.

Tufin is pretty intuitive, even I if you don't know how to use it. For the most part, the pieces are logical. Secondly, implementation is fairly straightforward, for the most part. It depends on the complexity of the environment. And for us, we're moving to Palo Alto and Tufin manages Palo Alto fairly well. If you were in a Check Point environment, that might be a little different. And usually, other solutions only manage one type of device. They'll claim they can integrate with others, but it's almost always just the one type of device. What that means for your organization is that all 2,000 firewalls have to be the same device, and that's not practical.

What other advice do I have?

While the solution could help us reduce the time it takes to make changes, we use it more to perform an integrity check for those changes. 

Our engineers are not yet spending less time on manual processes, but they will be. We are getting there. That is the overall objective: to reduce the amount of time that goes into these changes.

For their mission, I give them a ten out of 10. For their vision, a ten. For where they are trying to go a ten. For maturity, getting there, and being there, I would give them more like a nine, but they are not that far off from a ten. They are very close, just not quite there. They are getting closer. They will be there within a year.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
See it in Action

Schedule Your Tufin Demo Now

Add a Comment
Sign Up with Email