Skybox Release Notes 9.0.200 Revision: 12


Post on 28-May-2020


Proprietary and Confidential to Skybox Security. © 2018 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal

Contents

Introduction

Skybox minimal system requirements

What’s new in this version
› Skybox platform
› Skybox Firewall Assurance and Network Assurance
› Skybox Change Manager
› Skybox Vulnerability Control

What’s new in previous versions
› Skybox platform
› Skybox Firewall Assurance
› Skybox Change Manager
› Skybox Network Assurance
› Skybox Vulnerability Control

Chapter 1

Introduction

This document includes information about new features and updates in version 9.0.200, with a feature list for this version as well as a list for previous versions (8.5.500 and higher).

› Skybox 7.5 and 8.0 are no longer supported.
› Support for all releases of Skybox 8.5 ends in February 2019.

About Skybox products

Skybox Security’s powerful risk analytics platform provides security teams with continuous intelligence about vulnerabilities and network security risks, with no network disruption.

› Skybox solutions prioritize the most critical risks in minutes, and provide detailed remediation options.

› Skybox solutions automate the complex security management processes required to maintain security controls and eliminate attack vectors, filtering out irrelevant data and delivering accurate results in a fraction of the security management time.

For more details visit the Skybox Security website or see the product documentation


Chapter 2

Skybox minimal system requirements

The minimal system requirements for Skybox are available here

Chapter 3

What’s new in this version

This chapter includes a description of the new features and updates in Skybox version 9.0.200.

In this chapter

› Skybox platform
› Skybox Firewall Assurance and Network Assurance
› Skybox Change Manager
› Skybox Vulnerability Control

Skybox platform

Supported Linux versions

› CentOS 6 and RHEL 6 are no longer supported for new installations; you must use CentOS 7 or RHEL 7.

› As of June 2019, CentOS 6 and RHEL 6 will no longer be supported at all.

Linux installation packages

As specified in the Installing packages section in the Skybox Installation and Administration Guide: after installing Linux and before installing Skybox, you must install additional software packages. The list of packages has been updated to include NUMA, which is required because of changes in MySQL.

To check which CentOS version you have, use the command get_appliance_details

› For CentOS 7, the package is installed using the following command: yum -y install numactl-libs

› For existing CentOS 6 installations using Skybox ISO, the package is installed by running the command yum -y install numactl

› For existing CentOS 6 custom installations, do the following:

• Check whether the NUMA package is already installed by running the command rpm -qa | egrep numa

• If the package is not installed, install it by running the command yum -y install numactl

Note: It is not necessary to install NUMA on remote Collectors.
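The version check and package choice above, as an added shell example that is not taken from the Skybox documentation: it only prints the command to run and never calls yum itself. Reading /etc/redhat-release instead of get_appliance_details, matching the exact package name rather than any name containing "numa", and applying the CentOS 7 package name to any release with major version 7 are assumptions.

```shell
#!/bin/sh
# Added example: plan the NUMA package step without changing the system.
# Function names are hypothetical; nothing here installs anything.

# Extract the major OS version from a release string such as
# "CentOS Linux release 7.4.1708 (Core)" or "CentOS release 6.9 (Final)".
os_major() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# Map the major version to the package named in the release notes.
numa_pkg_for_major() {
    case "$1" in
        7) echo "numactl-libs" ;;
        6) echo "numactl" ;;
        *) return 1 ;;
    esac
}

# Succeed if an `rpm -qa` listing already contains exactly that package.
# $1 = package name, $2 = rpm -qa output.
# Stricter than `rpm -qa | egrep numa`, which would also match numactl-devel.
numa_installed() {
    printf '%s\n' "$2" | grep -Eq "^$1-[0-9]"
}

# Print what to do. $1 = release string, $2 = rpm -qa output.
# Returns 2 when the release is not one the notes cover.
plan_numa_step() {
    major=$(os_major "$1")
    pkg=$(numa_pkg_for_major "$major") || {
        echo "unsupported: major version '${major:-unknown}'"
        return 2
    }
    if numa_installed "$pkg" "$2"; then
        echo "ok: $pkg already installed"
    else
        echo "run: yum -y install $pkg"
    fi
}

# Live use on the Skybox Server host (assumes /etc/redhat-release exists):
#   sh numa_check.sh --live
if [ "${1:-}" = "--live" ]; then
    plan_numa_step "$(cat /etc/redhat-release)" "$(rpm -qa)"
fi
```
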


Skybox licenses

For users of Skybox in virtual network environments, there is now a new license called Network Assurance for Cloud.

The Network Assurance for Cloud license provides users full visibility of their cloud environment and the entire hybrid network, and enables them to perform access path analysis of north-south traffic as well as east-west traffic, and to ensure full security using end-to-end Access Compliance for devices in virtual network environments. Network Assurance for Cloud is accessible from the Network Assurance workspace.

Important: This license can only be used with version 9.0.205 and above.

SOAP APIs

Support for Axis-1 SOAP APIs has been deprecated. Skybox supports only JAX-WS SOAP APIs.

Asset search

Asset search was improved and now searches on all the asset name fields (Asset Name and also Other Names).

Qualys collection

Tasks of type Scanners - Qualys Collection can now retrieve vulnerability occurrence data from Qualys databases as well as Qualys scans.

In the Filter area of the task, set the Collection Method field to Database.

Cisco ACI

Note: The release date for this feature is March 26th, 2018.

› Skybox now integrates with Cisco ACI, to enable visibility and end-to-end access analysis in ACI software defined networks. Skybox imports the ACI configuration from the Cisco Application Infrastructure Controller (APIC) and creates a virtual model of the fabric layer, including bridge domains and virtual routers as well as the access control layer, EPGs and contracts. Skybox supports APIC versions 2.x and 3.x using RESTful APIs.


› Data from Cisco ACI servers can be collected using Cloud & Virtualization – Cisco ACI Collection tasks.

The following table shows the mapping between entities and their names in Skybox, Azure, AWS, and Cisco ACI.

| Skybox | Azure | AWS | Cisco ACI |
|---|---|---|---|
| Asset | VM | EC2 | VM |
| Virtual Domain | VNET | VPC | Tenant |
| Security Group | Network Security Group | Security Group | EPG (Endpoint Group) |
| Security Tag | -- | -- | Contract |
| Network | Subnet | Subnet | Subnet |
| LB Rules | Load Balancer | Load Balancer | -- |
| ACL | Network Security Group | Network ACL | Filter |
| NAT Rule | Public IP | Elastic IP | -- |
| VRF | Routing Table | Route Table | VRF |
| VPN | Express Route (not yet supported by Skybox) | DirectConnect | -- |

Skybox Firewall Assurance and Network Assurance

Asset analysis

Asset analysis was improved and now supports reporting of assets which had configuration differences between running and startup configs.

Skybox Change Manager

Custom fields for custom change requests

Administrators can now create better custom change requests by including different types of custom fields (string, number, date, boolean, and list) in each custom change request type. The custom fields can also be set as mandatory.

In addition, specific custom change request types can now be enabled per workflow, just as other change request types can.

Modify rule position

You can now use Modify Rule change requests to submit a request to modify a rule's position.

Automatic implementation for Panorama and FortiManager

The automatic implementation feature was extended and now supports Modify Rule change requests for firewalls managed by FortiManager and Panorama.

Recertification field group enhancement

The Recertification field group now includes the following fields to help you figure out whether the rules should be recertified.

› Usage
› Actual Rule Usage
› Hit Count

New API methods for automatic implementation

The following API methods were added to support automatic implementation of change requests from Change Manager tickets:

› getImplementedChangeRequests: This method retrieves the list of implemented change requests in Skybox Change Manager.

› getNotImplementedChangeRequests: This method retrieves the list of not yet implemented change requests in Skybox Change Manager.

› implementChangeRequests: This method implements the change requests that it receives.

Skybox Vulnerability Control

Web Application vulnerabilities & configuration weaknesses

Coverage for security issues was extended and now supports web application vulnerabilities and configuration weaknesses collected by Tenable scanners.

Chapter 4

What’s new in previous versions

This chapter includes information about new features and updates in previous Skybox versions 8.5.500 and higher.

In this chapter

› Skybox platform
› Skybox Firewall Assurance
› Skybox Change Manager
› Skybox Network Assurance
› Skybox Vulnerability Control

Skybox platform

Check Point vSEC

The Firewalls - Check Point R80 Security Management collection task was enhanced and now supports collection of vSEC, the firewalls for cloud environments.

Note: No parameters were changed in the task.

Palo Alto Networks VM series

The Firewalls - Panorama collection task was enhanced and now supports collection of Palo Alto Networks VM Series, the firewalls for cloud environments.

Note: No parameters were changed in the task.

Global Exclude list

The global exclude list (available in Tools > Options > Server Options > Task Settings > Global Task Settings) was enhanced and now supports an advanced mode that enables you to exclude devices by additional criteria, including:

› Asset Type
› Operating Systems
› OS Vendor
› Services

• No Services

• Specific Services

› Products

Connectors

› Asset Management – Active Directory Collection tasks retrieve device data from a Microsoft Active Directory database and add the data to the current model.

Changes to the Network API

The following API methods were added. They are the same as the previous versions except that they also return the description field (the access rule comment).

› findAccessRulesV2
› getAccessRulesV2
› findObjectAffectedAccessRulesV2
› createRecertifyTicketV2

Vulnerability Detector for Network Devices

Vulnerability occurrences can now be extracted from firewall configuration data of additional devices using Analysis – Vulnerability Detector for Network Devices tasks. The following devices are now supported:

› Arista (new)
› Check Point
› Cisco ASA and FWSM firewalls
› Juniper NetScreen
› Juniper Junos
› Palo Alto (new)

Model encryption password can be changed

Skybox encrypts the model with a password when saving it and uses the same password to decrypt it when loading the model. A default password has always been used. This password can now be changed if required for security purposes. However, if the password is changed, you will not be able to load models encrypted with the previous password.


Connectors

› Firewalls – Check Point GAIA Collection tasks retrieve Check Point GAIA firewall configuration data from Check Point Management Servers and add it to the model.

› Routers – Dionis Collection tasks retrieve configuration data from Dionis NX routers and add it to the model.

› Operational Technology – SecurityMatters Collection tasks retrieve configuration data from SecurityMatters platforms and add it to the model.

› Firewalls – Forcepoint NGFW Collection tasks retrieve configuration data from Forcepoint NGFW firewalls and add it to the model.

This task replaces the StoneGate parser. However, unlike the parser:

• The task does not require a mapping.txt file

• The task runs on either Linux or Windows

› Scanners – CyberX Collection was renamed to Operational Technology – CyberX Collection

Connectors

› Hit counts for Cisco IOS routers

Skybox now supports collection of hit counts for Cisco IOS based routers from the collection task.

› WhiteHat Sentinel

Scanners – WhiteHat Sentinel Collection tasks retrieve the vulnerability occurrences found by these scanners and add the data to the current model.

› Junos Space

Firewalls – Junos Space Collection tasks use a proprietary Juniper API to connect to Junos Space platforms. These tasks retrieve configuration data of Junos firewalls that are managed by the Junos Space platform and add it to the current model.

These tasks have the following limitations:

• Dynamic routing rules cannot be collected from Junos Space platforms.

• There is a difference between the information available through SSH commands (in Firewalls – Junos Collection tasks) and that available through REST APIs (in Firewalls – Junos Space Collection tasks). This may cause differences in the way the devices are represented in the model.

FortiGate applications

Skybox now supports application information on FortiGate devices.

Check Point syslog in CEF format

Skybox now supports rule usage logs in CEF format for Check Point firewalls. These logs are usually forwarded from ArcSight.

Skybox Firewall Assurance

Custom user roles - reports

Customizing the report permission level is now available for custom user roles, as shown below.

Rule usage analysis for Cisco IOS routers

Rule usage analysis for Cisco IOS routers is now supported using the data retrieved directly by the Cisco device command (that is, show access-lists) in addition to data retrieved from syslog. The collection task was extended and now enables you to select whether to retrieve the hit counts of the access rules in addition to the configuration of the device.

Rule usage analysis is then immediately available after collection of the routers.

STIG Configuration Policy for Cisco IOS routers

The STIG Configuration Policy now includes a section for Cisco IOS routers, in addition to the existing section for Cisco firewalls.

If you do not see this policy after updating, right-click Configuration Policies, select Import Configuration Policy, and then select STIG_v2.xmlx

Rule Exceptions

Exceptions of types Firewall Exception, Access Policy Exception, and Rule Policy Exception are no longer created, though they are still supported for backward compatibility.

Note: Existing exceptions of type Rule Policy Exception are now listed as Rule Exception.

Skybox Change Manager

Automatic Implementation

Automatic implementation was extended to support:

› Check Point R80

• Add Rule change requests (added in Skybox version 8.5.600)

• Modify Rule change requests

› Panorama

• Add Rule change requests

› FortiManager (version 5.2 and higher)

• Add Rule change requests

View the firewall rule base

Users of Change Manager can now view the firewall rule base in selected workflows, in the request phase.

1 Tools > Options > Server Options > Change Manager Settings > Workflows

2 Select the workflow in which you want to enable this feature, and go to the request phase.

3 In the Phase properties, select Allow users to view firewall rules.

When this option is enabled, users creating a ticket will see a View Rules button in the Change Requests panel. They can click it, select a firewall, and see its access rules, as shown below.

Activate Rules Change Requests

Change Manager now supports Activate Rules change requests.

The new change request type can be enabled per workflow. When it is enabled, users can submit change requests for activating disabled rules.

The setting is shown in the following screen capture.


The request type (as it appears in new tickets) is shown in the following screen capture.

Modify Object Name

The Modify Object change request now enables users to submit a request to modify an object's name.

Automatic implementation for Check Point R80

Change Manager now enables automatic implementation of Add Rule and Add Object change requests for Check Point R80 firewalls.

Ticket notifications can now include recertification information

Ticket notifications (done via triggers) were enhanced and can now include recertification information.

Zone/interface information in change requests

For zone or interface based firewalls, Change Manager now automatically includes the zone or interface information when calculating Access Update and Add Rule change requests. This information is available in the Additional Details column.

Automatic implementation of rules with expiration dates

Change Manager now supports automatic implementation of rules with expiration dates.

Revised upper ticket panel

The upper ticket panel which contains the general ticket information is now editable. Users who can edit the ticket at each phase can also edit these fields (Title, Priority, and Description).

The Additional Information section is hidden by default, to allow more information about the phase itself to be displayed.

Rule Exceptions

Only one type of exception (called Rule Exceptions) is now created in Change Manager, regardless of the way policy compliance is calculated (firewall or network mode).

Skybox Network Assurance

Rule Exceptions

Skybox now uses a single type of exception – called a Rule Exception – instead of 3. From now on, exceptions will always be associated with the rule that caused the violations, and include the following fields:

Exceptions of types Firewall Exception, Access Policy Exception, and Rule Policy Exception are no longer created, though they are still supported for backward compatibility.

Note: Existing exceptions of type Rule Policy Exception are now listed as Rule Exception.

Skybox Vulnerability Control

Web Application vulnerabilities & configuration weaknesses

Coverage for security issues was extended and now supports web application vulnerabilities and configuration weaknesses collected by Qualys scanners.

All security issues are modeled as custom vulnerabilities and are used in security metrics, analyses, tickets, etc.

Note: Only CVE-based vulnerabilities are used for exposure analysis.


Threat Alert tickets with multiple vulnerability definitions

Threat Alert tickets can now be created for several vulnerability definitions at once by selecting the vulnerability definitions and creating a ticket.

Custom vulnerability solution enhancements

Custom vulnerability solutions for threat alert tickets and vulnerability occurrence tickets can now be reused by other tickets that are associated with the same vulnerability.