skyboxdownloads.skyboxsecurity.com/files/installers/...skybox now integrates with cisco aci, to...

Skybox

Release Notes

9.0.400

Revision: 11

Proprietary and Confidential to Skybox Security. © 2018 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal

https://lp.skyboxsecurity.com/ContactMe1.html

mailto:[email protected]

https://www.skyboxsecurity.com/support/portal

https://www.skyboxsecurity.com/support/portal

Skybox version 9.0.400 3

Introduction ........................................................................................... 4

Skybox minimal system requirements........................................................ 5

What’s new in this version ........................................................................ 6 Skybox platform ....................................................................................... 6 Skybox Web UI ........................................................................................ 7 Skybox Firewall Assurance and Skybox Network Assurance ............................ 7 Skybox Change Manager ........................................................................... 8

What’s new in previous versions .............................................................. 11 Skybox platform ..................................................................................... 11 Skybox Firewall Assurance ....................................................................... 17 Skybox Web UI ...................................................................................... 20 Skybox Change Manager ......................................................................... 24 Skybox Network Assurance ...................................................................... 31 Skybox Vulnerability Control .................................................................... 31

Contents


Chapter 1

This document includes information about new features in version 9.0.400, with a feature list for this version as well as a list for previous versions (9.0.100 and higher).

› Skybox 7.5 and 8.0 are no longer supported. › Support for all releases of Skybox 8.5 ends in February 2019.

About Skybox products Skybox Security’s powerful risk analytics platform provides security teams with continuous intelligence about vulnerabilities and network security risks, with no network disruption.

› Skybox solutions prioritize the most critical risks in minutes and provide detailed remediation options.

› Skybox solutions automate the complex security management processes required to maintain security controls and eliminate attack vectors, filtering out irrelevant data and delivering accurate results in a fraction of the security management time.

For more details visit the Skybox Security website or see the product documentation

Introduction

https://www.skyboxsecurity.com/

http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/9.0/9.0.300/Docs

http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/9.0/9.0.300/Docs


Chapter 2

The minimal system requirements for Skybox are available here

Skybox minimal system requirements

https://lp.skyboxsecurity.com/WICD-2017-12-DS-System-Requirements_03AssetLP.html


Chapter 3

This chapter includes a description of the new features and updates in Skybox version 9.0.400.

In this chapter

Skybox platform ................................................................... 6

Skybox Web UI ..................................................................... 7

Skybox Firewall Assurance and Skybox Network Assurance ........ 7

Skybox Change Manager ....................................................... 8

Skybox platform

Change tracking for the cloud As of this version, change tracking is available for the cloud as well as for physical firewalls.

› Change tracking for the cloud enables tracking changes in AWS, Azure, NSX, and Cisco ACI platforms and will be analyzed as part of Analysis – Change Tracking tasks. The system tracks the following changes in Security Groups:

• New rule/object/security group

• Modified rule/object/security group

• Deleted rule/object/security group

For each change, full change details and affected assets information are available, as well as comparison of the status before and after the change.

› Changes in dynamic membership criteria in supporting platforms (NSX and Cisco API) are also listed.

› Known limitations

• This feature is supported only in the Web UI, not in the Manager.

• Reconciliation is not calculated for cloud changes, so the change status is always ‘Pending’ unless it is changed manually.

What’s new in this version

Chapter 3 What’s new in this version


Connectors Firewalls – Cisco Firepower Management Center Collection tasks retrieve configuration data of Cisco Firepower Threat Defense firewalls from Cisco Firepower Management Centers and add this data to the current model.

Skybox Web UI

Change tracking for the cloud Change tracking for the cloud is supported in the Web UI. This feature enables tracking changes in AWS, Azure, NSX, and Cisco ACI platforms.

For further information, refer to Skybox platform (on page 6).

Changes to dashboard display The display of dashboards in the Web UI was improved and now includes tabs for easy access.

The tabs can be arranged according to user preferences using drag and drop to change their order. In addition, lower priority dashboards can be moved to a

drop-down list by clicking the arrow next to their name:

Skybox Firewall Assurance and Skybox Network Assurance

New trigger types Triggers (notifications) were expanded to support Firewall Assurance Rule Compliance violations and Network Assurance Access Compliance violations.

Skybox Release Notes


In addition, these trigger types and Firewall Assurance Access Compliance violations triggers can now invoke scripts as well as sending email notifications.

Skybox Change Manager

Multi-tier change requests Skybox Change Manager supports multi-tier change requests; that is, original change requests with several derived change requests that belong to different users. Each derived change request can have a different owner, based on firewall permissions. In this way, the derived change requests can be reviewed/approved simultaneously.

The owners of the derived change requests are the ones with firewall permissions to the relevant firewalls. Each firewall owner can receive notifications about the derived change requests for the firewalls under their responsibility and must review those change requests.

Users without relevant firewall permissions will not have access to all the data in the ticket (including the routes); all confidential information that does not belong to them will be obfuscated.

Chapter 3 What’s new in this version


Multi-tier change requests can be automatically promoted to the next phase when all firewall owners have completed the ticket phase review.

Activate this feature from Tools > Options > Server Options > User Settings > User Permissions.

Note: Restart the Manager after you activate or deactivate this feature.



Attachment permissions By default, all Change Manager ticket attachments can be deleted by any Change Manager user. We have added an option to limit this permission to Administrators only or to the user group of the attachment creator.


Chapter 4

This chapter includes information about new features and updates in previous Skybox versions 9.0.100 and higher.

In this chapter

Skybox platform ................................................................. 11

Skybox Firewall Assurance ................................................... 17

Skybox Web UI ................................................................... 20

Skybox Change Manager ..................................................... 24

Skybox Network Assurance .................................................. 31

Skybox Vulnerability Control ................................................ 31

Skybox platform

Custom list fields for business attributes Custom list fields can now be added to business attributes of both Access Rules and Assets. To do this, you create a business attribute of type List, and then specify a set of values. You can specify one of these values as the default value.

As with other field types, you can provide a field hint. However, when a default value is displayed, the field hint is not shown.

What’s new in previous versions



New Connectors

› Routers – Brocade VDX Collection tasks retrieve configuration data from Brocade VDX routers and add this data to the current model.

› Routers – Vyatta Collection tasks retrieve configuration data from Vyatta routers and add this data to the current model.

Supported Linux versions

› CentOS 6 and RHEL 6 are no longer supported for new installations; you must use CentOS 7 or RHEL 7.

› As of June 2019, CentOS 6 and RHEL 6 will no longer be supported at all.

Linux installation packages As specified in the Installing packages section in the Skybox Installation and Administration Guide: after installing Linux and before installing Skybox, you must install additional software packages. The list of packages now includes NUMA, which is required because of changes in MySQL.

To check which CentOS version you have, run: get_appliance_details

› For CentOS 7, the package is installed by running: yum -y install numactl-libs

› For existing CentOS 6 installations using Skybox ISO, the package is installed by running: yum -y install numactl

› For existing CentOS 6 custom installations:

• Check whether the NUMA package is already installed by running: rpm -qa | egrep numa

If the package is not installed, install it by running: yum -y install numactl

Note: It is not necessary to install NUMA on remote Collectors.

Skybox licenses For users of Skybox in virtual network environments, there is now a new license: Network Assurance for Cloud.

The Network Assurance for Cloud license provides users full visibility of their cloud environment and the entire hybrid network, and enables them to perform access path analysis of north-south traffic as well as east-west traffic, and to ensure full security using end-to-end Access Compliance for devices in virtual network environments. Network Assurance for Cloud is accessible from the Network Assurance workspace.

Important: This license can only be used with version 9.0.205 and above.

Chapter 4 What’s new in previous versions


SOAP APIs Support for Axis-1 SOAP APIs is deprecated. Skybox supports only JAX-WS SOAP APIs.

Asset search Asset search was improved and now searches on all the asset name fields (Asset Name and Other Names).

Qualys collection Tasks of type Scanners - Qualys Collection can now retrieve vulnerability occurrence data from Qualys databases as well as Qualys scans.

In the Filter area of the task, set Collection Method to Database.

Cisco ACI

Note: The release date for this feature is March 26th, 2018.

› Skybox now integrates with Cisco ACI, to enable visibility and end-to-end access analysis in ACI software defined networks. Skybox imports the ACI configuration from the Cisco Application Infrastructure Controller (APIC) and creates a virtual model of the fabric layer, including bridge domains and



virtual routers as well as the access control layer, EPGs and contracts. Skybox supports APIC versions 2.x and 3.x using REST APIs.

› Data from Cisco ACI servers can be collected using Cloud & Virtualization – Cisco ACI Collection tasks.

The following table shows the mapping between entities and their names in Skybox, Azure, AWS, and Cisco ACI.

Skybox Azure AWS Cisco ACI

Asset VM Ec2 VM

Virtual Domain

VNET VPC Tenant

Security Group

Network Security Group

Security Group EPG (Endpoint Group)

Security Tag -- -- Contract

Network Subnet Subnet Subnet

LB Rules Load Balancer Load Balancer --

ACL Network Security Group

Network ACL Filter

NAT Rule Public IP Elastic IP --

VRF Routing Table Route Table VRF



Skybox Azure AWS Cisco ACI

VPN Express Route (not yet supported by Skybox)

DirectConnect --

Check Point vSEC The Firewalls - Check Point R80 Security Management collection task was enhanced and now supports collection of vSEC, the firewalls for cloud environments.

Note: No parameters were changed in the task.

Palo Alto Networks VM series The Firewalls - Panorama collection task was enhanced and now supports collection of Palo Alto Networks VM Series, the firewalls for cloud environments

Note: No parameters were changed in the task.

Global Exclude list The global exclude list (available in Tools > Options > Server Options > Task Settings > Global Task Settings) was enhanced and now supports an advanced mode that enables you to exclude devices by additional criteria, including:

› Asset Type › Operating Systems › OS Vendor › Services

• No Services

• Specific Services



› Products

Connectors

› Asset Management – Active Directory Collection tasks retrieve device data from a Microsoft Active Directory database and add this data to the current model.



Changes to the Network API The following API methods were added. They are the same as the previous versions except that they also return the description field (the access rule comment).

› findAccessRulesV2 › getAccessRulesV2 › findObjectAffectedAccessRulesV2 › createRecertifyTicketV2

Skybox Firewall Assurance

Rule ticket history A new field called Ticket History was added to access rules. This field contains a list of all the Change Manager tickets associated with the rule, including recertification tickets. It is available for all rules for which change requests can be opened.

› The field is hidden by default. › The existing Ticket ID field in Firewall Assurance (e.g. in ‘Rule Review’) was

renamed to Recertification Ticket ID.

Duplicate objects in Optimization and Cleanup CSV exports A new report type - Duplicate Objects - was added to CSV – Optimization and Cleanup Export tasks.

This report type provides information about objects in the same firewall and/or management server that have the same value.

The Affected Access Rules column shows, for each object, in how many access rules it is used.



Unreferenced objects in Optimization and Cleanup CSV exports A new report type - Unreferenced Objects - was added to CSV – Optimization and Cleanup Export tasks.

This report type produces a list of all the objects which are not referenced by any of the following fields in any access rule in the firewall scope:

› Source › Destination › Service › Application (AKA rule application) › Translated Source › Translated Destination › Translated Service

The following object types are relevant for this report:

› Firewall address related objects (e.g. host, address range, network, group) › Firewall service objects (e.g. service, service group) › Firewall application objects (e.g. application, application group)



Security profiles in access rules Access rules for Palo Alto firewalls now display the security profiles and security groups assigned to them. The rules can be searched by their security profiles and group values, and a new column was added to the CSVs for this information.

Asset analysis Asset analysis was improved and now supports reporting of assets which had configuration differences between running and startup configs.



Custom user roles - reports Customizing the report permission level is now available for custom user roles, as shown below.

Skybox Web UI Skybox is proud to introduce you to the new Web User Interface for Skybox Firewall & Network Assurance.

We’ve combined the feedback of hundreds of users to design an interface that’s intuitive, insightful, and flexible enough to meet the needs of all. It’s not just about ‘look and feel’ – the new UI merges data from firewalls, networks, and clouds into a single interface, and adds intuitive new capabilities including:

› Operational dashboards to quickly identify risk with customizable views and one click drill-downs

› Cross-device violation reporting to prioritize risky violations and provide a top-down view of the infrastructure

› Process-oriented design to fit how you work, providing data in fewer clicks and linked actions for immediate remediation

This version of the Web UI is a pre-release version, designed for most day-to-day use cases. We are sharing this version to get input from our customer base before the final version is released.

The Web UI is composed of functional modules. Each module provides a graphical overview through a customized dashboard, where you can drill down to views that expose all relevant module data.



Currently supported modules

› Overview: A dashboard that combines data from all Skybox Web UI modules and provides a condensed visualization of the infrastructure security.

› Compliance: Composed of Rulebase and Configuration Policy engines to ensure compliance with network security policies and regulations.

• Rulebase Compliance views display a list of access rules that violate rule and access checks, or a list of access rules with exceptions.

• Configuration Compliance views display a list of configuration tests to ensure enforcement of device security best practices, where each test is a Configuration Check run on a specific device.



› Change Tracking: Change Tracking views display a list of changes to access rules and objects, including the status of each change.

› Optimization and Cleanup: Identify unused rules, rules with poor usage, and redundant and shadowed rules; and view trace data to provide you with the answers you need to clean up your devices.



Access Rule Search The Access Rule search is an advanced tool for searching access rules in the network. The search can be focused using a variety of criteria, scopes, and filters including native access rule fields, compliance, optimization, and business attributes.

The search results show the access rules that match the search criteria:

Information sources

› Welcome Page: An entrance portal to Skybox applications that includes useful marketing and technical information dedicated to Skybox users.

› Online Help: A context sensitive online user guide that assists you in the everyday work with Skybox Web UI.

Additional features

› Customizable dashboards and widgets › Export to CSV files: The detailed information viewed on Skybox Web UI can

be exported to CSV files for reporting, offline analysis, and integration purposes.

› User Roles: The ability to control and limit views and actions in the Web UI based on user’s roles in the Java UI.



› User Permissions: Enforcement for users with restricted permissions to see only their permitted firewalls in the new Web UI.

Additional capabilities are being added continuously. Future releases will include:

* Policy Viewing * Policy Editing * Network Map * Access Analyzer * User and Group Admin * Reporting

Skybox Change Manager

Implementation preview The Implementation List field group now includes an Implementation Preview button that enables users to see a preview of implementation changes prior to the implementation phase.

When a user selects a change request from the implementation list and clicks Implementation Preview, the implementation information for that change request is displayed. This is the same information shown in the Pending Implementation module, but in a read-only mode.

New API methods for setting rule attributes of access rules in change requests The following API methods were added to support setting the rule attribute data for access rules in change requests from Change Manager tickets:

› getChangeRequestRuleAttributes: This method returns the rule attribute data of the access rule in a change request (original or derived)

› setChangeRequestRuleAttributes: This method sets the rule attribute data of the access rule in a change request (original or derived)



Custom fields for custom change requests Administrators can now create better custom change requests by including different types of custom fields (string, number, date, boolean, and list) in each custom change request type. The custom fields can also be set as mandatory.

In addition, specific custom change request types can now be enabled per workflow, just as other change request types can.



Modify rule position You can now use Modify Rule change requests to submit a request to modify a rule’s position.

Automatic implementation for Panorama and FortiManager The automatic implementation feature was extended and now supports Modify Rule change requests for firewalls managed by FortiManager and Panorama.

Recertification field group enhancement The Recertification field group now includes the following fields to help you figure out whether to recertify the rules.

› Usage › Actual Rule Usage › Hit Count

New API methods for automatic implementation The following API methods were added to support automatic implementation of change requests from Change Manager tickets:

› getImplementedChangeRequests: This method retrieves the list of implemented change requests in Skybox Change Manager.



› getNotImplementedChangeRequests: This method retrieves the list of not-yet-implemented change requests in Skybox Change Manager.

› implementChangeRequests: This method implements the change requests that it receives.

Automatic Implementation Automatic implementation was extended to support:

› Check Point R80

• Add Rule change requests (added in Skybox version 8.5.600)

• Modify Rule change requests

› Panorama

• Add Rule change requests

› FortiManager (version 5.2 and higher)

• Add Rule change requests

View the firewall rule base Users of Change Manager can now view the firewall rule base in selected workflows, in the request phase.



1 Tools > Options > Server Options > Change Manager Settings > Workflows

2 Select the workflow in which you want to enable this feature and go to the request phase.

3 In the Phase properties dialog box, select Allow users to view firewall rules.

When this option is enabled, users creating a ticket see a View Rules button in the Change Requests panel. They can click it, select a firewall, and see its access rules, as shown below.



Activate Rules Change Requests Change Manager now supports Activate Rules change requests.

The new change request type can be enabled per workflow. When it is enabled, users can submit change requests for activating disabled rules.

The setting is shown in the following screen capture.



The request type (as it appears in new tickets) is shown in the following screen capture.

Modify Object Name The Modify Object change request now enables users to submit a request to modify an object’s name.



Skybox Network Assurance

Asset analysis Asset analysis was improved and now supports reporting of assets which had configuration differences between running and startup configs.

Skybox Vulnerability Control

Threat Alert tickets – custom fields for custom solutions Administrators can now add custom fields (string, number, date, Boolean and list) to the "template" for custom solutions for threat alert and vulnerability tickets. (Tools > Options > Server Options > Ticket Configuration > Threat Alert) The custom fields can also be set as mandatory.

When users create custom solutions, they can improve the solution by using these fields in addition to the standard fields (solution type, description, and solution name).



Web Application vulnerabilities & configuration weaknesses Coverage for security issues was extended and now supports web application vulnerabilities and configuration weaknesses collected by Rapid7 scanners in Nexpose reports.

Vulnerability Detector for Cisco IOS and NX-OS The Vulnerability Detector was extended to support Cisco IOS and NX-OS devices.

Web Application vulnerabilities & configuration weaknesses Coverage for security issues was extended and now supports web application vulnerabilities and configuration weaknesses collected by Tenable scanners.

Web Application vulnerabilities & configuration weaknesses Coverage for security issues was extended and now supports web application vulnerabilities and configuration weaknesses collected by Qualys scanners.

All security issues are modeled as custom vulnerabilities and are used in security metrics, analyses, tickets, and so on.

Note: Only CVE-based vulnerabilities are used for exposure analysis.

skyboxdownloads.skyboxsecurity.com/files/installers/...skybox now integrates with cisco aci, to...

Documents