Post on 21-Aug-2020

Skybox

Release Notes

9.0.800

Revision: 14


Proprietary and Confidential to Skybox Security. © 2019 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal

Contents

Introduction ... 4
Skybox minimal system requirements ... 5
What's new in this version ... 6
  Skybox platform ... 6
  Skybox Web UI ... 8
  Skybox Change Manager ... 9
What's new in previous versions ... 10
  Skybox platform ... 10
  Skybox Firewall Assurance ... 13
  Skybox Web UI ... 13
  Skybox Change Manager ... 17
  Skybox Network Assurance ... 19
  Skybox Vulnerability Control ... 20

Chapter 1: Introduction

This document includes information about new features in version 9.0.800, with a feature list for this version as well as a list for previous versions (9.0.500 and higher).

› Support for all releases of Skybox 8.5 ends in February 2019.

About Skybox products

Skybox's powerful risk analytics platform provides security teams with continuous intelligence about vulnerabilities and network security risks, with no network disruption.

› Skybox solutions prioritize the most critical risks in minutes and provide detailed remediation options.

› Skybox solutions automate the complex security management processes required to maintain security controls and eliminate attack vectors, filtering out irrelevant data and delivering accurate results in a fraction of the security management time.

For more details visit the Skybox website or see the product documentation.

Chapter 2: Skybox minimal system requirements

The minimal system requirements for Skybox are available here.

Chapter 3: What's new in this version

This chapter includes a description of the new features and updates in Skybox version 9.0.800.

In this chapter

Skybox platform ... 6
Skybox Web UI ... 7
Skybox Change Manager ... 9

Skybox platform

Elasticsearch

Skybox Server now supports the export of data into Elasticsearch via Skybox tasks or REST API calls.

Further information is available in the Skybox Installation and Administration Guide.

Supported operating systems

The list of operating systems on which Skybox Server can run has been expanded to include Windows Server 2016.

New connectors

› Operational Technology – Claroty: Collection tasks retrieve vulnerability occurrence data collected by a Claroty Platform and add this data to the current model.

› Operational Technology – Indegy: Collection tasks retrieve vulnerability occurrence data collected by an Indegy platform and add this data to the current model.


Saving the model for Skybox support

A new option was added to manual file backups (File > Models > Save) to specify whether to save the model without user names and passwords for Skybox tasks.

Important: Do not use this option when backing up the model for your organization; it is intended solely for sending the model to Skybox support.

Specific tasks for user roles

A new field called Permitted Tasks was added to the User Role dialog box (under the Operations Console field), which enables the administrator to define a whitelist of task types for each custom user role.

› For user roles with full or viewing access to the Operational Console, you can select the Skybox tasks that they are permitted to run.

› Users with full access can also edit these tasks.


Skybox Web UI

Rule Review unit

A new Rule Review unit was added to the Firewall and Network Assurance Web UI. This unit provides a convenient way to review access rules.

Dedicated widgets for this section include “Rules by Recertification Status” and “Rules by Next Review Date”.

Drill down from a widget leads to a view of the relevant rules. You can expand each rule to display its recertification information, as well as information from the other units (Compliance, Optimization & Cleanup, and Change Tracking).

The rightmost column in lists of rules for review displays the recertification status of this access rule, and when it is due or how long it is overdue.

Possible recertification statuses are:

• Certified

• Rejected

• In Progress: A recertification ticket is open

• Overdue: The review date has passed but the rule’s status was not changed to either Certified or Rejected by a closed Recertification ticket in Change Manager.

Overdue rules may or may not have open tickets associated with them.

• Unknown: For new rules or legacy rules that have not yet started the recertification process

Changes in rule review task

The name of the Policy Rule Review task was changed to Rule Recertification. This task now performs all the relevant actions for the rule recertification process:

› Setting the initial next review date for access rules that do not yet have a next review date

The date can be set to the rule’s creation date or to another specific date.

› Computing the Next Review Date according to the defined Rule Review Policies

› Generating recertification tickets according to the defined Rule Recertification Ticket policies (the same action as Ticket – Auto Generation tasks with the Rule Recertification Ticket Policies field checked).

All the task actions are optional. The Compute Next Review Date action is selected by default, as this is the basic action necessary for the Rule Recertification process.


Note: The modified task still supports users who used the Policy Rule Review task.
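The recertification statuses listed above and the three actions of the Rule Recertification task, worked through as an added example. This is not Skybox code: the AccessRule fields, the way a review policy moves the next review date forward, the ticket lead time, and the sample rules are assumptions constructed for the example.

```python
"""Rule recertification status and task actions (added example, not Skybox code).

Models the five statuses of the Rule Review unit (Certified, Rejected,
In Progress, Overdue, Unknown), the "due in / overdue by" column, and the
three actions of the Rule Recertification task. Field names, policy
semantics and sample rules are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CERTIFIED, REJECTED = "Certified", "Rejected"


@dataclass
class AccessRule:
    rule_id: str
    firewall: str
    created: date
    next_review: Optional[date] = None   # None: no review date set yet
    decision: Optional[str] = None       # CERTIFIED / REJECTED from a closed ticket
    open_ticket: bool = False            # a recertification ticket is currently open


def set_initial_review_date(rule: AccessRule, specific: Optional[date] = None) -> date:
    """Task action 1: give a rule with no next review date an initial one,
    either its creation date (default) or another specific date."""
    if rule.next_review is None:
        rule.next_review = specific or rule.created
    return rule.next_review


def close_ticket(rule: AccessRule, decision: str, closed_on: date, period_days: int) -> date:
    """Task action 2 (assumed policy semantics): when a recertification ticket
    closes with Certified/Rejected, record the decision and move the next
    review date forward by the review period of the rule's Rule Review Policy."""
    if decision not in (CERTIFIED, REJECTED):
        raise ValueError("a closed ticket must certify or reject the rule")
    rule.decision = decision
    rule.open_ticket = False
    rule.next_review = closed_on + timedelta(days=period_days)
    return rule.next_review


def recertification_status(rule: AccessRule, today: date) -> str:
    """Map a rule to one of the five statuses shown in the Rule Review unit."""
    if rule.next_review is None:
        return "Unknown"            # recertification process not started
    if today > rule.next_review:
        return "Overdue"            # date passed; a closed ticket would have moved it on
    if rule.open_ticket:
        return "In Progress"
    if rule.decision in (CERTIFIED, REJECTED):
        return rule.decision
    return "Unknown"                # scheduled but never reviewed


def due_text(rule: AccessRule, today: date) -> str:
    """The rightmost column: when the review is due or how long it is overdue."""
    if rule.next_review is None:
        return "no review date"
    delta = (rule.next_review - today).days
    return f"overdue by {-delta} days" if delta < 0 else f"due in {delta} days"


def rules_needing_ticket(rules: List[AccessRule], today: date, lead_days: int) -> List[str]:
    """Task action 3 (ticket policy assumed): rules due within lead_days or
    already overdue that have no open recertification ticket."""
    horizon = today + timedelta(days=lead_days)
    return [r.rule_id for r in rules
            if r.next_review is not None and r.next_review <= horizon and not r.open_ticket]


def demo():
    # Constructed sample data
    today = date(2019, 6, 1)
    rules = [
        AccessRule("r1", "fw-edge", date(2018, 1, 10)),   # legacy rule, never scheduled
        AccessRule("r2", "fw-edge", date(2019, 3, 1), next_review=date(2019, 5, 20), open_ticket=True),
        AccessRule("r3", "fw-core", date(2019, 1, 15), next_review=date(2019, 6, 10), open_ticket=True),
        AccessRule("r4", "fw-core", date(2018, 9, 1), next_review=date(2019, 2, 1)),
    ]
    set_initial_review_date(rules[0])                                      # r1: creation date
    close_ticket(rules[3], CERTIFIED, date(2019, 5, 25), period_days=365)  # r4: certified
    statuses = {r.rule_id: recertification_status(r, today) for r in rules}
    return statuses, [due_text(r, today) for r in rules], rules_needing_ticket(rules, today, 30)


if __name__ == "__main__":
    print(demo())
```

Note that r2 is reported as Overdue even though a ticket is open: the review date has passed without a closed ticket certifying or rejecting the rule, which matches the statement above that overdue rules may or may not have open tickets.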

Skybox Change Manager

Automatic implementation for Cisco ASA

The automatic implementation feature was extended and now supports Add Rule and Add Object change requests for Cisco ASA devices. Provisioning to Cisco ASA devices is done via the SSH interface.

Automatic implementation for Check Point R80

The automatic implementation feature was extended and now supports Deactivate Rule (disable and delete) change requests for Check Point R80 firewalls.

Chapter 4: What's new in previous versions

This chapter includes information about new features and updates in previous Skybox versions, 9.0.500 and higher.

In this chapter

Skybox platform ... 10
Skybox Firewall Assurance ... 13
Skybox Web UI ... 13
Skybox Change Manager ... 17
Skybox Network Assurance ... 19
Skybox Vulnerability Control ... 20

Skybox platform

Changes to Skybox Collector

In this version, the infrastructure of the Collector was migrated from a JBoss application server deployment to one based on Spring Boot version 1.5.17 with an embedded Tomcat servlet container, version 8.5.34. Additional information is available in the Migrating the Collector infrastructure chapter, in the Skybox Installation and Administration Guide.

Important: If you have done any customization of the old JBoss Tomcat server.xml file or the TLS setting in <Skybox_Home>/collector/conf/jvmargs.properties for any Collectors you are using, you must customize the new infrastructure as well. Information on customization can be found in Migrating the Collector infrastructure, in the Skybox Installation and Administration Guide.

› On Windows, when the Collector is running as an operating system service, the service is reinstalled on every update.

For this reason, if you changed the service logon options to use a service user for collection, you must specify the service user again after every update.

SSH collection limitation

The current SSH client used by the Skybox Collector for remote collection can only use a Diffie-Hellman key of up to 2048 bits. Collection from remote devices that use a larger key will fail.

New task: Install Python tools for Skybox Appliance

This task installs the Python infrastructure (version 2.7.13) on Skybox Appliances. Python is required for the following Skybox collection tasks:

› Firewalls – Sophos UTM
› Firewalls – Huawei Eudemon
› Routers – Dionis NX
› Routers – Vyatta
› Scanners – AppScan
› Scanners – WhiteHat Sentinel
› Operational Security – SecurityMatters
› Firewalls – Forcepoint NGFW

You only need to run this task once for each Collector (or Server) running on a Skybox Appliance that is used for these tasks.

New connectors

› Firewalls – Huawei Eudemon: Collection tasks add configuration data from Huawei Eudemon firewalls to the current model.

› Asset Management – ForeScout: Collection tasks retrieve device data from a ForeScout database and add this data to the current model.

Skybox REST APIs

Skybox includes REST APIs to retrieve data from Skybox and use its core methods remotely. The base URL is: /skybox/webservice/jaxrs

The REST APIs use basic authentication. For more information, see https://swagger.io/docs/specification/authentication/basic-authentication/

The REST APIs can be viewed and tested at: https://<server_name>:8443/skybox/webservice/swagger-ui/index.html. You must log in with your Skybox user to access this site.

The following REST APIs are supported:

› All calls in /accesspolicytemplate/

These calls are used for managing Access Policies and zones.

› All calls in /threatalert/v1 and /threatalerttickets/v1

These calls work with threat alert tickets.

Note: Support is provided only for the API calls mentioned here. Other API calls exist but are not currently supported, and Skybox takes no responsibility for their use.

Fortinet FortiGate traffic syslog in CEF format

Skybox now supports rule usage logs in CEF format for FortiGate firewalls.

NetScreen rules from non-Global zones to the Global zone

Support in the Access Analyzer for NetScreen rules and packet flow from "non-Global" zones to the "Global" zone was improved.

New Connectors

› Firewalls – Sophos UTM: Collection tasks retrieve configuration data from Sophos UTM firewalls and add this data to the current model.

› Scanners – Tenable.IO: Collection tasks retrieve Nessus scans from Tenable.io scanners and add the vulnerability occurrence data to the current model. The following scan result types are supported:

• Basic scan

• Host discovery

• Advanced scan

Support for multiple LDAP servers

Skybox now supports the ability to log in to Skybox from different domains via LDAP. Administrators can configure an LDAP server for each domain (Tools > Options > Server Options > User Settings > Authentication). Up to 10 LDAP servers can be configured.

New API methods

› The getHostCluster method (in the networks web service) returns the name and ID of the cluster of the specified firewall, or null if the host is not part of a cluster.

› New versions of the API methods for Change Manager (addOriginalChangeRequestsV6, getOriginalChangeRequestV6, getDerivedChangeRequestsV6) were released.

The methods are the same as the previous versions (V5).

The AddRuleChangeRequestV6 and RequireAccessChangeRequestV6 data structures are different from the V5 versions: a new boolean field named isLogEnabled was added to these 2 objects to support the new rule logging feature. The other fields of the data structures are the same as the V5 version.

Fortinet FortiManager – collection by read-only users

Skybox can now collect firewall configurations from FortiManager using a read-only user. This collection is based on the FortiManager REST API. For details, see Configuring FortiManager Security Management appliances for data collection, in the Skybox Reference Guide.

Palo Alto Networks – support for external dynamic lists (EDLs)

Skybox now supports the modeling of EDLs in Palo Alto firewalls.

Cisco ACI – support for external endpoint groups (EPGs)

Skybox now supports the modeling of Cisco ACI external EPGs that filter north-south traffic, and the use of those EPGs within ACI contracts.

Skybox Firewall Assurance

Support for Check Point R80 in Configuration Compliance

Support for Check Point Security Management R80 and higher has been added to Configuration Compliance. Standard V14 is a new Configuration Policy whose Check Point section was updated to include tests for these devices.

To use this policy, you must import it: right-click Configuration Policies in either the Firewall Assurance or Network Assurance tree, select Import Configuration Policies, and select Standard V14.

Support for Rule Usage Analysis on Cisco Firepower devices

Skybox now supports syslog traffic for Firepower devices, thus enabling Rule Usage Analysis.

Define critical access rules for review

In Firewall Assurance, users can now define critical access rules for review. They can also receive notifications when any changes are made to these rules.

› To define rules for review: When the Table pane includes a list of access rules (for example, when Rule Review for a single firewall is selected in the Tree pane), select one or more rules in the Table pane, right-click, and select Set Review Indication.

Display the For Review column to show the selected rules; right-click in the header row of the table, select Customize Current View, and then select For Review from the list of possible columns.

› To set up the notifications mechanism:

1. Select Tools > Administrative Tools > Triggers.

2. In the Skybox Admin window, open or create a trigger of type Change Tracking.

3. In the Change Record Filter tab, select Notify changes in rules marked for review.

› When tasks of type Analysis – Change Tracking are run and there are changes in any rules marked as For Review, the following notification is sent: “Change tracking event was recorded for rule # <Rule number> in <Firewall Name> device.”

› In addition, the For Review column was added as the last column in CSV files produced by the CSV – Access Rules Review Export task.

Note: Notifications cannot be sent when Cisco firewall rules are deleted from a firewall because these rules have no GUID.

Skybox Web UI

URL for Skybox Web UI

› The URL for Skybox Web UI has been changed to: https://<server>:8443/skybox/products/home

› The specific URL for Firewall and Network Assurance is: https://<server>:8443/skybox/products/spm

Rule Policies section

A new Rule Policies section was added to the Compliance unit. This section provides a convenient way to investigate Rule Policy violations from the perspective of the entire Rule Policy.

Dedicated widgets for this section include “Checks by Rule Compliance Status” and “Rule Checks by Severity”.

As in all the other sections, drill down from a widget leads to a view of the relevant Rule Checks. You can expand each Rule Check to display the list of violating rules, the tested firewalls, and more details about the check itself.

Access Analyzer

Access Analyzer is an advanced tool for checking access between different end points in the network.

To open Access Analyzer, click

You define the source and destination end points by typing or selecting, and you can also define services and applications, or reuse a recently analyzed query.

Access Analyzer searches for all relevant model entities (networks, assets, virtual domains, and so on) for this query. Access Analyzer shows all possible routes and whether there is full access, partial access, or no access between the end points.

You can then drill down into a route to see information about it.

Notes:

• Users with Vulnerability Control licenses also see information about the vulnerabilities to which the accessible assets are exposed.

• Access Analyzer is currently not available for users with Firewall Assurance only licenses.

Access Policies section

A new Access Policies section was added to the Compliance unit.

This section provides a convenient way to investigate access violations from the Access Policy perspective, as opposed to the rules perspective shown in the Rulebase Compliance section.

The Access Policy views are based on a matrix widget that provides the full compliance view in a single pane of glass, showing the compliance level and number of violations for all zone-to-zone policy sections.

This widget also enables you to verify that the Access Policy was correctly defined and that it covers all the zone-to-zone sections.

Drilling down from any cell in the table leads to a view that displays the list of Access Checks between the 2 zones with a description, severity, and number of violations. Each check can be expanded to view a list of its tests, violations, and violating rules. In addition, you can view exceptions for each check.

Configuration Policies section

A new Configuration Policies section was added to the Compliance unit. This section provides a convenient way to investigate Configuration Policy violations from the perspective of the entire Configuration Policy.

Dedicated widgets for this section include Top Configuration Checks by Status, Top Policies by Configuration Check Severity, Configuration Compliance Level.

As in all the other sections, drill down from a widget leads to a view of the relevant Configuration Checks. You can expand each Configuration Check to display the list of tested devices and more details about the check itself.

Enhancements to sorting

The sorting of records in all the views was enhanced and now highlights the value of the Sort field or adds it dynamically when the value is not available in the record.

Skybox Change Manager

Implementing change requests from the ticket

When a ticket is in the Implementation phase, its owner can implement the change requests by selecting them in the list and clicking Implement Change Requests.

Automatic implementation for Cisco Firepower

The automatic implementation feature was extended and now supports Add Rule and Add Object change requests for firewalls managed by Cisco Firepower.

Automatic implementation of Modify Object change requests and FortiManager

The automatic implementation feature was extended and now supports Modify Object change requests for firewalls managed by FortiManager. For detailed information, see Implementation of Modify Object change requests, in the Change Manager User Guide.

Rule logging

Change Manager now includes an option to enable logging the rules in the firewall as part of a change request. Enabling rule logging is available as part of the following change requests:

› Access Update
› Add Rule
› Modify Rule

By default, rule logging is enabled for all change requests of these types. Use Tools > Options > Server Options > Change Manager Settings > Tickets to disable this feature.

Note: The status of rule logging can be changed per request, regardless of the default status.


Skybox Network Assurance

Support for Check Point R80 in Configuration Compliance

Support for Check Point Security Management R80 and higher has been added to Configuration Compliance. Standard V14 is a new Configuration Policy whose Check Point section was updated to include tests for these devices.

To use this policy, you must import it: right-click Configuration Policies in either the Firewall Assurance or Network Assurance tree, select Import Configuration Policies, and select Standard V14.

Support for Rule Usage Analysis on Cisco Firepower devices

Skybox now supports syslog traffic for Firepower devices, thus enabling Rule Usage Analysis.

Define critical access rules for review

In Firewall Assurance, users can now define critical access rules for review. They can also receive notifications when any changes are made to these rules.

› To define rules for review: When the Table pane includes a list of access rules (for example, when Rule Review for a single firewall is selected in the Tree pane), select one or more rules in the Table pane, right-click, and select Set Review Indication.

Display the For Review column to show the selected rules; right-click in the header row of the table, select Customize Current View, and then select For Review from the list of possible columns.

› To set up the notifications mechanism:

1. Select Tools > Administrative Tools > Triggers.

2. In the Skybox Admin window, open or create a trigger of type Change Tracking.

3. In the Change Record Filter tab, select Notify changes in rules marked for review.

› When tasks of type Analysis – Change Tracking are run and there are changes in any rules marked as For Review, the following notification is sent: “Change tracking event was recorded for rule # <Rule number> in <Firewall Name> device.”

› In addition, the For Review column was added as the last column in CSV files produced by the CSV – Access Rules Review Export task.

Note: Notifications cannot be sent when Cisco firewall rules are deleted from a firewall because these rules have no GUID.


Skybox Vulnerability Control

Custom business attributes for Vulnerability Definitions

Business attributes are business information about Vulnerability Definitions that can be stored with the Vulnerability Definition in the model. This information can be used to provide additional business context for the Vulnerability Definitions, and for integration with other systems; the additional information can be cross-referenced by the other system.

Admins create business attributes in Tools > Options > Server Options > Business Attributes > Vulnerability Definitions. Once an attribute is defined, it can be displayed as a column in tables where Vulnerability Definitions are shown (right-click in the header row of the table, select Customize Current View and then select the desired column).

Vulnerability Detector for Fortinet firewalls

The Vulnerability Detector was extended to support Fortinet firewalls.