skyboxdownloads.skyboxsecurity.com/files/installers/skybox_view/9.0/9.0.1… · skybox is retiring...

Skybox Release Notes 9.0.100 Revision: 11


Post on 20-Jun-2020



Proprietary and Confidential to Skybox Security. © 2018 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal


Contents

Introduction

Skybox minimal system requirements

What’s new in this version

› Skybox platform

› Skybox Firewall Assurance

› Skybox Change Manager

› Skybox Vulnerability Control

What’s new in previous versions

› Skybox platform

› Skybox Firewall Assurance

› Skybox Change Manager

› Skybox Network Assurance

› Skybox Vulnerability Control


Chapter 1

Introduction

This document includes information about new features and updates in version 9.0.100, with a feature list for this version as well as a list for previous versions (8.5.400 and higher).

› Skybox 7.5 is no longer supported.

› Support for all releases of Skybox 8.0 ends in February 2018.

› Support for all releases of Skybox 8.5 ends in February 2019.

About Skybox products

Skybox Security’s powerful risk analytics platform provides security teams with continuous intelligence about vulnerabilities and network security risks, with no network disruption.

› Skybox solutions prioritize the most critical risks in minutes, and provide detailed remediation options.

› Skybox solutions automate the complex security management processes required to maintain security controls and eliminate attack vectors, filtering out irrelevant data and delivering accurate results in a fraction of the security management time.

For more details visit the Skybox Security website or see the product documentation.


Chapter 2

Skybox minimal system requirements

The minimal system requirements for Skybox are available here


Chapter 3

What’s new in this version

This chapter includes a description of the new features and updates in Skybox version 9.0.100.

In this chapter

Skybox platform

Skybox Firewall Assurance

Skybox Change Manager

Skybox Vulnerability Control

Skybox platform

Check Point vSEC

The Firewalls - Check Point R80 Security Management collection task was enhanced and now supports collection of vSEC, the firewalls for cloud environments.

Note: No parameters were changed in the task.

Palo Alto Networks VM series

The Firewalls - Panorama collection task was enhanced and now supports collection of Palo Alto Networks VM Series, the firewalls for cloud environments.

Note: No parameters were changed in the task.

Global Exclude list

The global exclude list (available in Tools > Options > Server Options > Task Settings > Global Task Settings) was enhanced and now supports an advanced mode that enables you to exclude devices by additional criteria, including:

› Asset Type

› Operating Systems

› OS Vendor

› Services

• No Services

• Specific Services

› Products

Connectors

› Asset Management – Active Directory Collection tasks retrieve device data from a Microsoft Active Directory database and add the data to the current model.


Changes to the Network API

The following API methods were added. They are the same as the previous versions except that they also return the description field (the access rule comment).

› findAccessRulesV2

› getAccessRulesV2

› findObjectAffectedAccessRulesV2

› createRecertifyTicketV2

Skybox Firewall Assurance

Custom user roles - reports

Customizing the report permission level is now available for custom user roles, as shown below.

Skybox Change Manager

Automatic Implementation

Automatic implementation was extended to support the following:

› Check Point R80

• Add Rule change requests (added in version 8.5.600)

• Modify Rule change requests

› Panorama

• Add Rule change requests

› FortiManager

• Add Rule change requests


View the firewall rule base

Users of Change Manager can now view the firewall rule base in selected workflows, in the request phase.

1 Tools > Options > Server Options > Change Manager Settings > Workflows

2 Select the workflow in which you want to enable this feature, and go to the request phase.

3 In the Phase properties, select Allow users to view firewall rules.

When this option is enabled, users creating a ticket will see a View Rules button in the Change Requests panel. They can click it, select a firewall, and see its access rules, as shown below.


Activate Rules Change Requests

Change Manager now supports Activate Rules change requests.

The new change request type can be enabled per workflow. When it is enabled, users can submit change requests for activating disabled rules.

The setting is shown in the following screen capture.


The request type (as it appears in new tickets) is shown in the following screen capture.

Modify Object Name

The Modify Object change request now enables users to submit a request to modify an object's name.

Skybox Vulnerability Control

Web Application vulnerabilities & configuration weaknesses

Coverage for security issues was extended and now supports web application vulnerabilities and configuration weaknesses collected by Qualys scanners.

All security issues are modeled as custom vulnerabilities and are used in security metrics, analyses, tickets, etc.

Note: Only CVE-based vulnerabilities are used for exposure analysis.


Chapter 4

What’s new in previous versions

This chapter includes information about new features and updates in previous Skybox versions 8.5.400 and higher.

In this chapter

Skybox platform

Skybox Firewall Assurance

Skybox Change Manager

Skybox Network Assurance

Skybox Vulnerability Control

Skybox platform

Vulnerability Detector for Network Devices

Vulnerability occurrences can now be extracted from firewall configuration data of additional devices using Analysis – Vulnerability Detector for Network Devices tasks. The following devices are now supported:

› Arista (new)

› Check Point

› Cisco ASA and FWSM firewalls

› Juniper NetScreen

› Juniper Junos

› Palo Alto (new)

Model encryption password can be changed

Skybox encrypts the model with a password when saving it, and uses the same password to decrypt it when loading the model. A default password has always been used. This password can now be changed if required for security purposes. However, if the password is changed, you will not be able to load models encrypted with the previous password.


Connectors

› Firewalls – Check Point GAIA Collection tasks retrieve Check Point GAIA firewall configuration data from Check Point Management Servers and add it to the model.

› Routers – Dionis Collection tasks retrieve configuration data from Dionis NX routers and add it to the model.

› Operational Technology – SecurityMatters Collection tasks retrieve configuration data from SecurityMatters platforms and add it to the model.

› Firewalls – Forcepoint NGFW Collection tasks retrieve configuration data from Forcepoint NGFW firewalls and add it to the model.

This task replaces the StoneGate parser. However, unlike the parser:

• The task does not require a mapping.txt file


• The task runs on either Linux or Windows

› Scanners – CyberX Collection was renamed to Operational Technology – CyberX Collection

Connectors

› Hit counts for Cisco IOS routers

Skybox now supports collection of hit counts for Cisco IOS based routers from the collection task.

› WhiteHat Sentinel

Scanners – WhiteHat Sentinel Collection tasks retrieve the vulnerability occurrences found by these scanners and add the data to the current model.

› Junos Space

Firewalls – Junos Space Collection tasks use a proprietary Juniper API to connect to Junos Space platforms. These tasks retrieve configuration data of Junos firewalls that are managed by the Junos Space platform and add it to the current model.

These tasks have the following limitations:

• Dynamic routing rules cannot be collected from Junos Space platforms.

• There is a difference between the information available through SSH commands (in Firewalls – Junos Collection tasks) and that available through REST APIs (in Firewalls – Junos Space Collection tasks). This may cause differences in the way the devices are represented in the model.

FortiGate applications

Skybox now supports application information on FortiGate devices.

Check Point syslog in CEF format

Skybox now supports rule usage logs in CEF format for Check Point firewalls. These logs are usually forwarded from ArcSight.

Connectors

› Tenable SecurityCenter scanners

Scanners - Tenable SecurityCenter Collection tasks retrieve the vulnerability occurrences found by these scanners and add the data to the current model.

› IBM Security AppScan

Skybox can import vulnerability report XML files from AppScan using Scanners - AppScan Collection tasks.

Note: To import IBM AppScan vulnerability occurrence data to a Skybox model, you must have Python installed on the machine that is running the task (as specified by the Run in field of the task). You also require the lxml package. Further details are available in the Skybox Reference Guide.

› Squid proxies

Skybox includes a parser that creates an iXML file from Squid proxy configuration files. This iXML file can then be imported into Skybox. The parser is located at <Skybox_Home>\intermediate\bin\parsers\proxy\squid\squidParser.pl

Retiring the SOAP API using Axis1 technology

Skybox is retiring the SOAP API based on Axis1 technology and will be using only JAX-WS technology going forward. All the API calls are available in the new technology. The Axis technology will be supported until July 2018 to allow customers who have not done so already to migrate their integration to JAX-WS.

To identify the API version that you are using:

› Axis1: Your SOAP endpoint is https://<Skybox_server>:8443/skyboxview/webservice/services/*

› JAX-WS: Your SOAP endpoint is https://<Skybox_server>:8443/skybox/webservice/jaxws/*

Refer to the Skybox Developer's Guide for additional information about using the API.
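One way to inventory which integrations still call the retiring Axis1 endpoint, as an added example that is not part of the Skybox documentation: it classifies request paths by the two endpoint prefixes listed above and reports each caller as legacy, mixed or migrated. It assumes an access log in Common Log Format from the Skybox server or a proxy in front of it; the log lines, client addresses, user names and the `ExampleService` path component are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Path prefixes from the two endpoint patterns listed in the release notes.
AXIS1_PREFIX = "/skyboxview/webservice/services/"
JAXWS_PREFIX = "/skybox/webservice/jaxws/"

# Constructed sample data: Common Log Format, the client addresses, user names
# and the "ExampleService" path component are all placeholders.
SAMPLE_LOG = """\
192.0.2.10 - svc_ticketing [12/Mar/2018:09:14:02 +0000] "POST /skyboxview/webservice/services/ExampleService HTTP/1.1" 200 5120
192.0.2.10 - svc_ticketing [12/Mar/2018:09:15:40 +0000] "GET /skyboxview/webservice/services/ExampleService?wsdl HTTP/1.1" 200 20480
192.0.2.25 - svc_siem [12/Mar/2018:09:16:11 +0000] "POST /skybox/webservice/jaxws/ExampleService HTTP/1.1" 200 4096
192.0.2.31 - svc_cmdb [12/Mar/2018:09:17:05 +0000] "POST /skyboxview/webservice/services/ExampleService HTTP/1.1" 200 1024
192.0.2.31 - svc_cmdb [12/Mar/2018:09:18:30 +0000] "POST /skybox/webservice/jaxws/ExampleService HTTP/1.1" 200 1024
192.0.2.40 - - [12/Mar/2018:09:19:00 +0000] "GET /skybox/ HTTP/1.1" 200 512
this line is not a valid access-log entry
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def classify_endpoint(target):
    """Classify a full URL or a request path as 'axis1', 'jaxws' or 'other'."""
    path = urlsplit(target).path          # drops scheme, host, port and query
    path = re.sub(r"/{2,}", "/", path)    # tolerate doubled slashes in the path
    if path.startswith(AXIS1_PREFIX):
        return "axis1"
    if path.startswith(JAXWS_PREFIX):
        return "jaxws"
    return "other"


def usage_by_client(log_text):
    """Count Axis1 and JAX-WS requests per (client address, user)."""
    usage = defaultdict(Counter)
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue                      # skip malformed lines
        kind = classify_endpoint(match["target"])
        if kind != "other":
            usage[(match["client"], match["user"])][kind] += 1
    return dict(usage)


def migration_status(log_text):
    """Return {(client, user): 'legacy' | 'mixed' | 'migrated'}."""
    status = {}
    for who, counts in usage_by_client(log_text).items():
        if counts["axis1"] and counts["jaxws"]:
            status[who] = "mixed"         # partly migrated, Axis1 calls remain
        elif counts["axis1"]:
            status[who] = "legacy"        # only the retiring endpoint is used
        else:
            status[who] = "migrated"
    return status


if __name__ == "__main__":
    for (client, user), state in sorted(migration_status(SAMPLE_LOG).items()):
        print(f"{client:15} {user:15} {state}")
```

Callers reported as legacy or mixed are the integrations to move to the JAX-WS endpoint before Axis1 support ends.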


Skybox Firewall Assurance

Rule usage analysis for Cisco IOS routers

Rule usage analysis for Cisco IOS routers is now supported using the data retrieved directly by the Cisco device command (that is, show access-lists) in addition to data retrieved from syslog. The collection task was extended and now enables you to select whether to retrieve the hit counts of the access rules in addition to the configuration of the device.

Rule usage analysis is then immediately available after collection of the routers.

STIG Configuration Policy for Cisco IOS routers

The STIG Configuration Policy now includes a section for Cisco IOS routers, in addition to the existing section for Cisco firewalls.


If you do not see this policy after updating, right-click Configuration Policies, select Import Configuration Policy, and then select STIG_v2.xmlx

Rule Exceptions

Exceptions of types Firewall Exception, Access Policy Exception, and Rule Policy Exception are no longer created, though they are still supported for backward compatibility.

Note: Existing exceptions of type Rule Policy Exception are now listed as Rule Exception.


Access Compliance for clouds and virtualized environments

End to end Access Compliance (Access Compliance in network mode) is now supported for cloud and virtual environments. Security tags and groups can now be mapped to zones and their access compliance can be analyzed. The analysis considers all the virtual assets in the respective security tags/groups and identifies the violating rules on the security tags/groups. Access is analyzed for both east-west and north-south traffic.

To use this feature

1 Map the security tags/groups to zones.

2 Analyze the required access check.

3 View the access route.

4 View the violating rules.

PCI DSS Access Policy v3.2

The PCI DSS Access Policy was updated and it is now compliant with version 3.2.

If you do not see this policy after updating, right-click Public Access Policies, select Import Access Policy, and then select PCI_DSS_V3.2_Policy.xmlx

STIG Configuration Policy for Cisco FW

A Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing security protocols to enhance overall security.

Skybox now includes a new STIG Configuration Policy for Cisco firewalls. This policy is intended for firewalls in organizations that must comply with STIG standards used by the United States Department of Defense. It includes those STIG standards that can be verified by analyzing device configuration files. Other standards require manual verification or can be verified by analyzing the access rules.

Note: Additional devices will be added in future versions.

If you do not see this policy after updating, right-click Configuration Policies, select Import Configuration Policy, and then select STIG_v1.xmlx

Customized User roles

Admins can now create new user roles for Firewall Assurance and Network Assurance based on the predefined user roles Admin – Assurance, User – Assurance, and Read-Only User – Assurance.

Permission levels (such as full access or view only) can be defined for the following features:

› Exception management

› Analysis permissions

› Policy management (Rule Policy, Access Policy and Configuration Policy)

› Configuration files

› Operational console

Note: Permissions for all other features are according to the predefined user role. When creating a new role, it is suggested to start with the predefined role that most closely matches the new role.

User roles are managed from the new User Roles node of the Admin tree.

Skybox Change Manager

Automatic implementation for Check Point R80

Change Manager now enables automatic implementation of Add Rule and Add Object change requests for Check Point R80 firewalls.

Ticket notifications can now include recertification information

Ticket notifications (done via triggers) were enhanced and can now include recertification information.

Zone/interface information in change requests

For zone or interface based firewalls, Change Manager now automatically includes the zone or interface information when calculating Access Update and Add Rule change requests. This information is available in the Additional Details column.

Automatic implementation of rules with expiration dates

Change Manager now supports automatic implementation of rules with expiration dates.

Revised upper ticket panel

The upper ticket panel which contains the general ticket information is now editable. Users who can edit the ticket at each phase can also edit these fields (Title, Priority, and Description).

The Additional Information section is hidden by default, to allow more information about the phase itself to be displayed.

Rule Exceptions

Only one type of exception (called Rule Exceptions) is now created in Change Manager, regardless of the way policy compliance is calculated (firewall or network mode).

Add deny rules

Change Manager now supports Add Rule change requests for deny rules.

Enhanced user permissions

User permissions for Change Manager now provide better control over what each user can do in each workflow phase. As in the past, you decide for each user whether they should have any access at all to each phase of each workflow. Now, you can also set permissions for each user (including Web Ticket Requestors) per phase to read-only if they should not be able to make changes to that phase. This means that users will have full access for phases relevant to them, and for all other phases either read-only permissions or no permissions.

Duplicate change requests

Change Manager now provides indication if a change request is duplicated within the same ticket.

Text hints for custom fields

Custom fields can now include a text hint property, so that users can better understand what kind of information they need to provide in the field.

Skybox Network Assurance

Rule Exceptions

Skybox now uses a single type of exception – called a Rule Exception – instead of 3. From now on, exceptions will always be associated with the rule that caused the violations, and include the following fields:


Exceptions of types Firewall Exception, Access Policy Exception, and Rule Policy Exception are no longer created, though they are still supported for backward compatibility.

Note: Existing exceptions of type Rule Policy Exception are now listed as Rule Exception.

Access Compliance for Clouds and virtualized environments

End to end Access Compliance (Access Compliance in network mode) is now supported for cloud and virtual environments. Security tags and groups can now be mapped to zones and their access compliance can be analyzed. The analysis considers all the virtual assets in the respective security tags/groups and identifies the violating rules on the security tags/groups. Access is analyzed for both east-west and north-south traffic.

To use this feature

1 Map the security tags/groups to zones.

2 Analyze the required access check.

3 View the access route.

4 View the violating rules.

PCI DSS Access Policy v3.2

The PCI DSS Access Policy was updated and it is now compliant with version 3.2.

If you do not see this policy after updating, right-click Public Access Policies, select Import Access Policy, and then select PCI_DSS_V3.2_Policy.xmlx

STIG Configuration Policy for Cisco FW

A Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing security protocols to enhance overall security.

Skybox now includes a new STIG Configuration Policy for Cisco firewalls. This policy is intended for firewalls in organizations that must comply with STIG standards used by the United States Department of Defense. It includes those STIG standards that can be verified by analyzing device configuration files. Other standards require manual verification or can be verified by analyzing the access rules.

Note: Additional devices will be added in future versions.

If you do not see this policy after updating, right-click Configuration Policies, select Import Configuration Policy, and then select STIG_v1.xmlx

Customized User roles

Admins can now create new user roles for Firewall Assurance and Network Assurance based on the predefined user roles Admin – Assurance, User – Assurance, and Read-Only User – Assurance.

Permission levels (such as full access or view only) can be defined for the following features:

› Exception management

› Analysis permissions

› Policy management (Rule Policy, Access Policy and Configuration Policy)

› Configuration files

› Operational console

Note: Permissions for all other features are according to the predefined user role. When creating a new role, it is suggested to start with the predefined role that most closely matches the new role.

User roles are managed from the new User Roles node of the Admin tree.

Skybox Vulnerability Control

Threat Alert tickets with multiple vulnerability definitions

Threat Alert tickets can now be created for several vulnerability definitions at once by selecting the vulnerability definitions and creating a ticket.

Custom vulnerability solution enhancements

Custom vulnerability solutions for threat alert tickets and vulnerability occurrence tickets can now be reused by other tickets that are associated with the same vulnerability.