Skybox View Assure and Skybox View Secure review
By Rob Smithers | Network World US | Published: 16:02, 12 July 2010
Skybox uses vulnerability scanners and analysis to categorise, quantify and prioritise threats to the network. Using the Skybox Assure software suite, we could manage network policy validations, regulatory compliance audits and network device changes. With the automation features provided, we could run audit checks on thousands of firewall rule-bases.
We found that the install documentation for Skybox was excellent. The user manuals and tutorials are automatically loaded onto the C: drive.
Skybox provides several methods to import device configuration files into the Skybox View database. You can use the Add Device wizard application that has a Collect feature to import the configuration files directly from the device. There are also several ways to automate the configuration collection process. If configuration data is located in a database or file repository, the data can be directly imported into Skybox View. You need additional Skybox View Collectors if you want to directly import configuration files on segmented networks.
We used the Operational Console to create tasks using the New Task wizard and selecting a Task Type. There is a convenient option for scheduling collection that can be set for a specific hour, or to be run daily, weekly, monthly or yearly. We could also program the Task Wizard to schedule data import from file repositories with configuration files.
We could create task sequences to run the tasks at a scheduled time. Task sequences have exit codes, so if one task fails, the other tasks set to import configurations, run audits and handle change management are not blocked.
We saw that APIs were also available to facilitate integration with large third-party management tools, such as Opsware, to obtain stored configuration files.
Once the configuration files are loaded into Skybox View, the compliance auditor in Skybox View Assure uses its predefined best-practice access policy to analyze the firewall policies. The best practice policies are compared with the device configuration rules and policies to display security violations and configuration errors. We used the Policy Compliance Report table to view Violated Rules, Access Compliance and Rule Compliance. In the case of an Access Compliance report failure, the rule violation is highlighted and detailed information about the violation is presented.
We tested the Risk Exposure Analyzer that simulates potential attack and access scenarios. After Skybox Secure builds a virtual map of the security model, a business impact analysis is created for what-if attack scenarios. These scenarios are based on malicious code and human attackers. Using the analyser, we saw a graphical flow chart diagram displaying the step-by-step process taken by the attacker and the network access path available for the attack.
Results of the attack are used to calculate the business impact of a security breach in terms of confidentiality, integrity and availability. Skybox Secure can import business-impact rules and regulations to classify assets and determine an accurate risk assessment metric. We saw that they also had predefined regulation templates.
Rule-usage analysis requires three to 12 months of information to produce a valid report. Shadowing and redundancy analysis can be run as soon as the configuration information for the network devices is imported and the network model is built.
We used the Access Analyzer feature in Skybox View Assure to answer questions about network access. It can be used for What-If model test scenarios and for connectivity analysis on live networks. Queries can be created for access within a firewall and for networks.
For tracking changes, we used the Change Tracking option in Skybox View Assure by selecting it under the expanded device object icon in the GUI. When data is collected periodically to update network models, you can display and analyse comparisons between ACL rules, routing rules and network interface changes. We saw that you could keep records of network and firewall changes for compliance recordkeeping. What-If modeling changes can be made as firewall rules in the model and then compared with the actual firewall rules.
Skybox View Assure offers change control and workflow with a ticketing system. While the Firewall Compliance Auditor supports Access Change tickets, the Network Compliance Auditor supports both Access Change and Policy Violation tickets.
We were impressed with the modeling capabilities of the Skybox View Firewall Assurance product. We could simultaneously store three models of the network for running comparison analyses. A side-by-side analysis report makes it effortless to see the changes between two versions of the same network model.