There are lots of tools and applications with the word “compliance” stamped on the cover. What does it mean when a product tells you that you’re compliant? What are the mechanics of determining compliance?

In the end, it comes down to comparing a policy against something real and determining if the two match up.  With PCI it might be about comparing the kind of traffic that the PCI specification says should not be allowed between two subnets; whereas FISMA compliance might be ensuring that your devices are configured according to vendor best practices.

Skybox Firewall Assurance and Skybox Network Assurance represent a collection of compliance engines.  Their purpose is to facilitate comparing policy to reality.  We do this using three separate engines, each designed to compare a different aspect of a network or a device.

Skybox straddles the fence between a “framework” and an “out-of-the-box solution”.  While we realize that nobody wants to configure their policy content from scratch, we also recognize that the “one size fits all” approach doesn’t work either.  The Skybox compliance engines provide enormous flexibility in configuring custom security policies, while our included compliance content provides quick plug-and-play functionality by including many popular security policies such as PCI, NIST, and CIS.

Compliance Engines

  • The configuration compliance engine examines the configuration elements of a network device to confirm that it is configured correctly.  This allows organizations to ensure that their devices are configured according to specifications such as vendor best practices, an internal policy, “gold standard,” or even an external policy like CIS benchmarks.  Skybox uses the power and flexibility of regular expressions in this engine to allow for easy customization.  In addition, individual configuration checks can be carried out against specific versions of devices or against devices residing in specific portions of the network.
  • The rule compliance engine helps organizations ensure that their firewall (or router) ACL rules are created according to standard security best practices.  This engine looks at the specifics of a rule and compares it against a list of checks designed to ensure that the rule is written according to the least privilege principle.  These checks are fully customizable and the user interface makes it easy to add additional policies.  Rule compliance identifies overly permissive rules and provides actionable data to support the clean-up process.
  • The heavy-hitter of the Skybox lineup is the zone-to-zone access compliance engine.  This powerful engine allows organizations to describe policies in abstract or conceptual terms and ensure that the reality of the network is in line with the policy.
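To make the first two engines concrete, here is an added example (written for this article, not Skybox's own code or data model) of how a regex-driven configuration check and a least-privilege rule check can be expressed. The device configuration, the ACL rules, the check names and the hostname-filter scoping mechanism are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample running-config (IOS-style lines; not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-fw-01
service password-encryption
no ip http server
ip ssh version 2
snmp-server community public RO
logging host 10.0.0.5
"""


@dataclass
class ConfigCheck:
    name: str
    pattern: str            # regular expression applied to each config line
    must_match: bool        # True: some line must match; False: no line may match
    hostname_filter: Optional[str] = None  # regex on hostname that scopes the check (assumed mechanism)


# Constructed checks in the spirit of a vendor "gold standard"; not a published benchmark.
CONFIG_CHECKS: List[ConfigCheck] = [
    ConfigCheck("ssh-v2-enabled", r"^ip ssh version 2$", True),
    ConfigCheck("http-server-disabled", r"^no ip http server$", True),
    ConfigCheck("no-default-snmp-community", r"^snmp-server community (public|private)\b", False),
    ConfigCheck("password-encryption", r"^service password-encryption$", True),
    ConfigCheck("core-only-logging", r"^logging host ", True, hostname_filter=r"^core-"),
]


def check_config(config_text: str, checks: List[ConfigCheck]) -> Dict[str, bool]:
    """Return {check name: passed}. Checks whose hostname filter does not match are skipped."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    hostname = next((ln.split(None, 1)[1] for ln in lines if ln.startswith("hostname ")), "")
    results: Dict[str, bool] = {}
    for chk in checks:
        if chk.hostname_filter and not re.search(chk.hostname_filter, hostname):
            continue  # check is scoped to other devices
        hits = [ln for ln in lines if re.search(chk.pattern, ln)]
        results[chk.name] = bool(hits) if chk.must_match else not hits
    return results


@dataclass
class AclRule:
    name: str
    src: str
    dst: str
    service: str
    action: str
    logging: bool = True


# Constructed sample rulebase.
SAMPLE_RULES: List[AclRule] = [
    AclRule("allow-web", "any", "10.1.1.0/24", "tcp/443", "allow"),
    AclRule("mgmt-any", "10.0.0.0/8", "any", "any", "allow", logging=False),
    AclRule("cleanup", "any", "any", "any", "deny"),
]

# Each least-privilege check is a predicate that returns True when the rule violates it.
RULE_CHECKS: Dict[str, Callable[[AclRule], bool]] = {
    "any-source-with-any-service": lambda r: r.src == "any" and r.service == "any",
    "any-destination": lambda r: r.dst == "any",
    "any-service": lambda r: r.service == "any",
    "logging-disabled": lambda r: not r.logging,
}


def rule_violations(rule: AclRule) -> List[str]:
    """Names of checks an allow rule fails; deny rules are never 'overly permissive'."""
    if rule.action != "allow":
        return []
    return [name for name, failed in RULE_CHECKS.items() if failed(rule)]


def audit_rulebase(rules: List[AclRule]) -> Dict[str, List[str]]:
    """Map each offending rule name to the list of checks it fails."""
    return {r.name: rule_violations(r) for r in rules if rule_violations(r)}


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG, CONFIG_CHECKS))
    print(audit_rulebase(SAMPLE_RULES))
```

The configuration checks are deliberately line-oriented so that an operator can add a new one by supplying a name and a regular expression; the rule checks are plain predicates, so a new policy is one extra dictionary entry. Note that `no-default-snmp-community` fails on the sample config because a `public` community string is present, which is the kind of finding this engine exists to surface.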

An access compliance policy consists of a description of the type of traffic that should or should not be allowed (whitelisting or blacklisting) between two or more zones.  This allows an abstract sentence such as (PCI v3 – 1.2.1) “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic” to be easily described within the compliance content.  The access compliance engine does the heavy lifting of determining all of the connection paths within the network (and the security devices along those paths) that need to be checked for compliance.  Compliance is then checked on an ongoing basis (typically daily).
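The zone-to-zone idea can be illustrated in code. The following is an added example, not Skybox's engine: it maps a firewall rulebase onto named zones and checks the resulting zone-level flows against a policy written as allow-lists and deny-lists, the way the PCI 1.2.1 sentence above would be expressed. Zones, subnets, rule names and the policy entries are all constructed; the example assumes a rulebase of explicit allow rules followed by a final deny, so no allow rule is shadowed by an earlier deny (a real path-analysis engine would also have to account for routing and for every device on the path).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed zone definitions; "INTERNET" is the catch-all.
ZONES: Dict[str, List[str]] = {
    "CDE": ["10.10.0.0/24"],        # cardholder data environment
    "CORP": ["10.20.0.0/16"],       # general corporate network
    "INTERNET": ["0.0.0.0/0"],
}
ZONE_NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONES.items()}


@dataclass
class FwRule:
    name: str
    src: str
    dst: str
    service: str
    action: str


@dataclass
class AccessPolicy:
    src_zone: str
    dst_zone: str
    mode: str              # "allow_only": only listed services may pass; "deny": nothing may pass
    services: List[str]


# Constructed first-match rulebase: explicit allows, then a cleanup deny.
RULEBASE: List[FwRule] = [
    FwRule("jump-hosts-to-cde-web", "10.20.5.0/24", "10.10.0.0/24", "tcp/443", "allow"),
    FwRule("corp-ssh-to-cde", "10.20.0.0/16", "10.10.0.0/24", "tcp/22", "allow"),
    FwRule("cde-dns-out", "10.10.0.0/24", "0.0.0.0/0", "udp/53", "allow"),
    FwRule("web-from-anywhere", "0.0.0.0/0", "10.10.0.0/24", "tcp/80", "allow"),
    FwRule("cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

# Constructed policy in the spirit of PCI 1.2.1: only necessary traffic in and out of the CDE.
POLICY: List[AccessPolicy] = [
    AccessPolicy("CORP", "CDE", "allow_only", ["tcp/443"]),
    AccessPolicy("INTERNET", "CDE", "deny", []),
    AccessPolicy("CDE", "INTERNET", "allow_only", ["tcp/443", "udp/53"]),
]


def zones_for(cidr: str) -> Set[str]:
    """Zones a rule endpoint touches: the most specific zone containing it,
    plus every zone the endpoint covers entirely (e.g. an 'any' endpoint covers all zones)."""
    net = ipaddress.ip_network(cidr)
    containing: List[Tuple[int, str]] = []
    touched: Set[str] = set()
    for zone, nets in ZONE_NETS.items():
        for zn in nets:
            if net.subnet_of(zn):
                containing.append((zn.prefixlen, zone))
            elif zn.subnet_of(net):
                touched.add(zone)
    if containing:
        touched.add(max(containing)[1])  # longest prefix wins
    return touched


def effective_flows(rulebase: List[FwRule]) -> List[Tuple[str, str, str, str]]:
    """(src_zone, dst_zone, service, rule name) for every zone pair an allow rule opens."""
    flows = []
    for r in rulebase:
        if r.action != "allow":
            continue
        for sz in sorted(zones_for(r.src)):
            for dz in sorted(zones_for(r.dst)):
                flows.append((sz, dz, r.service, r.name))
    return flows


def check_access_policy(policies: List[AccessPolicy], rulebase: List[FwRule]) -> List[Tuple[str, str, str]]:
    """Violations as (policy pair, offending rule, service)."""
    flows = effective_flows(rulebase)
    violations = []
    for p in policies:
        for sz, dz, svc, rname in flows:
            if (sz, dz) != (p.src_zone, p.dst_zone):
                continue
            if p.mode == "deny" or svc not in p.services:
                violations.append((f"{p.src_zone}->{p.dst_zone}", rname, svc))
    return violations


if __name__ == "__main__":
    for v in check_access_policy(POLICY, RULEBASE):
        print(v)
```

Two things in the output are worth noticing. The `web-from-anywhere` rule violates two policy entries at once, because a source of `0.0.0.0/0` touches every zone, so the engine reports it under both CORP->CDE and INTERNET->CDE. And `cde-dns-out` passes even though its destination is `any`, because udp/53 is on the outbound allow-list; the zone-level policy cares about which services cross the boundary, which is a separate question from the rule-level "overly permissive" check.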

Backing up these compliance engines are a host of additional features that allow an organization to take action on policy violations.

  • Exceptions allow an operator to manage the network to green by defining violations that have been approved and will no longer show up as violations.
  • Recertification supports the creation of a ticket / email that can be used to allow a rule owner to attest that the rule is still needed.
  • Overly permissive rules can be trimmed down using information from Skybox’s “trace data” feature that provides specifics on what IPs or services are associated with the traffic passed by a rule with large objects (such as “any”).

When choosing a product to help assure your network and devices are compliant with internal and external policies, choose an application that has the engines, flexibility, and content to get the job done right and completely.

To learn more about Skybox’s policy compliance solutions, watch this product demo or request a free 30-day trial and give it a spin!