November 8, 2017

Verification in Forward Enterprise: Become "Absolutely Sure" of Your Network Intent

by Charlie Elliott

[vc_row][vc_column][vc_column_text]In Part 1 of this blog, I discussed the power of network verification compared to traditional network testing. Verification is the mathematical and logical analysis of your current network configurations and state to detect and highlight violations of your policies and intent. Verification can take you from being "Pretty Sure" your network is configured correctly, to being "Absolutely Sure" your intent is represented in the network. This capability is delivered in Forward Enterprise, our full-featured platform designed for large enterprise and provider networks, including multi-site data centers, private clouds, corporate backbones and telco-class infrastructure.

It is important to note that Forward Enterprise is not a monitoring or performance management tool. In fact, it doesn’t look at live traffic. Forward Networks creates a software model based on a snapshot of the network, and can perform end-to-end analysis of the range of possible behaviors under all scenarios and conditions. It doesn’t test a packet going over the link, it will find the boundary conditions that you haven't thought to test for. That will allow you to head off problems before they occur. And help you avoid tedious weeks of box-by-box analysis and root cause research.

It all starts with collection and search...

Forward Enterprise builds a software model of your network after collecting all configuration and state information from each device. Much like Google crawls the Internet for new content and links between web sites, Forward crawls devices and organizes a snapshot of all network links and information. We even understand subtle behavior differences between specific networking or firewall vendors to ensure accurate analysis of traffic behavior in the live network. From the collection, Forward builds a complete inventory and topology diagram.

Forward Enterprise Topology diagram

Forward Networks creates a mathematical model of your entire network for the purposes of analysis, troubleshooting, validation, change detection, and predictive analysis.

Most of our customers find this initial inventory and topology display immensely useful because it can identify devices you may have forgotten about, or are obviously not performing any productive function. For example, a device may be physically connected in the network, but misconfigured to not support any real traffic flows. Since all possible routes into and from each device are analyzed and displayed, it becomes immediately apparent where links are up, down, or have no potential traffic flows. But it gets much better when you can create sophisticated queries into the network model.

From search to verification

Forward Search is one of the three key functional pillars of Forward Enterprise, along with Verify and Predict. But each of the three capabilities allow you to develop extremely interesting behavioral queries about the intent and performance of the network. A simple search query could be structured such as "show all the inbound internet traffic paths reaching a rack of servers, or a particularly virtual switch, that don't use destination port 443". This might show vulnerabilities on non-SSL ports that your network might be allowing through. If that's possible, it's easy to trace flows through each device in the path that are misconfigured and how to remediate. Virtually any network attribute, protocol or device state can be queried to quickly isolate inconsistencies or violations of your network intent.

When you define your network intent as a series of network policy requirements, each requirement becomes essentially a search query and a check is performed. Again, any deviations from the pre-defined network intent are quickly identified and isolated. Forward Enterprise comes with several pre-defined policy checks, as shown below, including checking for forwarding loops, IP address uniqueness, consistency across all links for VLANs, MTU, speed, duplex-type, etc.

Forward Enterprise Verify diagram

Forward Networks provide a range of pre-defined checks to validate within your network environment, such as No Forwarding Loops, Unique IP Addresses, VLAN properly configured on both sides of each link, etc. The current network configuration above fails on several counts which can be quickly identified.

Forward also allows you to define your own policy requirements for your own network intent very easily. User-defined checks provide the ultimate flexibility to incorporate specifics of your network design and application requirements. In the example scenario below, we see the failure of the user-defined check for only SSL traffic being allowed to reach a set of web servers.

Forward Enterprise Verify after

Similarly, Forward Networks allows users to easily build their own policy-checks to meet their requirements with a flexible syntax. A check above fails for passing traffic on an open port on a web server besides port 443.

Whenever one of your intents fail, it’s not only easy to quickly drill down to the explicit scenario that violated the policy, but to analyze the individual device(s) that are misconfigured and to see the specific device configurations and states that generated the policy violations. As you make network changes and update potential errors, you can also immediately see on the dashboard if any new violations have been introduced and what overall impact any changes will have.

Forward Enterprise research diagram

From the failure above, we can quickly identify the offending traffic path violating our policy, view the configuration on the suspect device, and see the ACL rules that expose additional ports besides 443 on this device.

Forward Networks has introduced a powerful new weapon to be able to mathematically model and analyze the network in aggregate. Against live scenarios, as well as ones that are coming in the future. The ones you don’t know about. The ones you didn’t plan for. The ones you couldn’t test. That's the power of network verification. And understanding your network intent today is the first step towards intent-based networking.

Forward Enterprise can help reveal your network intent today, on any existing network, and to identify where configuration errors could be causing your problems now or in the future. It's non-intrusive, installs in minutes, and doesn't disrupt current operations. For a live demo and to see how it could model and analyze your network environment, sign up here.[/vc_column_text][vc_column_text border_color="accent" border_style="solid" css=".vc_custom_1510100564908{padding-top: 20px !important;padding-right: 20px !important;padding-bottom: 20px !important;padding-left: 20px !important;}"]

Learn the modern way that companies stay off the front page

Experience a demo of the Forward Platform

[contact-form-7 id="55294" title="Forward Enterprise - Request a Demo"][/vc_column_text][/vc_column][/vc_row]

Subscribe to our blog!

February 6, 2023
Visit Stand E08 at Cisco Live EMEA

Let the Games Begin! Cisco Live Amsterdam has officially started, and we’re delighted to be here meeting with the best and brightest of the European networking community. Stop by to say hello, and play Forward Quest to learn how easy it is to put your people back in charge of the network and register to […]

Read More
January 25, 2023
MSD Partners Leads Forward Networks $50M Series D Funding

Following 139% year-over-year growth, Forward Networks closed $50M in series D funding. The round was led by MSD Partners with support from new investors, Section 32, and Omega Venture Partners. Demonstrating ongoing support, existing investors Goldman Sachs Asset Management (Goldman Sachs), Threshold Ventures, A. Capital, and Andreessen Horowitz participated in the round. Since its last […]

Read More
January 18, 2023
Forward Networks to Host Cloud Field Day 16

I don’t know which is more exciting: the fact that there’s no rain forecast for the next two weeks or that we’re hosting Cloud Field Day 16 at the Forward Networks headquarters in Santa Clara, CA. It’s a nice dose of synchronicity that we get a break in the rain to dry out and clean […]

Read More
crossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram