April 26, 2018

Automate Policy Verification to Accelerate NetOps and Change Windows

by Fabrizio Maccioni

In agile network operations, network configurations need to be updated to reflect new application or policy requirements, or to implement a change in network behavior. As business and application requirements change, we have to translate new policies into specific network configuration changes in one or more devices.

In Figure 1, we describe the workflow of rolling out a network update. From the current operational state of the network, we have to respond to a new intent or policy requirement with proposed configuration changes. The development of the change candidate by network engineers is reviewed by various teams and architects, including security. These design reviews can be tedious and manual, and may highlight additional changes or corrections to minimize the impact on existing infrastructure.

Once the candidate change has been approved, it moves into the network lab for testing. But this step can usually only provide cursory testing because the lab network is not running at the scale of the production network, nor can the proposed change be evaluated under all scenarios and conditions that will actually arise over time. In order to improve network agility, testing has to be short and efficient, but this also increases risk and potential for issues post-deployment. After the proposed update has completed the test scenarios, it is pushed to a configuration repository and scheduled for deployment.

Accelerating Change Windows and NetOps with Forward Networks

How can we accelerate the above workflow to increase network agility and reliability, and better align network teams with DevOps processes? Forward Networks has developed the industry-leading solution for analyzing network behavior and verifying configurations in a software model of the network. This allows for rapid evaluation and verification of proposed changes outside the live network, and can automate many of the lengthy review and testing processes.

Automating the Verification Process

Network verification provides assurance that proposed changes accurately implement all of the defined network policies. Rather than looking at live traffic and reporting on current activity, verification proactively analyzes the network configuration files to build a behaviorally accurate software model, and then identifies scenarios under which the current implementation could fail to meet policy objectives. In Figure 2, we see how various features of the Forward Enterprise solution, our flagship product, can automate and improve our earlier workflow.

For example, the initial change of policy or intent can be defined in Forward Enterprise as a policy rule or check. That policy rule would be verified against future network implementations and any configurations that would violate that rule would be immediately flagged (as in Figure 4). The new intent rule would be added to the overall rule repository and verified along with all other rules as part of the pre- and post-change verification.

Network Analysis with Forward Search and API queries

Forward Enterprise is a large database of network configurations, state and behavior information from a series of individual snapshots in time. The software model of networking behavior simulates traffic behavior accurately and predicts which vulnerabilities or scenarios will cause policy violations. Like any database, the Forward Platform can be queried, with the behavior and policy results being displayed in an intuitive and interactive network map (see “API access” block in Figure 2 and Figure 3 below).

Similarly, candidate changes can be quickly peer reviewed automatically in Forward Enterprise (see “Acceptance Test” block in Figure 2). After an initial policy query, it becomes clear how network traffic paths will be affected by the new change (as shown in Figure 3). With the automated and more detailed review available from Forward Networks, networking teams can proceed towards deployment with greater confidence and less manually-intensive test scenarios.

Summary

In recent years, there has been a great deal of focus on network automation in order to increase IT agility and to better align network operations (NetOps) with accelerated DevOps processes. That focus has been mainly on accelerating network deployments and automating virtual network configurations to support new application requirements.

Forward Networks has now delivered a new platform that focuses on the automation of network design verification, network analysis and change processes. Network verification, a new methodology to analyze network designs and configuration changes, can both provide greater confidence by reducing network risk and preventing outages, as well as accelerating once-manual design, review and testing processes that slowed network agility and resulted in lengthy change windows.

Subscribe to our blog!

RELATED FORWARD CONTENT 
September 13, 2023
A Financial Services Company Saved “7 Figures” By Improving Network Inventory Management

Everyone knows inventory management is important – but so are the 100+ other things we need to do, and let’s face it, the inventory is not on fire. Given the benefits one customer experienced, maybe it should be.   On September 14, at 2:00pm Eastern time, we’re hosting a webinar, featuring special guests, Michael Wynston, Director of Network Architecture and […]

Read More
September 7, 2023
What’s worse than a toothache?

For me, I’d have to say it’s sitting through a high-pressure demo with a sales guy who needs to close business. Given the choice, I’ll take the dentist office visit anytime, at least they give you meds! We realize that sales demos aren’t always pleasant. And while we strive to create a comfortable environment for […]

Read More
August 23, 2023
How do you Monitor and Manage a Network Without Borders?

There are only two options for managing a global multi-cloud network: either by using a combination of inference, hope, and intuition or with mathematical certainty. When conducting 5 million financial transactions daily, it’s essential to operate with certainty, regardless of your network’s size or geographical distribution. Auditors don’t accept inferences; they demand certainty when determining […]

Read More
crossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram