Last June, Forward Networks announced several enhancements to the platform designed to help SecOps teams prove compliance, automate CVE (common vulnerabilities and exposures) responses, and remediate threats quickly.

Today, we’re happy to share that we’ve continued to build out our security use cases by adding new functionality to our Security Posture matrix (previously known as the zone-to-zone security matrix) and delivering Layer 7 application connectivity analysis. The enhancements will help security teams quickly verify compliance with mathematical certainty, or instantly identify unwanted connectivity or isolation at L2, L4, and L7.

New options for defining security zones

In its initial release, the Security Posture matrix feature used firewall rules to determine whether zones had full, partial, or zero connectivity (and whether the isolation was intentional or due to misconfiguration). We used this methodology in our first release because it is commonly relied on and understood by enterprise IT shops. However, with our expansion into the cloud and our continued focus on providing value to customers with minimal change to their routines, we’ve added new ways to define zones using the L2 through L4 segmentation they’ve already employed in their network, e.g., VRFs, on-premises and cloud subnets, and cloud security groups. This enhancement gives engineering teams the flexibility to view the matrix in the same way they’ve segmented their network.

In the Security Posture matrix, admins can immediately see which zones have full connectivity, partial connectivity, or zero connectivity (full isolation). Unlike traditional security tools, Forward Enterprise analyzes L2 through L4 traffic patterns, which makes it simple for administrators to determine whether isolation is due to security policies or access is being dropped by a misconfigured router, giving a full picture of what is happening, and why, in a single pane of glass.

Layer 7 Security Analysis

As security becomes more advanced, vendors such as Palo Alto Networks and Silver Peak have added the ability to regulate connectivity at L7 using attributes such as user IDs, user group IDs, and application IDs. This gives administrators more flexibility and granular control for protecting the network. To ensure that this flexibility comes with insight, Forward Enterprise has added path search capabilities at L7. Now, using the same procedure as L2 and L4 path tracing, administrators can construct more intelligent queries that detail connectivity and security posture at the application and user ID level.

By providing connectivity traceability at L7, we are enriching the troubleshooting capabilities for administrators, so they spend less time trying to define the problem and more time on proactive strategic initiatives. Within seconds, a path trace can determine if a connectivity issue is caused by application configuration or device configuration, putting the administrator that much closer to solving the issue.

As always, we are committed to making hard things easy for operations engineers. We are excited to offer these new capabilities within the platform and will continue to find new ways to glean insight into network behavior and present them in a normalized (vendor agnostic), intuitive, and actionable manner.

As one large, global financial institution prepared for employees to return to the office, its IT team identified a significant issue with the company's more than 8,000 access switches. The switches in question were used to provide connectivity to IP phones – a crucial part of people's work across virtually all areas of the company.

In many cases, the 8,000 phones in question had essentially been unused for almost two years, as the pandemic forced people to work from home using alternate communication devices. As some users returned to the office, they found the IP phones were not functioning. The bank's IT team discovered that the recently upgraded access switches had a configuration that rendered the phones inoperable due to a software defect.

Identifying the misconfigured switches was a laborious process that required engineers to manually examine the configurations of all 8,000 switches. The problem was exacerbated by the fact that the configuration wasn't consistent across the fleet of switches. This increased the complexity of identifying which devices needed to be rolled back.

At that point, the IT team turned to Forward Networks to determine whether its Network Query Engine (NQE) could simplify the process of identifying misconfigured switches and shorten the time for rolling back the configuration. NQE enables users to easily build verification checks – like those needed by the bank – that work across the entire fleet of devices in a network.

The IT team provided a list of requirements needed to identify misconfigured switches – checking for certain characteristics, ignoring others. Additionally, the IT team wanted a report of the findings so the third party could be tasked with repairing those switches.

By utilizing NQE, the bank's IT team was able to identify all of the switches that needed to be rolled back (6,000 of 8,000) in less than a day. Instead of manually trying to identify devices that were misconfigured, the financial institution's IT team simply created the criteria for doing so, and the Forward Networks platform did all of the work — at a fraction of the cost and in a fraction of the time. After the configuration was rolled back, the bank’s IT team was also able to use Forward Networks NQE to validate that the rolled-back configuration was correct.
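The fleet-wide verification check described in this case study, as an added example in Python rather than NQE's own query language; the device configs and the "affected version plus voice VLAN" criterion are constructed and hypothetical, since the post does not disclose the actual misconfiguration. The same predicate is rerun after the rollback to validate it.

```python
import re

# Constructed running-config excerpts for a small fleet (hypothetical devices,
# not the bank's). The defect criterion is equally hypothetical: a switch is
# "misconfigured" only if it runs an affected version AND has a voice VLAN on
# any port; descriptions, port names and VLAN ids are deliberately ignored.
CONFIGS = {
    "sw-a": "version 16.12.4\nhostname sw-a\n!\ninterface Gi1/0/1\n description phone\n switchport voice vlan 200\n!\n",
    "sw-b": "version 16.12.4\nhostname sw-b\n!\ninterface Gi1/0/1\n switchport access vlan 10\n!\n",
    "sw-c": "version 17.3.2\nhostname sw-c\n!\ninterface Gi1/0/5\n switchport voice vlan 200\n!\n",
    "sw-d": "version 16.12.4\nhostname sw-d\n!\ninterface Gi1/0/2\n description printer\n!\ninterface Gi1/0/3\n switchport voice vlan 201\n!\n",
}
AFFECTED_VERSIONS = {"16.12.4"}   # hypothetical versions carrying the defect

def parse_config(text):
    """Return (software version, list of interface blocks) from an IOS-style config."""
    m = re.search(r"^version (\S+)$", text, re.M)
    version = m.group(1) if m else None
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "lines": []}
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current["lines"].append(line.strip())
        else:
            current = None          # "!" or a global line ends the interface block
    return version, blocks

def is_misconfigured(text):
    """The verification check, written as a predicate over one device's config."""
    version, blocks = parse_config(text)
    if version not in AFFECTED_VERSIONS:
        return False
    return any(l.startswith("switchport voice vlan ") for b in blocks for l in b["lines"])

def find_misconfigured(configs):
    """Hostnames that need a rollback; rerun after the rollback to validate it."""
    return sorted(h for h, cfg in configs.items() if is_misconfigured(cfg))

def report(configs):
    """Report lines a third party can act on, plus a fleet-level summary."""
    flagged = find_misconfigured(configs)
    return [f"{h}: rollback required" for h in flagged] + [f"{len(flagged)} of {len(configs)} switches flagged"]

if __name__ == "__main__":
    print("\n".join(report(CONFIGS)))
```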

Without NQE, it would have taken an average of about five minutes per switch to check for the misconfiguration. Manually checking 8,000 devices at five minutes per switch would have taken the bank's IT team at least 667 hours. Assuming a rate of $150 per hour, the bank would have spent more than $100,000 to complete the project manually. By utilizing Forward Networks and NQE to identify the misconfigured switches, the bank was able to lower the cost of the project significantly and save time.

To learn more about how you can use Forward Networks and NQE to automate labor-intensive, costly processes, schedule a demo today. Be sure to read our other blogs in this series about how Forward Networks is impacting enterprise networks around the world, including From Days To Minutes: Digital Media Provider Uses Forward Networks To Overhaul Reconciliation and Confidence In Action: Investment Bank Uses Forward Networks To Verify Automation Software.

If you’re like most of the complex IT shops we talk with, you probably don’t even have a current security matrix stored anywhere, whether in a file cabinet or a data folder. The connectivity matrix is essentially the company’s security posture, but almost no one has a comprehensive way to visualize and easily understand the connectivity status between the various configured security policies (zone-to-zone policies). This puts them at serious risk, because you can’t fix what you don’t know is broken.

The lack of precise insight into which firewall zones should or shouldn’t have connectivity with other zones undermines basic network security. And zero trust? Good luck implementing and enforcing that stringent security approach. Without visibility into interzone connectivity, it’s a near-impossible feat — especially because networks are always growing and changing.

Your network teams and security engineers can now use the Forward Enterprise platform to access a graphical representation of security zone connectivity. They get a current view of the complex zone-to-zone interactions occurring in your network, presented in one easy-to-understand visualization. Color-coded status indicators represent the flow outcomes, so it takes only a glance to see which zones have full, partial, or zero connectivity and to confirm compliance.

How simple is that? Now, your teams can have a single source of truth for interzone connectivity and policy compliance that’s always up to date and always super clear. Check out our use case to learn more about how our easy-to-use, zone-to-zone connectivity matrix feature in the Forward Enterprise platform can help you confirm that your interzone connectivity posture is sound and that you’re ready to start building a zero trust environment.
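The zone-to-zone classification that both the Security Posture matrix section earlier and this connectivity matrix describe, as an added Python example (not Forward Networks' code): every ordered zone pair is rated full, partial, or zero, and zero or partial reachability is attributed either to the firewall policy or to a missing route, the "policy versus misconfiguration" distinction the post makes. The zones, routes, services and rules are a constructed sample.

```python
import ipaddress

# Constructed sample (not from the post): zones as subnets, a core routing
# table, and a first-match firewall policy between zones.
ZONES = {
    "users":  ["10.1.0.0/24"],
    "dmz":    ["192.0.2.0/24"],
    "db":     ["10.9.0.0/24", "10.9.1.0/24"],   # second subnet has no route
    "branch": ["172.16.0.0/24"],                # no route at all
}
SERVICES = {"web": 443, "ssh": 22, "sql": 5432}
RULES = [  # first match wins; "any" matches every service; implicit deny at the end
    {"src": "users", "dst": "dmz",    "service": "any", "action": "allow"},
    {"src": "users", "dst": "db",     "service": "sql", "action": "allow"},
    {"src": "users", "dst": "db",     "service": "any", "action": "deny"},
    {"src": "dmz",   "dst": "db",     "service": "any", "action": "allow"},
    {"src": "users", "dst": "branch", "service": "any", "action": "allow"},
]
ROUTES = [ipaddress.ip_network(p) for p in ("10.1.0.0/24", "192.0.2.0/24", "10.9.0.0/24")]

def firewall_allows(src, dst, service):
    for r in RULES:
        if (r["src"], r["dst"]) == (src, dst) and r["service"] in ("any", service):
            return r["action"] == "allow"
    return False                                 # implicit deny

def routed_subnets(zone):
    """Subnets of a zone that the core actually has a route for."""
    return [s for s in ZONES[zone]
            if any(ipaddress.ip_network(s).subnet_of(r) for r in ROUTES)]

def posture(src, dst):
    """Classify one zone pair as (status, reason), status in full/partial/zero."""
    routed = routed_subnets(dst)
    if not routed:
        return ("zero", "no route")              # isolation caused by routing, not policy
    allowed = {svc for svc in SERVICES if firewall_allows(src, dst, svc)}
    if not allowed:
        return ("zero", "policy")                # every service denied by the firewall
    if allowed == set(SERVICES) and len(routed) == len(ZONES[dst]):
        return ("full", "policy")
    return ("partial", "policy" if allowed != set(SERVICES) else "missing route")

def matrix():
    """Security posture matrix: one entry per ordered pair of distinct zones."""
    return {(s, d): posture(s, d) for s in ZONES for d in ZONES if s != d}

if __name__ == "__main__":
    for (s, d), (status, reason) in sorted(matrix().items()):
        print(f"{s:>6} -> {d:<6} {status:<8} ({reason})")
```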
