
We are asked to purchase something 4,000 times every day; that’s roughly once every 13 seconds during our waking hours. These “requests to purchase” often come in the form of marketing messages that test the bounds of credibility. In the software industry, most of us have trained ourselves to question vendor promises vociferously. And vendors have earned this skepticism through years of launching “slideware” or incomplete products that turned customers into unwitting beta testers.

Technology decision makers are rightfully skeptical. They want proof that a solution will perform as promised and that it will work in their environment. Furthermore, they need to be comfortable that the solution can be deployed without introducing security risks or performance issues. As a company pioneering a new category (network digital twins), we get that.

Our co-founder, Brandon Heller, loves it when people don’t just take our word for it about the Forward Enterprise platform capabilities. He also absolutely loves talking with people who don’t believe we can do things like:

Brandon will walk through our platform, show how enterprises are using Forward Enterprise to solve very complex problems, and demonstrate the platform live. Bring your skepticism and your questions and put him to the test.

Brandon says that for him to trust applications, he needs to get his hands on the keyboard. Everyone who registers will receive a free two-week trial of Forward Cloud through AWS Marketplace, so you can put your hands on the keyboard and experience the platform for yourself.

When: 11:00 a.m. Pacific/2:00 p.m. Eastern, September 28, 2022


Where: BrightTALK




One lucky attendee will win a new Series 8 Apple Watch (must be present during the live session to win).

If you’re too excited to wait for the session, we got you - get a personalized demo from one of our field technicians where you can ask questions and focus on the use cases that are most important to your company (Security Verification, Cloud Modeling, Network Assurance).

When your organization is inevitably hit by a cyberattack, you want your security operations engineers to move lightning fast to identify the scope, duration, and impact of the attack, contain the disruption and prevent any costly or lasting damage. To do that, they need access to actionable information about everything that’s in your network — where devices are located, how they interact, and all the relevant details about their configuration and state.

Insight for Security Engineers

Security teams need this insight so they can isolate devices and cut off all possible pathways that attackers might travel to reach your critical assets. But do your teams have that insight at their fingertips? Or is it trapped in spreadsheets, bogged down by other time-consuming, manual processes, or simply, impossible to get to? If it’s the latter, you’re allowing attackers to have the upper hand.

Now, imagine if your security operations pros had an “easy button” they could hit whenever attackers strike, which would allow them to contain and remediate cyber threats ultra-fast? Even better, what if they could use that easy button to help ensure hosts aren’t vulnerable to attack in the first place?

No need to wonder, “What if?” This easy button exists. It’s the blast radius identification and isolation feature we recently added to the Forward Enterprise platform.

Blast Radius Identification in a Single Click

The blast radius feature uses data about your network that our platform already collects. Blast radius enables security teams — with a single mouse click — to identify the full reach of a compromised host and then isolate exposed devices swiftly.

Many of our customers had told us their security teams could benefit from having access to the same searchable, actionable information about their network topology and behavior that their network engineers use every day. That feedback inspired us to develop and deliver this brand-new feature to help security teams be even more effective in their work to protect the enterprise — especially during a crisis.

Want to learn more about the blast radius identification and isolation feature in Forward Enterprise? Check out this use case to see how easy this “easy button” truly is.

I recently published a piece in Dark Reading covering the network security challenges of M&A activity. As we ease the restrictions put in place to combat COVID-19, we’re expecting to see business activity, including M&A, pick up speed. It’s important that the implications of integrating networks are fully understood to ensure that the expected business benefits are achieved as soon as possible.

Economists from JPMorgan Chase, Goldman Sachs, Morgan Stanley, and more are predicting that the U.S. is about to enter an economic boom, with estimates ranging from 4.5% to 8% expected economic growth. With the economy recovering, Deloitte found that many companies and enterprises expect their M&A activity to return to pre–COVID-19 levels within the next 12 months – and are starting to eagerly eye the market. But today’s M&A’s are more complicated than ever, with the involved organizations needing to account for vital cybersecurity, privacy, and data management practices during this process. 

In fact, recent analyst research uncovered that the biggest hurdle to effectively managing the integration phase of a deal in today’s environment is technology integration. 20% of businesses noted effective integration was the most important factor in achieving a successful M&A – and 28% identified execution/integration gaps as the primary reason their M&A transactions didn’t generate expected value. As I mentioned in the Dark Reading article, a company being acquired is also a target for bad actors, as they look for openings and vulnerabilities in smaller companies that can later give them access to the larger enterprise’s network – Deloitte found that the top concern in executing M&A deals for U.S. executives and private-equity investor firms is cybersecurity (51%).

With technology integration being one of the most important and most difficult factors for a successful M&A – how can companies set themselves up for success?  

The secret is to have a full understanding of the IT infrastructure. Unless you know how everything is connected to everything else, you really can’t make any good architecture decisions to change things. And the starting point is always the network. But this is a herculean challenge in and of itself. Every network is uniquely crafted by the company’s distinct needs and the personal approaches of the network engineers involved. Each network with its specific devices, firewalls, and configurations is going to operate and function differently – nothing can be assumed.

To drastically accelerate and de-risk M&A integration, IT needs to have a detailed understanding of all of the network topology and behavior. But this is very hard to discover. Most network maps and inventories are incomplete or very out of date, as manual processes for these issues are near impossible. Trying to write down a device list, map out the data paths, note all the configurations, figure out the operational processes, and enforce the network-wide security postures would take a full network team months or years depending on the complexity. For businesses that find themselves in this predicament, it is vital that they invest in solutions that can analyze their digital infrastructure to discover existing assets and to map the network.

Depending on the particular pain points, network analysis solutions range from network monitoring and visualization, to intent-based capabilities like network verification and prediction. Network and application dependency mapping tools can inform teams how the various applications and devices act with and rely on one another. Even something as simple as a help desk ticketing system can provide useful data for these ends. 

With a live network map, the companies can then evaluate the infrastructure for cybersecurity compliance and for future integration. Tools like port scanning, network configuration checks, and path verification allow IT to see if the network is operating consistently and is compliant with company policies. IT will especially want to focus on solutions that root out existing liabilities, such as vulnerability assessments, penetration testing, and compliance assessments. For instance, a network digital twin allows enterprises to overlay security policies on other networks – allowing for identification of network compliance issues, flagging outdated configurations, locating forgotten equipment, proactively unveiling security violations, and alerting operators of unpatched vulnerabilities. 

It’s ideal if the chosen solutions can also normalize the network data (present the data in a vendor-agnostic manner), making it much easier for IT to quickly read and understand the various infrastructure devices and configurations. This is particularly helpful for network operations staff addressing help desk tickets, who are dealing with tickets and issues across both networks at the same time after the merger. With a normalized dataset, IT can then efficiently merge both companies’ data together to jointly analyze the infrastructure, allowing for a much faster, simpler and more comprehensive examination of the networks. This is impossible to do without a comprehensive view of existing data, so many enterprises look to data management tools and platforms to help locate and consolidate their critical data.

Connecting and integrating the network infrastructure is the moment of truth for the M&A – businesses need to ensure that everything will continue to operate properly before internal operations can actually be merged. Having a normalized and accurate network map gives the IT team a view of the scope of the two companies’ networks, allowing for the identification of conflict areas that need to be worked out before merging networks together to ensure that there is no risk to production and client services. With the right software, the process can be automated, so it’s faster and more accurate, and intent checks can also make sure that traffic is doing what it should or pinpoint the problem for immediate resolution.

Using this information, IT can identify critical network and application paths that need to be preserved in isolation and potential points where the two companies’ infrastructures can be connected. This has several key security and financial purposes. It allows for a check of whether the network architectures are compliant with one another, and it also lets the companies see where there is excess infrastructure that can be removed. Network path verification tools can also allow IT to preemptively see any potential integration holes by visualizing what the new data paths will be, so the team can address any gaps ahead of time with stop-gap solutions.

When encountering different regulatory hurdles, it’s usually best to make the higher bar the standard across both organizations – simplifying the security and compliance policies. Services like next-generation endpoint protection, next-generation firewalls, and other solutions that protect data and applications from attack are important for securing the IT environment after a merger.

The risk involved in merging the digital infrastructures of major enterprises is simple to summarize: if you don’t know what it is and how it works, you can’t ensure it will continue to work if changes are made – like integrating it with another network. Even worse, it can aggravate the already existing security flaws or holes that are wrapped into your security paradigm. By integrating new devices and data paths to parts already able to be compromised, IT is increasing vulnerability and risk.

In today’s world of digital transformation, it’s more important than ever that enterprises engaging in M&As both empower and protect themselves by properly approaching network integration and adopting services where needed to support network analysis.

SANTA CLARA, Calif., June 17, 2021 /PRNewswire/ -- Forward Networks, the industry leader in network assurance and intent-based verification, announced today that its Forward Enterprise solution has been named a Gold Globee® Winner for the Network Management category in the 16th Annual 2021 IT World Awards®. This award is part of The Globee® Awards' premier business awards programs and ranking lists, which recognize information technology and cybersecurity vendors with advanced, ground-breaking products, solutions, and services that are helping raise the bar for others in all areas of technology and cybersecurity.

Forward Networks' Forward Enterprise won the Gold Globee® for Network Management solutions

Forward Enterprise helps network operations engineers be more efficient and effective while avoiding outages through its unique mathematical model. The platform creates a digital twin of the network (across on-premises devices, private and public cloud) enabling network operators to map all possible traffic paths, instantly troubleshoot, verify intent, predict network behavior and reduce MTTR (mean time to resolution). The platform helps large IT organizations make their networks more predictable, agile, and secure by providing a single source of truth for all teams. Companies using Forward Enterprise report significant time savings, cost reduction and improved ability to deploy new applications.

"We are honored that the Forward Enterprise platform is a Golden Globee recipient for Network Management solutions in the 2021 IT World Awards," said Chiara Regale, VP of product at Forward Networks. "Our purpose is to reduce the burden network operations engineers face on a daily basis by providing detailed analysis and verification of device state and configuration, visualization of all possible traffic paths and the ability to predict how changes will impact the network before they are made. Being recognized by the Globee Awards is validation that we are delivering on that promise."

More than 65 judges from around the world representing a wide spectrum of industry experts participated in the judging process. The IT World Awards are open to all Information Technology and Cyber Security organizations from all over the world and their end-users of products and services.

"The information technology industry continues to show its resilience," said San Madan, co-President of Globee Awards. "The tech sector is robust and innovative. And the pandemic has changed the way people live, work, shop, and socialize thereby accelerating demand for newer technologies and innovations everywhere."

For more information on Forward Networks and its solutions, visit www.ForwardNetworks.com.

See the complete list of 2021 winners here: https://globeeawards.com/it-world-awards/winners/.

About the Globee Awards 

Globee Awards are conferred in eleven programs and competitions: the CEO World Awards®, the Consumer World Awards®, The Customer Sales & Service World Awards®, the Globee® International Best in Business Awards, the Golden Bridge Awards®, the Cyber Security Global Excellence Awards® and Security World Awards, the IT World Awards®, One Planet® American Best in Business Awards, the Globee® Employer Excellence Awards®, the Globee® Corporate Communications & Marketing World Awards, and the Women World Awards®. Honoring organizations of all types and sizes and the people behind their success, the Globee Awards recognize outstanding achievements and performances in businesses worldwide. Learn more about the Globee Awards at https://globeeawards.com.

Last month we introduced our Network Query Engine (NQE) at Cisco Live Europe and to a very impressive technical audience as part of Tech Field Day 2019. If you didn’t have the chance to read through our introduction blog, NQE leverages the internal network data model that Forward Networks builds and manages to allow users to query their network infrastructure details like a database. These queries can be quickly built to confirm network health, proper configurations, effects of a change, device or interface status, etc. A few representative queries that customers have described to us and that are now possible include:

By viewing all network details as a data source, users are able to query on issues globally across their entire network, looking for any anomalies, in one quick sweep. This has rarely been possible before without an enormous amount of usually custom effort. The alternative is to check for conditions at each device, one at a time, across a large network. Scripts that automate these kinds of custom checks across network devices are very tedious to develop and maintain, especially across different vendors and device types. Forward Networks now makes it easy to build queries in only a few minutes, based on the normalized, vendor-neutral data model in our platform, with a very flexible new query language, GraphQL.

GraphQL was developed by Facebook and turned into an open source project in 2015. It offers enormous flexibility in defining what information is returned, independent of the data model, making it much more efficient for almost every use case than typical interface APIs. GraphQL query statements are natural to embed in programming or scripting languages, like Python, to further compare or analyze the extracted data, or format the results.

Now See the Demos

But, the best way to get a handle on how NQE works is to see a quick video we built that explains how it can be used inside our Forward Enterprise platform, how a sample query is built and how the information can be leveraged. Check out the short demo below:

A lengthier and more technically advanced use case was presented as part of Tech Field Day. Our lead NQE engineer, Andreas Voellmy, shows how we can compare BGP routes in downstream and upstream routers to confirm they were all exported correctly as advertised. This situation actually caused a severe outage at one of our service provider customers, so they wanted to be able to continually check for this scenario. To be able to programmatically verify this across an entire SP network, with many vendors, on a daily basis is a huge time saver and eliminates future errors for them now. Check out Andreas’ demo that replicates their use case here:

The feedback we’ve gotten since we introduced NQE has been universally positive, and not only from the Tech Field Day audience, like this comment from Bob Laliberte, Sr Analyst at ESG:

“For years organizations have been trying to extract value from the data available to them in large complex network environments. Unfortunately, manual efforts and inefficient collection and normalization procedures have held them back. Fortunately, Forward Networks has unlocked the ability to quickly, easily and programmatically convert network data into knowledge and actionable information leveraging its Network Query Engine feature.” - Bob Laliberte, ESG

Network IT engineers realize that NQE gives them a really accelerated approach to automate almost any of their network analysis and health status checks. Our platform provides many useful ways to analyze the network end-to-end, but NQE allows customers to query the collected and normalized data in thousands of ways and use cases that we didn’t design for.

A few final quick points to know:

Want to learn more or get a live demo? We’ll show you how NQE can help accelerate your networking tasks and processes in minutes.

On October 31, 2018, Cisco released a security advisory for its ASA and Firepower threat defense software regarding a Denial of Service (DoS) vulnerability. The full security advisory can be found here. The summary (below) notes that the Session Initiation Protocol (SIP) inspection engine could allow a remote attacker to trigger high CPU usage resulting in a DoS condition.

A bug with no fix?

Even more unsettling, the advisory notes that there is no software update available for this vulnerability, nor are mitigation options available. That’s basically technical jargon for, “if you have Cisco firewalls, you could be screwed, and we can’t help you”.

Are you impacted? Are you particularly vulnerable to external traffic from potential attackers? How extensive is your vulnerability? How can you quickly identify all the affected devices and prioritize remediation based on where traffic could be coming from? How quickly can you test a possible fix and verify that it will work?

In this blog post, we’ll show a new way to answer all these questions and identify all points of vulnerability in only minutes. We’ll employ Forward Enterprise, an intent-based verification platform that can quickly identify all paths through your enterprise network that conform to certain high-level criteria. It can also verify whether proposed changes affect desired policies or address known issues (like outside traffic reaching Cisco firewalls using the SIP protocol).

Where can the traffic go?

Let’s take a look at how you can check a network in Forward Enterprise. First, you might want to quickly query your network design to see which sections of the network are affected by Cisco ASA traffic. In our system, and as shown below, we would build a modular query that asks where any traffic using SIP protocol enters an ASA device:

The results of this query show the portion of the network where traffic can flow through a pair of Cisco ASA appliances, along with all edge destinations that can be reached. The unaffected portion of the network is shown in lighter gray. From this result, we know that the immediate problem is restricted to one data center only, and such traffic can’t reach the MPLS backbone or other sites. Reasonably good news at first glance.

Unfortunately, this portion of the network is behind an internet gateway. Our next issue is to determine if external traffic can reach our suspect devices and if so, how to design a fix. A slightly more specific query will ask if traffic from the internet gateway can reach any of our ASA appliances. Notice that we have essentially changed “from anywhere” in our query to “from atl-internet”, which is the name of our gateway.

The result now shows that, indeed, external traffic can reach one of the two ASA edge firewalls, and also reveals that external SIP protocol traffic will be dropped at that point. We know this because no paths are shown southbound from this device, and the dashboard shows that all paths result in drops. But knowing that all SIP traffic is dropped at the ASA device does not necessarily solve our problem. This is a DoS attack, which could take down the device and keep legitimate traffic from reaching destination servers.

Determining a fix...

Fortunately, we see an excellent solution from our Forward Enterprise analysis. We can reconfigure the atl-isp-edge01 router to block SIP traffic, since that is the only viable route to our vulnerable device. The firewall edge-fw02 is a back-up, currently unaffected by external traffic. Dropping SIP traffic at edge01 would be a priority to circumvent the DoS attack immediately, but the back-up firewall should be addressed as well for when it comes online.

But, it gets better still. We could actually evaluate a potential configuration change in our system and verify that: 1) it prevents SIP traffic reaching the ASA appliances, and 2) no other policies would be violated as a result of this quick change. In fact, we can even ensure that if any future change breaks this policy, we’ll be notified immediately.
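The two-part check described above (the change blocks SIP, and nothing else breaks) can be sketched with a toy first-match ACL evaluator. This is an added example, not Forward Enterprise code or output: the ACL contents, the intent checks and the three candidate changes are constructed, and only the device name atl-isp-edge01 comes from the text.

```python
"""Toy change verification for an edge ACL (constructed data, not a real config)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any destination port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in (None, proto) and self.port in (None, port)


def evaluate(acl: List[Rule], proto: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied."""
    for rule in acl:
        if rule.matches(proto, port):
            return rule.action
    return "deny"


# Assumed inbound ACL on atl-isp-edge01 today (constructed for the example).
CURRENT_ACL = [
    Rule("permit", "tcp", 443),
    Rule("permit", "udp", 53),
    Rule("permit", "udp"),         # broad rule that also admits SIP over UDP
    Rule("permit", "tcp", 5060),
    Rule("permit", "tcp", 5061),
]

# SIP signalling uses 5060 (UDP and TCP) and 5061 (SIP over TLS).
SIP_DENIES = [
    Rule("deny", "udp", 5060),
    Rule("deny", "tcp", 5060),
    Rule("deny", "tcp", 5061),
]

# Intent checks: (name, protocol, destination port, required verdict).
CHECKS = [
    ("sip-udp-5060-blocked", "udp", 5060, "deny"),
    ("sip-tcp-5060-blocked", "tcp", 5060, "deny"),
    ("sip-tcp-5061-blocked", "tcp", 5061, "deny"),
    ("https-allowed", "tcp", 443, "permit"),
    ("dns-allowed", "udp", 53, "permit"),
]


def failed_checks(acl: List[Rule]) -> List[str]:
    """Names of the intent checks that the given ACL violates."""
    return [name for name, proto, port, want in CHECKS
            if evaluate(acl, proto, port) != want]


# Three ways an operator might write the change.
CANDIDATES = {
    # Denies added at the end never fire: earlier permits match first.
    "appended": CURRENT_ACL + SIP_DENIES,
    # Denying all UDP stops SIP but also breaks DNS.
    "too_broad": [Rule("deny", "udp")] + SIP_DENIES[1:] + CURRENT_ACL,
    # Specific denies placed ahead of the existing permits.
    "targeted": SIP_DENIES + CURRENT_ACL,
}


def review_candidates():
    """Map each candidate change to the checks it would fail."""
    return {name: failed_checks(acl) for name, acl in CANDIDATES.items()}


if __name__ == "__main__":
    print("current  :", failed_checks(CURRENT_ACL))
    for name, failures in review_candidates().items():
        print(f"{name:9}:", failures or "all checks pass")
```

Only the "targeted" candidate passes every check; the other two show why a change should be evaluated against the full policy set before it is pushed.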

Forward Networks provides an ideal platform to quickly query and search large enterprise networks to view possible paths that conform to certain criteria or policies, such as in this scenario, going through any vulnerable Cisco ASA appliance. We provide a way to refine queries around specific policies or scenarios, such as isolating traffic from a particular source, like the external gateway. Or we can identify which applications and subnets could be subsequently affected. Finally, we have a way to quickly determine and prioritize points of remediation and verify how those changes would affect overall network policies.

Want to learn more? Contact us for a quick demo and we can show you how we can quickly determine your level of vulnerability to this new security advisory and a whole lot more! Or, check out some of our latest demo videos on our YouTube channel:

In tech terms, a diff is a listing of changes or differences between documents, files, source code, etc. As a Unix command, it became a common method of distributing patches and source updates, or just comparing versions of text files. Diffs became so easy to do and use, and common to so many use cases, it’s always fun to imagine how you could apply them to more than just text files and documents.

What if you could diff yourself now to five years ago? Probably the changes would be too numerous and impractical to list (and, hopefully, most would be for the better!). Well, we probably don’t have the tools to fully diff a person quite yet. But, what if we could diff your entire network! Sure, diffs can compare two device config files side-by-side. But I’m talking about the entire network! Between any two points in time. As if you had running side-by-side two different versions of your network that you could watch end-to-end, analyzing all behaviors and activity, and could quickly note any differences in one intuitive dashboard. Yes, I’m saying let’s clone that enterprise data center from 6-months ago and run it side-by-side to today’s and see all the behaviors and policy changes in our network. Would that be helpful?

Imagine the possibilities! You think you could address some of the compliance team’s concerns a little quicker? What if rogue IT had installed a few extra devices or access points in the last few months and they stuck out like sore thumbs in the diffs dashboard? What if you started having intermittent network performance issues that you first noticed three weeks ago, and you wanted to roll back or study all changes and their potential impact on network capabilities over the last, say, six weeks?

And I’m not just talking about diffing the text of the configuration files or packet captures. I’m talking about diffing the behavior of the network. Like if we diffed the behavior of my teenagers today and three years ago: they eat more, spend more money, and clean their room less. The network behavior diffs could be a very long list like: 1) these two subnets that were isolated are now reachable through a firewall, 2) there is now only one active path between a particular source and destination address where before there were redundant paths, 3) traffic that could be delivered from the internet to the web application server is now delivered via HTTPS and SSH, where only HTTPS was available before.

This is exactly what Forward Networks is able to achieve in our latest Forward Enterprise feature we call Behavior Diffs. Behavior Diffs provides network engineers with a powerful tool to compare network behavior and designs between any two points in time. Users can now compare network policies, behaviors and security posture to a prior state before any issues occurred to quickly determine where errors could have been introduced and how to remove them. This takes diagnostics and troubleshooting to a new level since users now have virtually unlimited documentation of prior network changes and their impact on network behavior to guide analysis and problem resolution, or just to prove historical compliance to key policy requirements.

As most followers of Forward Networks know, Forward Networks has developed a next-generation platform for analyzing network behavior and verifying network implementations. It is the first highly scalable, multi-vendor, layer 2-4 verification solution based on a behaviorally-accurate software model of the network. By analyzing the configurations and state information of the network’s devices, rather than real-time packet analysis, Forward Enterprise can identify if policy violations could occur under any scenario or set of conditions, what would trigger them, and how to proactively fix them before they happen.

And that’s exactly what we are doing with Behavior Diffs: comparing snapshots of two network points in time in our software model, running side-by-side, and highlighting the behavior and policy differences. We can resurrect that 6-month old data center snapshot and run it in all of its behavioral glory, long after you’ve been pulling cables and adding new devices. Want some examples? Let’s look at a screen shot of our behavior checks and see some policy changes we should probably know about.

In the above screen capture, we see a list of network behaviors or policy requirements that we are checking for and their passing/failing status in two different snapshots (“Before” and “After”). While we see two policies that are now passing in today’s model, our maintenance update has apparently broken one policy that was passing before. That policy essentially requires that all traffic from the Internet to our app servers only use HTTPS, and some other protocols are apparently now allowed through. In our analysis and remediation platform we can quickly drill down and analyze the source of that behavior to guide the repair.

Across the top of the above screenshot you can get a flavor for what other network attributes we get in our diff analysis, such as changes in topology, device additions, routing paths, VLANs, ACLs, and, yes, text of configuration files on all changed devices. We have some more good examples and screen shots on our Behavior Diff web page, and we have a brief demo overview video available here and on our YouTube channel.

Behavior Diffs is now available in our latest 2.18 release of Forward Enterprise. It is such a novel and powerful capability that we are excited to see the many different use cases and workflows that our customers will use it for. How do you think it could make your IT life a bit easier and more productive?

A new feature in Forward Enterprise now allows customers to simplify the analysis of network access issues between the network and security teams. We call this feature ACL-less analysis, or permit-all mode. First, some context on why multiple customers asked us to develop this feature, and the use case benefits they are seeing.

Forward Enterprise allows customers to quickly drill down into network and security configuration issues to isolate and expose the root cause of policy violations and deviations from intended network behavior. For example, why is this destination unreachable? Why is server access from the WAN impeded? What is blocking traffic between two sites or subnets? Forward Enterprise allows you to compare end-to-end path behavior with desired policies rather than focusing on individual device configurations and box-by-box analysis the old-fashioned way. Overall, this greatly accelerates Mean-Time-To-Repair (MTTR) and increases operational efficiency for IT teams.

When dealing with uncertain root-cause across large networks, many organizations are challenged to bridge the silos between network and security teams. It’s only natural. Visibility to both policies and implementations between two large technical organizations is rarely complete. It’s easy to start with a reasonable amount of finger-pointing. And when dealing with connectivity or accessibility issues, sometimes it’s the network devices and topology, and sometimes it’s an unintended consequence of a security policy or access control issue.

When Forward Networks started putting our next-generation analytical tools and troubleshooting insights into the hands of large enterprise organizations, we uncovered some of these Layer 8 (political) problems ourselves. Several of our customers that have distinct network and security policy teams subsequently asked us to provide capability in our system to separate root-cause analysis between networking configuration and Access Control List (ACL) rules.

The motivation was at least two-fold: 1) It provides an immediate way of isolating any access or connectivity issues to network devices or security rules, and 2) It clearly indicates which team should be addressing the problem and further refines where remediation should best be applied. This usually decreases the MTTI (Mean Time to Innocence) for the networking team, and avoids the tedious work and delay of trying to prove definitively that some uncertain error does not exist.

How does this work in practice? Starting with the Verify view in Forward Enterprise, where a user has defined a set of policies to validate, we see a single failed policy check for the existence of at least one path between two IP addresses in different data centers, through a specific firewall, with traffic delivered between the sites via an MPLS backbone.

Clicking on the “failed” link allows the user to explore the configuration issues associated with this policy failure. This brings up a new view as depicted in Figure 2. The failing policy statement is displayed in the top search bar, which we can refine or broaden to help analyze the situation further.

The result of a Forward Enterprise query statement is always the full set of network paths that meet the requirements of the query or search. In this case, as expected, we see “No results found”, because no such path exists. All traffic is being dropped in this scenario between the two IP addresses 10.117.170.01 and 10.110.57.34. And no paths are highlighted in our topology diagram, only the individual devices included in the query.

At this point we don’t know if this is a network connectivity error or a security policy issue. The new permit-all mode in Forward Enterprise allows users to determine this immediately. When the user clicks on “permit-all mode”, the platform runs the same analytical query while bypassing all the ACL rules, to see if there is network reachability and if traffic would flow in the absence of any security enforcement.

For those not familiar with Forward Enterprise, our platform is based on a behaviorally-accurate software model of your live network. These types of hypothetical analysis are very easy in our system, and never impact the live network, where you can’t turn off security enforcement just for the sake of analysis and testing. Checking the expected behavior of future traffic under any hypothetical change or scenario is one of many ways we aid in the analysis and troubleshooting of network and security issues.

In Figure 3, we see the top search updated with permit all, and now we see that there are indeed many (128) possible paths between these systems, due to the several pairs of redundant devices at most hops in the network. We are highlighting one path through the network, and focusing on an initial access layer switch that enforces ACLs.

We have highlighted in the hop details how the deny here, which is being applied to all packets, is being ignored, and the policy violation is not a network connectivity configuration issue after all. At this point, we can refer the ticket to the security team or administrator responsible for this particular device for further analysis or remediation. A key policy alert was detected, isolated and handed off to the responsible team in only a few clicks.
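The triage logic described above can be sketched on a toy model. This is an added example, not Forward Enterprise code or query syntax; the topology, addresses, ACL format and function names are constructed assumptions.

```python
import ipaddress

# Constructed topology (not from the page): an access switch, two redundant
# cores, a firewall and a destination leaf. Links are one-directional for brevity.
LINKS = {"acc1": ["core1", "core2"], "core1": ["fw1"], "core2": ["fw1"],
         "fw1": ["leaf2"], "leaf2": []}
# Per-device ACLs: ordered (action, src_prefix, dst_prefix); first match wins,
# no match means permit. acc1 carries a deny that applies to all packets.
ACLS = {
    "acc1": [("deny", "0.0.0.0/0", "0.0.0.0/0")],
    "fw1": [("permit", "10.1.0.0/16", "10.2.0.0/16"), ("deny", "0.0.0.0/0", "0.0.0.0/0")],
}

def acl_permits(device, src, dst, acls):
    """Evaluate a device's ACL for one flow; the first matching rule decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(device, []):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return True

def find_paths(first, last, src, dst, links, acls, permit_all=False):
    """Return all loop-free device paths; a denying hop drops the path unless permit_all."""
    results, stack = [], [[first]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if not permit_all and not acl_permits(node, src, dst, acls):
            continue  # traffic is dropped at this hop
        if node == last:
            results.append(path)
            continue
        stack.extend(path + [nxt] for nxt in links.get(node, []) if nxt not in path)
    return sorted(results)

def triage(first, last, src, dst, links=LINKS, acls=ACLS):
    """Classify a failed reachability check as a network or a security problem."""
    if find_paths(first, last, src, dst, links, acls):
        return "reachable", []
    open_paths = find_paths(first, last, src, dst, links, acls, permit_all=True)
    if not open_paths:
        return "network", []  # no forwarding path even with ACLs ignored
    blockers = sorted({hop for p in open_paths for hop in p
                       if not acl_permits(hop, src, dst, acls)})
    return "security", blockers
```

Calling `triage("acc1", "leaf2", "10.1.0.10", "10.2.0.20")` on this model returns the verdict together with the devices whose ACLs drop the flow, which is the information needed to route the ticket to the right team.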

Another ACL-less scenario would be an application team wanting to know if the current network configuration supported access to a requested server. The current security policy would likely not support this policy a priori, but a key first step would be to know what network connectivity would allow in the absence of security rules. ACL-less analysis ignores the firewalls and ACL rules and can either confirm or deny network support for the application team request. This scenario is detailed in the YouTube video below.

This new capability, referred to as ACL-less or permit-all mode, is attracting increasing interest across our user base among organizations that have separate security and network teams. We are interested to learn how it might help your organization and your IT processes in dealing with trouble tickets and how it may help overcome any Layer 8 problems you may have.

For more information, check out our YouTube video or get a live demo of ACL-less mode and the rest of the features in Forward Enterprise.

We were very excited to be selected as a Gartner Cool Vendor in Enterprise Networking for 2018 according to their report (download now) released on May 7. We believe this recognition reflects the innovations we've made around intent-based networking, network operations and IT automation over the last year, as well as the continued traction we are seeing with customers in the market.

Forward Networks is improving our customers’ network agility by accelerating their ability to make network changes, automating the verification of network designs and dramatically shortening analysis and remediation cycles. Some of our customers are taking the opportunity to better align their accelerated DevOps processes with a more agile and efficient NetOps process where application requirements can be tested and verified in the network in a fraction of the time.

Forward Networks has helped pioneer an intent-based networking (IBN) approach. We think what separates us from other emerging vendors in this space, though, is our completely vendor-neutral approach with support for all major networking hardware vendors, including firewalls and load balancers. In systems like ours, accurately modeling the behavior of each device to perform path-based analysis and identify configuration errors is critical, and we can do it for 90% of any multi-vendor network out there today.

Another key factor is our completely agent-less approach, so we can provide a completely non-intrusive, non-disruptive solution that takes minutes to get up and running on your network. This allows us to add value today, right away, on existing networks, without requiring a forklift upgrade to new hardware or being limited to greenfield environments.

Forward Essentials, a cloud-hosted solution, allows you to map your network and to manage and search configuration files, and lets customers gain experience with collecting data from their network devices. Forward Enterprise layers on the full network search/analysis and policy verification features required as part of an intent-based networking approach. Users can sign up for Forward Essentials here.

[Note: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.]

Back in October, our co-founder Nikhil Handigol presented at the Open Networking User Group (ONUG) meeting in New York on how Forward Enterprise helps accelerate and de-risk network operations.

ONUG was created in early 2012 by Nick Lippis, of the Lippis Report, and Ernest Lefner (pictured below, right, with representatives from Forward Networks), formerly of Fidelity Investments, to address the need for a smaller, more user-focused open networking conference. The ONUG semiannual conferences reflect the work being done in working groups throughout the year to drive standards, interoperability and innovation. The conferences include sessions from IT business leaders, updates from the Working Group Initiative members, hands-on tutorials, interactive labs, real world use cases, proof of concept demonstrations, and a vendor technology showcase.

As Nikhil mentions, he is currently on the Monitoring and Analytics working group. In Nikhil's presentation, he describes the primary functional areas of Forward Enterprise: Search, Verify and Predict. The Search capability is a powerful query engine to search for network attributes, state and configuration details across the entire network. It goes well beyond searching box-by-box: it can search on end-to-end network behavior, such as identifying all the possible paths between a source and a destination, including filtering traffic by a variety of attributes or results. Forward Verify can test all of your network requirements and policies to determine whether the current network design and configurations could potentially result in a policy violation. Forward Predict allows changes to network device configurations to be tested in a safe sandbox environment away from the live network, and network policies to be reverified to see whether violations are repaired or whether the changes introduced new ones.

Organizations can now analyze and verify if their network implementation is currently aligned with their network intent, i.e., the sum of all policies and compliance requirements that are generally articulated and represented at a higher, more abstract level than networking and security protocols and box configurations.

Understanding, modeling and verifying network intent is generally thought to be the first step towards intent-based networking, which Gartner describes as the "next big thing". After watching Nikhil's presentation, learn more about how Forward Networks can help your organization along the path to intent-based networking at https://www.forwardnetworks.com.
