A customer posed this question to me recently; after pausing and smiling (a little too) broadly, he continued, “Their lips are moving.”

I thought this would be funnier if it weren’t partly true.

The software industry has over-promised and under-delivered for years, making technical executives rightfully skeptical when they hear a new promise. Unfortunately, it’s common for software to lack promised features or to create new headaches when deployed across the enterprise.

Here we go again – another impossible promise!

The executive I was speaking with runs the network of a Fortune 250 global financial services company; he’s experienced his share of pie-in-the-sky sales pitches. Understandably, he was skeptical when he met a software executive promising a network digital twin that provides analysis and insight into the behavior of his network, supports all major hardware vendors, and can do this without posing any security risk.

In 2017 at a conference in New York, he met our co-founder and CEO, David Erickson. He remembers thinking David’s a great guy, but there’s no way his platform can do everything he’s saying, and especially not at the scale needed to support tens of thousands of devices.

As fate would have it, he bumped into David again in Las Vegas at another tech event where after a bit of discussion – he agreed to test the platform in his lab environment.

Wait, is this actually working?

Once the platform was up and running, he was genuinely astounded; in his own words, “Wow, this really, really amazing, it actually does everything you say it will.”

Many other teams were interested in the platform’s capabilities, but like many global enterprises, the organization and responsibilities are highly segmented. Working across functions to adopt new technology is a slow process. So while there was interest and promise, the platform stayed in the lab.

Can a digital twin help with audits?

During a discussion to prepare for an upcoming audit, the team expressed concerns about their current tools’ ability to provide the desired details and specificity around traffic and device behavior. Trust is everything for a financial services company; opacity or inaccuracy can create doubt in an instant.

The Forward Networks platform in their lab claimed it could instantly provide the information they needed, taking much of the pain out of audits while ensuring they continued to develop trust with customers.

The POC delivers immediate insight

They decided to put the platform to a bigger test within a contained area of the network. To kick off the POC, they used a seed list of known devices for collection. The collection indicated about half of those devices were not in the network. As this was a small area of the network that the Ops team felt they knew very intimately, they were very confident the devices did indeed exist and that there was an error in the collection. However, when they attempted to verify their existence, they were nowhere to be found.

This experience gave the team a clear indication of how much they didn’t know about the network. For example, if they were missing 50% of the expected devices in a well-known area of their environment, what could they discover across the entire network? Especially considering the company had recently undergone a significant merger.

The implications were significant. For example, how many of those devices were still included in expensive maintenance contracts? What else are they paying for that’s no longer in use?

In addition to exposing them to the scope of what they don’t know about the network, the snapshots collected in the platform provide an always-on audit. The team can now tell what a device was doing on a specific day and what devices it could have reached. Because they can gather this data as simply as conducting a Google search, audit responses are no longer nearly as painful.

Supporting future automation efforts

Because the platform is API accessible, they are constantly coming up with new ways to extract data from the platform and improve efficiency. They are looking at automating developer queries, for example.

If you want to see what Forward Networks can do, view our webinar on-demand, where we asked participants to challenge our co-founder and CTO Brandon Heller to prove our platform can live up to its promise, or request a personalized demo.

Forward Networks was just named a Great Place to Work in the Bay Area by Fortune. We’re excited to be on this list in an area known for setting the bar high when it comes to treating employees well. Perks are nice, but perks alone don’t get 100% of employees to say they work at a great company — that comes down to people and culture. And 100% of my colleagues said that Forward Networks is a Great Place to Work, beating the national average by 43%.

During my first conversation with a recruiter, I knew in my heart that there was something special about Forward Networks. Throughout the rest of the interview process – my hunch was confirmed, everyone I spoke to was smart, dedicated, and authentic. I knew it was the kind of environment where I could be myself, keep learning, face challenges, and thrive.

I love our platform, and I’m so happy to be working with a technology I believe in – but for me, the best part of Forward Networks is the people I get to work with. Everyone is committed to doing what’s best for our customers.

About two months into my tenure, we had our first hackathon. I’ve always experienced hackathons as a (well-earned) week for engineers to go play with their toys without regard to practical application. That’s not how my amazing co-workers approached it.

Every team focused on resolving a challenge our customers had experienced. Founders worked on teams with junior engineers – side by side as equals. Best of all – we incorporated several of the teams' suggestions into shipped product within a quarter. This is because everyone checked their ego and truly collaborated to support our customers. It’s also because we have some of the smartest people I’ve ever worked with on staff.

I’ve always appreciated working with smart people; I mean, who doesn’t? But sometimes it can be intimidating to ask questions. That’s never been the case here. People are not only willing to share knowledge, but to ask for your expertise as well. We all sit down to lunch together once a week – from our founders and executive leaders to the newest kid on the block.

I asked some of my co-workers why they think Forward Networks is a great place to work, and while the answers were unique, the themes of trust, empowerment, and people rose to the top. Here are some of the responses:

“I enjoy the level of autonomy I have in doing my job. I also appreciate that I have the full support of management anytime I need it.”

– Jack Shen, Customer Success

“Forward Networks fully supports its people. When I decided to pursue a master's degree that required me to move overseas, I had the full support of my team and leaders to pursue my dream and continue to contribute to the company.”

– Aditya Chakraborty, Design

“The people at Forward Networks exhibit a high level of integrity. They are dedicated, smart, hard-working, accountable, and responsive. I can trust them implicitly. At the same time, our product is amazing. There’s no other networking software offering like this in the industry, and we are just getting started.”

– Andi Voellmy, Principal Engineering Manager

“The Forward Networks platform is software I wish I’d had access to earlier in my career. We’re breaking new ground around network digital twins, and I get to be on the forefront of this development all the while working with great people that I trust and appreciate.”

– Tyson Henrie, Customer Success

“Forward Networks understands how to hire and empower people that exhibit a desire for continuous learning and growth. We have lots of people in the company that went to top schools, and we have people with non-traditional backgrounds. We all work together with mutual respect and trust which makes this a great place to work."

– Scott Arky, IT Manager

I feel so fortunate to be at this company with these people. Sure, we have a game room, happy hours, lunches, and great benefits, but none of that matters if the company culture is unappealing. We have a secret sauce that can’t easily be replicated; we have talent, trust, empowerment, and support, combined with the excitement of solving “unsolvable” problems. And … we’re hiring. Check out the careers page if you want to be as happy at work as we are!

Last June, Forward Networks announced several enhancements to the platform designed to help SecOps teams prove compliance, automate CVE (common vulnerabilities and exposures) responses, and remediate threats quickly.

Today, we’re happy to share that we’ve continued to build out our security use cases by adding new functionality to our security posture security matrix (previously known as zone-to-zone security matrix) and delivering Layer 7 application connectivity analysis. The enhancements will help security teams quickly verify compliance with mathematical certainty or instantly identify unwanted connectivity or isolation at L2, L4, and L7.

New options for defining security zones

In its initial release, the security posture matrix feature used firewall rules to determine if zones had full, partial, or zero connectivity (and if the isolation was intentional or due to misconfiguration). We used this methodology in our first release because it's commonly relied on and understood by enterprise IT shops. However, with our expansion into the cloud and continued focus on providing value to our customers with minimal change to their routines, we’ve added new ways to define zones using the L2 through L4 segmentation methodology they’ve employed in their network, e.g. VRFs, on-premises and cloud subnets, and cloud security groups. This enhancement provides engineering teams the flexibility to view the matrix in the same manner as they’ve segmented their network.

In the Security Posture matrix, admins can immediately see which zones have full connectivity, partial connectivity, or zero connectivity (full isolation). Unlike traditional security tools, Forward Enterprise analyzes L2 through L4 traffic patterns, which makes it simple for administrators to determine if isolation is due to security policies or if access is dropping due to a misconfigured router, thus giving a full picture of what is happening, and why it is happening in a single-pane-of-glass.

Layer 7 Security Analysis

As security becomes more advanced, vendors such as Palo Alto Networks and Silver Peak have added the ability to regulate connectivity at L7 using attributes such as user IDs, user group IDs, and application IDs. This gives administrators more flexibility and granular control for protecting the network. To ensure that this flexibility comes with insight, Forward Enterprise has added path search capabilities at L7. Now, using the same procedure as L2 and L4 path tracing, administrators can construct more intelligent queries that detail connectivity and security posture at the application and user ID level.

By providing connectivity traceability at L7, we are enriching the troubleshooting capabilities for administrators, so they spend less time trying to define the problem and more time on proactive strategic initiatives. Within seconds, a path trace can determine if a connectivity issue is caused by application configuration or device configuration, putting the administrator that much closer to solving the issue.

As always, we are committed to making hard things easy for operations engineers. We are excited to offer these new capabilities within the platform and will continue to find new ways to glean insight into network behavior and present them in a normalized (vendor agnostic), intuitive, and actionable manner.

Is it just me or is the announcement of a significant CVE becoming a holiday tradition? Discovered on December 9, 2021 by Minecraft players, the Apache Log4Shell vulnerability is uniquely insidious because it infects servers which are traditionally well insulated from attacks, perceived as unreachable by intruders, and not at risk for CVEs. Log4Shell is an entirely different can of worms that proves this assumption wrong.


Using simple text-based chats, Log4Shell essentially gives bad actors the keys to your kingdom by enabling them to download anything web accessible and gain ACE (arbitrary code execution) privileges. At that point, Java reads the log entry as a command and executes it, empowering bad actors to download anything that is network accessible from the infected host.


You’ve probably updated your software and even investigated the vendors you think may have been vulnerable. That means that your network is safe today, but how do you know what was previously at risk? Without historical snapshots and diffing capabilities, you don’t. And that means you may actually still be exposed.

Identify Log4Shell Exposure In Seconds 

READ THE FORWARD USE CASE


Forward Networks customers are not guessing – they are using Forward Enterprise to verify if all hosts, including the ones potentially breached, can communicate with the Internet. Consequently, those hosts that are Internet accessible are the ones that need to be immediately looked at and remediated. Using the blast radius feature, Forward customers can determine in seconds where in the infrastructure compromised end-hosts can and could have reached. Additionally, the network snapshots collected over time provide the necessary data to identify all devices that may have been previously infected or communicated with an infected host.


Forward Networks does not use Log4j in our shipping software (including past versions). If you are a Forward Networks customer and have additional questions, please contact your Customer Support Architect or email support@forwardnetworks.com.

I recently published a piece in Dark Reading covering the network security challenges of M&A activity.  As we ease the restrictions put in place to combat COVID-19, we’re expecting to see business activity including M&A pick up speed, it’s important that the implications of integrating networks are fully understood to ensure that the expected business benefits are achieved as soon as possible. 

Economists from JPMorgan Chase, Goldman Sachs, Morgan Stanley, and more are predicting that the U.S. is about to enter an economic boom, with estimates ranging from 4.5% to 8% expected economic growth. With the economy recovering, Deloitte found that many companies and enterprises expect their M&A activity to return to pre–COVID-19 levels within the next 12 months – and are starting to eagerly eye the market. But today’s M&A’s are more complicated than ever, with the involved organizations needing to account for vital cybersecurity, privacy, and data management practices during this process. 

In fact, recent analyst research uncovered that the biggest hurdle to effectively managing the integration phase of a deal in today’s environment is technology integration. 20% of businesses noted effective integration was the most important factor in achieving a successful M&A – and 28% identified execution/integration gaps as the primary reason their M&A transactions didn’t generate expected value. As I mentioned in the Dark Reading article, a company being acquired is also a target for bad actors, as they look for openings and vulnerabilities in smaller companies that can later give them access to the larger enterprise’s network – Deloitte found that the top concern in executing M&A deals for U.S. executives and private-equity investor firms is cybersecurity (51%).

With technology integration being one of the most important and most difficult factors for a successful M&A – how can companies set themselves up for success?  

The secret is to have a full understanding of the IT infrastructure. Unless you know how everything is connected to everything else, you really can’t make any good architecture decisions to change things. And the starting point is always the network. But this is a herculean challenge in and of itself. Every network is uniquely crafted by the company’s distinct needs and the personal approaches of the network engineers involved. Each network with its specific devices, firewalls, and configurations is going to operate and function differently – nothing can be assumed.

To drastically accelerate and de-risk M&A integration, IT needs to have a detailed understanding of all of the network topology and behavior. But it’s very hard to discover, most network maps and inventories are incomplete or very out of date, as manual processes for these issues are near impossible. Trying to write down a device list, map out the data paths, note all the configurations, figure out the operational processes, and enforce the network-wide security postures would take a full network team months or years depending on the complexity. For businesses that find themselves in this predicament, it is vital that they invest in solutions that can analyze their digital infrastructure to discover existing assets and to map the network.

Depending on the particular pain points, network analysis solutions range from network monitoring and visualization, to intent-based capabilities like network verification and prediction. Network and application dependency mapping tools can inform teams how the various applications and devices act with and rely on one another. Even something as simple as a help desk ticketing system can provide useful data for these ends. 

With a live network map, the companies can then evaluate the infrastructure for cybersecurity compliance and for future integration. Tools like port scanning, network configuration checks, and path verification allow IT to see if the network is operating consistently and is compliant with company policies. IT will especially want to focus on solutions that root out existing liabilities, such as vulnerability assessments, penetration testing, and compliance assessments. For instance, a network digital twin allows enterprises to overlay security policies on other networks – allowing for identification of network compliance issues, flagging outdated configurations, locating forgotten equipment, proactively unveiling security violations, and alerting operators of unpatched vulnerabilities. 

It’s ideal if the chosen solutions can also normalize the network data (present the data in a vendor-agnostic manner), making it much easier for IT to quickly read and understand the various infrastructure devices and configurations. This is particularly helpful for network operations staff addressing help desk tickets – who are dealing with tickets and issues across both networks at the same time after having merged. With a normalized dataset, IT can then efficiently merge both companies’ data together to jointly analyze the infrastructure – allowing for a much faster, more simple and comprehensive examination of the networks. This is impossible to do without a comprehensive view of existing data, so many enterprises look to data management tools and platforms to help locate and consolidate their critical data. 

Connecting and integrating the network infrastructure is the moment of truth for the M&A – businesses need to ensure that everything will continue to operate properly before internal operations can actually be merged. Having a normalized and accurate network map gives the IT team a scope of the two company’s networks – allowing for the identification of conflict areas that need to be worked out before merging networks together to ensure that there is no risk to the production and client services. With the right software, the process can be automated, so it’s faster and more accurate, and intent checks can also make sure that traffic is doing what it should or pinpoint the problem for immediate resolution.

Using this information, IT can identify critical network and application paths that need to be preserved in isolation and potential points where the two companies’ infrastructures can be connected. This has several key security and financial purposes. It allows for a check of whether the network architectures are compliant with one another, and it also lets the companies see where there is excess infrastructure that can be removed. Network path verification tools can also allow IT to preemptively see any potential integration holes by visualizing what the new data paths will be, so the team can address any lack thereof ahead of time with stop-gap solutions. 

When encountering different regulatory hurdles, it’s usually best to make the higher bar the standard across both organizations – simplifying the security and compliance policies. Services like next-generation endpoint protection, next-generation firewalls, and other solutions that protect data and applications from attack — are important for securing the IT environment after a merger. 

The risk involved in merging the digital infrastructures of major enterprises is simple to summarize: if you don’t know what it is and how it works, you can’t ensure it will continue to work if changes are made – like integrating it with another network. Even worse, it can aggravate the already existing security flaws or holes that are wrapped into your security paradigm. By integrating new devices and data paths to parts already able to be compromised, IT is increasing vulnerability and risk.

In today’s world of digital transformation, it’s more important than ever that enterprises engaging in M&As both empower and protect themselves by properly approaching network integration and adopting services where needed to support network analysis.

In the past couple of weeks, I’ve had the opportunity to attend two technology events IN PERSON!!! Seeing people “mask-to-mask” has been fun and educational.   

Forward Networks recently exhibited at Black Hat in Las Vegas and AFCEA TechNet Augusta. Obviously, security was the topic at Black Hat, but it was also top of mind for TechNet attendees, and attendees at both events stressed the need for better network behavioral insight. A common theme amongst these totally different demographics speaks volumes about the need to improve how NetOps and SecOps share network insights to protect its health and integrity. (For those who are unfamiliar, the halls of Black Hat are filled with hackers while TechNet Augusta hosted U.S. Army technical experts).  

Obtaining current, detailed information presented in an easy to understand manner is critical for network health. Because SecOps and NetOps teams need the same network information to remediate and prevent incidents, there should be a seamless way to interact. Unfortunately, that’s not possible using most currently available tools. Engineers are stuck making calls, sending emails, opening tickets, and waiting for information that should be at their fingertips, thus creating unnecessary speedbumps. In June, we added security features to our platform that were specifically intended to help SecOps and InfoSec teams by creating “easy buttons” that eliminate these barriers.   

Prior to getting out and talking to the people “in the trenches,” we felt pretty good about the platform enhancements, but we also knew that the attendees at both TechNet and Black Hat would give us the unfiltered truth.  

The security features we announced in June (single-click blast radius detection, Zone-to-Zone security matrix, and an up-to-date Network CVE matrix) generated interest because they help SecOps folks work better and faster. Nobody wants to spend an unnecessary second of their work life combing through vender alerts, tracing paths, or inspecting code to find out the cause of an issue.   

While the positive reception was encouraging, what I found incredibly interesting was the level of interest in how network modeling can enhance security posture by detecting and preventing situations that traditional tools will miss because they aren’t designed with the nuances of SDN in mind.  

 What did we hear at Black Hat and TechNet Augusta?  

Well aside from schooling us on how to protect the world from Space Invaders while playing our classic Atari console, the resounding theme was when it comes to understanding and enforcing organizational security posture, the network is critical. Security engineers want to query the network in ways that traditional security tools don’t allow. SDN is changing the way threats are enacted and detected, and SecOps needs better info. 

For example, the Forward Enterprise platform can identify network-based vulnerabilities due to traffic being virtually routed around enforcement points. Since the days of mandatory physical connectivity to the firewall are in the past, it’s easy to mistakenly configure devices in a manner that allows traffic to bypass enforcement points. Manipulated packets passing through NAT may not be recognized by firewall rules, ergo traffic you think is being blocked could be permitted creating vulnerabilities or, traffic that should be permitted could be dropped, negatively impacting the user experience.  

Most of the well-known products in this space cannot detect these network-created issues because they don’t have a mathematical model of the network. Packets that are mutated in transit are unlikely to trigger the right policy response because they are unrecognizable.  

The technical practitioners I spoke with were excited to learn that not only can Forward Networks detect these types of issues, but using custom intent checks, the platform can alert engineering staff if an out-of-policy configuration change is implemented. Knowing that the platform can instantly provide correct information on policy adherence and detect out-of-policy configurations before they cause an issue was of significant interest to everyone I talked to.   

Do you believe in zero trust? 

If you work in networking, you can’t do anything without getting some sort of message that you need to improve your zero trust architecture. Lots of companies offer to sell you the solution to all of your zero trust woes.   

Because it’s been a topic of discussion internally – we decided that this was the perfect opportunity to put the hype to the test and see what people really think. So, my Seeking Truth in Networking Podcast co-host (and Forward Networks Co-Founder) Brandon and I decided to mic-up and talk to people for Episode 11: Zero Trust at Black Hat 2021: Networking meets Security. The conversations were sometimes funny and always enlightening. So, we turned it into our latest podcast. At the end of the day, yes there’s a healthy dose of skepticism – as there should be – but there are also real lessons to be learned and interesting ways people are applying these principles. 

Listen to the podcast to hear more, and tell us what you think! 

Learn more about how Forward Enterprise can help improve and protect your security posture. 

Using the visualization, verification, search, predict, and diffs function within the Forward Networks platform can help engineers ensure their zero trust architecture is designed and functioning as intended.  To learn how, read the zero trust use case.

Between us — there’s no such thing as zero trust — it’s a catchy term used to describe a very complicated approach to security. But just because marketing loves the term doesn’t mean we should ignore the concept.

The idea of zero trust is the assumption that users should be granted the least access possible to be productive, and that security should be verified at every level with consistent protection measures. No device or person can be automatically trusted and everything must be verified before providing access to systems, and policy adherence must be continually validated.

Achieving this requires full network visibility, after all, how can you protect what you cannot see? To implement a zero trust architecture, network and security operations teams must be able to fully visualize all possible data paths and network traffic behaviors to truly understand potential vulnerabilities. Only then can they implement and enforce policies that eliminate risky pathways and segment the network effectively.

In addition to visibility, validation is critical for ensuring zero trust. Security policies are definitely not a “set it and forget it” situation.  Because the network is constantly being changed by the people that manage it, consistent and frequent validation is necessary to ensure that policies are performing as intended.

While this may seem like stating the obvious, it’s anything but easy.  Most networks have evolved over decades, it’s common for our customers to discover hundreds of devices they didn’t know they had. One of the biggest frustrations we hear from security teams is the amount of config drift in their network – which prevents the security policies from functioning as intended.  If you struggle with these issues (as most enterprises do), a zero trust architecture is beyond reach.

Using the visualization, verification, search, predict, and diffs function within the Forward Networks platform can help engineers ensure their zero trust architecture is designed and functioning as intended.  To learn how, read the zero trust use case.

With the constant rise of modern cyber threats, many businesses are aiming for zero-trust infrastructure to keep themselves and their customers safe. But a zero-trust environment, where only authorized people can access information and resources, is often more difficult to implement than anticipated. If security teams and network engineers cannot visualize the network and its possible traffic paths and behaviors, they can’t possibly secure the environment.

Forward Enterprise is designed to collect detailed config and state information on the entire network and then help engineers visualize, verify, search, predict and understand diffs following change windows. This information is invaluable to companies seeking to implement zero trust as it provides detailed connectivity information in a way that is easy to consume and act upon. We’ve recently added three new features to Forward Enterprise, that curate critical security information making it easy to understand device connectivity and potential vulnerabilities.

Regardless of how large or complicated a network is, Forward Enterprise empowers IT to improve network operations and avoid outages. This is thanks to its unique mathematical model that creates a digital twin of the network, allowing network operators to map all possible traffic flows, verify intent, predict network behavior, and more.

Our platform also helps security operations professionals with new visualizations of East-West traffic flows, endpoint-to-endpoint connectivity analysis matrices, and timely non-compliance alerts. These new features for Forward Enterprise make security teams’ lives easier by simplifying and streamlining traditionally labor-intensive network processes.

Blast Radius Identification

Today it is not a question of “if” a device will be compromised – but “when.” During an attack, it is critical that security operations professionals immediately identify the full impact of compromised devices so that they can contain the threat. With Forward’s blast radius, security teams can now identify the full exposure and reach of a compromised host with a single mouse click, making isolation and remediation a much simpler and faster process.

Zone-to-Zone Connectivity Posture

Having full insight into how and where devices and applications communicate over the network is fundamental to security. And yet this is one of the most difficult security tasks to perform, with most teams working from out-of-date spreadsheets and tribal knowledge to try and figure things out manually. Unsurprisingly, this is incredibly inefficient and error-prone.

But with Forward Enterprise correlating routing information and security policies, security teams can now easily see how their security posture is enacted on the network. With a graphical matrix that clearly delineates which zones have full connectivity, partial connectivity or no connectivity, security operations professionals can have full confidence of their zone-to-zone connectivity posture.

Network OS Vulnerability Identification

Trying to stay ahead of the unending stream of network device OS vulnerability alerts can be a full-time job – but it does not have to be. Forward Enterprise now uses the latest information from the NIST National Vulnerability Database, along with specific device and configuration data collected from your network, to automatically recognize and flag potential network OS vulnerabilities. Security teams can save time and stress with proactive vulnerabilities updates presented in an easily actionable format.

To see these security features in action, please request a demo.

On June 28, we announced new features within Forward Enterprise that help security engineers spend less time on reactive tasks so they can be more proactive. Why would a networking company expand into the security space?  Good question.  Let me share some of the reasoning that led to expanding deeper into this space, and why I am excited about it.

Reason 1: The overwhelming and urgent need. 

Last year, the SolarWinds hack shocked the world with both the vector and its breadth of reach across the world, reminding us all of the importance of security, especially within the network.  Since then we’ve continued to see additional examples such as the recent Colonial Pipeline ransomware attack.  These are both preventable and containable.

Reason 2: Demand from our customers.  

Deployments that were originally triggered by a need for network operator-oriented visibility and verification have also seen adoption and used by their peer security engineers to solve a range of daily work tasks.  These security engineers have been highly enthusiastic about the time savings they gain by getting instant answers to network questions with Forward Networks, without needing to talk to a long chain of humans and spending hours to days gathering such information in their old way of working.  Based on this success, they have been asking us for an expanded security capability set, with an ultimate goal of a single unified view and platform for both the network and security teams to collaborate around.

Reason 3: Unique capabilities from unique technology.  

What do we do?  Put simply, we use math to organize network information, in the form of a digital twin, and make that network information accessible to people and machines.  This approach requires analyzing every possible way a packet could flow through your network.  And yes, that is effectively a comprehensive pen test that runs on our customers’ global networks  10s of times per day!  That data enables network verification like that is nothing like the testing or mapping you’re used to.

Reason 4: Hack Week.  

In April, our engineering team had a week to work on anything.  What did they choose to do?  Security.  Working closely with customers and having an impact is why they are here.  Many of the projects created “easy buttons” for common (and highly complex) security tasks, and when shown to security teams, their feedback was clear: “I want this, yesterday.”

Those are all solid reasons, but I want to add my own take, from doing SecOps at a Stanford Lab, to setting up security infrastructure when founding this company, and now answering to a board about security.

A large fraction of security incidents can be both prevented, or at least tightly contained – but only if a strong network security and segmentation policy has been implemented.  An ever-growing list of vendors are scrambling to provide different components of a Zero Trust solution for your business, but even if you buy one (or more) of these solutions, how do you know if you’ve implemented them correctly?  In the financial world, we have auditors to confirm that we have correctly implemented the appropriate financial practices. The same mechanism is critical for network security, and this is what Forward Networks provides in the form of network and security visibility and verification.

I’m proud to announce our latest release, 21.5, which includes these new marquee security-focused features:

All of these new capabilities can be used on both your live network, as well as any historical snapshot you’ve taken in the past (for forensics), and all can be easily integrated via API into your automation framework of choice.

This is just the beginning of our security journey, and we’d like to bring our unique capabilities as a partner on your Zero Trust security journey.  If you’d like to learn more, please request a demo.

Today’s networks are too complex for manual network management and updates.  With most enterprises composed of tens of thousands of devices spanning multiple geographical locations, on-premises hardware, Virtual environment, and multiple clouds – it’s virtually impossible to push updates manually.   Also – the sheer volume of vendors and coding languages can be overwhelming for a network operations engineer.  In most cases learning a new language or new platform takes eight weeks to achieve basic proficiency; its not realistic to expect human skills to scale at the pace of network innovation (aka network complexity)

Fig 1. Itential Automation Example

Which is why we decided to integrate the Forward Networks platform with the industry-leading network assurance platform, Itential.  Their low-code automation platform makes it easy for network operations teams to deploy and manage multi-domain infrastructures.  Itential’s cloud-native software as a service offering provides a low-code interface that seamlessly connects to any IT system, cloud, or network technology for end-to-end closed-loop network automation and orchestration. Forward Enterprise enables network operators to deploy automated changes with the assurance that they are in compliance with network policies and won’t have any unintended side effects.

Fig 2. Closing the Loop: Automation + Verification

Forward Enterprise helps network operations engineers avoid outages through its unique mathematical model. The platform creates a digital twin of the network (across on-premises devices, private and public cloud) enabling network operators to map all possible traffic flows, instantly troubleshoot, verify intent, predict network behavior, and reduce MTTR (mean time to resolution). Itential simplifies and accelerates the deployment and management of multi-domain network infrastructure. Both platforms support major network equipment vendors and AWS, Azure, and Google Cloud platforms.

Fig 3. Automate Service Provisioning with Forward Networks and Itential

The Closed Loop Automation process enabled by the integration of Forward Networks Platform and Itential Automation Platform (IAP) acts as a safeguard to prevent any issues from becoming pervasive following a change window.  Using the pre-built automations, templates, form builder, automation builder within Automation Studio makes it easy for network operations engineers to build an automation catalog that enables changes at scale.  By using the API integration with Forward Networks, they can verify routing, add intent checks, verify new service connectivity, check for side effects and send notifications and verifications via Slack, Microsoft Teams, Cisco WebEX, and email.  Integration with change management systems including ServiceNow and Jira ensure everyone is working from a single source of truth and expedites collaboration. In the event of an issue, the diff check functionality within the Forward Networks platform makes it easy to pinpoint which changes are causing any unplanned behavior.

For more detail on how the integration works, please view our ONUG Spring 2021 session.

Top cross