By Fabrizio Maccioni, Director of Technical Marketing, Forward Networks
Closed-loop verification may be the answer to the threats and vulnerabilities that plague network automation. Fabrizio Maccioni, director of technical marketing at Forward Networks, takes a closer look at how the risks of your network automation journey could be better tackled with closed-loop verification.
Not too long ago, IT professionals physically connected to network devices for upgrades and changes. Imagine trying to physically go to every device on your network, plug in and manually push an update. It’s obviously an impractical and unaffordable proposition that would require a veritable army of IT professionals and weeks, especially for organizations with data centers spread around the globe. Undoubtedly devices would be missed, and other mistakes would be made, increasing the risk of outages or vulnerabilities...
I don’t know which is more exciting: the fact that there’s no rain forecast for the next two weeks or that we’re hosting Cloud Field Day 16 at the Forward Networks headquarters in Santa Clara, CA. It’s a nice dose of synchronicity that we get a break in the rain to dry out and clean up and we get to host several of the top minds in cloud computing.
One of the toughest challenges our customers face is securing their traffic in a multi-cloud environment. Ensuring traffic passes through choke points in the on-prem network is hard enough; once it enters the cloud, traffic becomes much more difficult to monitor.
Our co-founder, Peyman Kazemian, and senior cloud field engineer, Craig Johnson, will demonstrate how Forward Networks' digital twin can verify security policies in multi-cloud networks. We’re excited to show the delegates and attendees how our platform offers single-pane-of-glass visualization and verification across the entire network.
Using the example of a company merger, Craig will demonstrate how we discover all possible traffic paths a packet can take and verify that security policies are enforced on-prem and in the cloud.
Craig and Peyman are up first at 8:00 a.m. Pacific, Wednesday, January 25, 2023. You can view presentations live via the Tech Field Day LinkedIn page. If you can’t attend live, the recordings will be available on demand via YouTube.
Spring is in the air and that means that ONUG Spring is right around the corner! At Forward Networks, it’s feeling a little like Christmas in April because we’re so excited to meet in-person, and we hope you feel the same. Our booth is polished, our presenters are on fire, and our capabilities for solving multi-cloud problems are unparalleled.
In addition to an in-person and virtual booth staffed by hands-on technical experts, we have two exciting presentations planned.
On Wednesday, April 27 at 11:20 a.m., our director of product, Natale Ruello, will share how our customers use the Forward Enterprise platform to verify security policies in their hybrid multi-cloud environments. If you’d like a preview of the challenges he’s going to address, check out his ONUG blog post: Is your multi-cloud estate secure?
On Thursday, April 28 at 2:25 p.m., Josh Matheus, Managing Director at Goldman Sachs, will detail the pain points that motivated the need for a single source of network truth, describe the process of selecting and implementing a digital twin, and outline the results that his network team has achieved since deployment.
If you haven’t registered for the event yet, use the discount code Forward22 to save 20% on your registration. We hope to see you there or at another event this year.
If you can’t attend in person, don’t forget to check out our virtual ONUG booth where you can ask questions and see the technology in action.
I recently published a piece in Dark Reading covering the network security challenges of M&A activity. As the restrictions put in place to combat COVID-19 are eased, we expect business activity, including M&A, to pick up speed. It’s important that the implications of integrating networks are fully understood so that the expected business benefits are achieved as soon as possible.
Economists from JPMorgan Chase, Goldman Sachs, Morgan Stanley, and more are predicting that the U.S. is about to enter an economic boom, with estimates ranging from 4.5% to 8% expected economic growth. With the economy recovering, Deloitte found that many companies and enterprises expect their M&A activity to return to pre–COVID-19 levels within the next 12 months – and are starting to eagerly eye the market. But today’s M&As are more complicated than ever, with the involved organizations needing to account for vital cybersecurity, privacy, and data management practices during the process.
In fact, recent analyst research uncovered that the biggest hurdle to effectively managing the integration phase of a deal in today’s environment is technology integration. 20% of businesses noted effective integration was the most important factor in achieving a successful M&A – and 28% identified execution/integration gaps as the primary reason their M&A transactions didn’t generate expected value. As I mentioned in the Dark Reading article, a company being acquired is also a target for bad actors, as they look for openings and vulnerabilities in smaller companies that can later give them access to the larger enterprise’s network – Deloitte found that the top concern in executing M&A deals for U.S. executives and private-equity investor firms is cybersecurity (51%).
The secret is to have a full understanding of the IT infrastructure. Unless you know how everything is connected to everything else, you really can’t make any good architecture decisions to change things. And the starting point is always the network. But this is a herculean challenge in and of itself. Every network is uniquely crafted by the company’s distinct needs and the personal approaches of the network engineers involved. Each network with its specific devices, firewalls, and configurations is going to operate and function differently – nothing can be assumed.
To drastically accelerate and de-risk M&A integration, IT needs a detailed understanding of the entire network topology and its behavior. But this is very hard to discover: most network maps and inventories are incomplete or badly out of date, because maintaining them manually is near impossible. Trying to write down a device list, map out the data paths, note all the configurations, figure out the operational processes, and enforce the network-wide security posture would take a full network team months or years, depending on the complexity. For businesses that find themselves in this predicament, it is vital to invest in solutions that can analyze their digital infrastructure to discover existing assets and map the network.
Depending on the particular pain points, network analysis solutions range from network monitoring and visualization, to intent-based capabilities like network verification and prediction. Network and application dependency mapping tools can inform teams how the various applications and devices act with and rely on one another. Even something as simple as a help desk ticketing system can provide useful data for these ends.
With a live network map, the companies can then evaluate the infrastructure for cybersecurity compliance and for future integration. Tools like port scanning, network configuration checks, and path verification allow IT to see if the network is operating consistently and is compliant with company policies. IT will especially want to focus on solutions that root out existing liabilities, such as vulnerability assessments, penetration testing, and compliance assessments. For instance, a network digital twin allows enterprises to overlay security policies on other networks – allowing for identification of network compliance issues, flagging outdated configurations, locating forgotten equipment, proactively unveiling security violations, and alerting operators of unpatched vulnerabilities.
It’s ideal if the chosen solutions can also normalize the network data (present the data in a vendor-agnostic manner), making it much easier for IT to quickly read and understand the various infrastructure devices and configurations. This is particularly helpful for network operations staff addressing help desk tickets – who are dealing with tickets and issues across both networks at the same time after having merged. With a normalized dataset, IT can then efficiently merge both companies’ data together to jointly analyze the infrastructure – allowing for a much faster, simpler and more comprehensive examination of the networks. This is impossible to do without a comprehensive view of existing data, so many enterprises look to data management tools and platforms to help locate and consolidate their critical data.
Connecting and integrating the network infrastructure is the moment of truth for the M&A – businesses need to ensure that everything will continue to operate properly before internal operations can actually be merged. Having a normalized and accurate network map gives the IT team a scope of the two companies’ networks – allowing for the identification of conflict areas that need to be worked out before merging networks together to ensure that there is no risk to the production and client services. With the right software, the process can be automated, so it’s faster and more accurate, and intent checks can also make sure that traffic is doing what it should or pinpoint the problem for immediate resolution.
Using this information, IT can identify critical network and application paths that need to be preserved in isolation and potential points where the two companies’ infrastructures can be connected. This has several key security and financial purposes. It allows for a check of whether the network architectures are compliant with one another, and it also lets the companies see where there is excess infrastructure that can be removed. Network path verification tools can also allow IT to preemptively see any potential integration holes by visualizing what the new data paths will be, so the team can address any lack thereof ahead of time with stop-gap solutions.
When encountering different regulatory hurdles, it’s usually best to make the higher bar the standard across both organizations – simplifying the security and compliance policies. Services like next-generation endpoint protection, next-generation firewalls, and other solutions that protect data and applications from attack are important for securing the IT environment after a merger.
The risk involved in merging the digital infrastructures of major enterprises is simple to summarize: if you don’t know what it is and how it works, you can’t ensure it will continue to work if changes are made – like integrating it with another network. Even worse, it can aggravate the already existing security flaws or holes that are wrapped into your security paradigm. By integrating new devices and data paths with parts that can already be compromised, IT is increasing vulnerability and risk.
In today’s world of digital transformation, it’s more important than ever that enterprises engaging in M&As both empower and protect themselves by properly approaching network integration and adopting services where needed to support network analysis.
In the past couple of weeks, I’ve had the opportunity to attend two technology events IN PERSON!!! Seeing people “mask-to-mask” has been fun and educational.
Forward Networks recently exhibited at Black Hat in Las Vegas and AFCEA TechNet Augusta. Obviously, security was the topic at Black Hat, but it was also top of mind for TechNet attendees, and attendees at both events stressed the need for better network behavioral insight. A common theme amongst these totally different demographics speaks volumes about the need to improve how NetOps and SecOps share network insights to protect the network’s health and integrity. (For those who are unfamiliar, the halls of Black Hat are filled with hackers while TechNet Augusta hosted U.S. Army technical experts).
Obtaining current, detailed information presented in an easy to understand manner is critical for network health. Because SecOps and NetOps teams need the same network information to remediate and prevent incidents, there should be a seamless way to interact. Unfortunately, that’s not possible using most currently available tools. Engineers are stuck making calls, sending emails, opening tickets, and waiting for information that should be at their fingertips, thus creating unnecessary speedbumps. In June, we added security features to our platform that were specifically intended to help SecOps and InfoSec teams by creating “easy buttons” that eliminate these barriers.
Prior to getting out and talking to the people “in the trenches,” we felt pretty good about the platform enhancements, but we also knew that the attendees at both TechNet and Black Hat would give us the unfiltered truth.
The security features we announced in June (single-click blast radius detection, Zone-to-Zone security matrix, and an up-to-date Network CVE matrix) generated interest because they help SecOps folks work better and faster. Nobody wants to spend an unnecessary second of their work life combing through vendor alerts, tracing paths, or inspecting code to find out the cause of an issue.
While the positive reception was encouraging, what I found incredibly interesting was the level of interest in how network modeling can enhance security posture by detecting and preventing situations that traditional tools will miss because they aren’t designed with the nuances of SDN in mind.
Well, aside from schooling us on how to protect the world from Space Invaders while playing our classic Atari console, the resounding theme was that when it comes to understanding and enforcing organizational security posture, the network is critical. Security engineers want to query the network in ways that traditional security tools don’t allow. SDN is changing the way threats are enacted and detected, and SecOps needs better info.
For example, the Forward Enterprise platform can identify network-based vulnerabilities due to traffic being virtually routed around enforcement points. Since the days of mandatory physical connectivity to the firewall are in the past, it’s easy to mistakenly configure devices in a manner that allows traffic to bypass enforcement points. Manipulated packets passing through NAT may not be recognized by firewall rules, so traffic you think is being blocked could be permitted, creating vulnerabilities, or traffic that should be permitted could be dropped, negatively impacting the user experience.
Most of the well-known products in this space cannot detect these network-created issues because they don’t have a mathematical model of the network. Packets that are mutated in transit are unlikely to trigger the right policy response because they are unrecognizable.
The technical practitioners I spoke with were excited to learn that not only can Forward Networks detect these types of issues, but using custom intent checks, the platform can alert engineering staff if an out-of-policy configuration change is implemented. Knowing that the platform can instantly provide correct information on policy adherence and detect out-of-policy configurations before they cause an issue was of significant interest to everyone I talked to.
If you work in networking, you can’t do anything without getting some sort of message that you need to improve your zero trust architecture. Lots of companies offer to sell you the solution to all of your zero trust woes.
Because it’s been a topic of discussion internally – we decided that this was the perfect opportunity to put the hype to the test and see what people really think. So, my Seeking Truth in Networking Podcast co-host (and Forward Networks Co-Founder) Brandon and I decided to mic-up and talk to people for Episode 11: Zero Trust at Black Hat 2021: Networking meets Security. The conversations were sometimes funny and always enlightening. So, we turned it into our latest podcast. At the end of the day, yes there’s a healthy dose of skepticism – as there should be – but there are also real lessons to be learned and interesting ways people are applying these principles.
Listen to the podcast to hear more, and tell us what you think!
Using the visualization, verification, search, predict, and diffs function within the Forward Networks platform can help engineers ensure their zero trust architecture is designed and functioning as intended. To learn how, read the zero trust use case.
Between us — there’s no such thing as zero trust — it’s a catchy term used to describe a very complicated approach to security. But just because marketing loves the term doesn’t mean we should ignore the concept.
The idea of zero trust is the assumption that users should be granted the least access possible to be productive, and that security should be verified at every level with consistent protection measures. No device or person can be automatically trusted and everything must be verified before providing access to systems, and policy adherence must be continually validated.
Achieving this requires full network visibility; after all, how can you protect what you cannot see? To implement a zero trust architecture, network and security operations teams must be able to fully visualize all possible data paths and network traffic behaviors to truly understand potential vulnerabilities. Only then can they implement and enforce policies that eliminate risky pathways and segment the network effectively.
In addition to visibility, validation is critical for ensuring zero trust. Security policies are definitely not a “set it and forget it” situation. Because the network is constantly being changed by the people that manage it, consistent and frequent validation is necessary to ensure that policies are performing as intended.
While this may seem like stating the obvious, it’s anything but easy. Most networks have evolved over decades, and it’s common for our customers to discover hundreds of devices they didn’t know they had. One of the biggest frustrations we hear from security teams is the amount of config drift in their network – which prevents the security policies from functioning as intended. If you struggle with these issues (as most enterprises do), a zero trust architecture is beyond reach.
With the constant rise of modern cyber threats, many businesses are aiming for zero-trust infrastructure to keep themselves and their customers safe. But a zero-trust environment, where only authorized people can access information and resources, is often more difficult to implement than anticipated. If security teams and network engineers cannot visualize the network and its possible traffic paths and behaviors, they can’t possibly secure the environment.
Forward Enterprise is designed to collect detailed config and state information on the entire network and then help engineers visualize, verify, search, predict and understand diffs following change windows. This information is invaluable to companies seeking to implement zero trust as it provides detailed connectivity information in a way that is easy to consume and act upon. We’ve recently added three new features to Forward Enterprise that curate critical security information, making it easy to understand device connectivity and potential vulnerabilities.
Regardless of how large or complicated a network is, Forward Enterprise empowers IT to improve network operations and avoid outages. This is thanks to its unique mathematical model that creates a digital twin of the network, allowing network operators to map all possible traffic flows, verify intent, predict network behavior, and more.
Our platform also helps security operations professionals with new visualizations of East-West traffic flows, endpoint-to-endpoint connectivity analysis matrices, and timely non-compliance alerts. These new features for Forward Enterprise make security teams’ lives easier by simplifying and streamlining traditionally labor-intensive network processes.
Today it is not a question of “if” a device will be compromised – but “when.” During an attack, it is critical that security operations professionals immediately identify the full impact of compromised devices so that they can contain the threat. With Forward’s blast radius, security teams can now identify the full exposure and reach of a compromised host with a single mouse click, making isolation and remediation a much simpler and faster process.
Having full insight into how and where devices and applications communicate over the network is fundamental to security. And yet this is one of the most difficult security tasks to perform, with most teams working from out-of-date spreadsheets and tribal knowledge to try and figure things out manually. Unsurprisingly, this is incredibly inefficient and error-prone.
But with Forward Enterprise correlating routing information and security policies, security teams can now easily see how their security posture is enacted on the network. With a graphical matrix that clearly delineates which zones have full connectivity, partial connectivity or no connectivity, security operations professionals can have full confidence in their zone-to-zone connectivity posture.
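The three checks described on this page, traffic routed around an enforcement point or reaching the firewall with a NAT-rewritten source (the Black Hat recap above), the blast radius of one host, and the zone-to-zone matrix, all reduce to tracing sample flows through a model of the network. The following added example is not Forward Networks' code: it is a small forwarding model with a constructed topology, addresses and ACL that shows how each check can be expressed against such a model.

```python
"""Toy forwarding model: longest-prefix routing, a source-NAT hop and a stateless ACL
hop. Added example, not Forward Networks' code; topology, addresses and policy are constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

class Node:
    def __init__(self, name, routes, nat=None, acl=None):
        self.name = name
        # routes: (prefix, next hop); next hop is a node name or "DELIVER"
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.nat = nat  # (source prefix to translate, translated source address)
        self.acl = acl  # [(action, source prefix, dport or None)], first match wins

    def next_hop(self, dst):
        best = None
        for net, nh in self.routes:  # longest prefix match
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def translate(self, flow):
        if self.nat and flow.src in ipaddress.ip_network(self.nat[0]):
            return flow._replace(src=ipaddress.ip_address(self.nat[1]))
        return flow

    def permits(self, flow):
        if self.acl is None:
            return True  # not an enforcement point
        for action, src_prefix, dport in self.acl:
            if flow.src in ipaddress.ip_network(src_prefix) and dport in (None, flow.dport):
                return action == "permit"
        return False  # implicit deny

def trace(net, start, flow, max_hops=16):
    """Return (outcome, hops) for a flow injected at node `start`."""
    hops, cur = [], start
    for _ in range(max_hops):
        node, hops = net[cur], hops + [cur]
        flow = node.translate(flow)  # a node's ACL sees the already-translated packet
        if not node.permits(flow):
            return "DENIED", hops
        nh = node.next_hop(flow.dst)
        if nh == "DELIVER":
            return "DELIVERED", hops
        if nh is None:
            return "NO_ROUTE", hops
        cur = nh
    return "LOOP", hops

# Constructed topology with two deliberate faults: GUEST traffic is source-NATed
# before it reaches the firewall, so the firewall's GUEST deny never matches, and
# corp-sw carries a static route to PROD that skips the firewall entirely.
NET = {n.name: n for n in [
    Node("guest-sw", [("10.1.0.0/16", "DELIVER"), ("0.0.0.0/0", "edge-nat")]),
    Node("edge-nat", [("10.1.0.0/16", "guest-sw"), ("0.0.0.0/0", "fw")],
         nat=("10.1.0.0/16", "192.0.2.10")),
    Node("corp-sw", [("10.2.0.0/16", "DELIVER"), ("10.9.0.0/24", "prod-sw"),
                     ("0.0.0.0/0", "fw")]),
    Node("fw", [("10.9.0.0/24", "prod-sw"), ("10.2.0.0/16", "corp-sw"),
                ("10.1.0.0/16", "edge-nat")],
         acl=[("deny", "10.1.0.0/16", None),       # intent: GUEST reaches nothing
              ("permit", "10.2.0.0/16", 443),      # CORP -> PROD over HTTPS only
              ("permit", "192.0.2.0/24", None)]),  # partner range, unrestricted
    Node("prod-sw", [("10.9.0.0/24", "DELIVER")]),
]}
ZONES = {"GUEST": ("guest-sw", "10.1.0.5"), "CORP": ("corp-sw", "10.2.0.5"),  # zone ->
         "PROD": ("prod-sw", "10.9.0.5")}                                        # (node, host)

def check_intent(net, zones, src_zone, dst_zone, dport, expected, enforcer="fw"):
    """Violations: wrong outcome, or the flow never traversed the enforcement point."""
    start, src = zones[src_zone]
    flow = Flow(ipaddress.ip_address(src), ipaddress.ip_address(zones[dst_zone][1]), dport)
    outcome, hops = trace(net, start, flow)
    problems = []
    if outcome != expected:
        problems.append(f"{src_zone}->{dst_zone}:{dport} {outcome}, expected {expected}")
    if enforcer not in hops:
        problems.append(f"{src_zone}->{dst_zone}:{dport} bypassed {enforcer} via {hops}")
    return problems

def reachable_ports(net, zones, src_zone, ports=(22, 443)):
    """Blast-radius style query: ports in each other zone a host in src_zone can reach."""
    start, src = zones[src_zone]
    out = {}
    for d, (_, dst) in zones.items():
        if d != src_zone:
            out[d] = [p for p in ports if trace(net, start, Flow(
                ipaddress.ip_address(src), ipaddress.ip_address(dst), p))[0] == "DELIVERED"]
    return out

def zone_matrix(net, zones, ports=(22, 443)):
    """'full' / 'partial' / 'none' per ordered zone pair over the sample ports."""
    matrix = {}
    for s in zones:
        for d, hits in reachable_ports(net, zones, s, ports).items():
            matrix[(s, d)] = {0: "none", len(ports): "full"}.get(len(hits), "partial")
    return matrix
```

Running `check_intent(NET, ZONES, "GUEST", "PROD", 443, "DENIED")` reports the NAT-masked deny, and `check_intent(NET, ZONES, "CORP", "PROD", 22, "DENIED")` reports both the wrong outcome and the firewall bypass; `zone_matrix` summarises the same traces as full/partial/none per zone pair.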
Network OS Vulnerability Identification
Trying to stay ahead of the unending stream of network device OS vulnerability alerts can be a full-time job – but it does not have to be. Forward Enterprise now uses the latest information from the NIST National Vulnerability Database, along with specific device and configuration data collected from your network, to automatically recognize and flag potential network OS vulnerabilities. Security teams can save time and stress with proactive vulnerability updates presented in an easily actionable format.
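The core of such a check is matching an inventory of (vendor, product, version) against the applicability ranges NVD publishes. The following added example is not Forward Networks' code: the CVE record is constructed in the shape of the NVD API 2.0 JSON (`cve.configurations[].nodes[].cpeMatch[]`), and the CVE id, vendor and product names are placeholders.

```python
"""Match a device inventory against NVD-style CVE records. Added example, not Forward
Networks' code: the record below is constructed in the shape of NVD API 2.0 JSON
(cve.configurations[].nodes[].cpeMatch[]); CVE id, vendor and product are placeholders."""
import json

# Constructed record: vulnerable range [4.2.0, 4.2.7) plus one exact version, OR-combined
NVD_SAMPLE = json.loads("""{"cve": {"id": "CVE-YYYY-NNNNN", "configurations": [{"nodes": [
  {"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "4.2.0", "versionEndExcluding": "4.2.7"},
    {"vulnerable": true, "criteria": "cpe:2.3:o:examplevendor:exampleos:4.3.1:*:*:*:*:*:*:*"}
  ]}]}]}}""")

# Constructed inventory, the kind of per-device data a digital twin collects
INVENTORY = [
    {"name": "core-rtr-1", "vendor": "examplevendor", "product": "exampleos", "version": "4.2.3"},
    {"name": "core-rtr-2", "vendor": "examplevendor", "product": "exampleos", "version": "4.2.7"},
    {"name": "dist-sw-1", "vendor": "examplevendor", "product": "exampleos", "version": "4.3.1"},
    {"name": "edge-fw-1", "vendor": "othervendor", "product": "fwos", "version": "4.2.3"},
]


def parse_cpe(criteria):
    """(part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = criteria.split(":")
    return fields[2], fields[3], fields[4], fields[5]


def version_key(version):
    """Assumption: dotted numeric versions ('4.2.7'); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def in_range(version, match):
    """Apply the four optional NVD range attributes of one cpeMatch entry."""
    key = version_key(version)
    bounds = [("versionStartIncluding", lambda b: key < b),
              ("versionStartExcluding", lambda b: key <= b),
              ("versionEndIncluding", lambda b: key > b),
              ("versionEndExcluding", lambda b: key >= b)]
    return not any(name in match and out_of(version_key(match[name])) for name, out_of in bounds)


def cve_matches_device(record, device):
    """True if (vendor, product, version) sits in a vulnerable cpeMatch; OR nodes only."""
    for config in record["cve"]["configurations"]:
        for node in config["nodes"]:
            for match in node["cpeMatch"]:
                if not match.get("vulnerable", False):
                    continue
                _, vendor, product, version = parse_cpe(match["criteria"])
                if (vendor, product) != (device["vendor"], device["product"]):
                    continue
                if version == "*" and in_range(device["version"], match):
                    return True
                if version != "*" and version_key(version) == version_key(device["version"]):
                    return True
    return False


def exposed_devices(records, inventory):
    """Device name -> matching CVE ids: the rows of a network CVE matrix."""
    return {d["name"]: [r["cve"]["id"] for r in records if cve_matches_device(r, d)]
            for d in inventory}
```

Real network OS version strings are often not purely numeric, so `version_key` is the piece a practitioner would replace with a vendor-aware comparison; AND-combined nodes and `negate` are not handled here.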
To see these security features in action, please request a demo.
On June 28, we announced new features within Forward Enterprise that help security engineers spend less time on reactive tasks so they can be more proactive. Why would a networking company expand into the security space? Good question. Let me share some of the reasoning that led to expanding deeper into this space, and why I am excited about it.
Reason 1: The overwhelming and urgent need.
Last year, the SolarWinds hack shocked the world with both the vector and its breadth of reach across the world, reminding us all of the importance of security, especially within the network. Since then we’ve continued to see additional examples such as the recent Colonial Pipeline ransomware attack. These are both preventable and containable.
Reason 2: Demand from our customers.
Deployments that were originally triggered by a need for network operator-oriented visibility and verification have also seen adoption and use by their peer security engineers to solve a range of daily work tasks. These security engineers have been highly enthusiastic about the time savings they gain by getting instant answers to network questions with Forward Networks, without needing to talk to a long chain of humans and spending hours to days gathering such information in their old way of working. Based on this success, they have been asking us for an expanded security capability set, with an ultimate goal of a single unified view and platform for both the network and security teams to collaborate around.
Reason 3: Unique capabilities from unique technology.
What do we do? Put simply, we use math to organize network information, in the form of a digital twin, and make that network information accessible to people and machines. This approach requires analyzing every possible way a packet could flow through your network. And yes, that is effectively a comprehensive pen test that runs on our customers’ global networks 10s of times per day! That data enables network verification that is nothing like the testing or mapping you’re used to.
Reason 4: Hack Week.
In April, our engineering team had a week to work on anything. What did they choose to do? Security. Working closely with customers and having an impact is why they are here. Many of the projects created “easy buttons” for common (and highly complex) security tasks, and when shown to security teams, their feedback was clear: “I want this, yesterday.”
Those are all solid reasons, but I want to add my own take, from doing SecOps at a Stanford Lab, to setting up security infrastructure when founding this company, and now answering to a board about security.
A large fraction of security incidents can be prevented, or at least tightly contained, but only if a strong network security and segmentation policy has been implemented. An ever-growing list of vendors are scrambling to provide different components of a Zero Trust solution for your business, but even if you buy one (or more) of these solutions, how do you know if you’ve implemented them correctly? In the financial world, we have auditors to confirm that we have correctly implemented the appropriate financial practices. The same mechanism is critical for network security, and this is what Forward Networks provides in the form of network and security visibility and verification.
I’m proud to announce our latest release, 21.5, which includes these new marquee security-focused features:
All of these new capabilities can be used on both your live network, as well as any historical snapshot you’ve taken in the past (for forensics), and all can be easily integrated via API into your automation framework of choice.
This is just the beginning of our security journey, and we’d like to bring our unique capabilities as a partner on your Zero Trust security journey. If you’d like to learn more, please request a demo.
Today’s networks are too complex for manual network management and updates. With most enterprises composed of tens of thousands of devices spanning multiple geographical locations, on-premises hardware, virtual environments, and multiple clouds – it’s virtually impossible to push updates manually. Also, the sheer volume of vendors and coding languages can be overwhelming for a network operations engineer. In most cases, learning a new language or new platform takes eight weeks to achieve basic proficiency; it’s not realistic to expect human skills to scale at the pace of network innovation (aka network complexity).
That is why we decided to integrate the Forward Networks platform with the industry-leading network assurance platform, Itential. Their low-code automation platform makes it easy for network operations teams to deploy and manage multi-domain infrastructures. Itential’s cloud-native software as a service offering provides a low-code interface that seamlessly connects to any IT system, cloud, or network technology for end-to-end closed-loop network automation and orchestration. Forward Enterprise enables network operators to deploy automated changes with the assurance that they are in compliance with network policies and won’t have any unintended side effects.
Forward Enterprise helps network operations engineers avoid outages through its unique mathematical model. The platform creates a digital twin of the network (across on-premises devices, private and public cloud) enabling network operators to map all possible traffic flows, instantly troubleshoot, verify intent, predict network behavior, and reduce MTTR (mean time to resolution). Itential simplifies and accelerates the deployment and management of multi-domain network infrastructure. Both platforms support major network equipment vendors and AWS, Azure, and Google Cloud platforms.
The Closed Loop Automation process enabled by the integration of Forward Networks Platform and Itential Automation Platform (IAP) acts as a safeguard to prevent any issues from becoming pervasive following a change window. Using the pre-built automations, templates, form builder, and automation builder within Automation Studio makes it easy for network operations engineers to build an automation catalog that enables changes at scale. By using the API integration with Forward Networks, they can verify routing, add intent checks, verify new service connectivity, check for side effects and send notifications and verifications via Slack, Microsoft Teams, Cisco WebEX, and email. Integration with change management systems including ServiceNow and Jira ensures everyone is working from a single source of truth and expedites collaboration. In the event of an issue, the diff check functionality within the Forward Networks platform makes it easy to pinpoint which changes are causing any unplanned behavior.
For more detail on how the integration works, please view our ONUG Spring 2021 session.
Network operations teams rely on highly specialized tools developed by individual vendors designed to address particular problems. The result? Most enterprises have 10+ Network Operations applications in place and they don’t talk to each other—which means that network operations engineers spend an exhaustive and unnecessary amount of time toggling between applications and sifting through information as they work to resolve tickets. Multiple tools providing state information introduce inconsistencies in data accuracy and level of detail.
Because information is not portable between applications, is vendor-specific, is inaccessible because it’s siloed behind security boundaries across the network, or is not current, the teams charged with network and security operations are at a disadvantage. When people working to solve a problem have incorrect, incomplete, or out-of-date information they cannot efficiently solve problems.
Forward Networks was created to make the hard parts of network operations easier. For us, that means giving instant access to the information you need to troubleshoot and resolve network issues.
The Forward Networks platform is based on a mathematical model that creates a digital twin of the network. This software-based twin provides a comprehensive visualization of all possible network paths, a searchable index of configurations presented in a vendor-neutral manner easily understandable for even tier-one support specialists, the ability to verify network behavior, and predict how NAT or ACL changes will impact the network. Network state information is updated at regular intervals determined by the operations team.
To ease the burden on network operations teams, we’ve developed an integration between Forward Networks and ServiceNow that provides a single source of truth for the network and enables more efficient use of both platforms. The integration between the applications allows engineers to automatically share relevant details about network state, configuration, and behavior with everyone working on resolving the issue. This information automatically updates within both platforms, creating a detailed and current single source of truth. The integration between the two applications takes only seconds to enable and configure.
A typical incident response involves several teams, the network operations engineer who got the call, maybe the apps team or security team, more senior engineers if the case needs to be escalated. The difficulty of resolving issues is compounded when everyone is working from their own assumptions and data. One of the most effective ways to reduce mean time to resolution is by creating an accurate single source of truth and ensuring everyone involved has access to it.
Because Forward Networks regularly verifies that the network is behaving as intended, it can (at the discretion of the network operations team) proactively open or update ServiceNow incidents based on these verification checks. Whether incidents are created automatically or manually, a link to the relevant data becomes part of the incident and is updated as the system collects network state information; this ensures everyone is working from the same information. For existing ServiceNow incidents, the Forward Networks integration allows network engineers to capture relevant information and add it to the incident, again saving the resolution team time they would have spent researching the issue.
This integration also allows network operations to verify that the changes they’ve made have resolved the issue by running a query. The platform will show whether the issue is resolved, or allow the engineer solving the issue to see how their change impacted the network and what else may be causing the issue; this way tickets can be followed through to resolution. Incident history can be viewed from within Forward Networks or ServiceNow, allowing the engineering team to see all actions and status from their platform of choice.
The real benefit of this integration is immediate access to information that reduces the mean time to resolution from hours to minutes for most problems.
Have 5 minutes? Watch the Forward Networks and ServiceNow integration in action on our Forward Fix – engineering content by engineers, for engineers.