Networks today are different from what they were ten years ago, and one could argue that depending on the organization you work for, these networks are different from those just a few years ago. The rise of hybrid networks has made troubleshooting these networks that much more complex. Before, it could have been a hub and spoke design from your end users to the resources they need to access in one of the data centers. Applications that needed to access data center services or other applications either went over a few racks to the services or perhaps just had to go to another data center.
Today, not only do you have to worry about your on-premises infrastructure, which could be comprised of dozens of vendors, several versions of code, and multiple ways to show output, but you can also have a software-defined data center solution and a multi-cloud presence that relies on the underlying infrastructure. This makes troubleshooting extremely difficult, as teams need proficiency across several vendors, and individuals must keep up to date on the nuances in code versions and know how to extract the necessary information from the platform in order to troubleshoot.
Most organizations don’t have a current network diagram because it’s constantly changing, and any created map is out of date almost before it’s published.
Back in the day, when I used to troubleshoot these complex networks to figure out what was going on, we had to involve several teams (e.g., the infrastructure team for the software-defined data center, the network team, the firewall team, and the cloud team). On a troubleshooting bridge, you will inevitably hear, “My side looks good,” at least once from every team on the call. Obviously, this does not help resolve the issue. Because everyone was running their own tools, they were working from individual data sets that didn’t tell the entire story–they believed their side was good, but perhaps they were missing crucial information.
The next problem that could arise is the assigned person from one of the groups not knowing the part of the environment being looked at or not having the proper knowledge of the technology in the path of the troubleshooting session. This, unfortunately, will affect the Mean Time to Identify (MTTI), drastically affecting the Mean Time to Resolve (MTTR), which can be costly to the organization, depending on the industry.
Troubleshooting is one aspect, but any day-to-day activity can make your teams less efficient because they are manually trying to prove that all the firewall devices adhere to their golden configuration, as the organization is being audited. Not only is this tedious, but without the proper data collection and storage, it’s impossible to prove a device was compliant at a date in the past.
All hope is not lost; these complex networks can be tamed! On June 22nd at 11:00 AM PST, join me and Steve Allie, our VP of Technical Services, to discuss how a digital twin can increase efficiency in complex hybrid networks. Click here to register for this webinar.
Do cloud environments really have to be so foggy? Absolutely not. Yet, many enterprises have come to accept that not having full visibility into their cloud estate is just “how it is.”
That’s a risky position, as deploying or migrating third-party cloud platforms without a complete view of network traffic patterns can easily lead to security gaps and make troubleshooting a daunting task.
Most enterprises today use multiple cloud platforms like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure as part of their hybrid cloud estate. Visualizing their environment for troubleshooting requires multiple applications and often several experts within the team. As cloud use expands and providers release new services, the visibility problem is worsening quickly — and exponentially.
Sure, network and security teams have tools to validate connectivity and security for on-premises networking. But they’re not useful for the cloud. It’s like asking your teams to use a drill to hammer a nail. Plus, each cloud provider has its own nomenclature, methodology, and toolset. What network or security pro has time to learn and master all of that?
Thankfully, they don’t even have to try (unless they really want to). Forward Networks can help your teams make sense of your organization’s cloud estate and ensure the same policies you have in place on-prem are being enforced in the cloud. We’ve extended the visualization, search, and verification capabilities of Forward Enterprise to support AWS, Azure, and GCP. The Forward Enterprise platform now enables engineers to visualize the entire cloud estate alongside the on-prem environment in a single, normalized (vendor agnostic) view.
Want to learn more about the Cloud features of Forward Enterprise? Visit www.forwardnetworks/cloud.
Try a free 14 day trial of Forward Cloud through AWS Marketplace.
On June 28, we announced new features within Forward Enterprise that help security engineers spend less time on reactive tasks so they can be more proactive. Why would a networking company expand into the security space? Good question. Let me share some of the reasoning that led to expanding deeper into this space, and why I am excited about it.
Reason 1: The overwhelming and urgent need.
Last year, the SolarWinds hack shocked the world with both the vector and its breadth of reach across the world, reminding us all of the importance of security, especially within the network. Since then we’ve continued to see additional examples such as the recent Colonial Pipeline ransomware attack. These are both preventable and containable.
Reason 2: Demand from our customers.
Deployments that were originally triggered by a need for network operator-oriented visibility and verification have also seen adoption and used by their peer security engineers to solve a range of daily work tasks. These security engineers have been highly enthusiastic about the time savings they gain by getting instant answers to network questions with Forward Networks, without needing to talk to a long chain of humans and spending hours to days gathering such information in their old way of working. Based on this success, they have been asking us for an expanded security capability set, with an ultimate goal of a single unified view and platform for both the network and security teams to collaborate around.
Reason 3: Unique capabilities from unique technology.
What do we do? Put simply, we use math to organize network information, in the form of a digital twin, and make that network information accessible to people and machines. This approach requires analyzing every possible way a packet could flow through your network. And yes, that is effectively a comprehensive pen test that runs on our customers’ global networks 10s of times per day! That data enables network verification like that is nothing like the testing or mapping you’re used to.
Reason 4: Hack Week.
In April, our engineering team had a week to work on anything. What did they choose to do? Security. Working closely with customers and having an impact is why they are here. Many of the projects created “easy buttons” for common (and highly complex) security tasks, and when shown to security teams, their feedback was clear: “I want this, yesterday.”
Those are all solid reasons, but I want to add my own take, from doing SecOps at a Stanford Lab, to setting up security infrastructure when founding this company, and now answering to a board about security.
A large fraction of security incidents can be both prevented, or at least tightly contained – but only if a strong network security and segmentation policy has been implemented. An ever-growing list of vendors are scrambling to provide different components of a Zero Trust solution for your business, but even if you buy one (or more) of these solutions, how do you know if you’ve implemented them correctly? In the financial world, we have auditors to confirm that we have correctly implemented the appropriate financial practices. The same mechanism is critical for network security, and this is what Forward Networks provides in the form of network and security visibility and verification.
I’m proud to announce our latest release, 21.5, which includes these new marquee security-focused features:
All of these new capabilities can be used on both your live network, as well as any historical snapshot you’ve taken in the past (for forensics), and all can be easily integrated via API into your automation framework of choice.
This is just the beginning of our security journey, and we’d like to bring our unique capabilities as a partner on your Zero Trust security journey. If you’d like to learn more, please request a demo.
Today’s networks are too complex for manual network management and updates. With most enterprises composed of tens of thousands of devices spanning multiple geographical locations, on-premises hardware, Virtual environment, and multiple clouds – it’s virtually impossible to push updates manually. Also – the sheer volume of vendors and coding languages can be overwhelming for a network operations engineer. In most cases learning a new language or new platform takes eight weeks to achieve basic proficiency; its not realistic to expect human skills to scale at the pace of network innovation (aka network complexity)
Which is why we decided to integrate the Forward Networks platform with the industry-leading network assurance platform, Itential. Their low-code automation platform makes it easy for network operations teams to deploy and manage multi-domain infrastructures. Itential’s cloud-native software as a service offering provides a low-code interface that seamlessly connects to any IT system, cloud, or network technology for end-to-end closed-loop network automation and orchestration. Forward Enterprise enables network operators to deploy automated changes with the assurance that they are in compliance with network policies and won’t have any unintended side effects.
Forward Enterprise helps network operations engineers avoid outages through its unique mathematical model. The platform creates a digital twin of the network (across on-premises devices, private and public cloud) enabling network operators to map all possible traffic flows, instantly troubleshoot, verify intent, predict network behavior, and reduce MTTR (mean time to resolution). Itential simplifies and accelerates the deployment and management of multi-domain network infrastructure. Both platforms support major network equipment vendors and AWS, Azure, and Google Cloud platforms.
The Closed Loop Automation process enabled by the integration of Forward Networks Platform and Itential Automation Platform (IAP) acts as a safeguard to prevent any issues from becoming pervasive following a change window. Using the pre-built automations, templates, form builder, automation builder within Automation Studio makes it easy for network operations engineers to build an automation catalog that enables changes at scale. By using the API integration with Forward Networks, they can verify routing, add intent checks, verify new service connectivity, check for side effects and send notifications and verifications via Slack, Microsoft Teams, Cisco WebEX, and email. Integration with change management systems including ServiceNow and Jira ensure everyone is working from a single source of truth and expedites collaboration. In the event of an issue, the diff check functionality within the Forward Networks platform makes it easy to pinpoint which changes are causing any unplanned behavior.
For more detail on how the integration works, please view our ONUG Spring 2021 session.
Network operations teams rely on highly specialized tools developed by individual vendors designed to address particular problems. The result? Most enterprises have 10+ Network Operations applications in place and they don’t talk to each other—which means that network operations engineers spend an exhaustive and unnecessary amount of time toggling between applications and sifting through information as they work to resolve tickets. Multiple tools providing state information introduces inconsistencies in the data accuracy and level of detail.
Because information is not portable between applications or is vendor-specific, inaccessible because it’s siloed due to security boundaries across the network, or current, the teams charged with network and security operations are at a disadvantage. When people working to solve a problem have incorrect, incomplete, or out-of-date information they cannot efficiently solve problems.
Forward Networks was created to make the hard parts of network operations easier. For us, that means giving instant access to the information you need to troubleshoot and resolve network issues.
The Forward Networks platform is based on a mathematical model that creates a digital twin of the network. This software-based twin provides a comprehensive visualization of all possible network paths, a searchable index of configurations presented in a vendor-neutral manner easily understandable for even tier-one support specialists, the ability to verify network behavior, and predict how NAT or ACL changes will impact the network. Network state information is updated at regular intervals determined by the operations team.
To ease the burden on network operations teams, we’ve developed an integration between Forward Networks and ServiceNow that provides a single source of truth for the network and enables more efficient use of both platforms. The integration between the applications allows engineers to automatically share relevant details about network state, configuration, and behavior with everyone working on resolving this issue. This information automatically updates within both platforms creating a detailed and current single source of truth. The integration between the two applications takes only seconds to enable and configure.
A typical incident response involves several teams, the network operations engineer who got the call, maybe the apps team or security team, more senior engineers if the case needs to be escalated. The difficulty of resolving issues is compounded when everyone is working from their own assumptions and data. One of the most effective ways to reduce mean time to resolution is by creating an accurate single source of truth and ensuring everyone involved has access to it.
Because Forward Networks regularly verifies that the network is behaving as intended, it can (at the discretion of the network operation team) proactively open, update ServiceNow incidents based on these verification checks. Whether incidents are created automatically or manually, a link to the relevant data becomes part of the incident and is updated as the system collects network state information, this ensures everyone is working from the same information. For existing ServiceNow incidents, the Forward Networks integration allows network engineers to capture relevant information and add it to the incident, again saving the resolution team time they would have spent researching the issue.
This integration also allows networks operations to verify that the changes they’ve made have resolved the issue by running a query. The platform will show if the issue is resolved or allow the engineer solving the issue to see how their change impacted the network and what else may be causing the issue, this way tickets can be followed through to resolution. Incident history can be viewed from within Forward Networks or ServiceNow allowing the engineering team to see all actions and status from their platform of choice.
The real benefit of this integration is immediate access to information that reduces the mean time to resolution from hours to minutes for most problems.
Have 5 minutes? Watch the Forward Networks and ServiceNow integration in action on our Forward Fix – engineering content by engineers, for engineers.
Network complexity has reached nearly unmanageable proportions for most organizations. With thousands of devices, millions of lines of code to configure networks, and constant updates, it has become nearly impossible to track network topology details, let alone network policies, behavior, and capabilities end-to-end. The result is a network infrastructure that is resistant to change and risk, which reduces the ability of the IT team to quickly address changing business needs and application requirements. Can Automated network mapping solutions stem the tide of complexity and tedious resource drain?
For many organizations, the state of the art for network maps and documentation is Visio diagrams or spreadsheets of device names and IP addresses. Even network management tools can not keep pace with the rapidly changing details of dynamic network environments. Organizations have to rely on senior network engineers to track network details, but such expertise is easily lost and learning curves are steep and expensive.
Organizations need to automate the network mapping process, so that information is always up-to-date and accurate, while reducing overhead in documenting network details. Automated network mapping software can form a single-source-of-truth for network details, configurations, topology maps, and connections. The ideal automated network mapping solution can even turn the tens of millions of network details, security policies, connections and forwarding rules into a usable database where such information is readily accessible with simple queries to be used in troubleshooting, network analysis or compliance checks.
The heart of an automated network mapping solution is the centralized process that can access each device and collect and organize the relevant data. With all of the right details, a current network topology diagram can be generated quickly to guide network management tasks and workflows.
Automated network mapping is one of the key use cases and features of the Forward Enterprise platform. Forward Enterprise collects all network information, including forwarding tables and security rules, from each device in order to build an interactive map of the network topology. The information is organized into a database as well, with a simple query language to quickly identify configuration errors, outdated systems, or down links.
Network collections, to update the automated network map, can be scheduled periodically or pulled on-demand, to make sure that IT managers always have access to current information. Information from the automated network map can then guide a wide range of network management workflows and processes. Automated network mapping can also ensure that all team members and IT silos have access to the information they need, no matter where they are on the learning curve of managing a complex enterprise network.
The Forward Networks automated network mapping capability even includes cloud networks. Network maps can show flows throughout a multi-site on-premises data center over a WAN connection and to public cloud providers such as Amazon AWS and Microsoft Azure. Being able to visualize a contiguous network map across multiple vendors, sites and service providers is a powerful debugging and analysis tool that can quickly improve IT operations.
As networks become more complex and require more frequent updates, organizations need to automate more of the management tasks. Automated network mapping should be a primary focus to ensure that an accurate, always-up-to-date view of the network topology and key management details are available to accelerate IT processes.