arrow down
Arrow down
Arrow down
Arrow down

Network migration is a critical undertaking for any organization looking to optimize their network performance, adopt new technologies, or achieve cost savings. However, this process poses numerous challenges that can lead to disruptions and unwarranted risks if not properly managed.  

One of the primary challenges of network migration is verifying that the network behaves and provides the same service and connectivity after the migration as it did before. Traditional methods of manual verification are time-consuming, error-prone, and inefficient. NetOps teams test critical flows to ensure they were not disrupted, but without knowledge of every possible path a packet could traverse, it’s impossible to ensure that all connectivity remains unchanged. The tools provided by vendors to assist in migration cannot assess multi-vendor network behavior and identify deviations from expected norms.  

This is where Forward Networks comes to the rescue. The network digital twin offers a holistic solution to prove network equivalency after network migration to ensure a seamless transition.  

Forward Networks' digital twin is a game-changer when it comes to verifying network connectivity and security posture before and after a migration. To learn more about how the platform proves network equivalency, read the use case

From Gestalt IT

Mergers and acquisitions (M&A) are common occurrences in business. After the ink dries on a deal, IT network and security teams embark on the challenging task of welding two different parts into a single whole.

Understanding how both parties’ networks are built and run is the first order of business to joining them and gaining value from the merger. Forward Networks’ core ability to build a digital twin of an environment and layer additional features on top of it provides a way to smooth the path to unity...[KEEP READING on Gestalt IT]

The Globee Awards for Disruptors recognizes and celebrates organizations and individuals who have significantly contributed to disruptive innovation across various industries. These awards acknowledge the trailblazers who have challenged the status quo, introduced groundbreaking ideas, and transformed traditional practices through their disruptive approaches.  

Forward Networks was honored because: 

Because the tools network and security operations use to validate connectivity and security for on-premises networking are entirely different from those used for the cloud, it’s nearly impossible for teams to verify that the security policy is being enforced on-prem and throughout the multi-cloud environment.  

Deploying traditional security controls is ineffective in the cloud since defensible perimeters are erased, component virtualization and decentralization obscures visibility, and automated configuration tools are required at scale. 

Using read-only permissions, Forward Enterprise collects config and state data from all on-premises devices, such as routers, switches, and firewalls. The SaaS platform uses publicly available APIs to gather similar read-only information from public cloud accounts to create a digital network twin encompassing physical, virtual, and cloud estates. This information is presented in an integrated (and vendor-agnostic) way, enabling engineers to verify compliance throughout the estate. Anytime a non-compliant change is detected within the cloud estate, the appropriate teams will receive specific, actionable information about which instantiation is non-compliant and why, enabling rapid resolution.  

Unique Cloud Security Features within Forward Enterprise: 

Single source of truth.

Networking, security, and cloud professionals can work from a consistent, always up-to-date set of facts when troubleshooting or verifying network behaviors, drastically reducing MTTR. 

Verification that cloud security posture complies with corporate policy.  

Users gain unprecedented access to behavioral data to hasten troubleshooting, prevent incidents, and deliver timely alerts any time a cloud configuration is outside of policy. Timely alerts enable teams to quickly remediate issues and limit risk. 

Secure, automated application provisioning in the cloud.  

Organizations can ensure that the connectivity configurations of new applications adhere to corporate governance policies. Eliminating manual policy checks streamlines the process, so applications can be launched with greater confidence and speed, and companies can recognize revenue on new offerings more quickly.  

Hop by hop visibility.  

Forward computes all possible traffic flows and provides detailed insight into how on-premises devices and cloud elements transform and direct traffic.  

Search capabilities across the entire estate. 

Forward performs complete end-to-end path analyses across the network for both on-premises and cloud infrastructure. Users can locate devices and access detailed information on their location, configuration, and state in milliseconds. 

Learn more about Forward Enterprise Cloud Security by reading the use case or requesting a demo.

Forward Enterprise Makes the Cloud More Agile, Predictable, and Secure

SANTA CLARA, Calif., Feb. 23, 2022 /PRNewswire/ -- Forward Networks, the only company offering visibility and intent capabilities across the entire network estate, including on-premises, hybrid-cloud, private cloud, public cloud, and multi-cloud instances, today announced enhancements to the Forward Enterprise platform. Forward Enterprise now provides unprecedented visibility into network configuration and behavior in an actionable, vendor-agnostic format, enabling all organizations to conduct business in the cloud with certainty. In addition, the new cloud capabilities give IT teams a 360-degree view of both physical and virtual environments, as well as a single pane of glass for end-to-end in-depth connectivity analysis and policy and security verification.

Forward Enterprise creates a digital twin of an enterprise environment across on-premises devices, as well as hybrid multi-cloud environments. IT teams can instantly troubleshoot, verify intent, and predict network behavior by computing all possible traffic paths. The new platform enhancements also ensure security policies are enforced and prevent costly multi-cloud routing mistakes.

"For enterprises running large and complex networks, the cloud promised agility, economics, and security, but it has delivered complexity, expense, and risk," said David Erickson, Co-Founder and CEO, Forward Networks. "Our new platform enhancements were developed after listening to our customers detail their pain points and will help enterprises take the next right step in their cloud journey. They now have the same visibility and transparency into multi-cloud network traffic as on-prem environments and can be confident that they have the necessary information to make networks more reliable and secure."

Unlike the proprietary tools cloud providers offer subscribers, Forward Enterprise provides visibility, insight, and troubleshooting capabilities across multiple clouds. Using this insight, professionals can often remediate potential problems before they materialize, saving time and money. Forward Enterprise is the only platform on the market capable of building a software model of all major networking vendors and services at scale, including for hybrid multi-cloud environments. It also offers complete integration with the top cloud platforms, including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). In addition, the platform computes all possible traffic paths for unparalleled insight into network behavior, including how some changes can impact network behavior and compliance verification.

The new capabilities are generally available today, and pricing is based on pay-as-you-grow cloud consumption that does not require a large upfront investment.

About Forward Networks
Forward Networks is revolutionizing the way large networks are managed. Forward's advanced software delivers a "digital twin" of the network, enabling network operators to verify intent, predict network behavior, and simplify network management. The platform supports devices from all major networking vendors and cloud operators, including AWS, Azure, and Google Cloud Platform.

Forward Networks was founded in 2013 by four Stanford Ph.D. graduates and is headquartered in Santa Clara, California. Investors include Goldman Sachs, Andreessen Horowitz, Threshold Ventures, and A. Capital.

The average network is a collection of configuration settings that exist in their own little island. They interact with each other and create situations where that interaction causes systemic issues in other places. Half of the job of a network engineer is figuring out those interactions and anticipating how they will impact other parts of the steady-state machine that we build to operate our applications. It’s hard enough to learn where all the switches are. Asking for anything more complicated is taxing for any engineer.

With the rise of networks that need to be more reliable for things like cloud applications and important use cases for financial or medical, it’s not enough to guess about the network state any longer. We can’t just hope that a configuration was done and that it was made in such a way as to lessen the impact on other systems. We can’t wish that things were configured correctly. We have to go one step further and actually verify that everything is done correctly. Adding that verification step into our routine is a source of contention, though. It’s a lot of extra work. It requires extra steps to get the information and make sure it’s accurate. It’s not what the standard network was built to provide. There needs to be a better tool out there to give us the info we need.

Continue reading...

Read more about Forward


In my previous ONUG blog post Query Your Network like a Database, I talked about how companies are embracing Network Automation in order to become more agile. I described how Network Automation can be very powerful but frighteningly dangerous without a proper safety guard. I explained what the Forward Networks Network Query Engine is and how it can help in building a rock solid network verification solution.

But now I’ll explain how customers can build a complete network automation and verification solution with Ansible and Forward Networks.

Ansible (by Red Hat) is a simple, powerful and agentless tool used by many customers to automate the deployment and configurations of applications, servers and network devices.

Forward Networks’ flagship platform, Forward Enterprise, documents, searches, verifies, and predicts the behavior of your network by creating an always-accurate software copy of your entire network infrastructure for both on-prem and cloud.

With available REST APIs, it easily integrates into existing network management workflow and tools.

Continue reading...

Read more about Forward


The great panacea for network IT the last several years has been more and more automation. Automation through orchestration. Simplifying and accelerating network administration tasks at the scale of large enterprise and cloud networks. Automation to keep up with the accelerated deployment of virtual applications, workload mobility and virtual networks. But if everything is happening so fast, and change is constant, can we keep the same degree of accuracy and assurance in our network and security deployments?

Automating complex network configuration processes is a great way to propagate errors at warp speed to all corners of your data center. Orchestration platforms can be great tools in the right hands, but small errors have a way of doing greater damage in profound ways. Like a power chain saw can do more damage with the slightest miscalculation. What's needed is to couple orchestration platforms with rapidly emerging network verification technology. Network verification can now be completely automated, so you aren't introducing additional manual processes to slow down your orchestration. But you can verify that everything is accurate and deployed correctly at light speed.

But what is network verification? If you've been following Forward Networks to get this far, you probably know already. Verification is much closer to an automated audit process than traditional tests that look at live traffic, log files, sniffers or port analyzers. It is a much more thorough analysis of the entire network end-to-end based on identifying theoretical sets of packets that could potentially breach stated policies. The analysis is based on a behaviorally-accurate mathematical model of your large network that can be queried for policy compliance and end-to-end behavior. You define the policy checks you need to have in place, and the platform verifies whether the current network configurations deviate from any of the policies. In minutes or less.

How would this work in practice? We just recorded a great 30-minute webinar and demo that gives a great example of this scenario in action. In the following presentation, we show how Forward Enterprise, our verification and network assurance platform, can be integrated with Cisco Network Services Orchestrator (NSO, formerly Tail-f), a leading automation platform. In this short video, you can see how Forward Networks:

In Part 1 of this blog, I discussed the power of network verification compared to traditional network testing. Verification is the mathematical and logical analysis of your current network configurations and state to detect and highlight violations of your policies and intent. Verification can take you from being "Pretty Sure" your network is configured correctly, to being "Absolutely Sure" your intent is represented in the network. This capability is delivered in Forward Enterprise, our full-featured platform designed for large enterprise and provider networks, including multi-site data centers, private clouds, corporate backbones and telco-class infrastructure.

It is important to note that Forward Enterprise is not a monitoring or performance management tool. In fact, it doesn’t look at live traffic. Forward Networks creates a software model based on a snapshot of the network, and can perform end-to-end analysis of the range of possible behaviors under all scenarios and conditions. It doesn’t test a packet going over the link, it will find the boundary conditions that you haven't thought to test for. That will allow you to head off problems before they occur. And help you avoid tedious weeks of box-by-box analysis and root cause research.

It all starts with collection and search...

Forward Enterprise builds a software model of your network after collecting all configuration and state information from each device. Much like Google crawls the Internet for new content and links between web sites, Forward crawls devices and organizes a snapshot of all network links and information. We even understand subtle behavior differences between specific networking or firewall vendors to ensure accurate analysis of traffic behavior in the live network. From the collection, Forward builds a complete inventory and topology diagram.

Most of our customers find this initial inventory and topology display immensely useful because it can identify devices you may have forgotten about, or are obviously not performing any productive function. For example, a device may be physically connected in the network, but misconfigured to not support any real traffic flows. Since all possible routes into and from each device are analyzed and displayed, it becomes immediately apparent where links are up, down, or have no potential traffic flows. But it gets much better when you can create sophisticated queries into the network model.

From search to verification

Forward Search is one of the three key functional pillars of Forward Enterprise, along with Verify and Predict. But each of the three capabilities allow you to develop extremely interesting behavioral queries about the intent and performance of the network. A simple search query could be structured such as "show all the inbound internet traffic paths reaching a rack of servers, or a particularly virtual switch, that don't use destination port 443". This might show vulnerabilities on non-SSL ports that your network might be allowing through. If that's possible, it's easy to trace flows through each device in the path that are misconfigured and how to remediate. Virtually any network attribute, protocol or device state can be queried to quickly isolate inconsistencies or violations of your network intent.

When you define your network intent as a series of network policy requirements, each requirement becomes essentially a search query and a check is performed. Again, any deviations from the pre-defined network intent are quickly identified and isolated. Forward Enterprise comes with several pre-defined policy checks, as shown below, including checking for forwarding loops, IP address uniqueness, consistency across all links for VLANs, MTU, speed, duplex-type, etc.

Forward also allows you to define your own policy requirements for your own network intent very easily. User-defined checks provide the ultimate flexibility to incorporate specifics of your network design and application requirements. In the example scenario below, we see the failure of the user-defined check for only SSL traffic being allowed to reach a set of web servers.

Whenever one of your intents fail, it’s not only easy to quickly drill down to the explicit scenario that violated the policy, but to analyze the individual device(s) that are misconfigured and to see the specific device configurations and states that generated the policy violations. As you make network changes and update potential errors, you can also immediately see on the dashboard if any new violations have been introduced and what overall impact any changes will have.

Forward Networks has introduced a powerful new weapon to be able to mathematically model and analyze the network in aggregate. Against live scenarios, as well as ones that are coming in the future. The ones you don’t know about. The ones you didn’t plan for. The ones you couldn’t test. That's the power of network verification. And understanding your network intent today is the first step towards intent-based networking.

Forward Enterprise can help reveal your network intent today, on any existing network, and to identify where configuration errors could be causing your problems now or in the future. It's non-intrusive, installs in minutes, and doesn't disrupt current operations. For a live demo and to see how it could model and analyze your network environment, sign up here.

Learn the modern way that companies stay off the front page

Experience a demo of the Forward Platform

The more networks have evolved and the more complex data center architectures have become, more and more organizations are realizing they've got time bombs latent in their network, just waiting for the right set of circumstances to take down critical portions of their infrastructure. In the past, a configuration error might cause a blip in the network that went unnoticed.  With today’s networks so intimately tied to business, each blip can cost many millions of dollars and become front-page news, as seen in the accompanying headlines.

A surprisingly simple way out of this dilemma is network verification. With this new search, analysis and certification approach, it’s possible to analyze any network today in minutes to quickly find and eradicate these potential risks.

Our customers show us configuration errors that are as seemingly simple as a maximum transmission unit (MTU) size mismatches that went unnoticed until a new application revision moved to jumbo frames, or as complex as a failover error that triggered only when specific paths with slightly different configurations went down.  Not only can these problems cause downtime and lost business, but our customers even see unidentified inefficiencies from configuration errors go on for months and years, degrading performance, service quality and driving up costs. A famous example of the latter was a major bank that added new spine switches to their network but did not configure them as part of the ECMP groups from the leaves for data traffic, so for months, their smokin’ fast new routers were acting as expensive space heaters.

Why do these problems persist despite the costs? Chalk it up to frequent changes, network complexity, poor documentation, inconsistencies across vendors, overloaded admins and the rush to keep up with business. But, the main culprit has to be that we've been taking the wrong approach to find, isolate and head off faults in the first place!

The process for network updates and change windows to align new policies and services with network behavior usually involves a great deal of testing. Test the connection from subnet-A to subnet-B. Test the new firewall configuration. Test ACLs with different traffic to specific applications. However, some problems arise when a real-world scenario doesn’t align with our test case: did you test a connection with a ping (ICMP packet), when the connection may behave differently for normal TCP traffic? Some problems arise when we miss a test case: did you test reachability but not across every alternate path? Some problems arise because there’s no easy way to test the complex reality of a complete network:  did you test configurations box-by-box, but not consider every possible interaction of protocols, on all paths, under all packet sizes?

“Pretty Sure” may be the status quo, but it will never be good enough. “Pretty sure” has cost enterprises millions of dollars in downtime, and kept many network admins at the office over a long weekend. Instead, we want “Absolutely Sure”.

“Absolutely Sure” means taking a leap from testing just what we can think of, now, to confirming that every behavior in the network is intended.  There’s even a name for new technology that moves us towards network nirvana: ‘Verification’.

A verification system doesn't merely test a finite number of specific scenarios. It runs a mathematical and logical analysis of the behavior of the network under all possible conditions, all device configurations, all forwarding states, and all end-to-end traffic paths - holistically. It doesn't rely on explicit packets or a single path, but will model all packet types under all possible paths and expose latent configuration problems, unexpected routes and open vulnerabilities. In essence, network verification can assure that your network is indeed a reflection of your business and policy intent (or not!).

To be more concrete, think of network verification like a UL certification for your network.  A UL certification tests that an electronic product won’t catch fire, won’t emit electromagnetic waves, and doesn’t contain dangerous chemicals.  Similarly, network verification tests that a network won’t see routing-loop fires, won’t leak packets, and doesn’t contain harmful configuration errors.

With a real verification platform, not only can network admins accelerate their workflows, but you've got automated reports that can verify compliance and target audit requirements. If a verification system can understand network behavior, it can make that available to the network admins and user to speed up the typical questions and tasks that live at the front of each trouble ticket, while making hours-long diagnoses a search away. If UL certification effectively assures that electronic devices won't cause major damage, how much more trust could you have in your network allowing you to sleep at night? What about the rest of your organization? Or your customers? What if you had a paper trail to deflect liability in case something did go wrong? Could that benefit your business or your career?

And perhaps the best part: Network Verification is available today. It doesn't have to be a disruptive technology to your environment. It can run on any existing network.

There should be no agents to install. No upgrades to the infrastructure. It's non-intrusive because a verification can be done away from your live network, with changes prototyped and tested in a virtual sand-box, eliminating any risk. Installation of a verification platform can take minutes, so you can start deriving benefits from day one, as soon as your topology and device configurations are collected.

(Note: Brandon Heller did a review of verification in other fields of technology in an earlier blog post, and why it's quickly becoming a critical requirement of all datacenter designs and processes.)

Want to know more? It turns out that network verification is becoming an interesting first step towards the new vision of Intent-Based Networking (it even says so here). Gartner Group also says, “Keep an eye out for Forward Networks…” in a blog about Intent-Based Networking. In part 2 of this blog post (coming soon), I will go into more detail about how we can deliver on network verification in our own Intent-Based Networking system, Forward Enterprise, and walk through some typical use cases.

Can't wait? For a live demo on how it all works and to see how it could model and analyze your network environment, sign up here.

[Special thanks to Brandon Heller and Matthias Schroeder who contributed to the development of this blog post.]

Top cross