Network verification and assurance helps operators identify any errors in their network design that could result in behavior that deviates from stated network requirements, security policies, or compliance checks. Verification platforms provide a new analysis method to understand the capabilities of the network end-to-end, incorporate automation, and can quickly compare that behavior to the intent of the network architects and operators.
Network verification gives operators a thorough, exhaustive analysis of the design of the network looking at only configuration files and state information (forwarding tables, ACL rules, etc.), not live traffic or network logs. Using mathematical modeling, it’s possible to calculate all the viable paths through a network at once, comparing them to current policy requirements.
By automating this verification process, with the intelligent analytical capabilities of these newly emerging platforms, operators can automate IT workflows and processes that have not been possible before.
Automated verification can guide and accelerate troubleshooting and remediation to help isolate root cause issues more rapidly. However, by automating the verification of network design and proposed updates, verification platforms can accelerate change windows and increase network agility while reducing the risk of introducing errors into the network.
For organizations that have already successfully deployed an automation platform to update their network infrastructure, an automated verification solution can further accelerate the entire workflow.
Network verification can now be integrated into automation platforms, such as Ansible playbooks. This specifically automates the steps of verifying and comparing the behavior of the network before and after the change, confirming that network updates have been pushed correctly, and that they didn’t have any unanticipated effects on other applications or security requirements.
Administrators can run queries to verify how packets move through the network, apply certain conditions or protocols, and find what factors cause policy violations. A verification platform provides not only a new analytical perspective to remove risk from network changes, but can act as a single source of truth for all network details and information across all network device types, vendors, and cloud platforms.
Ensuring Automation Success
About 40% of all automation projects fail, according to a 2020 survey by industry analyst AIMultiple. One of the most common reasons for this is because automation accelerates the rate of change of the network across many more devices. It can introduce much greater risk into the network, even as it reduces human oversight.
Network verification can address this issue without losing the benefits of process automation by simply analyzing the network state pre- and post-automation to ensure deployments are error-free.
“We can accurately determine all the possible network paths end-to-end, based on the configuration and forwarding behavior of individual devices”, says Gary Kinghorn, director of business development at Forward Networks.
Forward’s network verification uses mathematical models in order to generate an accurate digital twin, or mirror copy, of a working network in software, which it uses to analyze network behavior and designs under any scenario and in the absence of limited traffic and testing scenarios.
“You can actually now query your network or ask it, ‘Hey, does my network support this kind of application flow for these protocols from this subnet to this set of servers or sites?’”, Kinghorn said. “And we will tell you definitively yes or no, and even more, we could show you all the possible paths that conform to that scenario to get rapid, deep insight into what your network is currently doing.”
Finding Needles in Haystacks
Knowing exactly what’s causing a particular network issue can be like finding a needle in a haystack. Accelerating or automating that process with an intelligent guided search is key to improving troubleshooting tasks. The intelligent assistance offered by a verification platform can bring even a new-hire or junior administrator up to the level of the most seasoned network architects and engineers.
“We’ve got one customer, for example, that has five octillion, which is five times 10 to the 27th power, viable paths through their network,” Kinghorn said. “That’s 10 billion times the number of grains of sand on Earth. To quickly identify which of those paths breaches a security policy requirement or compliance need in a few minutes is an extremely valuable capability. It gives them more confidence that their policies are always in place, even as they make hundreds of changes to the network each week.”
Automated processes can save on time and money for IT and business resources. However, the point is moot if those processes introduce errors that result in a security breach or breaking regulatory laws. Verification ahead of time, and even re-checking post-deployment, can ensure that operators know that an automation process has been successful.
“[Verification] works hand in hand with other SDN and automation platforms to be able to verify that everything went as intended, and that no errors are introduced as a result of automated updates,” Kinghorn said. “Every time you make a network update, every time something in our network changes, we’re automating the review of the network design in the light of all of these requirements. Going forward, it’s going to be a tool that most organizations will need in their automation arsenal.”