THE NETWORKING GURU’S GUIDE TO VERIFICATION

Identify errors and eliminate outages, while maintaining a single source of truth for network design, behavior and security information.


Today, networks have become so large and complex, along with constant changes to accommodate new services and business requirements, that networking teams can no longer document or manage all the details end-to-end.

With potentially tens of thousands of devices and billions of lines of code, until now there has been no way to automate the analysis of network designs to quickly verify what devices you have, how they’re connected, where traffic goes, whether it’s really working, or what needs to change.

Network verification is a rapidly emerging technology that provides deep insight to network behavior end-to-end, as well as automating many network troubleshooting and remediation tasks. Organizations are leveraging verification to help avoid outages, facilitate compliance processes and accelerate change windows.

Full-feature verification solutions require an underlying mathematical or software model of network behavior to analyze and reason about policy objectives and network designs in a fundamentally new way. A mathematical model, as opposed to monitoring or testing live traffic, can perform an exhaustive and definitive analysis of network designs to head off problems before they arise in the live network and to verify that all intended policies and application requirements are in place.


OVERVIEW

EXAMPLE FORTUNE 500 ENTERPRISE NETWORK

• 12,786 devices

• 3,281,961,320 lines of text

• 100’s of changes/week

• 514 model/firmware combinations

Avia pervia: “Make easy what is hard” (Forward Networks motto)


TABLE OF CONTENTS

• What is Network Verification?

• Key Use Cases and Process Improvements

• Verification in Action

• Why a Mathematical Model is Required

• What the Industry is Saying

• Conclusion / About Forward Networks


WHAT IS NETWORK VERIFICATION?


Formal verification has long been applied to industries like software and semiconductor design, or complex product manufacturing. Until now, the complexity of large enterprise networks has limited the ability to apply such an exhaustive, end-to-end analysis of network implementations, with the intent of comparing them to stated policy objectives and requirements.

Verification now allows IT teams to automate the analysis of existing network paths end-to-end, based on the collected information from every network device and an exhaustive mathematical analysis of the network for all possible traffic at each hop. We can then compare the potential behavior of the network to our application and security requirements. As a continuous, automated process, we can then proactively catch any network updates or conditions that would violate these stated requirements.

Some examples of end-to-end behavior that we can now easily verify in complex enterprise networks:

• Are there at least 3 redundant paths from a particular access layer router to another site through an MPLS backbone?

• Are there any single points of failure along an entire network path?

• Have we ensured logical traffic isolation between two tenants or applications for certain TCP protocols?

• Is traffic coming in from the external Internet properly restricted to only specific destinations and services? Or is there opportunity for leakage to other applications?

• Are only specific services in our cloud available from various internal sites, systems and users? If so, which ones?

• Are there at least two redundant paths available for network services that are about to be deployed?


Verification is a distinctly different methodology than traditional testing protocols. Verification is reasoning based on an analysis of the network design, configurations and current network state. It does not look at live traffic flows or test scenarios to determine network activity. It will identify design errors that could violate intended network and security policies.

Verification can thus do something traditional testing can rarely do: “prove a negative”, by confirming that something can’t happen, such as two networks being unreachable through any path. From purely a security perspective this can be a real game changer.

Verification can also identify dozens of configuration errors like MTU mismatches, forwarding loops, or IP address duplication anywhere in the network, which may not show up in any specific test, and without reviewing devices one by one.

| MONITORING | TESTING | VERIFICATION |
| --- | --- | --- |
| Limited to live traffic and current scenarios | Limited scenarios or traffic conditions | Exhaustive analysis; all conceivable traffic |
| Live network monitoring doesn’t allow for prototyping changes or “what-if” scenarios | Test network doesn’t match production | Behaviorally-accurate digital twin of network |
| Overwhelming amount of low level data is difficult to analyze for complex issues | Usually focused on a specific new behavior or requirement, and if it works | Verifies hundreds or thousands of policy requirements at one time for every change |
| Reactive approach to network outages and problems | Errors lead to reactive troubleshooting | Proactive approach to error identification and elimination |


The Forward Networks verification platform relies on a behaviorally-accurate software model of the network. We create a large database of network device information and forwarding behavior at periodic snapshots in time. On top of this network database, we have built an analytical engine that compares the determined network paths and behavior to stated high-level policy objectives or network intent. Any deviations from the network intent that can’t be verified in the network design are automatically flagged for deeper analysis in the dashboard.

Fundamentally, Forward Networks lets you see your network in a whole new way. For the first time, network teams can really stay on top of what is in their network, where traffic is going, whether it’s working, and what needs to be changed. Eliminate errors and service outages no matter how fast your network is changing!

[Diagram labels: COLLECTOR; CORE; DASHBOARD; Customer Network Device Configuration and State Collection; Network Behavior Analysis; Behavior Database]


KEY USE CASES & PROCESS IMPROVEMENTS


TROUBLESHOOTING & COMPLIANCE

When a trouble ticket or a compliance request comes in, it can be a long and tedious task to isolate the root cause of the problem or verify that all audit requirements are in place. A verification platform can analyze any anomalous behavior or intended requirement to quickly find the needle in the haystack amid potentially billions of lines of configuration code and network details. It’s now possible to accelerate network repairs and check off compliance requests in record time!

Forward Networks provides an interactive user interface to query the network for behavior patterns and drill down on the root cause of issues efficiently and accurately. You have at your fingertips the information to isolate problems, prototype changes and quickly visualize and assess their impact to intended policies.

TROUBLESHOOTING DEMO: Networking Field Day

Modern networks with virtual overlays, hybrid cloud environments and greater scale have dramatically increased the complexity and cost of understanding and maintaining end-to-end policies.


VERIFYING NETWORK DESIGNS & UPDATES

Every time you make a change to your network, you are increasing risk. Small changes can have unanticipated impact on other applications, services and devices. The tedious effort to verify any network update can have adverse impact on IT’s ability to respond to business needs and deploy new capabilities.

Forward Networks simplifies the verification process by automating the exhaustive analysis of changes to the network, comparing them to intended policies and requirements. The platform can be integrated with network automation tools to verify configuration updates, accelerate change windows and decrease the risk of rolling back changes that adversely impact the network.


NETWORK DOCUMENTATION & VISUALIZATION

Network engineers and operators often face the problem of maintaining a usable and up-to-date form of network documentation, typically Visio diagrams, inventory spreadsheets, topology maps, and configuration files. The complexity of networks, the number of OS versions and the pace of network change make it extremely difficult to maintain current, accurate documentation that operators can rely on. As a consequence, they often have to deal with more than one “single source of truth” about the network, and not always an accurate one.

Forward Networks provides the single source of truth for all network details, maintaining them as snapshots in time. Network designs and their behavior are always up to date and can be compared between points in time.

The platform is an ideal tool for compliance requests or giving every junior IT person the analytical skills and tribal knowledge of the most senior network architects.


VERIFICATION IN ACTION


SEARCH

A POWERFUL SEARCH ENGINE FOR YOUR NETWORK

Fast, easy-to-use search over all possible network behaviors

VERIFY

IS IT DOING WHAT IT SHOULD?

Continuously validate connectivity, security and configuration sanity

BEHAVIOR DIFFS

WHAT HAS CHANGED?

Validate all the changes that occurred between two points in time

NETWORK QUERY

QUERY YOUR NETWORK LIKE A DATABASE

Quickly write customized network checks to scan your network configurations for issues

PREDICT

HOW WILL THIS CHANGE AFFECT MY NETWORK?

Determine how changes in ACL rules and NAT policies will affect network behavior


The Forward Networks platform brings together a range of IT processes that rely on network verification in one user interface and dashboard. Users can quickly navigate their troubleshooting, verification and audit processes. The functional tasks and primary views of Forward Enterprise are:

• SEARCH

• VERIFY

• PREDICT

• BEHAVIOR DIFFS

• NETWORK DATABASE QUERY

• API INTEGRATION


SEARCH

Forward Search closely mirrors a troubleshooting and root cause analysis process. Users can create policy queries and immediately receive end-to-end path results that show how the network responds to the given scenario. Path searches frequently start with specifying any src/dst IP/port tuple.

By interactively refining queries and drilling down on specific devices in a path, users can identify errors in a fraction of the time. And just like a “Google for your network”, it’s quick to search for MAC or IP addresses, VLANs or virtually any network identifier or attribute.

SEARCH DEMO: Networking Field Day

Remington @localpref_net: Seeing is believing - @fwdnetworks’s visibility seems pretty close to a holy grail.


VERIFY

On the Verify screen, users can list all of their network and security policy requirements and the Forward platform will assess which are failing in every network snapshot. Verify rules specific to your applications, topology and devices are easy to create and reflect end-to-end behavior that no other platform can exhaustively analyze or confirm.

The pass/fail links open quickly to show various or partial paths to easily remediate any potential issue.


PREDICT THE IMPACT OF PROPOSED CHANGES

Make changes to ACL rules and NAT policies directly in the Forward software model to predict and verify changes to the rest of your intent checks. Compare side-by-side the effects of changes before pushing them live.

Forward Predict can help save time in avoiding costly roll-backs of changes or accelerate many testing and code review tasks as part of a change window. Prototyping potential fixes during the troubleshooting and remediation process can keep the network more agile and IT teams more responsive.

The Green Girl @runningreengirl: The Green Girl is impressed that with @FwdNetworks you can not only validate connectivity by running a hypothetical ‘no firewall rules’ scenario but you can also run through a simulation to see the ‘what if’ of making a firewall change with current state configs. #NFD22

Carl Fugate @carlfugate: You can now test Firewall and ACL rule changes in a sandboxed environment on @FwdNetworks. No more need to test firewall rule changes in production. Game changing. #NFD22


BEHAVIOR DIFFS

A powerful way of isolating issues is to compare all aspects of the network between two points in time. Find out exactly when a particular update or configuration change may have started creating anomalous behavior. Or bring up a behaviorally-accurate model of the network from 6 months ago to show the compliance team which policies were in place.

Users can quickly compare changes in configurations across all devices, as well as changes in IP routes, VLANs, ACLs, NAT policies and compliance checks.

BEHAVIOR DIFFS DEMO: Networking Field Day


NETWORK DATABASE QUERY

Forward Networks includes a wide range of low-level health checks in the platform, but we know that users can always think of hundreds of other interesting checks with access to our network data model. Now you can query your network like a database!

Our simple query language, based on GraphQL, is straightforward and intuitive. Our data model is consistent with the OpenConfig standard, and network admins don’t have to be coders to write their own data analysis or presentation logic. Mission-critical checks that used to take months to write can now be crafted in a few minutes!

NETWORK QUERY ENGINE DEMO: Networking Field Day

Jeremy Schulman, Software Engineer, Automation Specialist: @FwdNetworks #NDF21 tackling one of the hardest problems in checking the operational state of the network with NQE… it's the next-level of network operational automation. You must check this out!


EMBED VERIFICATION CHECKS IN EXTERNAL PLATFORMS

Forward Networks makes it easy to embed verification checks into other network applications and platforms. Our REST-compliant API provides access to the path analysis engine to bring end-to-end network path checks for integration with other systems. Network Query Engine (NQE) checks are ideal for directly accessing the underlying network data model specifically.

Forward has already developed integrations with network automation platforms like Ansible (by Red Hat), ticketing management systems like ServiceNow, and communication and messaging platforms like Slack. It means you can get the information you need to the right people and workflows to accelerate your network processes.

FORWARD INTEGRATIONS DEMO: Networking Field Day

Teren Bryson, Freelance writer, Networking Geek: Closed-loop automation + verification with @FwdNetworks - This is a massively overlooked part of any automation strategy

[Diagram labels: REST API; FORWARD NETWORKS CORE; Device Configuration and State Collection; Behavior Network Analysis; Behavior Database]


WHY A MATHEMATICAL MODEL?


The mathematical model of the network is the core of the Forward Networks platform. This unique analytical engine provides automated insights to the end-to-end behavior of the network and compares it to the designer’s intent and overall requirements.

All of the user screens and workflow applications are built on top of the mathematical model engine. The mathematical model leverages the platform database of normalized heterogeneous network information, the inherent scalability of the platform and the accuracy of modeling individual device behavior across layers 2-4.

But how does the mathematical model accurately reflect all potential network traffic and policies? We’ll see on the ensuing pages.

MATHEMATICAL MODEL DEMO: Networking Field Day


To reason about network behavior as defined above, a system needs a working model of the complete network, incorporating how each device responds to every possible packet. It is referred to as a mathematical or behavioral model of the network because each network device is modeled as a transformation function on a set of potential packets. The transformations are essentially algebraic or logical operations that, when analyzed end-to-end, can verify the complete network design against required policies or behavior.

The secret in a full verification solution is to mathematically model every possible packet header, literally trillions or more, virtually simultaneously, and to analyze the results across many more orders of magnitude of possible paths. The mathematical model finds the set of all potential headers and paths that violate any of the intended policies.

Each network device (switch, router, firewall, load balancer) is then modeled as a transformation function on incoming generic packet headers. Full network paths are the result of a series of packet transformations at multiple devices.


Our mathematical model of device transformations is a series of algebraic and logic operations on sets of packets represented by binary header strings (example shown on this page). We are then able to accurately analyze and determine the behavior of all possible packets that could traverse all network paths.

Without a mathematical model and underlying algebraic operations, including the accurate modeling of each device based on configuration data, such an exhaustive analysis could not possibly be accomplished.
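The device-as-transformation model described above can be sketched in a few lines of Python. This is an added example, not Forward Networks code: the 8-bit header layout, topology and rule tables are constructed, header sets are wildcard strings over 0/1/x, and only filtering and forwarding (no header rewriting) are modeled.

```python
# Constructed illustration: header = 4-bit destination network + 4-bit service.
# A string such as "0010xxxx" stands for the whole set of headers it matches.
ALL = "x" * 8
DROP = None

def intersect(a, b):
    """Headers present in both wildcard strings, or None if they are disjoint."""
    out = []
    for p, q in zip(a, b):
        if p == "x":
            out.append(q)
        elif q == "x" or p == q:
            out.append(p)
        else:
            return None
    return "".join(out)

def subtract(a, b):
    """Headers in a but not in b, as a list of disjoint wildcard strings."""
    if intersect(a, b) is None:
        return [a]
    pieces, cur = [], list(a)
    for i, (p, q) in enumerate(zip(a, b)):
        if p == "x" and q != "x":
            piece = cur.copy()
            piece[i] = "1" if q == "0" else "0"   # differs from b at bit i
            pieces.append("".join(piece))
            cur[i] = q                            # agree with b, keep splitting
    return pieces

def transfer(rules, headers):
    """One device as a function on header sets: ordered (match, next_hop)
    rules, first match wins, anything left unmatched is dropped."""
    out, remaining = {}, list(headers)
    for match, next_hop in rules:
        hits = [h for r in remaining if (h := intersect(r, match)) is not None]
        if hits and next_hop is not DROP:
            out.setdefault(next_hop, []).extend(hits)
        remaining = [p for r in remaining for p in subtract(r, match)]
    return out

def reachable(network, src, dst):
    """Every (path, header set) by which any packet entering at src reaches dst."""
    found, stack = [], [(src, [ALL], [src])]
    while stack:
        node, headers, path = stack.pop()
        if node == dst:
            found.append((path, sorted(headers)))
            continue
        for nxt, hdrs in transfer(network.get(node, []), headers).items():
            if nxt not in path:                   # do not follow forwarding loops
                stack.append((nxt, hdrs, path + [nxt]))
    return found

NET_A, NET_B, HTTPS = "0001", "0010", "0001"      # constructed identifiers

def build(tenant_a_edge_rules):
    """Constructed topology: internet -> fw -> core -> tenant segments."""
    return {
        "internet": [(ALL, "fw")],
        "fw": [(NET_A + HTTPS, "core"), (ALL, DROP)],
        "core": [(NET_A + "xxxx", "tenantA"), (NET_B + "xxxx", "tenantB")],
        "tenantA_edge": tenant_a_edge_rules,
    }

weak = build([(ALL, "core")])                              # no egress filter
fixed = build([(NET_B + "xxxx", DROP), (ALL, "core")])     # tenant B blocked

if __name__ == "__main__":
    print("internet -> tenantA:", reachable(weak, "internet", "tenantA"))
    print("internet -> tenantB:", reachable(weak, "internet", "tenantB"))
    print("tenantA_edge -> tenantB (weak): ", reachable(weak, "tenantA_edge", "tenantB"))
    print("tenantA_edge -> tenantB (fixed):", reachable(fixed, "tenantA_edge", "tenantB"))
```

An empty result covers every header the model admits, which is the "prove a negative" property; a non-empty result is the exact header set and path that breaks the isolation policy.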


WHAT THE INDUSTRY IS SAYING


Fantastic Software to simulate your network and identify and resolve more problems.

System & Network Administrator, Services Industry

Seeing is believing. Forward Networks’ visibility seems pretty close to a holy grail.

Remington Loose, Network Architect & Blogger

Very impressed with what @FwdNetworks is doing and the visibility and consistency they are enabling.

Kevin Myers, Network Architect and co-founder IP ArchiTechs

Forward Networks has rapidly developed to make the network visible, easy to understand, improve automation, and reduce outages to the network, applications and business process. This tool has an impressive wow factor to all engineers who review it. It can help reduce risks and ensure outcomes for SRE teams, DevOps and CI/CD functions.

Head of Engineering Quality, $30B Communications Business


Forward Networks has really impressed us. It’s a very ambitious solution they’re providing and the quality of both their engineering and support have proven to be really top notch. I’m a tools engineer myself, so I understand how hard it is to do what they’ve done with this product. At our scale many tools just get crushed. Theirs held up really well under a vigorous POC and just keeps getting better.

Software Engineer (Network Tools) in the Communications Industry


As a customer of Forward Networks I can tell you that I wouldn’t want to ever be without their software. Even the simplest task of finding a mac address or IP address on your network is done instantaneously on Forward Enterprise. The amount of time this has saved my team is worth every penny of the investment.

Network Architect & Engineer, Consumer Financial Services company

See what more customers are saying at Gartner Peer Insights


CONCLUSION / ABOUT FORWARD NETWORKS


SUPPORTED DEVICES


Forward Networks has pioneered the ability to quickly identify end-to-end network behavior and compare it with intended network, security and application requirements. In seconds, network teams can isolate potential errors, mis-configurations and compliance issues!

Imagine having an all-seeing network brain at your side, 24/7, to oversee all your network updates and verify implementations, while reducing the risk of outages and roll-backs.

Compare network behavior from prior weeks and months to see how policy compliance and network designs have evolved over time. Build custom policy checks to focus visibility on known trouble spots. Get proactive in handling network issues rather than reacting after the fact.

RESOURCES

• Request a demo

• ROI Case Study

• Gartner Peer Review Insights

• Forward Networks Website

• Product Demo Videos


www.forwardnetworks.com

© 2020, Forward Networks, Inc.