Verify Your Network

Thirty-five years ago, my dad, Dr. Serafino Amoroso, approached the stage where Edsger Dijkstra had just completed a talk. When Dijkstra turned his head, my dad swiped the clear foil resting on the projector glass. Today, that slide on which the great Dutch computer scientist had been sketching a proof (see picture above), is displayed proudly in my office. (It’s cool to grow up in Jersey, where we can’t keep our hands off other people’s stuff.)

When the time came shortly thereafter to select my own PhD focus, it was pure serendipity that the CS Department at Stevens was working on formal methods, some of which was based on Dijkstra’s work. Thus began my lifelong interest in the topic of formal verification, especially in the context of information security. Today, I wish better tools existed, and I’m always on the lookout for something interesting in this area.

So, it was such a delight to spend time with the team from Forward Networks to learn about their verification platform. Their tool analyzes and verifies network designs to detect errors in design, policy, and configuration. It was created to compare the intent of designers with the actual system created, which is ultimately the purpose of any good verification system. Let me summarize what I learned:

“Our goal is to help network teams rapidly identify and expose problems or inconsistencies in their network,” explained Brandon Heller, who serves as CTO. “We encourage this proactive verification-oriented approach because it enables network teams to ensure policy and change compliance without having to wait for problems to occur. In the end, this is a faster and more effective approach.”

The Forward software works by collecting device configuration and state-related data from around the network. This includes the devices you would expect to find in such a collection effort – routers, firewalls, load balancers, switches, and so on. The Forward platform then models the network structurally, visually, and behaviorally, which enables analysis, validation, and reporting.

“Our customers get started with a search engine for the network, which provides instant access to text and path results,” explained Heller. “This is followed by a continuous verification step, which supports on-going prediction of how changes might affect network behavior.” Heller shared examples related to predicting the positive or negative impact of administrators making NAT or ACL changes to the network.

Heller added: “Our platform also includes a Network Query Engine, which enables an operator to define customized analysis to scan the entire network for issues. The result provides evidence that the network is cleanly configured and behaving according to the intent of the designer, or reveals where expectations and reality differ. Observed differences might then prompt changes or appropriate risk mitigation actions.”

Enterprise teams can deploy the Forward platform on-premise as an ESX or KVM virtual machine, or can deploy in SaaS mode with lightweight local software on Ubuntu Linux, Apple OS X, or Windows 7 or later. Users can access the platform interface using a standard Chrome or Firefox browser. Quite a few device types are supported as one would expect – much too numerous to list here.

From an analyst perspective, with my admitted bias toward platform tools that support verification work, I can say that is a must-have for any network team concerned that misconfigurations and policy issues could lead to enterprise security problems. It’s hard to imagine any team for which this is not true, so you can draw your own conclusions. Suffice it to say – this is a useful tool.

Business marketing and sales success for Forward will be no easy lay-up, however, if only because few security teams have prioritized network verification in their funded portfolio. This is a shame, especially when one is reminded that the earliest security efforts (remember the Orange Book?) viewed verification as essential to reduce risk. I’d sure like to see the security community move back in that direction.

I hope you’ll take the time to contact the team from Forward Networks for a demo. They are smart (Heller and others on the team hold PhDs in CS from Stanford), so you can be certain that you’ll learn something prescient during the discussion. As always, I hope you’ll share your learning after meeting with the team – and please stay safe and healthy during these unusual times.