Network Behavior Analysis

Transcription

1 N E T W O R K O P E R AT I O N S. S I M P L I F I E D. FORWARD ENTERPRISE HIGHLIGHTS Forward Networks is the leader in Intent-based Networking and network assurance to automate the analysis and verification of network policies and configurations. With the only solution that operates across all major networking vendors and services at provider-class scale, Forward Networks provides greater network agility and proactively removes risk from the network. KEY BENEFITS FORWARD NETWORKS DELIVERS: Lower costs for managing large networks Reduction in human error, misconfigurations, and policy violations that lead to network outages Thorough security policy verification Accelerated IT processes for remediation and change windows Improved network and security policy compliance ACHIEVE PROACTIVE NETWORK ASSURANCE Forward Networks has created a revolutionary platform, Forward Enterprise, for analyzing network designs and predicting future behavior to proactively eliminate configuration errors and policy violations. The platform can compare the intent of the network designers to actual behavior and expose any inconsistencies in minutes. Network IT teams can now troubleshoot faster and eliminate problems prior to a security breach or network outage. Forward Networks is the first accurate software model of large multi-vendor networks to quickly emulate and analyze all possible behavior. Our logical analysis of possible future network activity is an enormous leap from traditional low-level testing tools, like ping and traceroute, or sifting through log files only after a policy violation has occurred. Forward Enterprise shifts the focus from a reactive approach to a proactive approach of verifying network designs and behavior ahead of deployments. We allow you to go from testing basic network functionality to verifying compliance under all possible traffic scenarios. Get away from tedious, manual device-specific processes, to automated, end-to-end verification in minutes, as every update is considered and made. Because Forward Enterprise automates the intelligent analysis of network designs and configurations, we provide an immediate and verifiable benefit by accelerating key IT processes and reducing man-hours of highly skilled engineers in troubleshooting and testing the network. Other key benefits include the ability to certify that proposed changes are compliant with existing policies quickly before going live, increasing the overall responsiveness of the IT team to change requests and network updates. Forward Enterprise Data Sheet 1

2 FORWARD ENTERPRISE ARCHITECTURE Forward Enterprise collects device configuration data and state information from every network device, including switches, routers, load balancers and firewalls. Forward Enterprise can then emulate the behavior of the entire network, end-to-end, and reports on potential vulnerabilities, policy violations or risk exposure. Using a series of proprietary algorithms, Forward Enterprise computes a model of all current and potential activity to proactively highlight issues before they arise in live network traffic. Every Forward Networks installation starts with data collection. Configuration and states are collected securely from all network devices via SSH. The device data is then processed to create a behaviorally accurate model a copy of the entire network, in software. Atop the network copy, the Forward Platform traces, indexes, and stores all possible ways that the network can process packets. This behavioral data is then made available to applications. Device Configuration and State Collection Network Behavior Analysis Behavior Database Forward Collector Performs the collection of the device configuration and state (MAC, ACL, FIB tables, etc.) The collection is done over an SSH connection. Forward Core The core is the Forward Platform computational engine that creates an accurate model of the network. It s where all the existing network behavior is indexed and made searchable. Forward Dashboard An intuitive HTML5-based dashboard provides instant access to the Forward Applications. All data in the Dashboard is made available via REST. KEY FEATURES AND CAPABILITIES Forward Search Forward Enterprise creates a large database of network configurations, state and behavior information from a series of individual snapshots in time. Like any database, the Forward Platform can be queried with the behavior and policy results being displayed in an intuitive and interactive network map. A network search or query takes the form of traffic scenarios, including details such as IP parameters, ports, protocols, reachability, deliverability, access controls, and more. The result of a search query is always a set of network paths that would allow that specific traffic pattern. Or, if the traffic scenario is never possible, no paths are returned. Search queries can be refined by applying filters, such as paths through or avoiding specific devices, to a specific port, or using a particular protocol. Any search result allows drilling down into specific device configurations and behavior to quickly isolate and analyze errors and determine remediation steps. Queries or Searches in Forward Enterprise are expressed as network policies. Results show all viable or possible paths that support the policy. Each path and hop along the path can be explored to better understand the impact of potential changes on current policy implementations. Forward Enterprise Data Sheet 2

3 Forward Verify Many search queries may actually be network or security policy requirements that we need to continually check for. For example, it s possible to verify that a subnet is unreachable from traffic on another subnet after every network update. Or to reconfirm simple compliance checks such as no forwarding loops or no Maximum Transmission Unit (MTU) mismatches between devices. All of these policy requirements are aggregated into the Verify screen, and continually checked after every network snapshot or update. The screenshot shows the Verify screen with a number of policy checks, as well as their status in the current network. Forward Enterprise can verify both the requirement for a specific traffic pattern to be supported, or the requirement that a particular path does not exist (an isolation check). For example, Forward Enterprise can verify there is no possible scenario that traffic from one subnet could reach another subnet or destination. With traditional network tests, it is almost impossible to prove a negative such as this. With Forward Enterprise, this type of verification using our mathematical and logical analysis of network designs provides game-changing confidence to IT and compliance teams. Forward Enterprise quickly highlights which policy rules are violated in the current network design or in a proposed change candidate. Forward Predict Forward Predict enables network teams to model the correctness and behavior of network changes before they are deployed to production. Configuration changes to a network are typically tested in a lab environment, which never match the scale and end-to-end behavior of a production network. Forward Predict enables the user to edit network configuration files on any or all devices in a sandbox, creating a new version of the network model containing proposed changes. A new verification process can quickly verify the effects of the change on existing compliance and security policies. Forward Predict capabilities are expanding over time, and currently include ACL, NAT, and firewall rule changes. Forward Enterprise API Forward Enterprise forms a large database of all device configuration files from potentially thousands of network devices, coupled with running state information and a behaviorally-accurate software model of the network. The platform makes this data available to other applications through an external API. Forward Networks customers have taken advantage of this interface to integrate the platform to custom network management systems, network dashboards and external orchestration applications. Forward Enterprise Data Sheet 3

4 Virtual Network Support VMware NSX One of the leading obstacles to managing virtual networks has been the inability to correlate activity between the overlay network and the physical network that supports it. Separate management consoles and platforms, and frequently separate teams, were required that typically did not share information and could not quickly identify root cause issues, or correlate identified problems in virtual network behavior with a physical device issue. Forward Enterprise overcomes this issue by applying common network assurance and verification methodology across physical and virtual network planes, but integrating policy and path-based views of both into a single network view for the first time. Virtual network designers also benefit from being able to apply the latest technology for network verification to virtual network policies and designs. A view of an AWS Virtual Private Cloud in Forward Enterprise allows end-to-end path visibility and analysis for hybrid cloud infrastructure. Public and Hybrid Cloud Support Amazon AWS The path-oriented focus that Forward Networks provides is natural to extend to AWS hybrid cloud environments. Having the same visibility and policy verification for the cloud component of your infrastructure greatly accelerates adoption of hybrid and public cloud projects and simplifies network operations. Imagine if instead of a black box subnet view, each virtual network devices could be represented as an extension of your physical infrastructure on an always up-to-date topology diagram. This includes the ability to analyze and verify the end-toend path behaviors flowing from any on-premises devices all the way through to any cloud workload. With support for Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS), Forward Networks extends network verification and analysis to the public cloud and hybrid cloud environments. Forward Enterprise provides the ability to define and verify end-to-end policies for security and connectivity through on-premises networks all the way through AWS in a single consistent view and topology map. You even have full visibility to networking behavior extending into multiple VPCs. Forward Enterprise Data Sheet 4

5 Device Inventory Management and Topology Management Forward Networks provides an ideal solution for managing and documenting network topologies, device configurations and inventory over time. The snapshots of network designs are archived for easy search and retrieval, including comparisons of changes between points in time. There s no more wasted effort documenting changes or wondering if you are troubleshooting from the most accurate topology diagram. Forward Enterprise shows diffs between two network snapshots, showing newly created and removed links in the topology. Forward Enterprise automatically tracks network topologies, as well as device configurations and inventory lists over time. Behavior Diffs Forward Enterprise takes and saves snapshots of network configurations, topology and device state at numerous points in time. Not only does this provide an ideal historical record of network behavior and compliance at any point in time, but Forward Enterprise allows comparisons of behavior between any two snapshots for further diagnostics and troubleshooting purposes. Want to compare network configurations back to a previous week before an issue arose? Forward Enterprise can quickly compare snapshots and isolate changes that could cause the incorrect behavior. Deployment Options Forward Enterprise can be deployed fully on-pemises or as a SaaS solution in the cloud. In both cases the latest security best practices are in place to protect customer s sensitive data. on-premises deployment requirements: Forward Enterprise is deployed as a Virtual Machine (VM-OVA format) for KVM and ESXi environments. The deployment requires the following resources: + + Cores: RAM: 64 GB of reserved memory. Performance may improve with more memory availability, but only when individual snapshots are large. + + Disk: 250 GB of disk. The amount of disk consumed will depend on the number of historical snapshots to be stored, as well as the size of each one. SaaS deployment requirements: A machine (virtual or physical) with at least two dedicated cores and 4GB of RAM. Supported Operating Systems:Ubuntu Linux (14.04 and 16.04), Apple OS X (10.12), and Windows 7 (or later versions). + + The machine must be able to access the webpage via HTTPS. + + The user must have admin privileges on the machine. + + The latest versions of Chrome or Firefox are required to access the Forward Enterprise UI. network requirements: SSH must be configured and working on the network devices from which the Forward Collector will collect data The OS instance on which the Forward Collector is installed must have IP and SSH port reachability to the network devices, either directly, or via a jump server. Forward Enterprise Data Sheet 5

6 SUPPORTED VENDORS AND DEVICES Forward Enterprise supports over 456 device types and more than 1479 OS verisons, including: ++ A10 Networks ++ Cumulus Networks ++ Palo Alto Networks ++ Arista Networks ++ F5 Networks ++ Pica8 ++ CheckPoint ++ Fortinet ++ VMware ++ Cisco Systems ++ HPE ++ Citrix ++ Juniper Networks Please contact us at for more details about supported devices and vendors. ABOUT FORWARD NETWORKS Forward Networks mission is to de-risk and accelerate network operations, by increasing efficiency, reducing outages and verifying network intent. Built on a series of breakthrough algorithms, the Forward Platform provides enhanced network visibility, policy verification and change modeling for legacy, SDN or hybrid environments. Forward Networks is headquartered in Palo Alto, California, and funded by top-tier investors, including Andreessen Horowitz, DFJ, A.Capital, SV Angel, and several luminaries in the networking and systems space. C O N TA C T U S facebook.com/forwardnetworks/ Forward Enterprise Data Sheet 6