
The Impact of Intent-based Verification on NetOps and Change Windows

Introduction

Large enterprise networks are more complex than ever to manage and maintain. The increasing scale and virtualization of networks, along with more sophisticated and detailed network policies, are placing more strain on IT organizations than ever before. Projects to increase automation of networking tasks to allow for more scale and agility have rarely met their objectives. Increased agility in application development and deployment cycles, with greater automation through DevOps, has increased the need for rapid changes to network policies and for more agile network operations, which do not enjoy the same degree of automation.

Forward Networks accelerates the deployment of network updates and policy changes by automating validation of proposed updates, and accelerating key change processes, including review and testing. Furthermore, by eliminating potential errors that could arise during change windows, Forward Networks reduces the risk of potential outages, while shrinking the time to get policy updates deployed and increasing network agility. Our customers increase their network reliability and roll out network updates with greater confidence and regularity as they seek to align network operations (NetOps) with their DevOps processes.

Change Window Processes and Network Agility

If we look at a typical network change process, network configurations need to be updated to reflect new application or policy requirements, or to implement a change in network behavior. At a detailed level, network policies are really the descriptions of what traffic should flow along which paths, including all the associated security and quality of service policies that each application requires. The term intent represents higher-level policies and general network requirements, and is often aligned with or expressed as a reflection of business requirements.

As business and application requirements change, we have to translate new policies into specific network configuration changes in one or more devices. In Figure 1, we describe the workflow of rolling out a network update. From the current operational state of the network, we have to respond to a new intent or policy requirement with proposed configuration changes. The development of the change candidate by network engineers is reviewed by various teams and architects, including security. These design reviews can be tedious and manual, and may highlight additional changes or corrections to minimize the impact on existing infrastructure.


Once the candidate change has been approved, it moves into the network lab for testing. The level and duration of testing is typically determined by the scope and impact of the change. But this step can usually only provide cursory testing because the lab network is not running at the scale of the production network and typically does not have applications running, nor can the proposed change be evaluated under all scenarios and conditions that will actually arise over time. In order to improve network agility, actual testing has to be short and efficient, but this increases risk and potential for issues post-deployment.

After the proposed update has completed the test scenarios, it is pushed to a configuration repository and scheduled for deployment. Network automation tools may assist in rolling out new updates and services, but today many of the change window processes, particularly review and testing, are still manual and tedious.

Figure 1 – Overview of a network change process, including candidate change development, testing and deployment.

Accelerating Change Windows and NetOps with Forward Networks

How can we accelerate the above workflow to increase network agility and reliability, and better align network teams with DevOps processes? Forward Networks has developed the industry-leading solution for analyzing network behavior and verifying configurations in a software model of the network. This allows for rapid evaluation and verification of proposed changes outside the live network, and can automate many of the lengthy review and testing processes.


Intent-based Verification

Forward Networks delivers an important new policy change process to the industry, intent-based verification. Network verification provides assurance that proposed changes or an overall network design accurately implements all of the defined network policies and intent under any set of conditions. Rather than looking at live traffic and reporting on current activity, verification proactively analyzes the network configuration files to build a behaviorally accurate software model, and then identifies scenarios under which the current implementation could fail to meet policy objectives.

This verification of the proposed design can be automated and run in only a few minutes to augment or replace much of the review and testing in our earlier process flow. In Figure 2, we see how various features of the Forward Enterprise solution, our flagship product, can automate and improve our earlier workflow.

Figure 2 – Leveraging Forward Networks in a network change process workflow can accelerate deployment time with greater confidence that risk and potential configuration errors have been eliminated.

For example, the initial change of policy or intent can be defined in Forward Enterprise as a policy rule or check in the Forward Verify component. We might define that inbound traffic from the internet can only reach specific web application servers. That policy rule would be verified against future network implementations and any configurations that would violate that rule would be immediately flagged. The new intent rule would be added to the overall rule repository and verified along with all other rules as part of the pre- and post-change verification.


Network Analysis with Forward Search and API queries

Forward Enterprise is a large database of network configurations, state and behavior information from a series of individual snapshots in time. The software model of networking behavior simulates traffic behavior accurately and predicts which vulnerabilities or scenarios will cause policy violations. Like any database, the Forward Platform can be queried, with the behavior and policy results being displayed in an intuitive and interactive network map (see “API access” block in Figure 2 and Figure 3 below).

Figure 3 – Queries or Searches in Forward Enterprise are expressed as network behaviors or policies. Results show all viable or possible paths that support the policy. Each path and hop along the path can be explored to better understand impact of potential changes or current policy implementations.

Forward Enterprise includes API interfaces to query this network information and behavioral results from external applications. Forward Networks customers are using these interfaces to allow non-networking teams to query the current policies supported by the network, such as an application team that needs to know if the current policies will support their upcoming application requirements. The ability to interact with and quickly verify these policy details offloads the network team from many support requests. Forward Networks thus saves time as an automated help desk for any informational policy query. This automated remote query capability extends to security teams, compliance teams and other network users as Forward Networks becomes the single source of truth for all things networking across the organization.

Predicting Change Impact

Similarly, candidate changes can be quickly and automatically peer reviewed in Forward Enterprise (see “Acceptance Test” block in Figure 2). The change is made in the software model of the network and future behavior is predicted, including impacts to existing applications, policies and intent. Changes to an Access Control List (ACL) in any network device, for example, are verified against all existing policy rules and requirements to ensure that the candidate change has no unintended side effects. It is anticipated that around the end of 2018, Forward Enterprise will include the ability to predict convergence of routing tables across network devices from changes in BGP configurations, and eventually other routing protocols, to provide unparalleled insight into future network behavior and the paths along which traffic will be routed.

Figure 4 – Forward Enterprise quickly highlights which policy rules are violated in the current network design or in a proposed change candidate. This information, the result of a Forward Verify query, is available through a REST API for visibility in other applications or by external teams. New queries, potentially driven by new application requirements or policies, can also be easily built using the Forward Search interface to verify whether a particular policy is supported or what would need to be changed to support it.

With some confidence from the initial change review, the change candidate moves into more formal lab testing. Any limited actual device testing can be augmented with more detailed Forward Predict and Forward Search analysis. Both feature sets provide interactive analysis of the network behavior under all conditions and advise where latent risk to existing policies may need to be addressed. After an initial policy query, it becomes clear how network traffic paths will be affected by the new change, and the analysis provides insight across a broader range of conditions than a lab can generate. With this automated and more detailed review, networking teams can proceed towards deployment with greater confidence and less manually intensive test scenarios.

Analyzing Behavioral Diffs between Snapshots

Once the candidate change has been validated against existing policies it is ready for deployment. It is advised that a snapshot of the live network (all network configurations and state information) be taken, and then compared with a new snapshot taken just after the change is rolled out (see “Forward Verify Pre/Post Comparison” box in Figure 2). Any unexpected impacts can be quickly compared between the two snapshots in Forward Enterprise, to quickly isolate the root cause of the impact, and to confirm if rolling back to the prior network state is sufficient, or if the impact is a new unrelated issue. This can alleviate a great deal of finger pointing and accelerate any problem resolution if post-change anomalies do occur.
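The three checks described on this page, an intent rule of the kind defined in Forward Verify (internet sources may reach only specific web servers), verification of a candidate ACL change against that rule, and a pre/post snapshot comparison, as one added toy example in Python. This is illustrative code written for this page, not Forward Networks' model or API; the single-device ACL model, the hosts, the addresses and the "one representative internet source" shortcut are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed toy model (not Forward Networks' data model): one edge device whose
# ACL is evaluated first-match with an implicit deny, plus the hosts behind it.
@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    src: str              # source prefix (CIDR)
    dst: str              # destination prefix (CIDR)
    dport: Optional[int]  # None means any destination port

WEB_SERVERS = {"10.1.0.10", "10.1.0.11"}            # intent: only these are reachable from the internet
INTERNET_SRC = ipaddress.ip_address("203.0.113.5")  # one representative internet source (simplification)

def acl_decision(acl, src_ip, dst_ip, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if (src_ip in ipaddress.ip_network(e.src) and dst_ip in ipaddress.ip_network(e.dst)
                and (e.dport is None or e.dport == dport)):
            return e.action
    return "deny"

def verify_inbound_intent(snapshot):
    """Intent rule: internet traffic may reach only WEB_SERVERS, and only on 443.
    Returns the (host, port) pairs the ACL permits in violation of that rule.
    A real verifier reasons over whole header-space classes; this toy tries one internet
    source against every host in the snapshot and every port the ACL names, plus one it does not."""
    ports = {e.dport for e in snapshot["acl"] if e.dport is not None} | {8080}
    violations = []
    for host in snapshot["hosts"]:
        for port in sorted(ports):
            decision = acl_decision(snapshot["acl"], INTERNET_SRC, ipaddress.ip_address(host), port)
            if decision == "permit" and (host not in WEB_SERVERS or port != 443):
                violations.append((host, port))
    return sorted(violations)

def behavior_diff(pre, post, flows):
    """Pre/post comparison: the flows whose forwarding decision differs between two snapshots."""
    changed = {}
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        before, after = acl_decision(pre["acl"], s, d, port), acl_decision(post["acl"], s, d, port)
        if before != after:
            changed[(src, dst, port)] = (before, after)
    return changed

# Constructed pre-change snapshot: internet may reach the two web servers on 443 only.
PRE = {"hosts": ["10.1.0.10", "10.1.0.11", "10.1.0.20"],
       "acl": [AclEntry("permit", "0.0.0.0/0", "10.1.0.10/32", 443),
               AclEntry("permit", "0.0.0.0/0", "10.1.0.11/32", 443),
               AclEntry("deny", "0.0.0.0/0", "0.0.0.0/0", None)]}
# Candidate change: an SSH permit to the whole subnet, inserted ahead of the final deny.
POST = {"hosts": PRE["hosts"],
        "acl": PRE["acl"][:-1] + [AclEntry("permit", "0.0.0.0/0", "10.1.0.0/24", 22)] + PRE["acl"][-1:]}
```

Running `verify_inbound_intent(POST)` flags all three hosts as newly reachable on port 22 (the pre-change snapshot yields no violations), and `behavior_diff(PRE, POST, flows)` reports which sampled flows flipped from deny to permit.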

Figure 5 – Building a search query to verify a policy is easy and intuitive in Forward Enterprise. It’s similarly easy to drill down into the network topology to analyze individual paths and devices to focus analysis and search results accordingly.

In a similar fashion, behavioral differences can be quickly compared between any two historical snapshots in the Forward Platform. If policy behavior has unexpectedly changed, Forward Enterprise can quickly compare the behaviors at two points in time and isolate the specific configuration changes that are impacting policies. Typical customers take a snapshot at least every day, or more frequently since each snapshot takes only a few minutes to collect, and can quickly pinpoint when network state began to impact policies.

Note that without Forward Enterprise, it has generally been infeasible to document and retain such frequent snapshots of network state and behavior for this type of analysis. Accurate comparison and analysis of past network behavior was not possible, and any manual analysis would be based on whatever documentation of that prior time could be recovered (usually very little).

Summary

In recent years, there has been a great deal of focus on network automation in order to increase IT agility and to better align network operations (NetOps) with accelerated DevOps processes. That focus has been mainly on accelerating network deployments and automating virtual network configurations to support new application requirements.

Forward Networks has now delivered a new platform that focuses on the automation of network design verification, network analysis and change processes. Network verification, a new methodology to analyze network designs and configuration changes, both provides greater confidence by reducing network risk and preventing outages, and accelerates the once-manual design, review and testing processes that slowed network agility and resulted in lengthy change windows. Forward Networks verification is one key component of IT networking moving towards intent-based networking, where automation can be applied to all phases of the network lifecycle, including analysis, testing and deployment, to greatly accelerate network response times to changing conditions, security threats and business requirements.

The resulting process improvements from Forward Enterprise deliver a tangible ROI for network change windows and associated workflows, starting with assisting in developing a required change by pointing directly to network behavior issues, to accelerating review and testing procedures, and verifying change candidates and predicting network policy impacts prior to and after deployment.

For more information: http://forwardnetworks.com

Forward Networks 555 California Ave., Suite 200 Palo Alto, CA 94306

© 2018 Forward Networks, Inc. All Rights Reserved. Specifications subject to change without notice.