Hybrid-Cloud Visibility with Veriflow: Resilience, Availability and Protection in the Cloud

Skilled network engineers know that to keep things secure, they need to know every inch of their networks. A single router misconfiguration or misassigned address block can lead to network-wide oscillations and major outages. If there is a hole in your network, a missing ACL, or a spurious route advertisement, it is only a matter of time before it is found and exploited. The daily news is rife with stories of major breaches and outages that come, fundamentally, from the network operator’s lack of visibility into their network.

So imagine I told you I was going to grab your network and hide part of it from you. I take your data and your infrastructure, and put them somewhere you can’t see them. And even worse, other people come in and make changes, without you knowing when or even that it was happening. And worst of all, it’s still your neck on the line. You are still responsible for protecting your users and data, while also meeting the ever-increasing array of compliance specifications, legal regulations, and business policies. And yet you don’t even know where your data is stored, or the configurations that underlie its access.

This sounds like an outrageous scenario. Yet more and more businesses are being exposed to this very real, very compromising situation every day. The issue here is the cloud. Modern clouds provide a very valuable infrastructure for offloading both computing and networking. But the problem is that the cloud infrastructure is hidden. The physical infrastructure is not revealed, policies and practices are undocumented, and there is no coordination of changes with customer networks. Also, cloud infrastructure is incredibly complex, with an ever-increasing array of networking functions; it is highly dynamic and extremely large in scale, with an application-centric focus, and has proprietary (and continually-changing) APIs and management practices. With the recent cloud breaches of Dow Jones (2 M records), Verizon (14 M customer records), and DoD (60 K highly classified files), this danger is becoming clear. How can network operators trust something so complex and error-prone when they cannot even see it?

Veriflow Has a Solution

The solution is Veriflow CloudPredict. CloudPredict is a revolutionary technology that does something no other platform can — see into the internals of clouds. CloudPredict “X-Rays” your cloud setup, providing a complete and fully-accurate view of the behavior of your cloud. Under the hood, CloudPredict leverages Veriflow technology to construct a rigorous mathematical model of your cloud network’s behavior, and leverages this model to precisely pinpoint vulnerabilities and faults. CloudPredict covers the full suite of cloud operations, from networking functions (NAT, firewalling, ACLs, and so on) to analysis of virtual machine and perimeter vulnerabilities. CloudPredict supports public, private, and hybrid cloud environments, performing joint analysis and identifying faults across network boundaries.

How CloudPredict Works

Creating CloudPredict was a formidable technical challenge. How can we see what cannot be seen? While clouds do not reveal their underlying structure directly, they do give us some clues. Typical cloud environments expose APIs that are used to perform critical deployment-related functions. Directed use of these APIs reveals precise information about the underlying cloud infrastructure. Veriflow leverages these APIs to perform online reverse-engineering of the cloud.

Veriflow uses a concept similar to Determination in mathematics, wherein a set of equations can collectively determine a single unique assignment of values to variables. Likewise, CloudPredict’s patented approach dynamically constructs and runs the set of queries necessary to exactly determine the underlying structure of the cloud, including its precise logical topology, placement of endpoints and virtual machines, and precise forwarding behavior of all underlying network components and perimeters. CloudPredict then internally solves these equations, translating the result into an analyzable model. This analyzable model of the cloud is then passed to the Veriflow core. Unlike approaches that perform point measurements, or only analyze rules at individual points in the network, CloudPredict’s analysis is both correct and precise, guaranteeing detection and pinpoint localization of any faults and vulnerabilities in the network.

On top of this base, CloudPredict is the first platform to bring intent-based networking to the cloud, by providing an extensive library of intents that are checked against your cloud. CloudPredict not only supports traditional compliance checks (including PCI, SOX, and so on), but goes beyond these specifications by checking compliance at a much deeper level, down to the individual forwarding rules in the network. Unlike other products, CloudPredict does not perform individual point checks, but rather performs a complete system-wide validation covering the full spectrum of possible data-plane vulnerabilities and faults across your entire cloud. CloudPredict is integrated into the Veriflow product, and hence supports all of Veriflow's existing features, including network mapping, intent-based search, and Veriflow's full intent library.
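To make the two ideas above concrete (building a forwarding model from what a cloud inventory API returns, then checking intents against individual routes and rules rather than at isolated points), here is a small added illustration. It is not Veriflow or CloudPredict code and makes no claim about how CloudPredict is implemented; the inventory (subnet, route-table, security-group and instance records), the VPC address space, the intent names and the `Flow`/`evaluate`/`check_intents` helpers are all constructed for this example. The model deliberately contains one fault of the kind the introduction describes, a misassigned route table, so that the intent check has something to localize.

```python
"""Toy intent check over a cloud data-plane model built from inventory data.

Added illustration, not Veriflow/CloudPredict code. The inventory below is
constructed to resemble what a cloud provider's API returns (subnets, route
tables, security groups, instances); every id, CIDR and rule is made up.
"""
import copy
import ipaddress
from dataclasses import dataclass

# Constructed inventory, as if collected through the provider's API.
MODEL = {
    "vpc": "10.0.0.0/16",
    "subnets": {
        "subnet-web": {"cidr": "10.0.1.0/24", "route_table": "rt-public"},
        # Constructed fault: the database subnet is attached to the public table.
        "subnet-db":  {"cidr": "10.0.2.0/24", "route_table": "rt-public"},
    },
    "route_tables": {
        "rt-public":  [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "0.0.0.0/0",   "target": "igw"}],
        "rt-private": [{"dest": "10.0.0.0/16", "target": "local"}],
    },
    "security_groups": {
        "sg-web": [{"proto": "tcp", "from": 443,  "to": 443,  "src": "0.0.0.0/0"}],
        "sg-db":  [{"proto": "tcp", "from": 3306, "to": 3306, "src": "0.0.0.0/0"}],
    },
    "instances": {
        "i-web": {"subnet": "subnet-web", "sgs": ["sg-web"]},
        "i-db":  {"subnet": "subnet-db",  "sgs": ["sg-db"]},
    },
}

@dataclass(frozen=True)
class Flow:
    src: str    # source prefix; "0.0.0.0/0" stands for "anywhere on the internet"
    dst: str    # destination instance id
    proto: str
    port: int

# Intents: flows that must work (expect=True) or must never work (expect=False).
INTENTS = [
    {"name": "db-not-exposed",   "flow": Flow("0.0.0.0/0", "i-db",  "tcp", 3306), "expect": False},
    {"name": "web-serves-https", "flow": Flow("0.0.0.0/0", "i-web", "tcp", 443),  "expect": True},
    {"name": "ssh-closed",       "flow": Flow("0.0.0.0/0", "i-web", "tcp", 22),   "expect": False},
]

def evaluate(model, flow):
    """Decide whether `flow` can reach its destination; return (reachable, reason).

    The reason names the exact route and rule involved, so a finding is
    localized to one configuration object rather than "somewhere in the cloud".
    """
    inst = model["instances"][flow.dst]
    subnet = model["subnets"][inst["subnet"]]
    src_net = ipaddress.ip_network(flow.src)
    # Traffic from outside the VPC needs an internet-gateway route on the
    # destination subnet; traffic from inside only needs the local route.
    external = not src_net.subnet_of(ipaddress.ip_network(model["vpc"]))
    needed = "igw" if external else "local"
    routes = [r for r in model["route_tables"][subnet["route_table"]]
              if r["target"] == needed and ipaddress.ip_network(r["dest"]).overlaps(src_net)]
    if not routes:
        return False, f"no {needed} route in {subnet['route_table']} covers {flow.src}"
    # A security group admits the flow if any rule overlaps the source prefix
    # and covers the protocol and port.
    for sg in inst["sgs"]:
        for i, rule in enumerate(model["security_groups"][sg]):
            if (rule["proto"] == flow.proto and rule["from"] <= flow.port <= rule["to"]
                    and ipaddress.ip_network(rule["src"]).overlaps(src_net)):
                return True, (f"{sg} rule {i} ({rule['src']} {rule['proto']}/"
                              f"{rule['from']}-{rule['to']}) via route "
                              f"{routes[0]['dest']}->{routes[0]['target']}")
    return False, f"no rule in {inst['sgs']} admits {flow.proto}/{flow.port} from {flow.src}"

def check_intents(model, intents=INTENTS):
    """Return a list of (intent name, reason) for every intent the model violates."""
    violations = []
    for intent in intents:
        reachable, why = evaluate(model, intent["flow"])
        if reachable != intent["expect"]:
            violations.append((intent["name"], why))
    return violations

def with_private_db_subnet(model):
    """Return a copy of the model with the database subnet moved to rt-private."""
    fixed = copy.deepcopy(model)
    fixed["subnets"]["subnet-db"]["route_table"] = "rt-private"
    return fixed

if __name__ == "__main__":
    for name, why in check_intents(MODEL):
        print(f"VIOLATION {name}: {why}")
    print("after fix:", check_intents(with_private_db_subnet(MODEL)))
```

Run as-is, the check reports one violation, `db-not-exposed`, and its reason names both the admitting security-group rule and the internet-gateway route that together expose the database port; re-running the same intents on the corrected copy returns no violations. The point of the design is that an intent is evaluated against the combined effect of routing and filtering on the actual path, so a rule that looks harmless in isolation (an open port on a subnet that is supposed to be private) is caught when another object (the route table) makes it reachable.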

CloudPredict is also the first product that uses Formal Methods to analyze clouds. Formal Methods is a branch of mathematics concerned with the rigorous modeling of systems. It is widely used in other engineering disciplines, from nuclear power plant design, to aircraft engine manufacturing, to the design of pharmaceutical drugs. Formal Methods are used when you can't afford to be wrong. Veriflow was the first company to apply Formal Methods to traditional networks, and we are excited to be the first to apply this rigorous technology to clouds. With CloudPredict, you can rest assured that your cloud network setup is correct beyond question, undergoing continuous and rigorous verification at every step, and preventing dangerous faults and vulnerabilities from entering sensitive cloud infrastructures.