Proactively manage networks before, during and after change

Changes in network configuration are inevitable to serve business requirements and growth, to perform hardware-software maintenance, and to address security and performance issues. To reduce the risk of unintended effects wrought by network changes, organizations dealing with sensitive data go through rigorous change auditing processes where the proposed changes are evaluated by a team of network engineers. This rigorous change-vetting process is needed to ensure service continuity and to prevent outages and breaches.

In some cases, simulated network environments are built to test proposed config changes. However, simulated networks fall short of meeting the needs of network admins, as simulations cannot provide a comprehensive view of the effects of proposed changes in the real network. This is where Veriflow can help network admins significantly, enabling them to make changes in the network with high confidence.


Three Steps of Network Changes

Making any change in the network is typically a three-step process:

  • Planning the change
  • Executing the change
  • Monitoring the network to confirm that the change had its intended effect

Veriflow’s Continuous Network Verification platform provides complete network assurance at every step, with the following key capabilities:

Veriflow builds a comprehensive model of the network using data plane and configuration information collected directly from devices. Veriflow’s flexible search language and intent library allow users to search for various attributes of the network and traffic flows, and verify whether the network conforms to best practices and business intent. That is, Veriflow helps verify the overall objective, such as resilience and security, that the network should achieve. These useful features allow Veriflow to help network admins observe and understand the network behavior even before actual traffic hits the network.

Therefore, this technology assists network admins to manage their networks in all stages of the network life cycle. As shown in the figure above, Veriflow assists admins to verify the effects of certain network changes before they are made. Then, during execution of the changes, Veriflow keeps checking network behavior against a set of intents and reports any violations. Moreover, after all the changes are in place, Veriflow allows admins to review incremental behavior changes to better understand the characteristics of the network.

Let’s look at some of Veriflow’s key capabilities in detail.


Preflight Verification

Veriflow’s Preflight Verification module evaluates the effects of security policy changes before implementing them in the network. This capability allows network admins to proactively test proposed changes. During a Preflight Verification session, the user changes security policy configurations of one or more devices, and asks Veriflow to update the network model to reflect those changes. The result of this operation is an updated network snapshot. Veriflow offers the same flow searching and intent verification capabilities in both preflight mode and live collections from the network. Therefore, the user can make sure that the change has not caused an unintended outage or vulnerability.

For example, if a firewall’s configuration needs to be updated to allow two subnets to reach each other, it is very important to make sure that those updates do not permit unintended traffic to reach some other sensitive subnet served by the same firewall. This can be achieved through Veriflow’s preflight module and intent library.
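As an added illustration (example code, not Veriflow’s own), here is a small Python model of that preflight check: the firewall is an ordered first-match ACL, the two intents are "A must reach B" and "A must not reach finance", and both the current and the proposed rule set are verified before anything is pushed to a device. The subnets, rules and intent names are constructed sample values.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst")   # action "permit"/"deny"; src, dst are CIDRs

def intersect(a, b):
    """Intersection of two prefixes: the more specific one if nested, else None."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def split(acl, src, dst):
    """Partition src x dst into permitted and denied prefix pairs under first-match
    ACL semantics (implicit deny at the end). Prefixes are carved with address_exclude
    rather than sampling addresses, so a rule matching only part of a subnet is exact."""
    remaining = [(ipaddress.ip_network(src), ipaddress.ip_network(dst))]
    permitted = []
    for rule in acl:
        rs, rd = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        unmatched = []
        for s, d in remaining:
            ms, md = intersect(s, rs), intersect(d, rd)
            if ms is None or md is None:
                unmatched.append((s, d))
                continue
            if rule.action == "permit":
                permitted.append((ms, md))
            # whatever this rule did not match falls through to the later rules
            unmatched += [(x, d) for x in s.address_exclude(ms)]
            unmatched += [(ms, y) for y in d.address_exclude(md)]
        remaining = unmatched
    return permitted, remaining

def verify(acl, intents):
    """Preflight check: names of intents the ACL model violates. An intent is
    (name, src, dst, must_reach): all (True) or none (False) of src x dst permitted."""
    violations = []
    for name, src, dst, must_reach in intents:
        permitted, denied = split(acl, src, dst)
        if (denied if must_reach else permitted):
            violations.append(name)
    return violations

# Constructed sample: A must reach B; finance, behind the same firewall, must stay unreachable from A.
INTENTS = [("A reaches B", "10.1.0.0/24", "10.2.0.0/24", True),
           ("A isolated from finance", "10.1.0.0/24", "10.9.0.0/24", False)]
CURRENT_ACL = [Rule("deny", "10.1.0.0/25", "10.9.0.0/24")]  # legacy deny covering only half of A
PROPOSED_ACL = CURRENT_ACL + [Rule("permit", "10.1.0.0/24", "10.0.0.0/8")]  # broad: A's other half reaches finance
REVISED_ACL = CURRENT_ACL + [Rule("permit", "10.1.0.0/24", "10.2.0.0/24")]  # exactly what the intent requires
```

Running verify over CURRENT_ACL reports only the missing A-to-B reachability, the proposed broad permit satisfies that intent but opens 10.1.0.128/25 to finance, and the revised plan passes both intents.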

If one or more violations are reported by Veriflow, the user can dig into the details of the violation events, see a detailed trace of violating flows in Veriflow’s Path Inspector, pinpoint the root cause, and then make necessary updates in their change plan. And, of course, they can verify the updated change plan through another Preflight Verification session.

This proactive approach to managing network changes greatly simplifies the network upgrade process, and allows network admins to execute upgrade plans with high confidence.


Periodic Data Collection and Intent Verification

As the change plan is rolled out into the live network, Veriflow continues to collect data from the network, model the new behavior, and evaluate all the intents against the new model. By doing so Veriflow can report unintended changes in network behavior caused by misconfigurations or by dynamic events such as links going down.

For example, a pair of Hot Standby Router Protocol (HSRP) devices should always have consistent forwarding behavior for all traffic passing through them. Veriflow’s Consistency intent (one of Veriflow’s many types of network verification policies) can be used here to report whenever the behavior of the HSRP pair becomes inconsistent. This is important, because if the master device fails and the standby takes over, any inconsistency in their behavior may result in unforeseen effects experienced by traffic flowing through the currently active device.
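To make the Consistency intent concrete, here is an added Python example (not Veriflow code) that compares the forwarding tables of an HSRP pair over the whole destination address space: it splits the space into regions where longest-prefix match is constant on both devices and reports every region the two forward differently. The routes and next-hop names are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_network

Route = namedtuple("Route", "prefix next_hop")

def table(entries):
    """Forwarding table from (cidr, next_hop) pairs (constructed input)."""
    return [Route(ip_network(c), nh) for c, nh in entries]

def lookup(fib, prefix):
    """Longest-prefix match for a whole destination prefix: the most specific
    route containing it (None means the device has no route and drops)."""
    hits = [r for r in fib if prefix.subnet_of(r.prefix)]
    return max(hits, key=lambda r: r.prefix.prefixlen).next_hop if hits else None

def atoms(prefixes):
    """Regions in which LPM is constant on every device: each prefix minus all
    more-specific prefixes present on either device. Empty regions are dropped,
    so a route fully shadowed by longer routes cannot raise a false alert."""
    for p in prefixes:
        region = [p]
        for q in prefixes:
            if q != p and q.subnet_of(p):
                region = [x for part in region for x in (
                    [] if part.subnet_of(q) else
                    list(part.address_exclude(q)) if q.subnet_of(part) else [part])]
        if region:
            yield p, region

def consistency_violations(active, standby):
    """Consistency intent for an HSRP pair: (region, active hop, standby hop) for
    every destination region the two devices forward differently."""
    prefixes = sorted({r.prefix for r in active + standby})
    out = []
    for p, region in atoms(prefixes):
        a, s = lookup(active, p), lookup(standby, p)
        if a != s:
            out.append(([str(x) for x in region], a, s))
    return out

# Constructed sample. The standby lacks the DMZ /25 and still carries a stale
# 10.20.7.0/24; the differing 10.20.6.0/24 entries are fully shadowed by /25s.
ACTIVE = table([("0.0.0.0/0", "isp"), ("10.20.0.0/16", "core1"),
                ("10.20.5.0/24", "dc-fw"), ("10.20.5.128/25", "dmz"),
                ("10.20.6.0/24", "fw-new"), ("10.20.6.0/25", "app"), ("10.20.6.128/25", "db")])
STANDBY = table([("0.0.0.0/0", "isp"), ("10.20.0.0/16", "core1"),
                 ("10.20.5.0/24", "dc-fw"), ("10.20.7.0/24", "old-fw"),
                 ("10.20.6.0/24", "fw-old"), ("10.20.6.0/25", "app"), ("10.20.6.128/25", "db")])
```

The sample yields two violations (the DMZ /25 and the stale 10.20.7.0/24) and none for 10.20.6.0/24, whose differing next hops no packet can ever use.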

In Veriflow, once an intent is added to the network model, it is evaluated against all future snapshots of the network, unless the intent is explicitly removed from the network model. Therefore, these intents ensure continuous verification of network behavior and properties to detect and report unintended behavior or vulnerabilities. For all reported violations, Veriflow reports corresponding network elements, attributes, or flows (whichever is relevant for the intent that failed), and helps the user to pinpoint the root cause. In case of flow level violations, the network graph shows the path the violating traffic is taking.

For further investigation and deeper understanding of what’s really happening, not only at the device level but also within each device, the Path Inspector shows how different internal components of each device are forwarding the traffic. Based on the data plane information collected from the devices, Veriflow constructs models of the rule tables within each device. Each rule table is a decision point for forwarding traffic. The Path Inspector shows these individual rule tables to allow users to identify the configuration or data plane state that is responsible for a certain operation being applied to traffic.


Revisit Past Snapshots and Diffs

After all the planned changes have been pushed into the network, the network admin can use Veriflow’s intent history feature and past network snapshots to reevaluate how the network changed its state as the changes were gradually implemented. In addition, Veriflow allows the user to compute a diff between two models of the network. This network diff reports changes in network topology, device addition and removal, changes in device properties, changes in access control rules and routes, etc. Diffing is a powerful way to compute the effective set of changes the network experienced, including unplanned changes such as device failures or changes in route advertisements.


Conclusion

All the Veriflow features highlighted above make it an extremely useful technology that eases the job of network engineers. With Veriflow as a safety net, the network admin can execute network maintenance plans much faster and with high confidence. Veriflow’s Preflight Verification, intent library, search capabilities, Path Inspector and diff capability allow the user to create strong protection against unintended network behavior that may result from faults in proposed configuration changes or unforeseen network events. With the use of these powerful Veriflow features, the network admin gets intent violation alerts early, substantially reducing or eliminating the vulnerability window. This greatly simplifies network management, and helps to build a secure and dependable network system.

For more information on how leveraging Continuous Network Verification before, during and after each change can provide business assurance, read our white paper, Network Verification: Key to Providing Business Assurance.