Real world lessons in protecting your network
– A comprehensive way to verify network behavior

Networks today are not neat and simple, with clear hierarchies. Users, networks, data, and applications are becoming more distributed; security boundaries are more amorphous; and changes occur more quickly over time. In addition, data today is exchanged and shared with multiple partners and with Internet of Things (IoT)-enabled devices, which continue to grow in popularity. IoT increases the need for IPv6, which can improve security but also adds complexity because of the large address space it introduces. Networks today are also multi-vendor, have grown organically over time, and are traditionally poorly documented – all of which only multiplies the network’s complexity.

Earlier in my career, I evaluated new and innovative network and security solutions at the largest outsourcing, recruiting, and contracting firm in North America. Our customer and contractor data included confidential information for employment validation and payroll processing. We had significant discussions about how to ensure that such confidential data was properly secured and that no backdoors were available to allow hackers access, as a breach would have a significant financial impact on the firm’s brand as well as on customers’ trust in the competitive outsourcing, recruiting, and contracting marketplace.

Verifying segmentation is particularly challenging when an organization has dozens of connections for exchanging information with multiple partners, and when DevOps practices mean network changes are becoming more frequent and must keep pace with changes to applications.

Given these challenges, networking and security professionals have a difficult time ensuring that data is secure and protected and that back-end applications are fully separate from customer-facing applications, publicly provided Wi-Fi, and networks dedicated to IoT.

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are popular services used in combination with firewalls to protect today’s networks. But IDSs and IPSs are reactive: they act only on traffic they observe, so they can detect and block malicious traffic that is already on the wire, and they offer no guarantee of catching it. In many cases, malicious traffic may already have penetrated sensitive networks before an alert is raised or the traffic is blocked.

Looking to the future to ensure security
With our increasing dependence on the network, we cannot afford to keep repeating past mistakes; we need to learn and evolve. But our reliance on these flow-based security tools means we’re always reacting to incidents that have already happened. What if we could look to the future? Could we verify network correctness before a single packet hits the wire?

Veriflow offers a kind of technology that is fundamentally different from flow-based security. The platform models the network without observing live traffic and without using agents. Instead, from the collected device configuration and state (routing tables, ACLs, and forwarding state), it computes every path that traffic could take through the network. This technology is called network verification. It is a form of intent-based networking, because you can express high-level intent – such as segmentation defined by business-critical network and security policies – and verify it before an incident occurs and unintended traffic crosses between two networks that are supposed to be separate. Even after teams have modified network or firewall configurations, as long as the new state has been verified you can be confident that your critical data is properly segmented and that potential security backdoors are closed. One caveat a practitioner should keep in mind: the verdict is only as good as the collected configuration and state, so collection must cover every device on the path and reflect the current state, or the model will verify a network that no longer exists.

And if a violation is discovered, you can see the root cause right away. Veriflow highlights the access control lists (ACLs) and forwarding entries that permit the reachability, enabling network and security teams to quickly change network and/or security policies to close any backdoor that opens a hole in the intended segmentation.
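To make the idea of verifying segmentation intent from configuration and state concrete, here is a miniature network-verification model. It is an added illustration written for this page, not Veriflow’s code, data model, or algorithm, and the topology, device names, prefixes, and ACL rules in it are constructed. It takes routes and ACLs for a handful of devices, computes every header class (source prefix, destination prefix, port set) that can be delivered from a guest Wi-Fi segment into a back-end range without sending a packet, and reports, for each violation of the intent “guest may reach back-end only on port 443”, the route and ACL entries that let the traffic through. Two properties keep it tractable: any two CIDR prefixes are either disjoint or nested, so classes split cleanly, and ports that appear in no ACL all behave identically, so one representative port stands in for them.

```python
"""Added example (not Veriflow's code): a miniature network-verification model
that, from routes and ACLs alone, computes every header class that can travel
between two segments and records the route and ACL entries that let it through.
It relies on one property: two CIDR prefixes are either disjoint or nested."""
from collections import namedtuple
from ipaddress import ip_network

Rule = namedtuple("Rule", "action src dst port", defaults=(None,))  # ACL entry; port None = any
Flow = namedtuple("Flow", "src dst ports")  # header class: src prefix x dst prefix x port set
Device = namedtuple("Device", "routes acl", defaults=([],))  # routes: prefix -> next hop (None = connected)

def meet(a, b):
    """Intersection of two prefixes: the more specific one if nested, else None."""
    return b if a.supernet_of(b) else a if b.supernet_of(a) else None

def remainder(f, h):
    """The part of header class f not covered by its sub-box h."""
    rest = [Flow(s, f.dst, f.ports) for s in f.src.address_exclude(h.src)]
    rest += [Flow(h.src, d, f.ports) for d in f.dst.address_exclude(h.dst)]
    if f.ports - h.ports:
        rest.append(Flow(h.src, h.dst, f.ports - h.ports))
    return rest

def apply_acl(acl, flow):
    """First-match semantics over a whole class: each rule peels off the part it
    matches; what no rule matches gets the implicit deny. No ACL = permit all."""
    if not acl:
        return [(flow, "permit", None)]
    pending, out = [flow], []
    for rule in acl:
        nxt = []
        for f in pending:
            s, d = meet(f.src, rule.src), meet(f.dst, rule.dst)
            p = f.ports if rule.port is None else f.ports & {rule.port}
            if s is None or d is None or not p:
                nxt.append(f)
                continue
            hit = Flow(s, d, frozenset(p))
            out.append((hit, rule.action, rule))
            nxt += remainder(f, hit)
        pending = nxt
    return out + [(f, "deny", None) for f in pending]

def route(dev, flow):
    """Longest-prefix match on the destination, splitting the class when
    sub-prefixes take different next hops. Unrouted parts are dropped."""
    pending, out = [flow], []
    for prefix, nh in sorted(dev.routes.items(), key=lambda r: -r[0].prefixlen):
        nxt = []
        for f in pending:
            d = meet(f.dst, prefix)
            if d is None:
                nxt.append(f)
                continue
            hit = Flow(f.src, d, f.ports)
            out.append((hit, prefix, nh))
            nxt += remainder(f, hit)
        pending = nxt
    return out

def reachable(net, start, flow, max_hops=16):
    """Sub-classes of `flow` injected at `start` that get delivered, each with its
    evidence chain of (device, permitting ACL rule or None, route prefix, next hop)."""
    delivered, work = [], [(start, flow, [])]
    while work:
        dev, f, why = work.pop()
        if len(why) > max_hops:  # loop guard for forwarding loops
            continue
        for part, action, rule in apply_acl(net[dev].acl, f):
            if action != "permit":
                continue
            for sub, prefix, nh in route(net[dev], part):
                ev = why + [(dev, rule, prefix, nh)]
                if nh is None:
                    delivered.append((sub, ev))
                else:
                    work.append((nh, sub, ev))
    return delivered

def check_intent(net, entry, src, dst, allowed):
    """Intent: traffic from src entering at entry may reach dst only on allowed ports.
    Returns violating (flow, evidence) pairs; an empty list means verified."""
    named = {r.port for d in net.values() for r in d.acl if r.port is not None}
    universe = frozenset(named | set(allowed) | {0})  # 0 stands for every port named in no ACL
    return [(f, ev) for f, ev in reachable(net, entry, Flow(src, dst, universe))
            if not f.ports <= frozenset(allowed)]

# Constructed topology: guest Wi-Fi enters at "edge"; "core" holds the segmentation
# ACL; "ops" is a later direct link to a jump host inside the back-end range.
N = ip_network
ANY, GUEST = N("0.0.0.0/0"), N("192.168.50.0/24")
BACKEND, JUMP = N("10.20.0.0/16"), N("10.20.5.0/24")
NET = {
    "edge": Device({GUEST: None, JUMP: "ops", N("10.0.0.0/8"): "core"}),
    "core": Device({BACKEND: "backend"}, [Rule("permit", GUEST, N("10.20.1.0/24"), 443),
                                          Rule("deny", GUEST, N("10.0.0.0/8")),
                                          Rule("permit", ANY, ANY)]),
    "ops": Device({JUMP: "backend"}, [Rule("permit", ANY, JUMP, 22)]),
    "backend": Device({BACKEND: None}, [Rule("permit", N("10.10.0.0/16"), BACKEND, 3306),
                                        Rule("permit", ANY, BACKEND, 443),
                                        Rule("permit", ANY, JUMP, 22)]),
}
```

Calling `check_intent(NET, "edge", GUEST, BACKEND, {443})` returns a single violation: guest Wi-Fi can reach the jump host 10.20.5.0/24 on port 22. The evidence chain is the root cause the text describes: the more specific route for 10.20.5.0/24 on "edge" sends that traffic to "ops" instead of "core", so the deny rule on "core" never sees it, and the port-22 permits on "ops" and "backend" let it through. Adding 22 to the allowed set, or removing the "edge" route, makes the same call return an empty list, which is what a verified intent looks like; the same check can be run against freshly collected state after every change.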

As more organizations automate network and security changes, Veriflow lets users incorporate automatic verification of segmentation into their workflows through its open RESTful, JSON-based APIs. All modeled network flows and business-intent verification results are accessible through these APIs.

A practical way to reduce risk
Since Veriflow does not perform network and security changes directly, it satisfies the IT security requirement for “separation of duties”: the system that verifies network and security changes against business intent is independent of the systems that make changes to the network infrastructure, so a change cannot vouch for itself.

Ultimately, network verification technology reduces risk significantly for businesses. It gives IT teams the visibility and verification to keep pace with changing user and application needs, while continuously ensuring segmentation and business intents are met.

Having spent years building enterprise and service provider networks, I directly felt the pain of verifying segmentation across an entire network, ensuring security policies and ACLs are consistent across an entire network, and verifying security standards within a network (e.g., how do you ensure unauthorized ports are not open across an entire network?).

Veriflow is addressing this issue head-on with a new kind of Intent-Based Networking solution, bringing together data analytics and formal verification algorithms to improve networking and security automation – and I joined Veriflow to be a part of that convergence.