Veriflow in the time of SDN

Software Defined Networking

Software Defined Networking was proposed as the savior of innovation in computer networks, separating the control and data planes in a manner that enables independent innovation. The SDN vision is to enable faster evolution of software-based protocols and algorithms, so as to allow fine-grained and flexible control over traffic. Through the inherent freedom for innovation, it also promises to strengthen vendor-independence in enterprise networks. Early success stories have nurtured hope in the community that SDN would inject much needed agility into the field of networking.

Recent years have seen the growth of SDN into a compelling paradigm for enterprises. The OpenFlow protocol is now a feature-rich and flexible platform, a cost-effective choice for enterprises looking for fine-grained control. We have also seen the definition of SDN grow to encompass a diverse array of products and architectures, most notable of them being the Software Defined Datacenter. Vendors have been quite zealous in advocating this approach, which promises simplified policy management, significantly reduced costs, higher reconfigurability, and faster turnaround time.

Given such exciting opportunity, one wonders, why haven’t we seen greater adoption of SDN? Why have enterprises taken a cautious, wait-and-see approach? Recent surveys and our own interactions with enterprises reveal the following reasons:

  • Lack of operator confidence from loss of direct control: The high-level configuration mechanism introduced by SDN platforms has yet to gain the trust of operators, who are used to a lower-level control plane that affords hands-on configurability.
  • Lack of visibility: Especially in multi-vendor or hybrid deployments, where multiple control paradigms coexist, network administrators find it nearly impossible to reason about correct implementation of policies, due to the lack of visibility into the low-level operational characteristics of the network. In many ways, this runs counter to SDN’s original goal of vendor-independence!
  • Risk amplification due to higher level of abstraction: There is widespread concern in enterprises that the cost of human error is much greater with the high-level SDN abstraction, and rightly so. Even minor misconfigurations of the SDN control plane can have far-reaching consequences, potentially causing entire services to be compromised.

With these concerns in mind, as we designed our new platform at Veriflow, we challenged ourselves with this question: how could we help enterprises make the difficult, at times ponderous, transition to SDN?

Here’s what we came up with: By constructing a comprehensive and accurate data plane model, Veriflow provides unprecedented visibility to network administrators. Increased visibility is helpful in two respects: first, it restores operator confidence by facilitating independent verifiability of higher level configurations; and second, it allows administrators to reason about end-to-end correctness in a vendor-agnostic manner. As for policy implementation, our rich policy library allows policies spanning administrative objectives to be fully formally verified. Automatically.

From an engineering standpoint, Veriflow is a natural companion for Software Defined Networks. In its early days as a research product in a lab, the scope for Veriflow was underwritten by SDN. Today, as a fully-featured policy verification package, Veriflow offers unmatched support for diverse Software Defined Networking platforms. Veriflow is capable of operating in two modes — passive verification, which detects policy violations with zero network interference, or active verification, which proactively prevents policy violations from ever being injected into the data plane. By mathematically verifying policies in real-time, Veriflow makes SDN misconfigurations a thing of the past. It is customizable to user requirements and allows seamless integration of mathematical verification into operational workflows. The policy library, featuring policies spanning diverse use-cases like traffic quality, threat exposure and breach prevention, has full SDN support.

For a painless transition to SDN, organizations need to be equipped with tools for increased visibility, fast and easy diagnostics, and guaranteed correctness. The Veriflow platform meets all of those objectives, providing a tool that makes the SDN transition smooth, safe, and productive. Veriflow is the first and only product that provides a vendor-independent, network-wide mechanism for formally verifying the correctness of policies in enterprise networks. With extensive protocol support, rich policy libraries, and real-time response capabilities, Veriflow is the one necessary component that enterprises need as they enter the exciting new world of SDN.