Networking isn’t exactly my cup of ristretto. When I’m invited to events such as Cisco Live, I’m usually the quiet guy (unless it comes to storage or cloud) in the room trying to understand what the heck is being discussed. But once in a while, there’s a presentation outside of my comfort zone that will make me go “Wow!“.
At Cisco Live Europe 2019, everybody among the Tech Field Day delegates will agree that Forward Networks gave the best presentation of the event. It's no small feat to awaken my interest in a topic I'm estranged from, especially under "adverse" conditions (a cold, lack of sleep, an early-morning slot...).
Forward Networks was founded in July 2013 and is headquartered in Silicon Valley. It was founded by four Stanford Ph.D. graduates with "an extensive background in networking architecture who had done pioneering research in SDN" (quoting their website).
From a funding perspective, Forward Networks is currently at Series B. The company raised a 16 million USD Series B in August 2017 from DFJ, Andreessen Horowitz and A.Capital Ventures. Total funding is 27 million USD, going by past press releases.
Forward Networks launched its initial product, Forward, in November 2016 when it came out of stealth. To oversimplify, Forward Networks scans the infrastructure by reading device configurations, which lets it understand not only the network topology but also the traffic rules and any access control lists / firewall rules.
This gives Forward Networks a clear understanding of "how the network functions", or rather how it was designed and intended to be. That matters because there is often a gap between the intent (how things should work) and the reality (how things actually work because of design decisions X, Y and Z).
In this context, existing heterogeneous network infrastructures (made of many products and brands) are normalized into a vendor-agnostic abstraction layer that represents these devices as standardized objects (switches, routers, load balancers, firewalls, etc.).
Once the abstraction has been created, a "mathematical model" is applied via Header Space Analysis, a static analysis technique for checking a network for reachability, traffic isolation, leakage problems and forwarding loops (I didn't have the time to read it all, but bookmarked this as an interesting reference on HSA). A "data model" of the environment is then created from normalized configuration descriptions, using an OpenConfig-based schema.
Once this level of abstraction is in place, the environment is in a state that Forward Networks understands, and the product features (described below) can be used to take action if and when needed.
There are currently two editions available: Forward Essentials and Forward Enterprise.
The Essentials edition is free and delivers automated network mapping, device inventory tracking and reporting, network-wide search, and change management tracking. In essence, Forward scans the network estate non-intrusively (using read-only access) and builds a map of the existing environment that is refreshed on a regular basis. Each refresh is captured as a point-in-time snapshot, which helps identify what changed when troubleshooting.
Because it scans the entire infrastructure, it also maintains a searchable inventory of the network estate, which leads to the next feature: configuration files can be searched across all devices.
The paid Enterprise edition takes the feature set to the next level. One could say that the Essentials edition helps you understand what your environment looks like, while the Enterprise edition is what really helps on a day-to-day basis.
The Enterprise edition augments the Essentials edition with four features:
Verification lets you define, customize and check policies across the network. You may, for example, use network zones for traffic segmentation and want to make sure that no traffic is allowed between them. Creating the corresponding policy lets Forward Networks verify whether the policy is actually enforced, and flag any change to the traffic rules that violates it (for example, someone inserting an ANY:ANY rule in the middle of a rule set for whatever reason).
Prediction is a sort of "what-if" analysis tool. It simulates how proposed configuration changes would affect the network if they were implemented, without touching the production devices, which is extremely useful for modelling traffic flows as well as any potential connectivity issues.
Prediction can also "ignore ACLs", which is a great way to identify firewalls along the path that could be blocking a given type of traffic. With ACLs ignored, we can see whether traffic from source to destination would flow if no firewall rule stood in the way. If it would, routing is sound and the ACL entries are where to start troubleshooting; if it still would not, the problem lies in the forwarding path itself.
Comparison: think of it as a diff across network configurations. All device configuration files can be compared between any two points in time for changes. The product includes many filters and search options, which makes the network team's life much easier.
Integration: last but not least, Forward Networks is API-driven and exposes a REST API over HTTP, which is helpful for advanced network engineers who automate their network and write their own tooling against it.
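To make the three ideas above concrete (the vendor-agnostic device model and the static reachability / isolation / loop checks of Header Space Analysis, the zone-isolation Verification policy, and Prediction's "ignore ACLs" what-if), here is an added Python illustration. It is not Forward Networks' code or algorithm: the topology, prefixes, device names and ACL entries are constructed for this post, and where real header-space analysis reasons symbolically over every possible header, this version walks a handful of concrete probe packets through the model, which is easier to read but only finds what you probe.

```python
"""Toy static reachability model: routes, ordered ACLs, a zone-isolation check,
an 'ignore ACLs' what-if mode and forwarding-loop detection. Constructed for
this post, not Forward Networks' code; real header-space analysis is symbolic."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

Packet = namedtuple("Packet", "src dst proto dport")  # proto: "tcp" or "udp"

@dataclass
class AclEntry:
    """One line of an ordered access list; defaulted fields match anything."""
    action: str  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src) and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto) and self.dport in (None, p.dport))

@dataclass
class Device:
    """Vendor-neutral device: routes map prefix -> next hop (or "deliver"); acl is ordered."""
    name: str
    routes: dict = field(default_factory=dict)
    acl: list = field(default_factory=list)

    def next_hop(self, p: Packet) -> Optional[str]:
        """Longest-prefix match on the destination address."""
        hits = [(ip_network(pfx), nh) for pfx, nh in self.routes.items() if ip_address(p.dst) in ip_network(pfx)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def permits(self, p: Packet) -> bool:
        """First matching entry wins; a non-empty ACL ends in an implicit deny."""
        for e in self.acl:
            if e.matches(p):
                return e.action == "permit"
        return not self.acl

def trace(net: dict, ingress: str, p: Packet, ignore_acls: bool = False):
    """Walk one packet hop by hop -> (delivered, path); last path element names the failure."""
    path, cur = [], ingress
    while cur not in path:  # revisiting a device means a forwarding loop
        path.append(cur)
        if not ignore_acls and not net[cur].permits(p):
            return False, path + ["DROP by ACL"]
        cur = net[cur].next_hop(p)
        if cur == "deliver":
            return True, path
        if cur is None:
            return False, path + ["no route"]
    return False, path + [cur + " (LOOP)"]

ZONES = {"dmz": "10.1.0.0/24", "corp": "10.2.0.0/24", "db": "10.3.0.0/24"}  # constructed zones
INGRESS = {"dmz": "fw", "corp": "r1", "db": "r2"}  # first device each zone's hosts hit

def build_network(extra_fw_acl=()):
    """Intended design: corp->db tcp/5432, any->dmz tcp/443, corp->dmz tcp/22,
    all other traffic crossing the firewall denied. extra_fw_acl is prepended."""
    fw_acl = list(extra_fw_acl) + [
        AclEntry("permit", ZONES["corp"], ZONES["db"], "tcp", 5432),
        AclEntry("permit", "0.0.0.0/0", ZONES["dmz"], "tcp", 443),
        AclEntry("permit", ZONES["corp"], ZONES["dmz"], "tcp", 22),
    ]
    fw_routes = {ZONES["dmz"]: "deliver", ZONES["corp"]: "r1", ZONES["db"]: "r2",
                 "192.168.5.0/24": "r2"}  # stale route: r2 only has a default back to fw
    return {
        "r1": Device("r1", {ZONES["corp"]: "deliver", "0.0.0.0/0": "fw"}),
        "fw": Device("fw", fw_routes, fw_acl),
        "r2": Device("r2", {ZONES["db"]: "deliver", "0.0.0.0/0": "fw"}),
    }

def probes(src_zone: str, dst_zone: str):
    """One representative host per zone, a few ports, both protocols."""
    s, d = ip_network(ZONES[src_zone]), ip_network(ZONES[dst_zone])
    for proto, port in product(("tcp", "udp"), (22, 443, 5432)):
        yield Packet(str(s[10]), str(d[10]), proto, port)

def isolation_violations(net, src_zone, dst_zone, ignore_acls=False):
    """Policy 'src_zone must never reach dst_zone': return every probe that gets delivered."""
    runs = [(p, trace(net, INGRESS[src_zone], p, ignore_acls)) for p in probes(src_zone, dst_zone)]
    return [(p, path) for p, (ok, path) in runs if ok]

if __name__ == "__main__":
    net, bad = build_network(), build_network(extra_fw_acl=[AclEntry("permit")])  # bad: ANY:ANY on top
    print("dmz->db violations as designed / after ANY:ANY:",
          len(isolation_violations(net, "dmz", "db")), "/", len(isolation_violations(bad, "dmz", "db")))
    print("with ACLs ignored:", len(isolation_violations(net, "dmz", "db", True)), "probes delivered")
    print("stale route:", trace(net, "fw", Packet("10.1.0.10", "192.168.5.1", "tcp", 80), True))
```

Run as a script it reports zero dmz-to-db violations for the intended design, six once the ANY:ANY entry lands on top of the firewall ACL, six probes delivered when ACLs are ignored (so it is the firewall, not routing, that isolates the zones), and the stale 192.168.5.0/24 route surfacing as a loop between fw and r2. The caveat is the one in the lead-in: a probe set only proves something about the headers you chose, which is exactly why a product in this space wants a symbolic model rather than a ping sweep.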
Why it matters
Network troubleshooting can be a very tiresome and complex activity (especially for those of us not initiated into its arcana). In today's complex hybrid cloud environments, we are so often just one hop away from disaster.
Complex, sedimented firewall rules and a lack of consistency across environments are all it takes for trouble to happen. I've seen that from the other side (the virtualization world), and no matter how things are abstracted, at some point we'll hit a forgotten Access Control List (ACL) somewhere that is preventing traffic from flowing.
Readers should be aware that I am not a networking expert and that I am oversimplifying things for my non-network-oriented audience. I recommend watching the Tech Field Day video recorded during the presentation to better understand what Forward Networks is doing.
First, a word on the presentation. Forward Networks did an awesome job of captivating the audience. I suppose the Tech Field Day crew goes to great lengths to brief the presenting companies (their customers) to make such appearances a success for all parties: helping presenting companies deliver their message in the best way and to the broadest audience; engaging delegates and making them think (and write) about what they saw; and finally making these appearances a customer success that generates more opportunities for Tech Field Day. Executed properly, this is a virtuous cycle of win/wins. In that case, Forward Networks demonstrated prowess in mastering the Tech Field Day concept.
On the product itself, my post should speak for itself. Networking is not my discipline; I find it to be some kind of "nasty Elvish sorcery" (paraphrasing good old Gollum) that goes far beyond my comprehension. Even if it is "sorcery", Forward Networks puts some order into it.
Forward Networks brings an understanding of the network as it is today: right now, and not as in the 5- or 10-year-old Visio file that nobody looks at anymore, or the Excel file that references every ACL worldwide (because Excel is the state-of-the-art data management tool, right?!).
Personally, I enjoyed the Forward Networks presentation and found the capabilities it provides to be amazing. I say that not to flatter the company, but speaking from my experience in the trenches with support cases bouncing back and forth about "server communication issues". The question remains whether a company can thrive on a single product, but the fact is that doing one thing well is better than doing two things and not focusing adequately on either.
This post is part of my TFD Extra at Cisco Live Europe 2019 post series. I was invited to the event by Gestalt IT. Gestalt IT will cover expenses related to the event: travel, accommodation and food for the duration of the event. I will not receive any compensation for participating in this event, and I am not obliged to blog or produce any kind of content. Any tweets, blog articles or other content I may produce are the exclusive product of my interest in technology and my will to share information with my peers. I commit to sharing only my own point of view and analysis of the products and technologies I will be seeing and hearing about during this event.