The startup Veriflow has announced four new capabilities to bring intent-based network verification to enterprise data centers.
Without the buzzwords, that means Veriflow lets you confirm whether your data center network is configured to actually do the things you intended it to do.
Veriflow achieves this by gathering state and configuration data such as forwarding tables, ACLs, and rules from routers, switches, firewalls, load balancers and other network devices.
It collects this data at regular intervals, applies a mathematical technique called formal verification, and then builds a software model of the network as it’s actually configured. Using this model, Veriflow can see precisely how each node is connected and all the possible paths traffic can take among those nodes.
Veriflow recently announced four new capabilities or applications that take advantage of this network model:
- Automated Intent Inference
- Cloud Predict
- Preflight
- Dynamic Diff
Here’s what they do.
Automated Intent Inference
This feature uses state information to make educated guesses about the outcomes that a particular set of configurations is intended to produce, and then identify areas where those outcomes aren’t being met.
As a simple example, if the software discovers an “IP permit any any” rule in a firewall, it will infer that this rule violates a security policy or two. It will flag the rule and call it to the attention of an administrator.
One reason Veriflow developed this use case is to help customers get value from the product quickly. Rather than have to wait for administrators to learn the Veriflow platform and figure out how to communicate intent, the software can provide useful, actionable information automatically.
Cloud Predict
As you might guess from the name, Cloud Predict builds the same kind of model for public cloud networks that the platform builds for your premises network. At present, Cloud Predict is only available for Amazon AWS.
The software uses APIs to extract information about the customer’s network within the Amazon VPC (Virtual Private Cloud). Using Cloud Predict, customers can, for example, see if dev/test environments can reach production systems and can examine how traffic moves both within the VPC and between the VPC and the premises network.
Preflight
Preflight lets you test a network change against the model of the network to assess the impact of the change before pushing it into production. For instance, an organization that wanted to prune its firewall rules could model what happens to security policies and traffic flows when rules are removed.
Dynamic Diff
This feature lets you compare two snapshots of the network model to identify differences between them. For instance, if a new device was added or a link went down, this change would be highlighted in a differential comparison. This feature is useful for troubleshooting, for mean time to innocence, and other situations where admins or operators need to identify differences.
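To make the four capabilities concrete, here is an added toy model in Python (not Veriflow's code or data format) of per-device forwarding tables and ACLs that traces a path through the model, flags permit-any-any entries the way Automated Intent Inference would, tries a rule removal against a copy of the model the way Preflight would, and diffs two snapshots the way Dynamic Diff would. The device names, prefixes and rules are constructed for the example.

```python
import copy
from ipaddress import ip_address, ip_network
# Constructed toy state (not Veriflow's format): per device a forwarding table
# (prefix -> next hop, "local" = delivered here) and a first-match ACL.
ANY = "0.0.0.0/0"
SNAPSHOT = {
    "dev-switch": {"routes": {"10.1.0.0/16": "local", "10.2.0.0/16": "fw"}, "acl": [("permit", ANY, ANY)]},
    "fw": {"routes": {"10.2.0.0/16": "prod-switch"},
           "acl": [("deny", "10.1.0.0/16", "10.2.0.0/16"), ("permit", ANY, ANY)]},
    "prod-switch": {"routes": {"10.2.0.0/16": "local"}, "acl": [("permit", ANY, ANY)]},
}

def acl_permits(acl, src, dst):
    """First matching entry decides; no match means implicit deny."""
    for action, s_net, d_net in acl:
        if src in ip_network(s_net) and dst in ip_network(d_net):
            return action == "permit"
    return False

def next_hop(routes, dst):
    """Longest-prefix match over one device's forwarding table."""
    hits = [(ip_network(p).prefixlen, nh) for p, nh in routes.items() if dst in ip_network(p)]
    return max(hits)[1] if hits else None

def trace(snapshot, start, src, dst, max_hops=16):
    """Walk the modelled path hop by hop; return (delivered, hops visited)."""
    src, dst, node, hops = ip_address(src), ip_address(dst), start, []
    while node in snapshot and len(hops) < max_hops:
        hops.append(node)
        if not acl_permits(snapshot[node]["acl"], src, dst):
            return False, hops            # dropped by this device's ACL
        nh = next_hop(snapshot[node]["routes"], dst)
        if nh == "local":
            return True, hops
        node = nh
    return False, hops                    # no route, unknown hop or loop guard

def permissive_rules(snapshot):
    """Intent-inference style check: flag 'permit any any' ACL entries."""
    return [(dev, i) for dev, d in snapshot.items()
            for i, (a, s, t) in enumerate(d["acl"]) if a == "permit" and s == t == ANY]

def preflight(snapshot, change):
    """Preflight: apply a candidate change to a copy of the model, never the network."""
    new = copy.deepcopy(snapshot)
    change(new)
    return new

def diff_snapshots(old, new):  # Dynamic Diff: which devices' modelled state changed
    return sorted(d for d in set(old) | set(new) if old.get(d) != new.get(d))
```

Checking the intent "dev must not reach prod" before and after removing the firewall's deny entry in a preflight copy shows whether the proposed pruning would violate it, while the original snapshot stays untouched for the diff.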
Intent is the new hotness in networking. There are two sides to the intent coin. One side is programmatic: A human being says “I need the network to do X, Y, and Z.” The intent software figures out how to make those things happen, and then goes and configures the necessary devices to achieve the stated outcomes.
The other side is confirmation. A human being says “I think my network is configured to do X, Y, and Z. Is that true?” The intent software looks at the network to verify whether this is the case.
This second area is where Veriflow plays, as does a similar startup, Forward Networks.
This modeling approach makes sense to me. Assuming that it works as advertised, it can provide a global view of a complex system and is geared toward generating actionable insight, not just reams of data that it’s up to you to parse.
I also like that it’s built for brownfield networks. That is, it’s designed to work with your network as it is, not as you might like it to be. It embraces gnarly designs, old choices and compromises, and the plaque built up from layers of policy, application design and support, and business decisions.
Ideally, this is a tool you could use to start scraping away some of that plaque to get that clean, minty-fresh network like the ones you see on TV.
That said, it’s still only a model. Just as a map isn’t the territory, this mathematical representation of routing tables and ACLs isn’t your network. It will always be playing catch-up to the real thing. It will have limits and blind spots and out-of-date information.
And it will take training and trial and error to figure out the best way to use this tool, and to understand the right questions to ask and how to ask them to get the most benefit from it.
But that’s how it is with other management and operations products. This isn’t any different.