Network and security administrators may dream of stable, secure and agile networks, but the truth is that over time they become complex and clogged with policies.
A California startup called Veriflow said Tuesday it is ready to sell a solution that mathematically verifies network policies to minimize change-induced network outages and breaches.
CEO Jim Brear said in an interview the software, sold either on-premises or as a cloud service, borrows the concept of formal verification used by semiconductor chip makers and in the aerospace industry to prove or disprove the correctness of a system's functional specifications.
Traditional solutions include change management and automation tools. But, Brear said, “they’re very expensive, very manual, time consuming and they don’t solve the problem.”
“We mathematically verify network policies, whether they are actually realized or not, by predicting all possible data flow behaviour before it happens” and how devices will react to changes, added CTO and co-founder Brighton Godfrey.
“There’s no reason why networks can’t be just as trustworthy as other mission-critical devices and applications.”
He said Veriflow's virtual appliance software discovers Layer 1-4 devices (routers, switches, load balancers, firewalls, virtual firewalls) in the data plane and captures read-only data from the ACL/CAM tables that control what happens when a packet enters the device. The data is then synthesized into a network-wide predictive model of all possible data flows.
If the network configuration changes, whether accidentally or at the hands of an attacker, Veriflow tells administrators whether the network still conforms to the established policies (that it still upholds network segmentation, for example).
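To make the two preceding paragraphs concrete, here is an added, deliberately simplified illustration of the idea (this is not Veriflow's code, and the real product models far more than IPv4 prefixes and stateless ACLs). It reads a constructed data plane (per-device FIBs with longest-prefix match and ingress ACLs), splits the address space into equivalence classes so that one representative packet per class stands for every possible flow, and checks a segmentation policy both on the baseline and after a routing change that sends finance traffic around the firewall. Device names, subnets and rules are all assumptions made for the example.

```python
"""Toy data-plane verifier: model FIBs and ACLs, then check a segmentation
policy over every equivalence class of source/destination addresses.

Added illustration, not Veriflow's code. Topology, subnets and rules are
constructed for the example."""
import copy
import ipaddress
from itertools import product

N = ipaddress.ip_network

# Constructed data plane. ACL: first match wins, default permit.
# FIB: longest-prefix match; next hop "deliver" = destination is attached.
NETWORK = {
    "access":   {"acl": [],
                 "fib": [(N("10.10.0.0/24"), "deliver"),   # guest VLAN
                         (N("10.20.0.0/24"), "deliver"),   # corp VLAN
                         (N("0.0.0.0/0"), "core")]},
    "core":     {"acl": [],
                 "fib": [(N("10.10.0.0/24"), "access"),
                         (N("10.20.0.0/24"), "access"),
                         (N("10.30.0.0/24"), "firewall")]},
    "firewall": {"acl": [("deny", N("10.10.0.0/24"), N("10.30.0.0/24")),
                         ("permit", N("0.0.0.0/0"), N("0.0.0.0/0"))],
                 "fib": [(N("10.30.0.0/24"), "dist"),
                         (N("10.0.0.0/8"), "core")]},
    "dist":     {"acl": [],
                 "fib": [(N("10.30.0.0/24"), "deliver"),   # finance VLAN
                         (N("0.0.0.0/0"), "firewall")]},
}
# Where hosts enter the data plane.
ATTACHED = {N("10.10.0.0/24"): "access", N("10.20.0.0/24"): "access",
            N("10.30.0.0/24"): "dist"}
# Segmentation policy: (src prefix, dst prefix, expected outcome).
POLICY = [(N("10.10.0.0/24"), N("10.30.0.0/24"), "deny"),
          (N("10.20.0.0/24"), N("10.30.0.0/24"), "permit")]


def trace(net, device, src, dst, max_hops=16):
    """Follow one packet hop by hop. Returns (verdict, path) with verdict in
    {"delivered", "dropped", "loop"}."""
    path = []
    while device not in path and len(path) < max_hops:
        path.append(device)
        for action, s, d in net[device]["acl"]:      # ingress ACL
            if src in s and dst in d:
                if action == "deny":
                    return "dropped", path
                break
        matches = [(p, nh) for p, nh in net[device]["fib"] if dst in p]
        if not matches:                               # no route
            return "dropped", path
        _, device = max(matches, key=lambda m: m[0].prefixlen)
        if device == "deliver":
            return "delivered", path
    return "loop", path


def representatives(prefixes):
    """One address per atomic class: the part of each prefix not covered by a
    more-specific prefix. Every address in an atom matches exactly the same
    rules network-wide, so one representative per atom covers all flows."""
    pfx = set(prefixes) | {N("0.0.0.0/0")}
    reps = []
    for p in pfx:
        pieces = [p]
        for q in pfx:
            if q != p and q.subnet_of(p):
                nxt = []
                for piece in pieces:
                    if q.subnet_of(piece):
                        nxt.extend(piece.address_exclude(q))
                    elif not piece.subnet_of(q):
                        nxt.append(piece)
                pieces = nxt
        if pieces:
            reps.append(pieces[0].network_address)
    return sorted(reps)


def all_prefixes(net, attached, policy):
    out = set(attached) | {p for s, d, _ in policy for p in (s, d)}
    for dev in net.values():
        out |= {p for p, _ in dev["fib"]}
        out |= {p for _, s, d in dev["acl"] for p in (s, d)}
    return out


def verify(net, attached, policy):
    """Return policy violations as (src, dst, path) over all flow classes."""
    reps = representatives(all_prefixes(net, attached, policy))
    violations = []
    for src_pfx, dst_pfx, expected in policy:
        for src, dst in product(reps, reps):
            if src not in src_pfx or dst not in dst_pfx:
                continue
            ingress = next((dev for p, dev in attached.items() if src in p), None)
            if ingress is None:                       # not an internal source
                continue
            verdict, path = trace(net, ingress, src, dst)
            if (verdict == "delivered") != (expected == "permit"):
                violations.append((str(src), str(dst), path))
    return violations


def apply_change(net, device, prefix, next_hop):
    """Copy of the network with one FIB entry on `device` replaced or added."""
    new = copy.deepcopy(net)
    prefix = N(prefix)
    fib = [(p, nh) for p, nh in new[device]["fib"] if p != prefix]
    new[device]["fib"] = fib + [(prefix, next_hop)]
    return new


if __name__ == "__main__":
    print("baseline:", verify(NETWORK, ATTACHED, POLICY))
    # Proposed change: core sends finance traffic over a direct link to dist,
    # which silently routes around the firewall's segmentation ACL.
    changed = apply_change(NETWORK, "core", "10.30.0.0/24", "dist")
    print("after change:", verify(changed, ATTACHED, POLICY))
```

On the baseline the guest-to-finance flow dies at the firewall ACL and the check passes; after the route change the same flow is delivered via access, core and dist without ever touching the firewall, and the verifier reports it as a violation of the "deny" rule even though no single device's configuration looks wrong on its own. A real system also has to model ports, protocols, NAT, VLAN tags, tunnels and stateful rules, which is where most of the engineering effort goes.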
The solution also includes a library of best practices against which current network and security policies can be compared.
However, Godfrey acknowledged that the solution doesn’t prevent an organization from implementing a poor policy. Nor, he added, does it do packet inspection.
In an interview Daniel Conde, an analyst with the Enterprise Strategy Group, hesitated at calling Veriflow a security product. Instead he described it as “more of a general purpose way of verifying the state of a network.”
As networks get more complex it's harder to configure devices securely by hand, he agreed. Veriflow "is a novel approach to use mathematical verification" to confirm packet flow, he said.
“I don’t think machine verification alone is a silver bullet,” he added. He also cautioned that he hasn’t seen Veriflow in action or interviewed a customer.
He also noted there are other products that include network policy verification in their feature sets, such as Cisco Systems’ ACI (Application Centric Infrastructure) and VMware’s NSX network virtualization platform.
Brear said his company now has customers in trials and is ready to sell the solution, either directly or through a yet-to-be-announced network of value-added resellers, but the product with a full feature set won't be available until the second half of the year.