• United States

How network verification differs from monitoring, and what it’s good for

Jan 09, 20185 mins
Network MonitoringNetworking

Organizations are using continuous network verification to move from reactive to proactive operations.

In a previous post I discussed network verification, a new area of technology that applies what is known as formal verification – mathematical analysis of a complex system to determine rigorously if it meets the end-to-end goal – to network infrastructure.

But what is network verification good for and how is it different from today’s common practice? Nearly every organization monitors its network, typically by sampling ongoing flows, events or logs. Isn’t that enough to catch problems as the organization deploys changes?

Monitoring samples the past; verification predicts the future

In fact, verification is quite different from monitoring in powerful ways. To understand verification, it is helpful to contrast it with the traffic-monitoring technology that we all know.

  • Monitoring observes low-level events; verification understands the high-level goal. Monitoring solutions do not generally understand the network-wide goal of the business. They gather observations of what has happened, but that is not the same as understanding what should happen. The idea of verification is to ensure an ultimate goal – the intent of the network designer – is being met. One can declare a high-level intent such as “My hospitals should be able to reach all critical services along multiple paths,” store it in a central repository of record and verify the intent continuously as thousands of changes are made to the network across time. This ability to meet an ultimate goal is why verification has become a key part of intent-based networking.
  • Monitoring watches what happened; verification predicts what could happen. Because monitoring watches recent or historical traffic, it is fundamentally reactive, only seeing problems as or after users are experiencing them (or after attackers have exploited vulnerabilities!). Verification solutions do not need to look at a single packet flowing through the network, and do not inject probe traffic into the network. Instead, they analyze network state, such as configurations, forwarding tables, access control lists and more, to figure out how traffic could flow through the network. As a result, operators can verify if the network will behave as intended.
  • Monitoring samples a few packets; verification explores all possible behaviors. Monitoring cannot give complete assurance that intent is met under all circumstances; it can only say, “I don’t see a problem right now, but who knows what will happen when the next packet arrives.” Verification effectively explores what could happen to all possible packets, injected everywhere in the network. Such exploration results in an enormous number of possibilities, and analyzing them requires new algorithmic technology – inspired by the field of formal verification – that has recently been applied to network infrastructure.

Using verification to spot problems proactively

Let’s see how the differences above come together in a useful way for users of verification technology.

Suppose you are tasked with operating a data center that has servers hosting sensitive financial databases as well as links to external partner networks, tunnels to cloud deployments, uplinks to the Internet, and more. Network segmentation, implemented with firewalls and separate virtual networks, is supposed to provide layers of defense between these different parts of the network. But thousands of devices make for a pretty complex environment. Now suppose there is a flaw in the segmentation: some part of the network, such as the external partner, could communicate with the financial databases, which could result in a failed audit or worse, a serious breach.

Despite how serious that vulnerability is, traffic monitoring would quite likely turn up nothing out of the ordinary if none of the partner’s machines were trying to access the financial databases. But if malware somehow gained a foothold in the partner’s network, it could quickly lead to a serious breach of financial data. Even if malicious traffic is monitored, there is no guarantee it will raise an alarm, because the monitoring systems may not understand that the observed traffic violates the intended segmentation.

In a network verification system, the intent is explicitly declared – in this case, that the external partner network should be connected to the demilitarized zone but isolated from the rest of the data center. The network verification system can then explore all possible data flows that could occur and determine if some flows will violate the intent, thus spotting the vulnerability well before the attack.

Now suppose you are called in early Saturday morning to fix this vulnerability by locking down firewall rules. One slip-up could restrict traffic too much, taking the databases offline from cloud-hosted applications. Depending on the application and the access control mistake, such a slip-up might result in an immediate red-alert outage, or it might not show up until Monday morning. Either way, traffic monitoring will see the problem only after it has already affected users. A network verification system could incorporate the proposed change into its network model pre-deployment and predict that the change would violate the connectivity intent, saving you from causing an outage.

Network verification in production networks

Of course, traffic and event monitoring are still valuable. Real-time performance monitoring, even down to the millisecond, is becoming more and more important. But in use cases such as those above, verification can prevent outages and vulnerabilities that would otherwise have gone unnoticed. Verification thus reduces the risk of errors (whether due to human error or software error) during and after change and ultimately improves the organization’s agility.

Today, these benefits have driven companies to mature network verification from its academic roots. Hyperscale cloud providers such as Microsoft Azure and Google are deploying verification technology specialized for internal use, and startups are providing verification solutions broadly suitable for networks. Gartner has highlighted the importance of verification and assurance within the intent-based networking area.

Network verification is fast becoming a key step in the network automation story because it provides rigorous automated validation that the business intent matches reality. What is perhaps most exciting is that because the technology verifies passively (without disrupting active operations), it can help today’s real, messy, multi-vendor brownfield networks transition to more software-driven processes.


Brighten Godfrey is the co-founder and CTO at Veriflow. Brighten has made an impact in the technology world by conducting research in networked systems and algorithms for over a decade and co-inventing the key technology used at Silicon Valley-based Veriflow. As co-founder, he made Veriflow the first networking company to utilize formal verification to eliminate change-induced network outages and vulnerabilities.

Brighten’s work has developed architectures and systems for Internet routing, data center networking, high performance data transport, and network data plane verification. His work has also advanced theoretical analysis of network algorithms. He has co-authored more than 50 scientific publications, and many of those technologies have been deployed by hyperscale cloud computing providers. Not only has he made his mark in the technology world, but Brighten also shares his knowledge with aspiring computer scientists.

When he isn’t in the Silicon Valley, Brighten can be found advising young researchers as Associate Professor of Computer Science at the University of Illinois at Urbana-Champaign. He is also the co-instructor of “Cloud Networking,” a popular Coursera course that allows researchers to learn remotely.

The opinions expressed in this blog are those of Brighten Godfrey and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.