Forward Networks For Defensive Planning

Forward Networks likes to call its product a digital twin which is a fancy term for a model.

In this case, the model is of your network. Forward Networks collects configuration information from as many of your network devices as you will let it. It uses this information to build a model of what your network looks like. The more data the Forward Networks system has, the more accurate that model can be. At least in theory.

The glorified database is the least interesting part though. What is interesting are the kinds of reports you can run on this database. You can ask questions like “Is there TCP reachability from this PC here in corporate HQ to this server in AWS us-west-1 on port 443?” or perhaps “Are routes in AS-nnnn being advertised out through this egress node on the edge of the network?”

You can ask questions of the model instead of interrogating production, which is safer and possibly faster as well. You can also ask more complex questions, because all the data is in one place in a format that Forward Networks understands. Figuring out why you can’t traverse from A to B in a network can be tricky. Is something broken if you can’t? Or is it deliberate policy to stop accidents and miscreants?

Blast radius

One aspect of this modelling ability that I particularly liked seeing was the concept of ‘blast radius’. You could use Forward Networks’ model to figure out where an intruder could get to if they broke into webserver web-us-west-1-332. As a defender, you can try to attack your own network, but only in the model, not for real, so there’s very little danger of you breaking something important.

You could try all kinds of interesting scenarios in the simulation, quickly, and with low risk. And beyond discovering “yes, you can” or “no, you can’t” you can also quickly understand why. Forward Networks can show you the specific lines of configuration on a firewall that are preventing you from successfully taking a given network path. Similarly, if you are able to traverse to somewhere you probably shouldn’t be, you can figure out why, and what you’d need to change to stop it.

Which is the next great thing about models: simulations of a reality that doesn’t actually exist.

Living in a simulation

Forward Networks model lets you run simulations of a potential future to see what might happen. Sure, you might stop an attacker if you change the Winnipeg firewall rules, but you’d also break the financial reporting app that the CFO uses. This is a great thing to find out before you’ve broken production and have to explain to the C-suite why they can’t get their work done by end-of-quarter deadlines.

You don’t just have to live in one simulation, either. You can have a whole bunch of them! A series of parallel universes that don’t really exist, but potentially exist. Try out a few different ideas and see which one you like best!

I can see using Forward Networks’ model as a handy augmentation to tabletop exercises where you play out a “what would we do if the finance database got infected with ransomware?” scenario. You could actually test out your “what if” plans to see if they’re likely to work, and maybe discover that some of your assumptions are quite wrong. Think of it like a corporate D&D session with a really detailed map and figurines to move around as you roll to save vs. malware.

The map is not the territory

One note of caution, however: As statistician E. P. Box said “All models are wrong, but some are useful.” We need to be very careful when using models of reality that we don’t forget that they are just that: models.

This is one reason that Forward Networks is read-only. It doesn’t have the ability to manipulate production directly, and that’s a good thing. The model might be very good, but it can’t contain everything. As some of my fellow delegates pointed out: the model contains only what has been modelled, what is usual. An attacker breaking in via a brand new vulnerability probably won’t be in the model, because it deals with unknown quantities that the model can’t know about.

We also have to be careful that the model might be wrong about what reality really does. Networks are complex and weird. Forward Networks will make it easier to understand, but the emergent complexity of large networks often defies human understanding. Some angry sand we tricked into doing binary maths probably won’t understand it all, either.

But there is still plenty of useful work to be done within the constraints of what Forward Networks model does contain. Provided we remind ourselves that none of this is real, we can embrace what makes this unreality useful and leave the constraints of the physical world behind, even if just for a moment or two. There is lots of scope to do really interesting work in this simulated world.

I was a guest of GestaltIT/TechFieldDay at Cloud Field Day 16

See Also

Related items

Canaries with credit cards

30 January 2023

Watermelons, legal musings, and AI hypemonsters abound, but we can trap them with canary credit cards.

Patterns All The Way Down

16 January 2023

Right-to-repair moves ahead, ChatGPT doesn’t change much, and IBM keeps making money.

Commvault Releases Metallic ThreatWise To Detect Threats To Your Data Early

21 September 2022

Data protection vendor Commvault has released Metallic Threatwise, a SaaS add-onfor Metallic that detects intruders when they first enter the environment.