The company’s formal verification engine, now in general availability, is aimed at “eliminating tedious manual correlation by humans and putting it into smart software,” Erickson says. In other words, Forward wants to automate away the human-error factor that causes network outages or security vulnerabilities.
It’s solving a problem that CEO Erickson and his co-founders — Brandon Heller, Peyman Kazemian, and Nikhil Handigol — encountered as students at Stanford University in a period starting around 2007, when they were doing early research on what became SDN. They were part of the team that was led by professor Nick McKeown and included Martin Casado, now a venture capitalist with Andreessen-Horowitz. (UPDATE: Andreessen-Horowitz’s representative on Forward’s board is Bill Krause, not Casado as reported in a previous version.)
Erickson himself went on to become a big name in early SDN. He wrote Beacon, an open source controller for OpenFlow, then joined Big Switch Networks, one of the earliest SDN startups, as employee No. 3. Beacon would be the seed for creating Big Switch’s own controller, Floodlight.
But back at Stanford, he and his fellow students ran into frustrations with the limited amount of visibility and automation they had in networks. “We felt the pain of that in an environment that didn’t have any significant tools to help you troubleshoot, because it was so bleeding-edge,” he says.
The bigger inspiration came after graduation, around 2013, the year Forward was founded.
“We went around to a lot of networking engineers around the world, and they told us they were feeling a lot of the same pain in their non-SDN networks,” Erickson says.
Forward’s founders had originally considered developing something for SDN-based networks, where the interfaces were clearly defined. They decided instead to tackle the issue for networks in general. The company has now grown to 22 employees and raised $11.5 million, most of it from a venture funding round in 2014 that includes Andreessen-Horowitz (but was raised before Casado joined the VC firm).
One Click Away From Disaster
Part of what makes the network so complex is the diversity of devices in it. Every vendor has its own operating system (“Cisco’s got, like, what — five? — at this point,” Erickson says) and network management system.
The other problem is the scale of networks: “tens of thousands, or hundreds of thousands, of devices not including servers, and any one of those may have half a million rules,” Erickson says. “You’ve got this cognitive load that’s being put onto humans. You’re one change away from a major business-affecting outage.”
Forward believes the answer lies in formal verification, the process by which engineers confirm that a semiconductor’s complex circuitry will actually do what it’s supposed to. Kazemian’s research at Stanford involved applying this concept to a network.
“He had the world’s first paper on how to precisely model every individual network device in your environment, and on top of that, an algorithm that would trace where every packet could go in your network,” Erickson says.
Another startup applying formal verification is Veriflow, which raised $8.2 million in July. Veriflow claims to model every possible data flow in the network, then figure out which flows would cause outages. The company is also emphasizing its technology’s ability to spot breaches.
Other configuration tools could develop similar capabilities, but Forward believes one barrier to entry in this market could be scale. Modeling every device in the network — every switch, every firewall, every load balancer — takes time. Forward spent three years developing a way to automate the addition of new devices into its model, Erickson says.
Search, Verify & Predict
Forward’s software, which is in general availability for deployments on-premises or in the cloud, so far supports three applications: Forward Search, Forward Verify, and Forward Predict.
They do pretty much what the names say. Search is a way to find out where packets are going. Using a Google-like interface, it delivers more thorough information about the network than the usual ping and traceroute tools do, Erickson says. Verify checks whether network policies are always being met.
Predict lets network operators test a change to a network ahead of time. This is a big deal, because lacking that predictive ability, operators tend to install changes during off-hours and rapidly roll back those changes if something goes wrong.
Photo: Forward Networks. That’s
Erickson Behram Mistri in the middle and Handigol to the right.