This startup uses math to show whether your network is safe

How do you know your network is safe from attacks and failures? Veriflow, a startup with backing from the U.S. Defense Department, says it can make sure.

Veriflow applies a practice called formal verification, used in preparing Mars missions and military gear, to figure out ahead of time what could go wrong on a network. Using that information, it helps enterprises apply policies to prevent problems from starting or spreading.

If this sounds more at home in a lab than in a data center, it may be because that's where it came from. Veriflow's CTO, CSO and principal engineer are all longtime academics who worked on the problem together at the University of Illinois, and the National Science Foundation is a funder.

Veriflow says it's time for a new approach. Diagrams and network engineers' knowledge used to be enough to make sure the right packets would go through a network in the right way. Now infrastructure has become too complex, and changes too frequent, to rely on that approach, CTO and co-founder Brighten Godfrey said.

"Enterprise networks have become like building a piece of software," Godfrey said. Every line of code added to an application can have wide-ranging effects on how the software works, and there are too many pieces in the puzzle to predict what those effects will be.

What Veriflow can do with networks is a bit like what continuous integration does with software in a service like GitHub. Both examine the implications of a change, be it a new router configuration or a piece of code proposed as an addition to an application. But Veriflow does this mathematically, at a deep level: It identifies every possible data flow on the network, then helps users set policies to control those data flows.

There's a challenge to doing that: The number of possible ways for a packet to behave on a network is an astronomical number, on the order of the number of atoms in the universe. Veriflow developed software to get around that hurdle.

"We can't literally go through every possibility," Godfrey said. "So the magic is in the algorithms that determine everything that could happen in an efficient way."

Veriflow starts by using a virtual appliance, in the cloud or on the customer's premises, to survey the network and collect information. It examines routers, switches and other devices, both physical and virtual, and looks at things like routing and forwarding tables to determine all possible data flows. In IT shops that use policies to control their networks, the findings can show whether those policies work as intended.

Armed with that data, customers can use Veriflow's policy recommendations, which are based on industry best practices, or use the Veriflow dashboard or APIs (application programming interfaces) to create new policies.

Veriflow doesn't take the place of security tools like firewalls, it just shows whether the way they're implemented is the right way to protect the network against attacks, Godfrey said. Later, if an attack does occur, Veriflow can show a security response team what the network looks like and where the harmful packets could have gone.

Veriflow is already in use in both lab trials and production networks and should be generally available in the second half of this year, the company said.

Enterprise Strategy Group analyst Dan Conde wants to know more about those live implementations to gauge how Veriflow will work outside a lab. Real networks include devices and appliances from many vendors and both traditional hardware and software-defined components, Conde said. "It's a messy world out there."

As with any new product designed to make networks more secure, there's also a place for some caution, he said. Any team that's built a system like Veriflow's must have deep security knowledge, but there are always surprises in the real world.

"Security is one of those things that it just takes time to harden," Conde said.