Security Validation Overview
Invariant empowers network and security teams to rigorously validate their network configurations against defined security policies. With Invariant you can identify potential security misconfigurations, ensure compliance, and investigate network behavior without impacting the live environment. This overview explores how Invariant facilitates security validation through its rule evaluation models, various enforcement strategies, and its utility in compliance and research.
Evaluation Models
Invariant provides flexible ways to evaluate your network against security rules:
On Upload
The primary method for security validation is through including rules in the uploaded snapshot. These are access policy and critical flow rules defined in YAML files within your snapshot's `invariant/policies/` directory. When you upload a snapshot using the `invariant run` command, Invariant automatically:
- Builds a model of your network from the provided configuration files.
- Evaluates all installed rules against this model.
- Generates detailed reports, such as `policy_ok`, `policy_violations`, `critical_flows_ok`, and `critical_flows_violations`, which indicate the pass/fail status of each rule and provide example traceroutes for violations or successful critical flows.
This model is ideal for continuous validation and as part of automated CI/CD pipelines.
```bash
# Example: Running Invariant to evaluate installed rules
invariant run --target /path/to/your/snapshot/
```
Interactive/Focused Evaluation
While Invariant's core strength lies in comprehensive snapshot analysis, users often need to test specific scenarios or rule ideas without waiting for a full snapshot upload or impacting the main policy set. This can be achieved by:
- Crafting Specific Policy Files: Create temporary or focused policy files in a test snapshot (or a branch in your configuration-as-code repository) to evaluate particular "what-if" scenarios or new rule logic. Running `invariant run` on this targeted snapshot provides the validation.
- Detailed Report Analysis: The reports generated from a full snapshot run (e.g., `policy_details`, `critical_flows_details`) contain extensive information, including virtual traceroutes. Analyzing these reports helps understand the impact of individual rules and network paths.
- Leveraging Underlying Capabilities: Invariant builds upon the powerful network modeling and querying capabilities of Batfish. While direct Batfish queries are not the primary Invariant user interface, this foundation enables Invariant's deep analysis. For instance, Batfish's `searchFilters` can exhaustively check how ACLs treat large spaces of flows, a concept Invariant's rule engine uses to validate `deny` and `deny-others` rules.
This approach allows for iterative rule development and targeted troubleshooting.
Enforcement Strategies
Invariant supports multiple strategies for enforcing your security policies:
Live Monitoring & Alerting
For continuous assurance, Invariant can monitor your live network:
- Regular Syncing: Periodically upload snapshots of your live network configurations to Invariant. This can be automated using scripts or CI/CD tools.
- Automated Alerts: Configure Notification Groups in Invariant. If an uploaded snapshot results in rule violations, Invariant automatically sends alerts to the specified email addresses.
- Incident Analysis & Remediation Tracking: The Snapshot History provides a time-series view of your network's compliance. In case of an incident, you can analyze past snapshots to understand when a violation was introduced and track the time to remediation.
This strategy helps in quickly detecting and responding to unintended changes or drifts from the desired security posture in the production environment.
Pre-flight Validation
Prevent misconfigurations from ever reaching your production network by validating changes before deployment:
- Test Proposed Changes: When planning a network change (e.g., new ACLs, routing modifications), apply these changes to a copy of your current configurations (e.g., in a separate Git branch).
- Analyze in Invariant: Upload this "candidate" snapshot to Invariant and run the rule evaluation.
- Prevent Deployment on Failure: If Invariant reports violations, the change should not be deployed until the issues are resolved. This proactive approach significantly reduces the risk of outages or security breaches.
- CI/CD Integration: Integrate Invariant checks into your CI/CD pipeline (e.g., using Jenkins, as demonstrated in our Preflight Automation Demo). This automates the validation process, ensuring all changes are vetted.
- Golden Configuration: Maintain a "golden" snapshot or branch representing the ideal, validated state of your network. Proposed changes can be compared against this baseline to identify any deviations.
Pre-flight validation is a cornerstone of a robust network-as-code practice.
PCI-DSS Compliance Support
Invariant's security validation capabilities can be a valuable asset in achieving and maintaining PCI-DSS (Payment Card Industry Data Security Standard) compliance:
- Network Segmentation Validation: Use `deny` and `deny-others` rules to rigorously verify that the Cardholder Data Environment (CDE) is properly isolated from other network segments, allowing only explicitly authorized traffic.
- Firewall Rule Verification: Ensure that firewall configurations (represented as ACLs or zone policies in Invariant) permit only necessary ports and protocols into and out of the CDE.
- Continuous Monitoring: Employ live monitoring to detect any configuration drift that could compromise PCI-DSS compliance, providing timely alerts.
- Auditable Evidence: Invariant's reports and snapshot history serve as auditable proof of network policy enforcement and compliance checks over time.
By modeling and validating network access controls, Invariant helps organizations demonstrate due diligence and maintain a compliant security posture.
Network Security Research
Beyond routine validation, Invariant serves as a powerful tool for proactive network security research and investigation:
Identifying Exposures
- Unintended Access Paths: Write `deny` rules for traffic that should never be allowed (e.g., direct internet access to internal management interfaces) or `deny-others` rules for sensitive zones to discover any existing, unapproved access paths.
- Zero Trust Backlog Generation: Use `deny-others` rules with `enforce: false` (see Build a Zero Trust deployment backlog) to identify all currently permitted flows into or out of a segment. This report becomes a backlog for creating an explicit Zero Trust policy.
- High-Risk Protocol Search: Search for any allowed instances of high-risk protocols (e.g., Telnet, unencrypted FTP) to sensitive areas.
Vulnerability Assessment Context
While Invariant doesn't perform vulnerability scanning itself, it provides crucial context. By combining Invariant's reachability data (what can talk to what, and over which ports/protocols) with information from vulnerability scanners (e.g., a list of unpatched services on specific hosts), security teams can:
- Prioritize patching efforts by focusing on vulnerabilities that are actually exploitable given the current network configuration.
- Identify compensating controls (like ACLs) that might mitigate the risk of an unpatched vulnerability.
Validating ACL/Firewall Soundness
Invariant's underlying analysis, inherited from Batfish, can help identify issues within ACLs themselves, such as:
- Shadowed Rules: Lines in an ACL that will never be matched because preceding lines cover all their conditions.
- Redundant Rules: Unnecessary rules that don't change the overall behavior of the ACL.
Identifying and rectifying these issues improves ACL efficiency and maintainability, reducing the chance of errors.
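The following is an added example, not Invariant's or Batfish's own code, that makes the checks described on this page concrete with a toy first-match ACL model: the exhaustive `deny` and `deny-others` evaluation referred to under Interactive/Focused Evaluation, PCI-DSS segmentation and Identifying Exposures (including the `enforce: false` backlog use), and the shadowed/redundant line detection described just above. The ACL, the segment addresses and the rule shapes are constructed for illustration; the exhaustiveness comes from enumerating one representative flow per boundary cell, which is an assumption of this example (Batfish uses a solver rather than enumeration) but gives the same coverage for prefix-and-port-range matchers.

```python
# Added example (not Invariant's or Batfish's own code): a toy first-match ACL
# model showing what an exhaustive "deny" / "deny-others" check and a
# shadowed/redundant-line check compute. All addresses and lines are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from itertools import product


@dataclass(frozen=True)
class Line:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: tuple         # inclusive (lo, hi) destination-port range


def line(action, src, dst, lo=0, hi=65535):
    return Line(action, ip_network(src), ip_network(dst), (lo, hi))


def matches(l, src, dst, port):
    return src in l.src and dst in l.dst and l.ports[0] <= port <= l.ports[1]


def first_match(acl, src, dst, port):
    """First-match semantics with an implicit deny (index -1) at the end."""
    for i, l in enumerate(acl):
        if matches(l, src, dst, port):
            return i, l.action
    return -1, "deny"


def _addr_points(nets):
    # Lower edge of every prefix plus the address just past its upper edge.
    nets = list(nets)
    pts = {int(n.network_address) for n in nets}
    pts |= {int(n.broadcast_address) + 1 for n in nets if int(n.broadcast_address) < 0xFFFFFFFF}
    return [IPv4Address(p) for p in sorted(pts)]


def _port_points(ranges):
    ranges = list(ranges)
    return sorted({lo for lo, _ in ranges} | {hi + 1 for _, hi in ranges if hi < 65535})


def representative_flows(acl, spaces):
    """One flow per cell of the grid cut out by every prefix and port range in
    the ACL and the query spaces. Each matcher is a box (src prefix x dst
    prefix x port range), so a decision that holds on these points holds on
    every flow: an exhaustive check by enumeration rather than by a solver."""
    boxes = list(acl) + list(spaces)
    return list(product(_addr_points(b.src for b in boxes),
                        _addr_points(b.dst for b in boxes),
                        _port_points(b.ports for b in boxes)))


def permitted_in(acl, space, exceptions=()):
    """Flows inside `space` that the ACL permits and no exception covers.
    A deny rule uses exceptions=(); a deny-others rule lists its approved
    flows, and what remains is a violation (enforce: true) or, as the page
    describes, a Zero Trust backlog (enforce: false)."""
    hits = []
    for s, d, p in representative_flows(acl, [space, *exceptions]):
        if not matches(space, s, d, p) or any(matches(e, s, d, p) for e in exceptions):
            continue
        if first_match(acl, s, d, p)[1] == "permit":
            hits.append((str(s), str(d), p))
    return hits


def shadowed_lines(acl):
    """Lines no flow can reach because earlier lines cover all of them."""
    reached = {first_match(acl, *f)[0] for f in representative_flows(acl, [])}
    return [i for i in range(len(acl)) if i not in reached]


def redundant_lines(acl):
    """Reachable lines whose removal changes no decision."""
    flows = representative_flows(acl, [])
    baseline = [first_match(acl, *f)[1] for f in flows]
    shadowed = set(shadowed_lines(acl))
    return [i for i in range(len(acl)) if i not in shadowed
            and [first_match(acl[:i] + acl[i + 1:], *f)[1] for f in flows] == baseline]


# Constructed inbound ACL guarding a cardholder-data segment 10.99.0.0/24.
CDE_ACL = [
    line("permit", "10.20.0.0/24", "10.99.0.0/24", 443, 443),  # 0 app tier, HTTPS
    line("deny",   "0.0.0.0/0",    "10.99.0.0/24", 23, 23),    # 1 no Telnet into CDE
    line("permit", "10.50.0.0/16", "10.99.0.0/24", 22, 22),    # 2 jump hosts, SSH
    line("permit", "10.50.1.0/24", "10.99.0.0/24", 22, 22),    # 3 shadowed by line 2
    line("deny",   "10.30.0.0/24", "10.99.0.0/24"),            # 4 redundant: implicit deny already
    line("permit", "10.20.0.0/16", "10.99.0.5/32"),            # 5 legacy any-port hole
]

# Rule shapes mirroring the page: a deny rule (nothing in this space may be
# permitted) and a deny-others rule (only the listed exceptions may be).
NO_TELNET = line("deny", "0.0.0.0/0", "10.99.0.0/24", 23, 23)
CDE_ANY = line("deny", "0.0.0.0/0", "10.99.0.0/24")
APPROVED = [line("permit", "10.20.0.0/24", "10.99.0.0/24", 443, 443),
            line("permit", "10.50.0.0/16", "10.99.0.0/24", 22, 22)]

if __name__ == "__main__":
    print("deny telnet violations:", permitted_in(CDE_ACL, NO_TELNET))
    print("deny-others backlog:", permitted_in(CDE_ACL, CDE_ANY, APPROVED))
    print("shadowed:", shadowed_lines(CDE_ACL), "redundant:", redundant_lines(CDE_ACL))
```

Run as a script, the Telnet `deny` check passes (line 1 catches every Telnet flow into the segment), the `deny-others` check surfaces the legacy any-port hole in line 5 as nine representative flows toward 10.99.0.5 that no approved exception covers, line 3 is reported as shadowed, and line 4 as redundant. Each returned flow is the kind of concrete witness a report like `policy_violations` attaches to a failing rule, and the backlog list is what a `deny-others` rule with `enforce: false` would hand you to turn into explicit policy.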
By providing a detailed, queryable model of the network, Invariant enables security professionals to ask complex "what-if" questions and thoroughly investigate the security posture of their infrastructure.