Arista enhances its multi-domain segmentation to fight east-west threats

This syndicated post originally appeared at Zeus Kerravala – SiliconANGLE.

Arista Networks Inc. today announced an enhancement to Arista MSS — Multi-Domain Segmentation Service — to create a zero-trust enterprise network.

“We tried to overcome one of the biggest challenges of micro-segmentation technologies that are always deployed in islands today,”Alessandro Barbieri, director of product management at the company, told me in a briefing. “There is no truly end-to-end technology with a single orchestration model, a single operating system, across campus branch and data center. And that’s why we call it multi-domain.”

The problem Barbieri outlined is a real one as micro-segmentation has evolved along the lines of network domains. Some great micro-segmentation tools exist for data centers, campus networks, Wi-Fi and the wide-area network, but each must be managed independently. This means segmenting each domain is done independently, which makes it significantly more challenging to create consistent policies, particularly in highly dynamic environments.

Enabling microperimeters

One of the more interesting aspects of Arista’s MSS is that it eliminates the need for endpoint software agents or proprietary network protocols while enabling effective “microperimeters” that restrict lateral movement in campus and data center networks, which reduces the impact of security breaches like ransomware.

The use of software agents isn’t bad, per se, but adds another level of complexity. Each system must be configured, agents can vary by operating system, and not all endpoints, particularly internet of things devices can host an agent. This leaves many blind spots between the domains.

Arista MSS enables the following capabilities:

  • Stateless wire-speed enforcement in the network: Arista’s identity-aware microperimeter enforcement enables lateral segmentation.
  • Redirection to stateful firewalls: By integrating with Palo Alto Networks and Zscaler firewalls and cloud proxies (among others), MSS sends the right traffic to security controls.
  • CloudVision for microperimeter management: Real-time visibility into packets, flows, and endpoint identity provides effective east-west lateral segmentation.

“We want to do our part and use the network for what it’s good at, which is delivering more and more secondary services,” Barbieri said. “And the latest security service we have added to the portfolio is this micro-segmentation technology.”

The integration with firewalls is the right approach for Arista. Too often, micro-segmentation vendors are dismissive of firewalls. While traditional firewalls do not handle east-west traffic well, they are good and protecting north-south traffic flows. East-west is network traffic that occurs within an organization’s internal network, while north-south traffic involves outside networks.

The traditional perimeter has collapsed

Barbieri says that Arista subscribes to the notion that the traditional enterprise perimeter has fundamentally collapsed. “Not only because users are now distributed everywhere,” he said. “But most of the devices connected to the network are also unmanaged. So unknown devices represent the future expansion of your business.”

He told me that, with applications distributed — in your private data center, in a collocated data center or in the public cloud — controlling the network with traditional security has proven ineffective.

Barbieri explained why the network is the right approach to micro-segmentation. “The network connects all the endpoints and is best positioned to deliver better end-to-end micro-segmentation services.”

But you’ll still need those old tools. “You’ll still need perimeter security, you’ll still need VPN, you’ll still need endpoint security technologies,” he said. “But the game here is how to use the network to play a more central role.”

Barbieri says Arista wants to integrate its segmentation with threat detection and access control technologies to close the loop. “So you can admit someone into the network, and you can restrict their ability to move laterally,” he said. “But at the same time, you continuously monitor to adapt your policies and track their behavior.”

Some final thoughts

The network connects all points, and, in many ways, the network is the perimeter. Wherever the network goes, it needs to be protected. So Arista’s approach is sound. Its technology is good, and it has integrations with best-of-breed security vendors.

Over the past several years, Arista has built out its security portfolio. Although I’m not ready to declare the company a vendor that can lead with security, it has a growing set of products and services that can protect its customers by leveraging network data.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.