From network security to secure networks
A new age of edge-less, multi-cloud, multi-device collaboration for hybrid work has given rise to a new network that transcends perimeters. As hybrid work models continue to gain precedence through the new network, it has become vital for organizations to address the cascading attack surface. Continuously evolving cyber threats can no longer be mitigated by reactionary bolt-on security measures or perimeter firewalls. Instead, organizations need security to permeate the underlying network infrastructure.
Security measures need to pivot from reactive to a more proactive approach of continuous contextual network monitoring that ensures threats are detected and mitigated before an expansive data breach.
Being secure in the new network, the zero trust way.
A zero trust networking approach to security is paramount for organizations looking to build a robust cybersecurity ecosystem today. Based on the premise of explicit trust, zero trust security ensures complete visibility and control over any enterprise network activity, regardless of which device, application, or user is accessing that resource.
This paradigm shift has prompted best-in-class enterprises to bake security into the core of their network infrastructure. Implementing security at this layer reduces operational costs and complexity and represents the most effective way to track and successfully manage threats coming in from the wider attack surface.
Zero Trust Networking
Arista’s suite of security solutions helps customers accelerate their journey towards zero trust maturity. Based on the CISA Zero Trust Maturity Model, Arista supports all the essential functions CISA recommends for the network: network segmentation, network traffic management, traffic encryption, and network resilience along with controls for visibility and analytics, automation and orchestration, as well as governance.
In fact, the network can be the center of any organization’s CISA zero trust maturity efforts.
The network is pervasive – every communication hits the network at some point enabling observability, threat detection, and access control to be transparently enabled. This provides risk mitigation for the legacy devices, workloads, and data stores that cannot be easily “ZT-fied.” As a result, implementing zero trust on the network can accelerate the overall zero trust program and buy time to address deeper challenges in the other domains – like data or workloads.
The network does not care whether the devices are managed or unmanaged -- instead, it can identify those devices and apply policies for authentication and authorization, irrespective of what they are and where they are currently.
The network is much more homogenous than devices, workloads, users, data, etc. Protocols like TCP/IP are universal unlike the complexity involved with different operating systems or application server software.
Of course, some would argue the network does have blind spots, for instance, remote endpoints or branches that do not backhaul network traffic but route directly to the Internet. These setups may not hit the organization’s traditional network and thus be “invisible” to the organization’s zero trust controls. Any zero trust networking architecture must therefore act as a strong network underlay and support tight workflow integrations with complementary security overlay solutions such as endpoint detection and response or zero trust network access technologies.
Arista Enables Universal Zero Trust Networking
As evidenced by the Universal Cloud Network (UCN) architecture, Arista helps customers build networks that are secure by design. Arista’s zero trust portfolio eliminates the need for several network monitoring and security tools by delivering a unified and integrated architecture that provides real-time visibility of the threat posture across the network and the ability to take action. Arista is uniquely positioned to deliver these capabilities across various networks: from the campus to the data center and the cloud.
Arista's Multi-Domain Segmentation Service (MSS) is a comprehensive microsegmentation solution that provides fine-grained security policies based on microperimeters defined around the identity of endpoints or applications.
MSS offers a consistent architecture across multiple network domains, is both network and endpoint-agnostic, and enables the distributed enforcement of stateless policies at wire speed within the Arista EOS-powered switches or can redirect traffic to a third-party firewall for stateful L4-7 inspection. Arista MSS thus enables lateral segmentation offloading the capability from firewalls that would have to be explicitly deployed for this purpose.
Arista MSS also automates the management of microperimeters by connecting to external sources and dynamically identifying and tagging the endpoints and workloads. To get this information, Arista MSS can connect to various external sources, such as NAC, CMDB, IPAM and server virtualization systems.
Network Traffic Management
The network traffic management function requires the ability first to identify applications and then classify them for optimal user experience. These capabilities are operationalized through quality of service and bandwidth reservations as well as granular monitoring policies. Arista EOS provides robust quality of service features as well as the ability to classify the traffic for appropriate prioritization within the network relative to other applications. The Arista DANZ Monitoring Fabric (DMF) enables IT operators to pervasively monitor all user, device/IOT, and application traffic (north-south and east-west) by gaining complete visibility into physical, virtual, and container environments. Deep hop-by-hop visibility, predictive analytics, and scale-out packet capture — integrated through a single dashboard — provides unprecedented observability to monitor, discover, and troubleshoot network and application performance issues, as well as accelerates discovery of root causes of security breaches and other outages.
Traffic Encryption
Arista network infrastructure natively supports encryption capabilities such as MACsec and TunnelSec. These capabilities, implemented on the switches, enable organizations to encrypt data to and from legacy applications and workloads without changing those systems but instead relying on the network to protect data from unauthorized access, interception, and tampering.
TunnelSec uses industry-standard protocols like IPSec and SSL/TLS to establish secure tunnels across any network, including the public internet and thus enable secure communication and data exchange between remote locations. This is particularly useful for organizations with multiple branch offices or data centers that need to communicate securely with each other over a public network.
MACsec operates at the link layer of the network stack and provides data encryption between campus or data center network devices. MACsec is used to secure communications between devices on the same physical network, such as within a data center.
Network Resilience
Arista EOS and CloudVision bring a modern approach to continuous application delivery and performance. The key to resilience in a zero trust context lies in the ability to dynamically expand or reduce with network demands. For instance, this could mean having the ability to burst and use a utility cloud when the demand is higher or availability is threatened. Similarly, network operations could use capacity from disaster recovery sites or backup data centers. Arista’s Cloud Vision and EOS work hand in hand to dynamically provide onboarding and connectivity to any public utility clouds securely and with optimal performance. In many instances, customers striving for zero trust maturity in this function deploy data centers in active/active configuration using robust EOS features such as EVPN that provide the entire capacity as a single virtual data center while still providing geo-specific fault tolerance. CloudVision, in turn, provides a single pane of glass management for both the traditional data center as well as the hybrid cloud.
Visibility and Analytics
Arista NDR is an AI-enabled platform that analyzes billions of network communications to autonomously discover, profile, and classify every device, user, and application across the new network—perimeter, core, IoT, and cloud networks. Based on this deep understanding of the attack surface, the platform detects threats to and from these entities while providing the context necessary to respond rapidly.
Arista NDR can deliver visibility and analytics enterprise-wide by utilizing existing deployed switches as network security sensors. As a result, organizations can benefit from broad situational awareness without the need to deploy additional network tapping infrastructure or network visibility solutions, but instead by relying on infrastructure that is already deployed. This is especially important in campus and branch locations where such components can be complex to deploy and maintain without dedicated rack space and local IT expertise.
Automation and Orchestration Capability
The Arista CI Pipeline provides an advanced CI environment for managing network and security operations, built upon the visibility delivered by the Arista CloudVision platform. This capability, along with Arista Validated Designs (AVD), greatly simplifies and enhances the automation of network and security operations workflows.
Governance Capability
CloudVision Arista Guardian for Network Identity™(CV AGNI) is a software-as-a-service network access control (NAC) solution that simplifies the onboarding and ongoing governance of network identity across users, their associated devices, and the internet-of-things for both wired and wireless networks. CV AGNI uses existing identity providers such as Microsoft Azure AD or Okta. It acts as the policy decision point (PDP) and policy enforcement point (PEP), both critical for an effective zero trust architecture. CV AGNI performs dynamic authorization via real-time posture assessments based on data from Arista NDR and third-party technologies such as endpoint detection and response solutions. Based on these assessments and policies defined by the organization, unauthorized entities or those violating security policies can be automatically quarantined.
Securing the New Network with a Unified Security Strategy
Networks have evolved in the last 20 to 30 years, but network security still hasn’t. Siloed traditional models persist and organizations are left with gaping holes in their visibility across the campus, branch, and data center networks. Most organizations have several diverse cybersecurity solutions that are patched together to combat known threats. Arista’s solutions are designed to scale and support a variety of networks. Arista’s security approach allows organizations to set up enforcement and access control mechanisms via scalable admission control, encryption, and segmentation approaches; enable analytics that uncover malicious intent as early in the attack lifecycle as possible, and deliver autonomous response and guidance for remedial action via microsegmentation capability. Arista’s security solutions support out-of-the-box automated integrations with the rest of the infrastructure while also delivering the necessary decision-support data to the human analyst.
See More | Know More | Protect More
With a variety of devices - desktops, laptops, IoT, OT, cloud, SaaS, work-from-anywhere, supply chain systems, and contractor devices-- seamlessly connected to an organization’s infrastructure, visibility, detection and response for these “new” networks has become increasingly important. Network detection and response (NDR) technology is designed to tackle today’s pressing security threats.
How does Arista NDR secure the new network?
Why Arista NDR?
Powered by AVA Sensors, Arista NDR provides deep network analysis across the data center, campus, Internet of Things, and cloud workload networks. These sensors are available in a variety of form factors: from Arista switches with built-in NDR capabilities to standalone, virtual and cloud-based offerings. The sensors feed security-relevant layer 2 - layer 7 data into the AVA Nucleus where a combination of AI-driven detection models are used to uncover malicious intent. The AVA Nucleus can run entirely on-premises or in the Arista cloud as a SaaS offering. The platform also automates threat hunting and incident triage using artificial intelligence and presents the user with end-to-end attack analysis rather than a plethora of meaningless alerts. Analysts thus see the entire scope of an attack along with investigation and remediation options on a single screen while avoiding the effort of piecing it together themselves.
 |
Forrester, a leading research and advisory firm, has recognized Arista as a market leader in The Forrester Wave™: Network Analysis and Visibility (NAV) report. Their comprehensive analysis and evaluation resulted in Arista finishing in the top place for the Current Offering category and receiving more of the highest possible scores across the Strategy and Current Offering criteria than any other provider. |
Use Cases
|
Detection |
Response |
Situational Awareness |
Threat Hunting |
|---|---|---|---|
| The platform uses AI to detect & prioritize mal-intent & behavioral threats from both insiders & outside attackers while mapping these to the MITRE ATT&CK framework. | AVA forensically correlates incidents across entities, time, protocols, and attack stages, surfacing Situations with all the decision support data necessary to respond rapidly to any threat. | Arista NDR learns & tracks entities across IT, OT, or IoT environments, whether on-premise, cloud, or SaaS, and managed or unmanaged, including contractors and other third parties. | The platform’s rich data set and query capabilities enable powerful threat hunting workflows. AVA can take a single trigger from a human analyst and autonomously expose the entire kill-chain in a matter of minutes. |
Download the Arista NDR datasheet and whitepaper to learn more.
Arista’s Awake Labs offers comprehensive security strategy, operations, and advisory solutions focused on the customer’s unique breach response needs. This team collectively has more than 200 person-years of security experience, including responding to some of the most significant breaches in the world. Network detection and response, digital forensics, and threat hunting are key components of Arista NDR's ability to provide protection against non-malware and insider threats as well as support for investigative workflows.
Watch a 3-minute Arista NDR demonstration
Designed to be deployed in a few hours, Arista NDR also accelerates an organization’s zero-trust journey. The seamless integration of Arista NDR into other Arista technology as well as a customer’s existing security investments allows security teams to quickly identify high-risk incidents and compromised entities across their organization without requiring agents, manual configuration, or lengthy training periods.
Secure Networks vs. Network Security
|
|
|
|
|---|---|---|
| Many modern threats blend in with business-justified activities. Traditional security tools focus on malware, letting many behavioral threats go undetected. | Traditional security systems do not connect the dots across the entire attack, instead leaving a trail of breadcrumbs that analysts have to piece together. | If the enterprise security team can’t see every threat, detect malicious intent, or get insights to respond effectively, the enterprise can become extremely vulnerable to cyberattacks. |
To discover how network and security can be integrated BOOK A DEMO.
Arista's Awake Labs team can help- RESOLVE AN INCIDENT. Contact them now! Learn more about Arista NDR here.
Read our blog to learn more about network security and Arista NDR platform
Get the Awake Security Resources
Follow NDR!
 |
 |
 |
 |
To overcome the new security challenges and the explosion of clients in today’s perimeter-less enterprise networks, Arista delivers a novel AI-driven network Identity service, Arista Guardian for Network Identity or AGNI to connect the network, users, and devices across remote and geographically dispersed locations. Based on Arista’s flagship CloudVision, the new AGNI platform brings a revolutionary improvement to scale, simplicity, and security across users, their associated endpoints, and IoT devices.
Featured Video: Introducing Arista Guardian For Network Identity
CloudVision AGNI embraces modern design principles, Cloud native microservices architecture, and Machine Learning / Artificial Intelligence (ML/AI) technologies to significantly simplify administrative tasks and reduce complexities. It offers a comprehensive range of features to meet the requirements of modern networks.
CloudVision AGNI provides simple self-service onboarding using single sign-on (SSO) for wireless unique pre-shared keys and dot1x digital certificates, complete certificate life cycle management with cloud-native PKI infrastructure, authorization and segmentation, behavioral profiling, and visibility of all connected devices. AGNI integrates with all the leading Identity Providers including Okta, Google Workspace, Microsoft Azure, OneLogin, and Ping Identity. Devices are discovered, profiled, and classified into groups for single-pane-of-glass visibility and control.
CloudVision AGNI integrates with network infrastructure devices (wired switches and wireless access points) through a highly secure TLS-based RadSec tunnel. The highly secure and encrypted tunnel offers complete protection to the communications that happen in a distributed network environment. This mechanism offers much greater security to AAA workflows when compared with traditional RADIUS environment workflows, which are not encrypted. AGNI integrates with Arista products to enable the exchange of important user and client context, secure group segmentation (MSS-G), and authentication telemetry data. Additionally, AGNI can fetch consumer advanced profiling, posture, and network inventory data to provide comprehensive policy management and insights into network security. The platform’s API-first approach enables seamless integration with third-party solutions, allowing for the exchange of user and client context, authentication telemetry, and endpoint protection status. AGNI offers Arista’s Unique PSK (UPSK) solutions to enable secure authentication mechanisms for BYOD, IoT/IoMT, and gaming devices. AGNI extends its feature set to accommodate a wide range of client devices with its support for Captive Portal and MBA authentications.
AGNI integrates with Arista NDR and other third-party XDR and EDR solutions for post-admission control functionality.
Edge Threat Management
Bringing Cloud-managed Security & Connectivity to the Network Edge
Edge Threat Management is a comprehensive approach to security orchestration. Consisting of the award winning NG Firewall, Micro Edge and ETM Dashboard products, Edge Threat Management provides IT teams with the ability to ensure protection, monitoring and control for all devices, applications, and events on a network. This framework helps administrators enforce a consistent security posture across the entire digital attack surface—putting IT back in control of dispersed networks, hybrid cloud environments, IoT and mobile devices.
Featured Video: Arista Edge Threat Management
A Complete Network Security Solution
Edge Threat Management brings together a full range of different networking, security and optimization components to meet the needs of connected organizations, from core to cloud to network edge.
NG Firewall
Secure, Monitor and Manage Networks with Unified Threat Management Capabilities
Powerful policy management tools bring commercial-class security and access policies down to the level of specific devices or people, delivering a comprehensive, commercial-grade network security platform for organizations of any size in any industry.
Enabling IT administrators full access and visibility to monitor, manage, and control their network while also providing protection from evolving threats, NG Firewall simplifies network security implementation for IT administrators.
Micro Edge
Connect Branch Offices and Optimize the Network
Micro Edge is a lightweight network-edge device designed for branch office connectivity, network performance optimization, and business continuity.
Micro Edge uses optimal predictive path selection technology, which incorporates a sophisticated cloud component to identify applications at the first packet. This advanced technology enables Micro Edge to choose the best path for specific applications or categories of network traffic. When performance matters most, such as for business-critical, but bandwidth-intensive applications, Micro Edge will decide in real-time which link to use based on actual current link performance to ensure that traffic utilizes available connections in the most efficient manner.
Micro Edge simplifies and reduces the costs of branch office networking. Micro Edge is a lightweight edge device designed for the needs and budgets of small offices.
ETM Dashboard
Simplify Deployment and Management with Zero Touch Provisioning and Cloud-based Centralized Management
Every NG Firewall and Micro Edge deployment can connect to ETM Dashboard, making configuring and managing one appliance or thousands of appliances, easy.
ETM Dashboard’s integration with industry leading endpoint security vendors provides administrators with an easy way to see the status of remote firewalls and branch office routers, manage devices on the network, and initiate endpoint protection scans.
ETM Dashboard allows network administrators or MSPs to remotely view appliance status, bandwidth utilization and network traffic summaries, gathering valuable auditing logs about administrative changes, key to regulatory compliance, and manage software updates and business-critical data backups.
As organizations transform their digital infrastructure to accommodate hybrid & multi-cloud efforts, a mobile workforce, and the explosion of various IT, OT & IoT devices, the traditional network perimeter has vanished. Simultaneously, attacker tactics continue to evolve and the impact of breaches like ransomware and insider threats can be devastating. Organizations must adopt a zero trust posture with microperimeter-based defenses around each critical digital asset.
Microsegmentation is essential for zero trust
Zero trust is a people, process, and technology framework with controls that enforce explicit access checks for each digital resource in the environment. This framework is a departure from the traditional model that relied on implicit trust, simply because the access originated from a device on the “inside” of the network. Implementing zero trust therefore requires establishing microperometers around critical assets that need to be protected. This mitigates risk to the organization by impeding lateral movement of attackers and preventing them from accessing the digital crown jewels.
Perimeter firewalls are not designed to cope with the volume and complexity of internal east-west traffic. Microsegmentation solutions have emerged to combat this challenge, establishing access controls based on the identity of the endpoints or applications, rather than on traditional network boundaries like subnets and VRFs. However, these tools have their own challenges. Network-based microsegmentation historically has resulted in inconsistent and fragmented architectures across campus, and data center networks, leading to gaps in security coverage and operational complexity. They also lock enterprises into single-vendor solutions, due to the use of proprietary protocols. On the other hand, endpoint-based offerings are operationally cumbersome to manage and have limited portability across the variety of enterprise endpoints, therefore excluding significant parts of the organization’s attack surface.
Standards-based Microsegmentation with Arista MSS
The Arista Multi-domain Segmentation Services (MSS) deliver four vital capabilities that help organizations overcome deficiencies in existing microsegmentation solutions and place the network firmly at the foundation of an effective zero trust posture.
1. Endpoint identity and microperimeter tags
The first step in planning a microsegmentation strategy consists of binding endpoints, workloads, and even networks to specific microperimeter tags. CloudVision MSS powered by Arista NetDL automates the management of microperimeters by connecting to external sources and dynamically identifying and then tagging the endpoints and workloads. Arista MSS can connect to various external sources like NAC systems, CMDBs, and virtualization infrastructure management solutions such as VMware vSphere.
2. “Zero Trust” policy planning with traffic map
Zero trust architecture principles require that all traffic on the network must be explicitly allowed by security policies. To create zero trust policies, it is vital to have complete visibility into existing traffic flows on the network. This ensures that policies protect the right resources while at the same time not impeding legitimate business-justified flows. Arista MSS maps all the communications within and across different parts of the network and provides a set of recommended policies to only permit trusted communications based on the observed traffic map.
3. Microperimeter enforcement in the network or redirect to Firewall
Arista MSS then distributes the zero trust policies to EOS-powered network switches. In turn, the switches can perform wire-speed distributed enforcement themselves or redirect the traffic to a third-party firewall for stateful L4-7 inspection. Importantly, Arista’s switch-based enforcement overcomes the challenges associated with traditional ACL-based segmentation such as TCAM exhaustion, by leveraging an advanced tagging engine that optimizes hardware utilization and maximizes scalability. Furthermore, because the tags are internal to a switch and are not shared across the network infrastructure, Arista MSS can seamlessly insert into any multi-vendor network. This approach also avoids any proprietary protocols that force organizations into single-vendor networks.
4. Continuous Traffic monitoring and visibility of policy violations
Once the zero trust policies are deployed, MSS can monitor for policy violations and report on the specific flows dropped in the network. This provides vital intelligence to the administrator to update the zero trust policies when valid, yet new, services are denied as well as monitor specific endpoints that are attempting to violate traffic rules.
Literature
- .MSS Solution Brief
- .Arista Networks Multi-Domain Segmentation Service™ (MSS)
- .Campus Design For MSS
- .Zero Trust: Accelerating Your Maturity via the Network
- .DANZ Monitoring Fabric Datasheet
- .Secure Cloud Segmentation with Arista Networks and Zscaler Solution Brief
- .CloudVision White Paper
- .Security Monitoring with DANZ
- .Security for the Cloud Data Center White Paper
- .Building Your Zero Trust Strategy with NIST 800-207 and Arista NDR
- .The 5 Levels of Autonomous Security: What level are you?
- . Top 4 Roadblocks to SOC Productivity
Case Studies
Edge Threat Management
- .Edge Threat Management Datasheet
- .Cybersecurity Incident Response Plan
- .Keeping Your Network Safe
- .Building a Cybersecurity Risk Assessment Plan
- .Employee Training: Cybersecurity 101
- .Arista ETM Healthcare Data Sheet
- .Addressing Record Breaking Cyberattacks in Schools
Video
- .Network Detection and Response Demo – Awake in 3 Minutes
- .Innovate 2021 – Security Roundtable
- .TAG Cyber interviews Rahul Kashyap on the Technical Aspects of the New Network
- .TAG Cyber interviews Rahul Kashyap on the Business Problems & Challenges of the New Network
- .Cloud Visibility Solutions with Arista DANZ
- .Enterprise Wide Contextual Analysis with DMF