
arista.com

White Paper

Migration from Silo Security to Secure Holistic Cloud Networking

Enterprises are rapidly transforming their critical network infrastructures to encompass private, public and hybrid cloud architectures. This complex mesh of diverse network topologies coupled with dense virtualization and artificial intelligence applications has posed exponential security challenges. Concurrently, an upsurge in unrelenting cyber attacks and advanced ransomware has made security paramount for enterprises.

To address the risk, scale and mitigation of persistent security issues, Arista has upped its ante to provide enterprises consistent, holistic network-wide security measures across cloud networks and firewall infrastructures, replacing the antiquated box-by-box approach. The confluence of Arista’s Zone Segmentation Security and Cognitive WiFi along with its Macro-Segmentation Services (MSS™), VMware’s micro-segmentation offering, and advanced firewalls from partners deliver on the promise of simple and secure cloud networking.


2000 Era: Server Virtualization

Server virtualization in the datacenter created the need for scaling out the subnets and addresses needed for network access. When these VMs (virtual machines) and workloads could be relocated to any physical server, the network needed to adjust its security services model to accommodate this transition. Arista addressed these needs by co-developing the VXLAN standard. This enabled East-West traffic in the data center to be selectively directed to firewalls for inspection, eliminating the need to check every traffic flow. VMware’s pioneering micro-segmentation formula used virtualized firewalls within public or private cloud environments to facilitate inspection and segmentation of virtual and bare-metal workflows, extending the security boundary to workloads and virtual machines.

2010 Era: Cloud Phase

This period witnessed virtual servers being relocated not just within the data center, but into major public cloud providers such as Amazon AWS, Microsoft Azure and Google Cloud. Even as data center networks, with their physical switches, extended into the multi-cloud ecosystem, there was a corresponding expectation to extend segmentation services consistent with the approach in data centers. Arista developed a virtual version of its EOS®, vEOS® (virtual Extensible Operating System), and made it available to customers across the major cloud-provider marketplaces, rich in routing, networking and VPN capabilities. The new inter-cloud virtual network could now be deployed in a hub-and-spoke or mesh configuration over the Internet by leveraging the IPSec VPN capabilities of vEOS.

Simultaneously, in the 2015 timeframe, VMware pioneered micro-segmentation by using firewalls within either a public or private cloud environment, while Palo Alto, Fortinet and Check Point introduced next generation firewalls. Complementing micro-segmentation and advanced firewalls, Arista launched MSS, which could be dynamically applied to cloud networks for secure workload mobility and workflow visibility. This high-level partnership drove standards-based secure segmentation functionality with uniform security control.

2020 Era: Securing PICS

Arista’s master enforcement of secure holistic cloud networking relies on segmentation to securely and seamlessly orchestrate network-wide preemptive measures spanning the entire spectrum of workloads and their locations in multi-cloud environments. In the past, PINs (places in network) depended on siloed architectures to deploy, develop and operate network-based security. In the 2020 era, as workloads have moved to the cloud, virtualization and containerization are driving the security approach of segmentation. Meanwhile, the adoption of microservices and serverless computing has created a dire need for secure Places in the Cloud, or PICS. Arista’s consistent network segmentation with Arista Any Cloud offers a compelling approach to enforce pertinent security across applications, users and places in the cloud. In particular, Arista’s common cognitive framework encompasses cognitive threat controls, secure connectivity for increased protection, and granular (micro to macro to zone) segmentation methods for network-wide risk mitigation. This over-arching framework provides enterprises a consistent, open and uniform way of ensuring secure network-wide cloud networking.

At the heart of building a secure cloud network is the right segmentation architecture for on-premises (Campus and datacenter) and public clouds. Arista’s Macro-Segmentation and its extension to the cloud with Zone Segmentation Security are the underlying foundation of this secure framework. Arista EOS and CloudVision® together deliver the three pillars of Arista security, namely segmentation across PICs, cognitive controls, and encrypted connectivity.

Figure 1 highlights the components involved in building a secure cloud network.


Secure Virtual-Physical Cloud Segmentation

Arista is applying SDN principles to security with segmentation and appropriate isolation. Besides protecting against DoS (Denial of Service) attacks, Arista’s MSS also leverages firewall rules across the entire Campus and datacenter. Security concerns that were once met by deploying a hardened perimeter with firewalls are now spilling over that boundary as employees access applications from remote locations. Complementing micro-segmentation from VMware’s NSX, Arista’s MSS provides real-time automation of cloud-network operations with security, without massive re-architecture. MSS works in tandem with server, storage, and network virtualization solutions from Arista’s key next generation firewall partners Palo Alto Networks, Check Point Software and Fortinet. The enhanced deployment of physical workloads and security services validates the vision of the software-driven datacenter for L2, L3 and VXLAN-based networks. MSS is dynamically applied to cloud networks, depending on the type of host, for secure workload mobility and workflow visibility. Arista MSS provides dynamic and scalable network functions to insert security into the path of traffic, regardless of whether the security service or workload (physical or virtual) is physically present in the path of traffic. The trio of Arista, firewall partners and VMware drive the integration of security firewalls with ACLs (access control lists) using CloudVision. Using Arista’s patented state-based and change management configlets in CloudVision makes uniform security control across PICS possible. Figure 2 shows Arista’s MSS with next generation partners across datacenter and Campus for transparent insertion of firewall rules.

Figure 1: Arista redefines silo security to secure PICS with segmentation, controls and connectivity

Figure 2: Arista MSS with next generation partners across datacenter and Campus for transparent insertion of firewall rules


Flexible Cloud Security with Zone Segmentation Service

Workloads can and do move across intra- and inter-cloud boundaries, and security groups can dynamically move with them across multiple zone segments to secure automated deployment models. Arista’s recent Zone Segmentation Service does not try to own policy; instead, it co-exists with the defined security tool framework while new actions, such as tracking protocols like SIP, can be instantiated. Arista’s Zone Segmentation Service extends MSS security to any public cloud. Working with CloudVision for Any Cloud communication, channels are authorized and subject to further inspection with CloudTracer for response time, jitter/latency, etc. CloudVision receives state streams from the Arista network switches, and this data allows for continual monitoring of inter-cloud connection requests. These requests may be selectively filtered and forwarded to security analytics for further validation. If a connection is found to be in violation of authorized access, zone segmentation can work with identifiers such as IP addresses, subnets, and workloads to prevent this connection. Enterprises migrating workloads from their datacenters to a public cloud, such as Amazon AWS, Microsoft Azure or Google GCP, and exchanges such as Equinix can leverage security groups to segment their instances. Workloads are classified and segmented across zones and enforced via CloudVision for effective management and communication between zone segments, complementing Macro Segmentation in the datacenter and Campus as shown in Figure 3.

Bridging the Virtual-Physical and Cloud-based Segmentation

Arista’s partnership with VMware has produced a robust security solution delivered through the hypervisor and NSX manager. This joint offering secures micro-services using distributed firewalling and tenant isolation. Application segmentation is achieved through policies that are enforced within the virtual switch. VMware’s micro-segmentation leverages the hypervisor and NSX manager to provide segmentation within the virtualized portion of the datacenter. This approach, however, does not extend to bare-metal servers hosting critical applications. Arista MSS in conjunction with VMware’s micro-segmentation delivers complete segmentation coverage from the host to the cloud. Arista switches, along with NSX security directives and consistent segmentation actions, can be utilized to secure applications hosted on virtualized and bare-metal servers as shown in Figure 4.

Figure 3: Arista Zone Segmentation Service applies across multi-cloud and premise for secure enforcement

Zone Segmentation


Arista Zone Segmentation Service is an extension of MSS, and a key security feature of vEOS. It allows the vEOS router to craft segmentation boundaries across groups of interfaces and any cloud network including AWS, Azure and GCP. Connections can be selectively allowed or precluded across these boundaries based on organizational needs. While MSS provides segmentation within the datacenter and the private cloud, Zone Segmentation Service goes further by providing secure segmentation for the inter-cloud network.
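The zone classification and authorized-access check described in the two Zone Segmentation passages above, as an added Python illustration (not Arista code and not the CloudVision or vEOS implementation): workloads are assigned to zones by subnet, inter-zone connection requests are matched against an explicit allow-list with everything else denied, and violations are reported with the IP identifiers an enforcement point would block on. Zone names, subnets, ports and the connection records are all constructed for the example.

```python
"""Zone segmentation policy check over inter-cloud connection records.

Added illustration, not Arista code. Models the flow the paper describes:
workloads classified into zones by subnet, inter-zone connections matched
against an authorized-access policy, violations flagged for blocking.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone map: a workload belongs to the zone whose subnet contains
# its address. Zone names stand in for on-prem and public-cloud segments.
ZONES: Dict[str, List[str]] = {
    "dc-app":    ["10.10.0.0/16"],
    "dc-db":     ["10.20.0.0/16"],
    "aws-web":   ["172.31.0.0/16"],
    "azure-app": ["10.100.0.0/16"],
}

# Constructed authorized-access policy as (src_zone, dst_zone, dst_port).
# Any zone crossing not listed here is denied (default deny).
ALLOWED = {
    ("aws-web", "dc-app", 8443),
    ("azure-app", "dc-app", 8443),
    ("dc-app", "dc-db", 5432),
}

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dst_port: int

def zone_of(ip: str) -> Optional[str]:
    """Classify a workload address into a zone; None if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for zone, subnets in ZONES.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return zone
    return None

def evaluate(conn: Connection) -> Tuple[str, str]:
    """Return (verdict, reason). Traffic inside one zone is not a zone crossing."""
    src_zone, dst_zone = zone_of(conn.src), zone_of(conn.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "unclassified workload")
    if src_zone == dst_zone:
        return ("allow", "intra-zone")
    key = (src_zone, dst_zone, conn.dst_port)
    label = f"{src_zone}->{dst_zone}:{conn.dst_port}"
    return ("allow", f"{label} authorized") if key in ALLOWED else ("deny", f"{label} not authorized")

def violations(conns: List[Connection]) -> List[dict]:
    """Connections to block, carrying the identifiers enforcement would act on."""
    return [{"src": c.src, "dst": c.dst, "port": c.dst_port, "reason": r}
            for c in conns for v, r in [evaluate(c)] if v == "deny"]

# Constructed sample of connection requests, as if taken from switch state streams.
SAMPLE = [
    Connection("172.31.4.7", "10.10.1.5", 8443),   # aws-web -> dc-app: authorized
    Connection("172.31.4.7", "10.20.1.9", 5432),   # aws-web -> dc-db: bypasses app tier
    Connection("10.10.1.5", "10.20.1.9", 5432),    # dc-app -> dc-db: authorized
    Connection("10.10.1.5", "10.10.2.3", 22),      # intra-zone, not a crossing
    Connection("192.0.2.10", "10.20.1.9", 5432),   # source in no known zone
]

if __name__ == "__main__":
    for v in violations(SAMPLE):
        print(v)
```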

Secure Cognitive Controls

Dealing with extensive security information requires a sophisticated management architecture to complement firewall management. Cognitive Controls are needed to secure PICS. Powered by Arista CloudVision, an enterprise can implement network-based segmentation, anomaly and audit controls, and zone-containerized segmentation. At the heart of this secure architecture is Arista’s Cognitive Management Plane (CMP). CloudVision can serve not only as a repository of secure directives but as a dashboard for security events. As a compliance dashboard, CloudVision can alert administrators to EOS bug alerts that may represent a vulnerability, and also help in complying with PSIRT (Product Security Incident Response Team) advisories. CloudVision can also perform as a security dashboard. Once client end-points are identified on its topology map, security appliances can send CloudVision alerts that are displayed with color coding to represent the severity of the threat, as seen in Figure 5.

Figure 4: Network-wide segmentation capabilities of the Arista network to firewalls and into virtualized datacenters with VMware NSX and public cloud

Figure 5: Secure Cognitive Controls include compliance and audits, threat alerts and visualization


Secure Encryption

Extending connectivity between datacenters and Campus or cloud is possible with encryption options. MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Arista switches incorporate link-layer crypto to prevent man-in-the-middle attacks and ensure Ethernet frame integrity. Arista vEOS implementations incorporate IPSec tunnel capability to create a secure multi-cloud underlay, facilitating the transition to payloads in Any Cloud.

Holistic Cloud Security

Arista partner Zscaler provides its Zscaler Internet Access (ZIA) service at a time when the Internet has become the new corporate network. Zscaler’s Private Access (ZPA) service provides application-layer segmentation by grouping users by corporate roles, independent of the location from which they access the applications. Together, ZIA and ZPA provide cloud security that unifies network-based and application-based security. A primary component of ZPA, the Z-Connector, can be offered as an optional add-on to Arista vEOS. When deployed together, the Z-Connector and Arista vEOS deliver operational advantages. Figure 6 illustrates how the combination of Arista east-west and Zscaler north-south services secures the network and application layers.

Secure Cognitive Campus

Arista’s Splines, EOS and CloudVision, based on a breakthrough Cognitive Management Plane, are designed to deliver the next generation Cognitive Campus for customers. They provide a simplified, secure and automated experience, leveraging flow data to better secure Campus networks. With behavior-driven workflow data, administrators can employ various standards-based network segmentation technologies to isolate suspicious workflows. Unlike complex proprietary segmentation schemes, open, standards-based 802.1Q and VXLAN-based EVPN segmentation services can be combined to isolate suspect workflows or critical workloads across a Campus-wide, multi-vendor environment.

Additionally, Arista’s acquisition of Cognitive Wireless and Mojo Networks brings the patented Wireless Intrusion Protection System (WIPS) to the holistic security framework. The WIPS architecture, along with FIPS (Federal Information Processing Standards) certification and SSAE (Statement on Standards for Attestation Engagements) 16 Type 1 & 2 attestation, enhances security for the Campus and for applications in the datacenter. The Mojo tri-radio access point (AP) design overcomes the deficiencies of background scanning to offer real-time application security. Another vital security feature for wired and wireless networks is authentication and authorization of network access points. It is relatively easy for attackers to spoof consumer-grade APs; the common techniques involve MAC address spoofing, which can be accomplished by leveraging the WiFi Pineapple and its PineAP suite. The Cognitive Marker packet approach allows for detection of such rogue APs, followed by quick remediation actions, to add another layer to Campus security.

Figure 6: The combination of Arista east-west and Zscaler north-south services delivers holistic network application security

For outlier Campus workflows, CloudVision provides traffic-steering and segmentation capabilities in its Macro Segmentation Security. The Campus is dynamically configured to enforce security directives without any impact on other workloads. This simplifies Campus network administration and helps automate security enforcement using standard traffic segmentation technologies as shown in Figure 7.

A properly designed and implemented security framework provides assurance to applications and workloads that are hosted across many network boundaries. Network and security operators frequently find their organizations undermanned to configure security parameters and to monitor the alerts generated during network operations. Given these realities, customers often engage third-party SecOps expertise as part of the security architecture and planning process. Such partners can include log aggregators such as Splunk and others that provide security alert management services.

Arista’s cloud security, with its innovative Zone Segmentation Service, provides enterprises a compelling solution, including:

• Location Freedom: This allows larger datacenters to centralize and insert security in the path between any workloads on demand or based on firewall rules at the premise or cloud boundaries for AWS, Azure or Google Cloud.

• Easy Integration: Traffic is monitored by existing tools with smooth integration across clouds and regions by not changing any frame formats.

• Open: Arista Zone Segmentation Service can fully function in today’s multi-vendor firewall networks without lock-in or proprietary protocols across virtual, physical and cloud domains.

• Agile: Workloads can and do move across intra- and inter-cloud boundaries while security groups can dynamically move with them across multiple zone segments to secure automated deployment models.

• Seamless Co-existence: Arista’s Zone Segmentation Service does not try to ‘own policy’. Instead, it co-exists with defined firewall rules within the security tool framework while new actions, such as tracking protocols like SIP, can be instantiated.

Figure 7: Arista’s Cognitive Management Plane brings increased anomaly detection and analysis down to Cognitive WiFi Intrusion Prevention System (WIPS)

Figure 8 illustrates the salient foundation for Secure PICS.

Figure 8: Silo to Secure PIC journey demands advanced underlying architecture

Simple and Secure Cloud Networking

Arista’s state-of-the-art security framework brings forth best-of-breed cloud security technology, in collaboration with ecosystem partners. The ground-breaking formula for secure holistic cloud networking merges leading-edge offerings from ecosystem partners with Arista’s segmentation technologies for environments that range from cloud to campus to client with Cognitive WiFi. Crucial to Arista’s delivery of uncompromised security are its partnerships with Palo Alto Networks and other major firewall vendors, along with alliances with Zscaler on the public cloud and VMware on micro-segmentation. The signature result is secure segmentation beyond firewalls, yielding unprecedented simple, secure networking for customers.

Santa Clara—Corporate Headquarters 5453 Great America Parkway, Santa Clara, CA 95054

Phone: +1-408-547-5500 Fax: +1-408-538-8920 Email: [email protected]

Ireland—International Headquarters 3130 Atlantic Avenue Westpark Business Campus Shannon, Co. Clare Ireland

Vancouver—R&D Office 9200 Glenlyon Pkwy, Unit 300 Burnaby, British Columbia Canada V5J 5J8

San Francisco—R&D and Sales Office 1390 Market Street, Suite 800 San Francisco, CA 94102

India—R&D Office Global Tech Park, Tower A & B, 11th Floor Marathahalli Outer Ring Road Devarabeesanahalli Village, Varthur Hobli Bangalore, India 560103

Singapore—APAC Administrative Office 9 Temasek Boulevard #29-01, Suntec Tower Two Singapore 038989

Nashua—R&D Office 10 Tara Boulevard Nashua, NH 03062

Copyright © 2018 Arista Networks, Inc. All rights reserved. CloudVision and EOS are registered trademarks and Arista Networks is a trademark of Arista Networks, Inc. All other company names are trademarks of their respective holders. Information in this document is subject to change without notice. Certain features may not yet be available. Arista Networks, Inc. assumes no responsibility for any errors that may appear in this document. August 21, 2018 02-0080-01