From network security to secure networks
A new age of edge-less, multi-cloud, multi-device collaboration for hybrid work has given rise to a new network that transcends perimeters. As hybrid work models continue to gain precedence through the new network, it has become vital for organizations to address the cascading attack surface. Continuously evolving cyber threats can no longer be mitigated by reactionary bolt-on security measures. Instead, organizations need security to permeate everything that happens on the network today.
Security measures need to pivot from reactive to a more proactive approach of continuous contextual network monitoring that ensures a threat is detected before it can lead to a significant data breach.
Being secure in the new network, the zero trust way.
A zero trust networking approach to security is paramount for organizations looking to build a robust cybersecurity ecosystem today. Based on the premise of explicit trust, zero trust security ensures complete visibility and control over any enterprise network activity, regardless of which device, application, or user is accessing that resource.
This paradigm shift has prompted best-in-class enterprises to bake security into the core of their network infrastructure. Implementing security at this layer reduces operational costs and complexity and represents the most effective way to track and successfully manage threats coming in from the wider attack surface.
Zero Trust Networking
Arista’s suite of security solutions helps customers accelerate their journey towards zero trust maturity. Based on the CISA Zero Trust Maturity Model, Arista supports all the key functions CISA recommends for the network: network segmentation, network traffic management, traffic encryption, and network resilience along with controls for visibility and analytics, automation and orchestration, as well as governance.
Arista Security: Zero Trust Everywhere
The new network needs security that can scale and adapt based on context. Traditional security measures were simply not built to scale for the new network. Legacy solutions lack the deep integrations necessary to ensure real-time context flows through the entire system. Instead, most organizations struggle with a security strategy that relies on multiple vendors and individual point solutions that are narrowly focused.
How does Arista help? As evidenced by the Universal Cloud Network (UCN) architecture, Arista helps customers build networks that are secure by design. Arista’s zero trust portfolio eliminates the need for several network monitoring and security tools by delivering a unified architecture that provides real-time visibility to the threat posture across the network and the ability to take action. Arista is uniquely positioned to deliver these capabilities across a variety of networks: from the campus to the data center and the cloud.
Zero Trust for the Data Center:
Arista’s DFX (DANZ Forensics Exchange) solution combines the network packet filtering, forwarding, and storage capabilities of DANZ Monitoring Fabric™ (DMF) with the advanced Network Detection and Response (NDR) capabilities of the Arista NDR Platform powered by AVA™ (Autonomous Virtual Assist), the world’s first AI-based security expert system. Arista offers the industry's first multi-hundred gigabit solution for NDR that allows security teams to capture and monitor aggregated data center traffic, detect mal-intent or potential threats, and provide full packet network forensics.
DFX delivers visibility at the network, device, workload, application, and user level while also enabling autonomous threat hunting, detection, and response. It also offers fully programmable and API-friendly capabilities: from selecting the specific traffic to be monitored, to easily creating custom threat hunting models for threats unique to an enterprise’s data center and applications.
Zero Trust for the Cognitive Campus:
Arista’s zero trust campus solution embeds AVA NDR sensors into the switches and is thus uniquely able to offer a deep packet-inspection security analytics solution built into the campus network fabric. Unlike legacy NetFlow-based solutions that are limited in their depth of visibility–just port and IP address information along with the protocols, Arista AVA sensors analyze the full packet for a number of protocols and send that information to the NDR nucleus for further analysis.
Similarly, CloudVision Arista Guardian for Network Identity™ (CV AGNI) is a software-as-a-service network access control (NAC) solution that simplifies the onboarding and ongoing governance of network identity across users, their associated devices, and the Internet-of-Things, for both wired and wireless campus networks. CV AGNI uses existing identity providers and performs dynamic authorization via real time posture assessments based on data from Arista NDR as well as from third party technologies such as endpoint detection and response solutions.
Having AVA Sensors and CV AGNI capabilities provides the enterprise with broader visibility, increased traffic analysis, and robust enforcement mechanisms across the campus, and an integrated solution that enables both manual and automated remediation actions.
Securing the New Network with a Unified Security Strategy
Networks have evolved in the last 20 to 30 years, but network security still hasn’t. Siloed traditional models persist. Most organizations have several diverse cybersecurity solutions that are patched together to fix known threats. Arista’s solutions are designed to scale and support a variety of networks. Arista’s security approach allows organizations to proactively set up enforcement mechanisms via scalable encryption and segmentation approaches; enable predictive analytics that uncover malicious intent as early in the attack lifecycle as possible, and deliver prescriptive guidance so analysts can take remedial action. Arista’s security solutions support out-of-the-box automated integrations with the rest of the infrastructure while also delivering the necessary decision-support data to the human analyst.
The links below dive deeper into the various components of Arista’s Zero Trust Networking solution:
DANZ Monitoring Fabric (Arista DMF)
Edge Threat Management (Arista ETM)
To overcome the new security challenges and the explosion of clients in today’s perimeter-less enterprise networks, Arista delivers a novel AI-driven network Identity service, Arista Guardian for Network Identity or AGNI to connect the network, users, and devices across remote and geographically dispersed locations. Based on Arista’s flagship CloudVision, the new AGNI platform brings a revolutionary improvement to scale, simplicity, and security across users, their associated endpoints, and IoT devices.
Featured Video: Introducing Arista Guardian For Network Identity
CloudVision AGNI embraces modern design principles, Cloud native microservices architecture, and Machine Learning / Artificial Intelligence (ML/AI) technologies to significantly simplify administrative tasks and reduce complexities. It offers a comprehensive range of features to meet the requirements of modern networks.
CloudVision AGNI provides simple self-service onboarding using single sign-on (SSO) for wireless unique pre-shared keys and dot1x digital certificates, complete certificate life cycle management with cloud-native PKI infrastructure, authorization and segmentation, behavioral profiling, and visibility of all connected devices. AGNI integrates with all the leading Identity Providers including Okta, Google Workspace, Microsoft Azure, OneLogin, and Ping Identity. Devices are discovered, profiled, and classified into groups for single-pane-of-glass visibility and control.
CloudVision AGNI integrates with network infrastructure devices (wired switches and wireless access points) through a highly secure TLS-based RadSec tunnel. The highly secure and encrypted tunnel offers complete protection to the communications that happen in a distributed network environment. This mechanism offers much greater security to AAA workflows when compared with traditional RADIUS environment workflows, which are not encrypted. AGNI integrates with Arista products to enable the exchange of important user and client context, secure group segmentation (MSS-G), and authentication telemetry data. Additionally, AGNI can fetch consumer advanced profiling, posture, and network inventory data to provide comprehensive policy management and insights into network security. The platform’s API-first approach enables seamless integration with third-party solutions, allowing for the exchange of user and client context, authentication telemetry, and endpoint protection status. AGNI offers Arista’s Unique PSK (UPSK) solutions to enable secure authentication mechanisms for BYOD, IoT/IoMT, and gaming devices. AGNI extends its feature set to accommodate a wide range of client devices with its support for Captive Portal and MBA authentications.
AGNI integrates with Arista NDR and other third-party XDR and EDR solutions for post-admission control functionality.
Edge Threat Management
Bringing Cloud-managed Security & Connectivity to the Network Edge
Edge Threat Management is a comprehensive approach to security orchestration. Consisting of the award winning NG Firewall, Micro Edge and ETM Dashboard products, Edge Threat Management provides IT teams with the ability to ensure protection, monitoring and control for all devices, applications, and events on a network. This framework helps administrators enforce a consistent security posture across the entire digital attack surface—putting IT back in control of dispersed networks, hybrid cloud environments, IoT and mobile devices.
Featured Video: Arista Edge Threat Management
A Complete Network Security Solution
Edge Threat Management brings together a full range of different networking, security and optimization components to meet the needs of connected organizations, from core to cloud to network edge.
NG Firewall
Secure, Monitor and Manage Networks with Unified Threat Management Capabilities
Powerful policy management tools bring commercial-class security and access policies down to the level of specific devices or people, delivering a comprehensive, commercial-grade network security platform for organizations of any size in any industry.
Enabling IT administrators full access and visibility to monitor, manage, and control their network while also providing protection from evolving threats, NG Firewall simplifies network security implementation for IT administrators.
Micro Edge
Connect Branch Offices and Optimize the Network
Micro Edge is a lightweight network-edge device designed for branch office connectivity, network performance optimization, and business continuity.
Micro Edge uses optimal predictive path selection technology, which incorporates a sophisticated cloud component to identify applications at the first packet. This advanced technology enables Micro Edge to choose the best path for specific applications or categories of network traffic. When performance matters most, such as for business-critical, but bandwidth-intensive applications, Micro Edge will decide in real-time which link to use based on actual current link performance to ensure that traffic utilizes available connections in the most efficient manner.
Micro Edge simplifies and reduces the costs of branch office networking. Micro Edge is a lightweight edge device designed for the needs and budgets of small offices.
ETM Dashboard
Simplify Deployment and Management with Zero Touch Provisioning and Cloud-based Centralized Management
Every NG Firewall and Micro Edge deployment can connect to ETM Dashboard, making configuring and managing one appliance or thousands of appliances, easy.
ETM Dashboard’s integration with industry leading endpoint security vendors provides administrators with an easy way to see the status of remote firewalls and branch office routers, manage devices on the network, and initiate endpoint protection scans.
ETM Dashboard allows network administrators or MSPs to remotely view appliance status, bandwidth utilization and network traffic summaries, gathering valuable auditing logs about administrative changes, key to regulatory compliance, and manage software updates and business-critical data backups.
Literature
- .Zero Trust Security White Paper
- .CloudVision Macro-Segmentation Service Solution Brief
- .Arista Zero Trust Security for Cloud Networking White Paper
- .DANZ Monitoring Fabric Datasheet
- .Zone Segmentation Security Technical Brief
- .Secure Cloud Segmentation with Arista Networks and Zscaler Solution Brief
- .CloudVision White Paper
- .Arista Macro Segmentation Service - Firewall At-A-Glance
- .Security Monitoring with DANZ
- .Security for the Cloud Data Center White Paper
- .Extending secure segmentation with VMWare NSX
- .Building Your Zero Trust Strategy with NIST 800-207 and Arista NDR
- .The 5 Levels of Autonomous Security: What level are you?
- . Top 4 Roadblocks to SOC Productivity
Case Studies
Edge Threat Management
- .Edge Threat Management Datasheet
- .Cybersecurity Incident Response Plan
- .Keeping Your Network Safe
- .Building a Cybersecurity Risk Assessment Plan
- .Employee Training: Cybersecurity 101
- .Arista ETM Healthcare Data Sheet
- .Addressing Record Breaking Cyberattacks in Schools
Video
- .Network Detection and Response Demo – Awake in 3 Minutes
- .Innovate 2021 – Security Roundtable
- .TAG Cyber interviews Rahul Kashyap on the Technical Aspects of the New Network
- .TAG Cyber interviews Rahul Kashyap on the Business Problems & Challenges of the New Network
- .Cloud Visibility Solutions with Arista DANZ
- .Enterprise Wide Contextual Analysis with DMF