As organizations transform their digital infrastructure to accommodate hybrid & multi-cloud efforts, a mobile workforce, and the explosion of various IT, OT & IoT devices, the traditional network perimeter has vanished. Simultaneously, attacker tactics continue to evolve and the impact of breaches like ransomware and insider threats can be devastating. Organizations must adopt a zero trust posture with microperimeter-based defenses around each critical digital asset.
Microsegmentation is essential for zero trust
Zero trust is a people, process, and technology framework with controls that enforce explicit access checks for each digital resource in the environment. This framework is a departure from the traditional model that relied on implicit trust, simply because the access originated from a device on the “inside” of the network. Implementing zero trust therefore requires establishing microperimeters around critical assets that need to be protected. This mitigates risk to the organization by impeding lateral movement of attackers and preventing them from accessing the digital crown jewels.
Perimeter firewalls are not designed to cope with the volume and complexity of internal east-west traffic. Microsegmentation solutions have emerged to combat this challenge, establishing access controls based on the identity of the endpoints or applications, rather than on traditional network boundaries like subnets and VRFs. However, these tools have their own challenges. Network-based microsegmentation historically has resulted in inconsistent and fragmented architectures across campus and data center networks, leading to gaps in security coverage and operational complexity. These tools also lock enterprises into single-vendor solutions, due to the use of proprietary protocols. On the other hand, endpoint-based offerings are operationally cumbersome to manage and have limited portability across the variety of enterprise endpoints, therefore excluding significant parts of the organization’s attack surface.
Standards-based Microsegmentation with Arista MSS
The Arista Multi-domain Segmentation Services (MSS) deliver four vital capabilities that help organizations overcome deficiencies in existing microsegmentation solutions and place the network firmly at the foundation of an effective zero trust posture.
1. Endpoint identity and microperimeter tags
The first step in planning a microsegmentation strategy consists of binding endpoints, workloads, and even networks to specific microperimeter tags. CloudVision MSS powered by Arista NetDL automates the management of microperimeters by connecting to external sources and dynamically identifying and then tagging the endpoints and workloads. Arista MSS can connect to various external sources like NAC systems, CMDBs, and virtualization infrastructure management solutions such as VMware vSphere.
2. “Zero Trust” policy planning with traffic map
Zero trust architecture principles require that all traffic on the network must be explicitly allowed by security policies. To create zero trust policies, it is vital to have complete visibility into existing traffic flows on the network. This ensures that policies protect the right resources while at the same time not impeding legitimate business-justified flows. Arista MSS maps all the communications within and across different parts of the network and provides a set of recommended policies to only permit trusted communications based on the observed traffic map.
3. Microperimeter enforcement in the network or redirect to Firewall
Arista MSS then distributes the zero trust policies to EOS-powered network switches. In turn, the switches can perform wire-speed distributed enforcement themselves or redirect the traffic to a third-party firewall for stateful L4-7 inspection. Importantly, Arista’s switch-based enforcement overcomes the challenges associated with traditional ACL-based segmentation such as TCAM exhaustion, by leveraging an advanced tagging engine that optimizes hardware utilization and maximizes scalability. Furthermore, because the tags are internal to a switch and are not shared across the network infrastructure, Arista MSS can seamlessly insert into any multi-vendor network. This approach also avoids any proprietary protocols that force organizations into single-vendor networks.
4. Continuous traffic monitoring and visibility of policy violations
Once the zero trust policies are deployed, MSS can monitor for policy violations and report on the specific flows dropped in the network. This provides vital intelligence to the administrator to update the zero trust policies when valid, yet new, services are denied as well as monitor specific endpoints that are attempting to violate traffic rules.
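As an added illustration of the four steps above (not Arista's code and not the CloudVision or MSS API), the following Python sketch uses constructed data: a tag map standing in for the NAC/CMDB identity source, a list of observed flows as the traffic map, a tag-to-tag allow-list derived from it with default deny, and a violation report for the administrator. Every address, tag and flow below is constructed.

```python
from collections import defaultdict

# Step 1 (constructed): endpoint identity -> microperimeter tag, as an
# integration with a NAC or CMDB would supply it. Note 10.1.1.12 is tagged
# but never appears in the observed flows.
TAGS = {
    "10.1.1.10": "HR-Workstation",
    "10.1.1.11": "HR-Workstation",
    "10.1.1.12": "HR-Workstation",
    "10.2.0.5": "HR-App",
    "10.2.0.9": "Payroll-DB",
    "10.9.9.9": "IoT-Camera",
}

# Step 2 (constructed): observed flows (src, dst, proto, dport) forming the traffic map.
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.2.0.5", "tcp", 443),
    ("10.1.1.11", "10.2.0.5", "tcp", 443),
    ("10.2.0.5", "10.2.0.9", "tcp", 5432),
]

def tag_of(ip):
    """Resolve an endpoint to its tag; unknown endpoints get a catch-all tag."""
    return TAGS.get(ip, "UNTAGGED")

def recommend_policy(flows):
    """Collapse observed flows into tag-to-tag allow rules (anything else is denied)."""
    return {(tag_of(src), tag_of(dst), proto, dport) for src, dst, proto, dport in flows}

def evaluate(flow, policy):
    """Step 3: enforcement decision for one flow, keyed on tags rather than addresses."""
    src, dst, proto, dport = flow
    return "permit" if (tag_of(src), tag_of(dst), proto, dport) in policy else "deny"

def violations(flows, policy):
    """Step 4: denied flows grouped by source tag, for rule review or endpoint follow-up."""
    report = defaultdict(list)
    for flow in flows:
        if evaluate(flow, policy) == "deny":
            report[tag_of(flow[0])].append(flow)
    return dict(report)
```

Because rules are keyed on tags, the never-seen workstation 10.1.1.12 is permitted to reach HR-App without a new rule, while a workstation connecting straight to Payroll-DB is denied and surfaces in the report.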
Arista Networks provides a unique multi-domain microperimeter segmentation architecture designed to maximize operational simplification and overcome the limitations of legacy microsegmentation solutions that are either host- or network-based.
Arista MSS offers a comprehensive solution for enterprise-wide zero trust networking. Arista’s offering is unique in delivering:
1. A single operational model for campus, branch and data center microsegmentation
This is predicated on a single EOS binary, common across all switching platforms, a single Arista CloudVision® policy orchestration platform, and an aggregated Network Data Lake (Arista NetDL™) infrastructure for state management and monitoring.
2. Standards-based networking with no custom protocols or hardware
Unlike other switch-based microperimeter segmentation solutions, Arista MSS is not dependent on any custom protocol or custom hardware and is thus able to be integrated into any standard brownfield and multi-vendor network (wired and wireless).
3. Flexible to any endpoint with no custom agents or software
Since MSS does not require any software agents on endpoints and workloads, it seamlessly extends microperimeter segmentation from campus to branch, factory, and IoT endpoints as well as virtualized and bare metal workloads in the data center. It is not limited to specific operating systems or virtualization platforms.
4. Simplified management of zero trust microperimeters
CloudVision integrates with multiple campus endpoint and datacenter workload identity sources, such as network access control solutions, IP address management offerings, IT service management tools and virtualization platforms. Arista MSS is thus able to dynamically establish and enforce identity-aware microperimeters across the entire enterprise.
5. Eliminates “blind spots” for safe deployment of zero trust policies
Using the data in Arista NetDL, MSS generates a map of all traffic sessions and then provides a set of zero trust policy recommendations based on the observed traffic map. Once policies are deployed, MSS can continuously monitor traffic violating policies and stream the flow information to CloudVision for monitoring and rule update purposes. Importantly, MSS can also connect to other sources of context such as network detection and response (NDR) and endpoint detection and response (EDR). Thus, Arista MSS can quickly react to endpoints and workloads that might be misbehaving or compromised and isolate them as appropriate, minimizing breach impact on the organization.