From network security to secure networks

A new age of edge-less, multi-cloud, multi-device collaboration for hybrid work has given rise to a new network that transcends perimeters. As hybrid work models continue to gain ground on this new network, it has become vital for organizations to address the expanding attack surface. Continuously evolving cyber threats can no longer be mitigated by reactive bolt-on security measures or perimeter firewalls. Instead, organizations need security to permeate the underlying network infrastructure.

Security measures need to pivot from reactive to a more proactive approach of continuous contextual network monitoring that ensures threats are detected and mitigated before an expansive data breach.

Being secure in the new network, the zero trust way.

A zero trust networking approach to security is paramount for organizations looking to build a robust cybersecurity ecosystem today. Based on the premise of explicit trust, zero trust security ensures complete visibility and control over any enterprise network activity, regardless of which device, application, or user is accessing that resource.

This paradigm shift has prompted best-in-class enterprises to bake security into the core of their network infrastructure. Implementing security at this layer reduces operational costs and complexity and represents the most effective way to track and successfully manage threats coming in from the wider attack surface.

Zero Trust Networking

Arista’s suite of security solutions helps customers accelerate their journey towards zero trust maturity. Based on the CISA Zero Trust Maturity Model, Arista supports all the essential functions CISA recommends for the network: network segmentation, network traffic management, traffic encryption, and network resilience along with controls for visibility and analytics, automation and orchestration, as well as governance.

In fact, the network can be the center of any organization’s CISA zero trust maturity efforts.

The network is pervasive – every communication hits the network at some point, so observability, threat detection, and access control can be applied transparently. This provides risk mitigation for the legacy devices, workloads, and data stores that cannot be easily “ZT-fied.” As a result, implementing zero trust on the network can accelerate the overall zero trust program and buy time to address deeper challenges in the other domains – like data or workloads.

The network does not care whether the devices are managed or unmanaged; instead, it can identify those devices and apply policies for authentication and authorization, irrespective of what they are and where they currently are.

The network is much more homogeneous than devices, workloads, users, data, etc. Protocols like TCP/IP are universal, unlike the complexity involved with different operating systems or application server software.

Of course, some would argue the network does have blind spots, for instance, remote endpoints or branches that do not backhaul network traffic but route directly to the Internet. These setups may not hit the organization’s traditional network and thus be “invisible” to the organization’s zero trust controls. Any zero trust networking architecture must therefore act as a strong network underlay and support tight workflow integrations with complementary security overlay solutions such as endpoint detection and response or zero trust network access technologies.

Arista Enables Universal Zero Trust Networking

As evidenced by the Universal Cloud Network (UCN) architecture, Arista helps customers build networks that are secure by design. Arista’s zero trust portfolio eliminates the need for several network monitoring and security tools by delivering a unified and integrated architecture that provides real-time visibility of the threat posture across the network and the ability to take action. Arista is uniquely positioned to deliver these capabilities across various networks: from the campus to the data center and the cloud.

Arista's Multi-Domain Segmentation Service (MSS) is a comprehensive microsegmentation solution that provides fine-grained security policies based on microperimeters defined around the identity of endpoints or applications.

MSS offers a consistent architecture across multiple network domains and is both network- and endpoint-agnostic. It enables distributed enforcement of stateless policies at wire speed within Arista EOS-powered switches, or can redirect traffic to a third-party firewall for stateful L4-7 inspection. Arista MSS thus enables lateral segmentation, offloading that capability from firewalls that would otherwise have to be explicitly deployed for this purpose.

Arista MSS also automates the management of microperimeters by connecting to external sources and dynamically identifying and tagging the endpoints and workloads. To get this information, Arista MSS can connect to various external sources, such as NAC, CMDB, IPAM and server virtualization systems.

Network Traffic Management

The network traffic management function requires the ability first to identify applications and then to classify them for an optimal user experience. These capabilities are operationalized through quality of service and bandwidth reservations as well as granular monitoring policies. Arista EOS provides robust quality of service features and the ability to classify traffic for appropriate prioritization within the network relative to other applications. The Arista DANZ Monitoring Fabric (DMF) enables IT operators to pervasively monitor all user, device/IoT, and application traffic (north-south and east-west) by gaining complete visibility into physical, virtual, and container environments. Deep hop-by-hop visibility, predictive analytics, and scale-out packet capture, integrated through a single dashboard, provide unprecedented observability to monitor, discover, and troubleshoot network and application performance issues, and accelerate discovery of the root causes of security breaches and other outages.

Traffic Encryption

Arista network infrastructure natively supports encryption capabilities such as MACsec and TunnelSec. These capabilities, implemented on the switches, enable organizations to encrypt data to and from legacy applications and workloads without changing those systems but instead relying on the network to protect data from unauthorized access, interception, and tampering.

TunnelSec uses industry-standard protocols such as IPsec and SSL/TLS to establish secure tunnels across any network, including the public internet, and thus enables secure communication and data exchange between remote locations. This is particularly useful for organizations with multiple branch offices or data centers that need to communicate securely with each other over a public network.

MACsec operates at the link layer of the network stack and provides data encryption between campus or data center network devices. MACsec is used to secure communications between devices on the same physical network, such as within a data center.

Network Resilience

Arista EOS and CloudVision bring a modern approach to continuous application delivery and performance. The key to resilience in a zero trust context lies in the ability to dynamically expand or reduce with network demands. For instance, this could mean having the ability to burst and use a utility cloud when demand is higher or availability is threatened. Similarly, network operations could use capacity from disaster recovery sites or backup data centers. Arista’s CloudVision and EOS work hand in hand to dynamically provide onboarding and connectivity to any public utility clouds securely and with optimal performance. In many instances, customers striving for zero trust maturity in this function deploy data centers in active/active configuration using robust EOS features such as EVPN that present the entire capacity as a single virtual data center while still providing geo-specific fault tolerance. CloudVision, in turn, provides single-pane-of-glass management for both the traditional data center and the hybrid cloud.

Visibility and Analytics

Arista NDR is an AI-enabled platform that analyzes billions of network communications to autonomously discover, profile, and classify every device, user, and application across the new network—perimeter, core, IoT, and cloud networks. Based on this deep understanding of the attack surface, the platform detects threats to and from these entities while providing the context necessary to respond rapidly.

Arista NDR can deliver visibility and analytics enterprise-wide by utilizing existing deployed switches as network security sensors. As a result, organizations can benefit from broad situational awareness without the need to deploy additional network tapping infrastructure or network visibility solutions, but instead by relying on infrastructure that is already deployed. This is especially important in campus and branch locations where such components can be complex to deploy and maintain without dedicated rack space and local IT expertise.

Automation and Orchestration Capability

The Arista CI Pipeline provides an advanced CI environment for managing network and security operations, built upon the visibility delivered by the Arista CloudVision platform. This capability, along with Arista Validated Designs (AVD), greatly simplifies and enhances the automation of network and security operations workflows.

Governance Capability

CloudVision Arista Guardian for Network Identity™ (CV AGNI) is a software-as-a-service network access control (NAC) solution that simplifies the onboarding and ongoing governance of network identity across users, their associated devices, and the Internet of Things for both wired and wireless networks. CV AGNI uses existing identity providers such as Microsoft Azure AD or Okta. It acts as the policy decision point (PDP) and policy enforcement point (PEP), both critical for an effective zero trust architecture. CV AGNI performs dynamic authorization via real-time posture assessments based on data from Arista NDR and third-party technologies such as endpoint detection and response solutions. Based on these assessments and policies defined by the organization, unauthorized entities or those violating security policies can be automatically quarantined.

Securing the New Network with a Unified Security Strategy

Networks have evolved in the last 20 to 30 years, but network security still hasn’t. Siloed traditional models persist and organizations are left with gaping holes in their visibility across the campus, branch, and data center networks. Most organizations have several diverse cybersecurity solutions that are patched together to combat known threats. Arista’s solutions are designed to scale and support a variety of networks. Arista’s security approach allows organizations to set up enforcement and access control mechanisms via scalable admission control, encryption, and segmentation approaches; enable analytics that uncover malicious intent as early in the attack lifecycle as possible, and deliver autonomous response and guidance for remedial action via microsegmentation capability. Arista’s security solutions support out-of-the-box automated integrations with the rest of the infrastructure while also delivering the necessary decision-support data to the human analyst.

See More | Know More | Protect More

With a variety of devices (desktops, laptops, IoT, OT, cloud, SaaS, work-from-anywhere, supply chain systems, and contractor devices) seamlessly connected to an organization’s infrastructure, visibility, detection, and response for these “new” networks have become increasingly important. Network detection and response (NDR) technology is designed to tackle today’s pressing security threats.

How does Arista NDR secure the new network?

Why Arista NDR?

Powered by AVA Sensors, Arista NDR provides deep network analysis across the data center, campus, Internet of Things, and cloud workload networks. These sensors are available in a variety of form factors: from Arista switches with built-in NDR capabilities to standalone, virtual, and cloud-based offerings. The sensors feed security-relevant Layer 2 to Layer 7 data into the AVA Nucleus, where a combination of AI-driven detection models is used to uncover malicious intent. The AVA Nucleus can run entirely on-premises or in the Arista cloud as a SaaS offering. The platform also automates threat hunting and incident triage using artificial intelligence and presents the user with end-to-end attack analysis rather than a plethora of meaningless alerts. Analysts thus see the entire scope of an attack along with investigation and remediation options on a single screen, without the effort of piecing it together themselves.

Use Cases

  • Detection
  • Response
  • Situational Awareness
  • Threat Hunting

The platform uses AI to detect and prioritize mal-intent and behavioral threats from both insiders and outside attackers while mapping these to the MITRE ATT&CK framework. AVA forensically correlates incidents across entities, time, protocols, and attack stages, surfacing Situations with all the decision-support data necessary to respond rapidly to any threat. Arista NDR learns and tracks entities across IT, OT, or IoT environments, whether on-premises, cloud, or SaaS, and managed or unmanaged, including contractors and other third parties. The platform’s rich data set and query capabilities enable powerful threat hunting workflows. AVA can take a single trigger from a human analyst and autonomously expose the entire kill chain in a matter of minutes.

Arista’s Awake Labs offers comprehensive security strategy, operations, and advisory solutions focused on the customer’s unique breach response needs. This team collectively has more than 200 person-years of security experience, including responding to some of the most significant breaches in the world. Network detection and response, digital forensics, and threat hunting are key components of Arista NDR's ability to provide protection against non-malware and insider threats as well as support for investigative workflows.  

Designed to be deployed in a few hours, Arista NDR also accelerates an organization’s zero-trust journey. The seamless integration of Arista NDR into other Arista technology as well as a customer’s existing security investments allows security teams to quickly identify high-risk incidents and compromised entities across their organization without requiring agents, manual configuration, or lengthy training periods. 

Secure Networks vs. Network Security

  • Detection
  • Narrow Insights
  • Increased Vulnerabilities

Many modern threats blend in with business-justified activities. Traditional security tools focus on malware, letting many behavioral threats go undetected. Traditional security systems do not connect the dots across the entire attack, instead leaving a trail of breadcrumbs that analysts have to piece together. If the enterprise security team can’t see every threat, detect malicious intent, or get insights to respond effectively, the enterprise can become extremely vulnerable to cyberattacks.

To overcome the new security challenges and the explosion of clients in today’s perimeter-less enterprise networks, Arista delivers a novel AI-driven network identity service, Arista Guardian for Network Identity (AGNI), to connect the network, users, and devices across remote and geographically dispersed locations. Based on Arista’s flagship CloudVision, the AGNI platform brings a revolutionary improvement in scale, simplicity, and security across users, their associated endpoints, and IoT devices.

Featured Video: Introducing Arista Guardian For Network Identity

CloudVision AGNI embraces modern design principles, a cloud-native microservices architecture, and machine learning / artificial intelligence (ML/AI) technologies to significantly simplify administrative tasks and reduce complexity. It offers a comprehensive range of features to meet the requirements of modern networks.

CloudVision AGNI provides simple self-service onboarding using single sign-on (SSO) for wireless unique pre-shared keys and 802.1X digital certificates, complete certificate life-cycle management with cloud-native PKI infrastructure, authorization and segmentation, behavioral profiling, and visibility of all connected devices. AGNI integrates with all the leading identity providers, including Okta, Google Workspace, Microsoft Azure, OneLogin, and Ping Identity. Devices are discovered, profiled, and classified into groups for single-pane-of-glass visibility and control.

CloudVision AGNI integrates with network infrastructure devices (wired switches and wireless access points) through a TLS-based RadSec (RADIUS over TLS) tunnel, which encrypts and protects the AAA communications that take place in a distributed network environment. This offers much greater security for AAA workflows than traditional RADIUS workflows, which are not encrypted. AGNI integrates with Arista products to exchange user and client context, secure group segmentation (MSS-G), and authentication telemetry data. Additionally, AGNI can fetch advanced profiling, posture, and network inventory data to provide comprehensive policy management and insights into network security. The platform’s API-first approach enables seamless integration with third-party solutions, allowing for the exchange of user and client context, authentication telemetry, and endpoint protection status. AGNI offers Arista’s Unique PSK (UPSK) to enable secure authentication for BYOD, IoT/IoMT, and gaming devices, and extends its feature set to a wide range of client devices with support for captive portal and MBA authentication.

AGNI integrates with Arista NDR and other third-party XDR and EDR solutions for post-admission control functionality.

Edge Threat Management

Bringing Cloud-managed Security & Connectivity to the Network Edge

Edge Threat Management is a comprehensive approach to security orchestration. Consisting of the award-winning NG Firewall, Micro Edge, and ETM Dashboard products, Edge Threat Management gives IT teams the ability to ensure protection, monitoring, and control for all devices, applications, and events on a network. This framework helps administrators enforce a consistent security posture across the entire digital attack surface, putting IT back in control of dispersed networks, hybrid cloud environments, IoT, and mobile devices.

Featured Video: Arista Edge Threat Management

A Complete Network Security Solution

Edge Threat Management brings together a full range of different networking, security and optimization components to meet the needs of connected organizations, from core to cloud to network edge.

NG Firewall

Secure, Monitor and Manage Networks with Unified Threat Management Capabilities

Powerful policy management tools bring commercial-class security and access policies down to the level of specific devices or people, delivering a comprehensive, commercial-grade network security platform for organizations of any size in any industry.

NG Firewall gives IT administrators full access and visibility to monitor, manage, and control their network while also providing protection from evolving threats, simplifying network security implementation.

Micro Edge

Connect Branch Offices and Optimize the Network

Micro Edge is a lightweight network-edge device designed for branch office connectivity, network performance optimization, and business continuity.

Micro Edge uses optimal predictive path selection technology, which incorporates a sophisticated cloud component to identify applications at the first packet. This advanced technology enables Micro Edge to choose the best path for specific applications or categories of network traffic. When performance matters most, such as for business-critical, but bandwidth-intensive applications, Micro Edge will decide in real-time which link to use based on actual current link performance to ensure that traffic utilizes available connections in the most efficient manner.

Micro Edge simplifies and reduces the costs of branch office networking. Micro Edge is a lightweight edge device designed for the needs and budgets of small offices.

ETM Dashboard

Simplify Deployment and Management with Zero Touch Provisioning and Cloud-based Centralized Management

Every NG Firewall and Micro Edge deployment can connect to ETM Dashboard, making it easy to configure and manage one appliance or thousands.

ETM Dashboard’s integration with industry leading endpoint security vendors provides administrators with an easy way to see the status of remote firewalls and branch office routers, manage devices on the network, and initiate endpoint protection scans.

ETM Dashboard allows network administrators or MSPs to remotely view appliance status, bandwidth utilization, and network traffic summaries; gather audit logs of administrative changes, which are key to regulatory compliance; and manage software updates and business-critical data backups.

As organizations transform their digital infrastructure to accommodate hybrid & multi-cloud efforts, a mobile workforce, and the explosion of various IT, OT & IoT devices, the traditional network perimeter has vanished. Simultaneously, attacker tactics continue to evolve and the impact of breaches like ransomware and insider threats can be devastating. Organizations must adopt a zero trust posture with microperimeter-based defenses around each critical digital asset.

Microsegmentation is essential for zero trust

Zero trust is a people, process, and technology framework with controls that enforce explicit access checks for each digital resource in the environment. This framework is a departure from the traditional model that relied on implicit trust, simply because the access originated from a device on the “inside” of the network. Implementing zero trust therefore requires establishing microperimeters around critical assets that need to be protected. This mitigates risk to the organization by impeding attackers' lateral movement and preventing them from reaching the digital crown jewels.

Perimeter firewalls are not designed to cope with the volume and complexity of internal east-west traffic. Microsegmentation solutions have emerged to combat this challenge, establishing access controls based on the identity of the endpoints or applications, rather than on traditional network boundaries like subnets and VRFs. However, these tools have their own challenges. Network-based microsegmentation has historically resulted in inconsistent and fragmented architectures across campus and data center networks, leading to gaps in security coverage and operational complexity. These tools also lock enterprises into single-vendor solutions, due to the use of proprietary protocols. On the other hand, endpoint-based offerings are operationally cumbersome to manage and have limited portability across the variety of enterprise endpoints, therefore excluding significant parts of the organization’s attack surface.

Multi-domain Segmentation Services for Campus and Data Center

Standards-based Microsegmentation with Arista MSS

The Arista Multi-domain Segmentation Services (MSS) deliver four vital capabilities that help organizations overcome deficiencies in existing microsegmentation solutions and place the network firmly at the foundation of an effective zero trust posture.

1. Endpoint identity and microperimeter tags
The first step in planning a microsegmentation strategy consists of binding endpoints, workloads, and even networks to specific microperimeter tags. CloudVision MSS powered by Arista NetDL automates the management of microperimeters by connecting to external sources and dynamically identifying and then tagging the endpoints and workloads. Arista MSS can connect to various external sources like NAC systems, CMDBs, and virtualization infrastructure management solutions such as VMware vSphere.

2. “Zero Trust” policy planning with traffic map
Zero trust architecture principles require that all traffic on the network must be explicitly allowed by security policies. To create zero trust policies, it is vital to have complete visibility into existing traffic flows on the network. This ensures that policies protect the right resources while at the same time not impeding legitimate business-justified flows. Arista MSS maps all the communications within and across different parts of the network and provides a set of recommended policies to only permit trusted communications based on the observed traffic map.

3. Microperimeter enforcement in the network or redirect to Firewall
Arista MSS then distributes the zero trust policies to EOS-powered network switches. In turn, the switches can perform wire-speed distributed enforcement themselves or redirect the traffic to a third-party firewall for stateful L4-7 inspection. Importantly, Arista’s switch-based enforcement overcomes the challenges associated with traditional ACL-based segmentation such as TCAM exhaustion, by leveraging an advanced tagging engine that optimizes hardware utilization and maximizes scalability. Furthermore, because the tags are internal to a switch and are not shared across the network infrastructure, Arista MSS can seamlessly insert into any multi-vendor network. This approach also avoids any proprietary protocols that force organizations into single-vendor networks.

4. Continuous traffic monitoring and visibility of policy violations
Once the zero trust policies are deployed, MSS can monitor for policy violations and report on the specific flows dropped in the network. This gives the administrator the intelligence needed to update the zero trust policies when valid but new services are denied, as well as to monitor specific endpoints that are attempting to violate traffic rules.
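As an added example (not Arista's code, and not how MSS itself is implemented), the four steps above carried through in Python over constructed data: a hard-coded endpoint-to-tag map stands in for step 1's NAC/CMDB lookup, a handful of baseline flow records feed the traffic map and the recommended allow-list of step 2, a policy evaluator models step 3's allow / deny / redirect-to-firewall decision, and a violation report implements step 4. All IP addresses, tags, ports and flows are constructed sample values.

```python
"""Allow-list policy workflow modelled on the four MSS steps (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source endpoint IP
    dst: str      # destination endpoint IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Step 1: endpoint identity -> microperimeter tag.
# Assumed to come from an external source (NAC, CMDB, vSphere); hard-coded here.
TAGS = {
    "10.1.0.10": "web",
    "10.1.0.11": "web",
    "10.2.0.20": "db",
    "10.3.0.30": "camera",
    "10.3.0.31": "camera",
    "10.4.0.40": "nvr",       # network video recorder
}

# Constructed baseline of observed flows (input to step 2).
BASELINE = [
    Flow("10.1.0.10", "10.2.0.20", "tcp", 5432),
    Flow("10.1.0.11", "10.2.0.20", "tcp", 5432),
    Flow("10.3.0.30", "10.4.0.40", "tcp", 554),
    Flow("10.3.0.31", "10.4.0.40", "tcp", 554),
    Flow("10.3.0.30", "10.4.0.40", "tcp", 554),
]


def tag_of(ip):
    """Endpoints with no binding get the catch-all tag 'untagged'."""
    return TAGS.get(ip, "untagged")


def traffic_map(flows):
    """Step 2: aggregate endpoint flows into tag-to-tag communications with counts."""
    counts = Counter()
    for f in flows:
        counts[(tag_of(f.src), tag_of(f.dst), f.proto, f.dport)] += 1
    return counts


def recommend_policies(tmap, min_count=1):
    """Step 2: recommended allow-list = observed tag-to-tag communications.
    Anything not in this set is denied by default (explicit allow only)."""
    return {key for key, n in tmap.items() if n >= min_count}


def evaluate(flow, policies, redirect_tags=frozenset()):
    """Step 3: 'allow' (wire-speed, in the switch), 'redirect' (send to a
    stateful firewall when either side carries a redirect tag) or 'deny'."""
    src_tag, dst_tag = tag_of(flow.src), tag_of(flow.dst)
    if src_tag in redirect_tags or dst_tag in redirect_tags:
        return "redirect"
    return "allow" if (src_tag, dst_tag, flow.proto, flow.dport) in policies else "deny"


def violation_report(flows, policies, redirect_tags=frozenset()):
    """Step 4: dropped flows grouped by source endpoint, for policy review."""
    report = defaultdict(list)
    for f in flows:
        if evaluate(f, policies, redirect_tags) == "deny":
            report[f.src].append((tag_of(f.dst), f.dst, f.proto, f.dport))
    return dict(report)


if __name__ == "__main__":
    policies = recommend_policies(traffic_map(BASELINE))
    later = [
        Flow("10.3.0.30", "10.2.0.20", "tcp", 5432),  # camera -> db: never observed, dropped
        Flow("10.1.0.10", "10.2.0.20", "tcp", 5432),  # web -> db: allowed
    ]
    for src, dropped in violation_report(later, policies).items():
        print(f"{src} ({tag_of(src)}) attempted denied flows: {dropped}")
```

The `untagged` catch-all is the practical edge case: an endpoint that no external source has bound to a tag should not silently land in an allow rule, so it is either denied or, as the `redirect_tags` argument shows, handed to the firewall for stateful inspection until it has been identified.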

There are a number of wireless threat vectors that network managers need to defend against. One of the more common types of threats to WLANs is from rogue APs. An analysis of Wireless Intrusion Prevention Systems (WIPS) that are available today reveals that many require a high level of administration and often provide less-than-trustworthy rogue AP detection. Organizations that depend on these less capable systems often have a false sense of security as their networks are in fact vulnerable to breaches via rogue APs. Less capable WIPS are also prone to raising false alarms, which can lead administrators to ignore alerts or turn notifications off altogether, leaving their organizations unprotected. In contrast to competing WIPS offerings, the industry leading solution from Arista Networks requires a minimal amount of management overhead while providing reliable rogue AP detection and prevention.

Rogue Access Points

Rogue APs can be defined as any unauthorized AP that is connected to an authorized network. Rogue APs can appear on the enterprise network either due to naïve acts of employees or due to malicious attempts by insiders. Rogue APs are a serious threat to enterprise networks as they allow unauthorized wireless access to the private network and data, as shown in the diagram below.

Rogue Access Points

Rogue AP detection approaches

A naïve way to detect rogue APs in the LAN is to declare every AP seen in the air that does not belong to the list of authorized APs as rogue. In fact, many WIPS available in the market will actually follow this approach, by default. Such an approach has the following disadvantages:

  • False alarms: A security alert would be raised even for a non-authorized AP that is seen in the air but is not actually connected to the monitored wired network, and as such poses no security threat.
  • Manual intervention: The system administrator has to manually examine the non-authorized APs visible in the air to decide which of them are actual rogue APs and which are external APs (i.e., neighbor APs).
  • No automatic instantaneous prevention: Since it is highly undesirable to block neighbors' APs accidentally or indiscriminately, instantaneous and automatic blocking of rogue APs is not possible with such an approach.

Arista Approach

Using Arista's patented Marker Packet™ techniques, Arista Wireless Intrusion Prevention System (WIPS) automatically and quickly classifies wireless devices detected in the airspace as Authorized, Rogue and External. As a result, security administrators do not need to manually inspect devices or define complex rules to identify rogue wireless devices. This is better than the error-prone device classification integrated into most other WLAN solutions, which relies on slow and inconclusive CAM table lookups and MAC correlation, signatures, or passive wired network sniffing.
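As an added example (not Arista's code), the naive rule from the previous section set beside the three-way Authorized / Rogue / External classification described here, in Python over constructed data. Whether a non-authorized AP actually bridges into the monitored wired network is taken as a constructed input (`ON_WIRE`): the page does not describe how the Marker Packet technique establishes that evidence, so the set simply stands in for its result. All BSSIDs and SSIDs are made up.

```python
"""Naive vs. on-wire rogue AP classification (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str


# Constructed data: what a wireless sensor sees in the air.
OBSERVED = [
    ObservedAP("00:11:22:33:44:01", "corp-wifi"),   # authorized corporate AP
    ObservedAP("00:11:22:33:44:02", "corp-wifi"),   # authorized corporate AP
    ObservedAP("aa:bb:cc:dd:ee:10", "cafe-guest"),  # neighbor AP across the street
    ObservedAP("aa:bb:cc:dd:ee:11", "Office-Ext"),  # unauthorized AP plugged into the LAN
]
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Constructed on-wire evidence: BSSIDs confirmed to be attached to the monitored LAN.
ON_WIRE = {"00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:11"}


def classify_naive(observed, authorized):
    """Naive rule: anything in the air that is not on the authorized list is 'Rogue'."""
    return {ap.bssid: ("Authorized" if ap.bssid in authorized else "Rogue")
            for ap in observed}


def classify_on_wire(observed, authorized, on_wire):
    """Three-way rule: a non-authorized AP is 'Rogue' only if it is attached to the
    monitored wired network; otherwise it is 'External' (a neighbor, no threat)."""
    result = {}
    for ap in observed:
        if ap.bssid in authorized:
            result[ap.bssid] = "Authorized"
        elif ap.bssid in on_wire:
            result[ap.bssid] = "Rogue"
        else:
            result[ap.bssid] = "External"
    return result


def alerts(classification):
    """Only 'Rogue' APs raise an alert. With the three-way rule this set contains no
    neighbor AP, so it is also the set that can safely be blocked automatically."""
    return sorted(b for b, c in classification.items() if c == "Rogue")


def false_alarms(naive, on_wire_based):
    """BSSIDs the naive rule alerts on although they are External."""
    return sorted(b for b, c in naive.items()
                  if c == "Rogue" and on_wire_based.get(b) == "External")


if __name__ == "__main__":
    naive = classify_naive(OBSERVED, AUTHORIZED)
    three_way = classify_on_wire(OBSERVED, AUTHORIZED, ON_WIRE)
    print("naive alerts:   ", alerts(naive))
    print("on-wire alerts: ", alerts(three_way))
    print("false alarms avoided:", false_alarms(naive, three_way))
```

The quality of the three-way result is only as good as the on-wire evidence feeding it, which is exactly the point the page makes about CAM-table lookups and MAC correlation: an unreliable source turns External APs into Rogue alerts (false alarms) or, worse, lets a bridged AP be filed as External.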

Arista WIPS focuses on the primary threat vectors and vulnerabilities that form the building blocks for all known and emerging Wi-Fi hacking attacks and tools. It offers comprehensive protection from all types of wireless threats, including Rogue APs, Soft APs, Honeypots, Wi-Fi DoS, Ad-hoc networks, Client misassociation, and Mobile hotspots.

Highlighted capabilities

  1. Automatically detects, blocks and locates all types of wireless threats
  2. Patented Marker Packet™ techniques eliminate false alarms in 'on wire' Rogue AP detection
  3. Secure BYOD policy enforcement
  4. Off-line sensor mode for fault tolerant continuous policy enforcement
  5. Detects and locates 'non Wi-Fi' interference & RF jamming
  6. Remote troubleshooting including remote 'live packet capture'
  7. Management options include virtual server or cloud