From network security to secure networks

A new age of edge-less, multi-cloud, multi-device collaboration for hybrid work has given rise to a new network that transcends perimeters. As hybrid work models continue to gain precedence through the new network, it has become vital for organizations to address the cascading attack surface. Continuously evolving cyber threats can no longer be mitigated by reactionary bolt-on security measures. Instead, organizations need security to permeate everything that happens on the network today.

Security measures need to pivot from reactive to a more proactive approach of continuous contextual network monitoring that ensures a threat is detected before it can proliferate to a data breach.

Being secure in the new network, the zero trust way.

A zero trust networking approach to security is paramount for organizations looking to build a robust cybersecurity ecosystem today. Based on the premise of explicit trust, zero trust security ensures complete visibility and control over any enterprise network activity, regardless of which device, application, or user is accessing that resource.

This paradigm shift has prompted best-in-class enterprises to bake security into the core of their network infrastructure. Implementing security at this layer reduces operational costs and complexity and represents the most effective way to track and successfully manage threats coming in from the wider attack surface.

Zero Trust Networking

Arista’s zero trust networking principles help customers build security into the network by default rather than making it a bolt-on. Based on NIST 800-207, the Arista approach delivers situational awareness, continuous diagnostics, and zero trust enforcement, three key pillars of a zero-trust architecture.

  • Situational Awareness: Arista uses its core switching and routing infrastructure, management plane, monitoring, and security fabric to deliver unprecedented visibility to everything on the network–whether managed or unmanaged by the corporate IT team. With Arista, organizations not only know the entities–devices, users, applications, etc.--on the network but the switch port these communicate over.
  • Continuous Diagnostics: The Arista NDR platform monitors the network, identifying entities that are compromised or acting with malicious intent. This information is key to driving access and admission control decisions that can isolate and quarantine compromised entities from the network.
  • Enforcement: Finally, Arista’s segmentation and encryption technologies allow enforcement and controls to protect access to critical assets. Moreover, extensive integrations with major security and IT infrastructure providers enable additional enforcement mechanisms.

Arista Security: Zero Trust Everywhere

The new network needs security that can scale and adapt based on context. Traditional security measures were simply not built to scale for the new network. Legacy solutions are not deeply integrated to ensure real-time context flows through the entire system. Most organizations today struggle with a security strategy that relies on multiple vendors and individual point solutions that are narrowly focused.

How does Arista help? As evidenced with the Universal Cloud Network (UCN) architecture, Arista helps customers build networks that are secure by design. Arista’s zero trust portfolio eliminates the need for several network monitoring and security tools, instead delivering a unified architecture that provides real-time visibility to the threat posture across the network and the ability to take action. Arista is uniquely positioned to deliver these capabilities across a variety of networks: from the campus to the data center and the cloud.

Zero Trust for the Data Center:

Arista’s DFX solution combines the network packet filtering, forwarding, and storage capabilities of DANZ Monitoring Fabric (DMF) with the advanced Network Detection and Response (NDR) capabilities of the Arista NDR Platform powered by AVA. Arista is the industry's first multi-hundred gigabit solution for NDR that allows security teams to capture and monitor aggregated data center traffic, detect mal-intent or potential threats and provide full packet network forensics.

DFX delivers visibility at the network, device, workload, application, and user-level while also enabling autonomous threat hunting, detection, and response. It also offers fully programmable and API-friendly capabilities: from selecting the specific traffic to be monitored to easily creating custom threat hunting models for threats unique to an enterprise’s data center and applications.

Zero Trust for the Cognitive Campus:

Arista’s zero trust campus solution embeds AVA NDR sensors into the switches and is thus uniquely able to offer a deep packet-inspection security analytics solution built into the campus network fabric. Unlike legacy NetFlow-based solutions that are limited in their depth of visibility–just port and IP address information along with the protocols, Arista AVA sensors analyze the full packet for a number of protocols and send that information to the NDR nucleus for further analysis.

Having AVA sensors and threat hunting capabilities provides the enterprise with broader visibility and increased traffic analysis across the campus (applications, endpoints, IoT devices, and users) and an integrated solution that enables both manual and automated remediation actions. .

Key Arista Security Offerings

Network Detection and Response:

The Arista NDR platform is built on a foundation of deep network analysis across the campus, data center, IoT, and cloud workload networks and offers continuous diagnostics and monitoring capabilities that are critical to a successful NIST 800-207 zero trust architecture. Arista’s NDR parses over three thousand protocols and processes layer 2 through layer 7 data, including performing encrypted traffic analysis. The platform analyzes encrypted traffic to identify important context such as the nature of traffic (including file transfers, and interactive shell), the applications communicating and the presence of remote access, all without forcing data decryption.

Arista NDR enables customers to discover, profile, and track devices, users, and applications using AI-based fingerprinting and automate threat hunting, triage, investigation & response skills. The NDR enables security analysts to uncover not just malware but end-to-end mal-intent attacks with low false positives and negatives.

Powered by AVA (Autonomous Virtual Assist), the world’s first AI-based security expert system, Arista NDR automatically connects the dots across the dimensions of time, entities, and protocols, enabling the solution to present end-to-end situations to security teams rather than a plethora of meaningless alerts. Security analysts can see the entire scope of an attack along with investigation and remediation options on a single pane of glass.

Arista NDR can be deployed on-premises, in the cloud, and in hybrid mode, depending on the customer’s needs.

For more information about Arista NDR: Click Here

DANZ Monitoring Fabric:

Arista DANZ Monitoring Fabric (DMF) is a next-generation network packet broker (NPB) designed for pervasive network observability, delivering real-time and historical insights into the organization’s physical, virtual, and container environments. DMF, powered by software-defined networking (SDN) controls and leveraging cloud principles, delivers a new class of Network Packet Brokers (NPBs) for pervasive hybrid-cloud visibility. DMF provides packet recording intelligence, deep hop-by-hop visibility, predictive analytics, and scale-out packet capture — integrated through a single dashboard — enables simplified network performance monitoring (NPM) and security monitoring workflows for real-time and historical context across on-premise data centers, enterprise campus/branch, and 4G/5G mobile networks.

DMF enables a high-performance, integrated NPB + analytics + packet capture solution that supports rapid detection and analysis of network performance and security anomalies. In addition, DMF leverages merchant-silicon switches and commodity hardware to provide significant capital and operational savings. By contrast, the traditional NPB-based approach has high TCO due to ever-expanding box by-box deployment, proprietary NPB hardware, and under-utilization of tools or inefficient use of them due to organizational silos.

For more information about Arista DMF: Click Here


The Arista Macro-Segmentation Service (MSS) solution set provides several leading-edge segmentation options while continuing to support legacy models such as VRFs, VXLANs, and PACLs. This approach provides a suite of capabilities for integrating security policy with the network through open and consistent segmentation across domains - campus to the data center to cloud.

Multi-Domain Segmentation (MSS®) solution for enterprise-wide use cases - is open, standards-based, best-of-breed partner integrations, and well-defined APIs. MSS-Group applies authorization policies to security segment groups rather than interfaces, subnets, or physical ports. IP addresses and/or IP subnets are placed into administratively defined security segment groups. Policies are applied to each group that defines both inter and intra-segment group communication.

Arista also supports segmentation via flexible placement of firewall policy across DMZ edge, data center, and campus networks. Additionally, security policies can also be extended to virtualized workloads.

Finally, Arista also simplifies cloud workload segmentation by leveraging stateful inspection mechanisms and logical zone groupings. Importantly, this capability is cloud-agnostic, working consistently across any cloud network including Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

For more information about Arista MSS: Click Here

Securing the New Network with a Unified Security Strategy

Networks have evolved in the last 20 to 30 years but network security still hasn’t. Siloed traditional models persist. Most organizations have several diverse cybersecurity solutions that are patched together to fix known threats. Arista is the only modern AI-driven security platform that offers key building blocks for a zero-trust strategy, automated and advanced, threat hunting as well as network forensics. Arista’s solutions are designed to scale and support a variety of networks. Arista’s security approach allows organizations to proactively set up enforcement mechanisms via scalable encryption and segmentation approaches; enable predictive analytics that uncover malicious intent as early in the attack lifecycle as possible, and deliver prescriptive guidance so analysts can take remedial action. Arista’s security solutions support out-of-the-box automated integrations with the rest of the infrastructure while also delivering the necessary decision support data to the human analyst.

Edge Threat Management

Bringing Cloud-managed Security & Connectivity to the Network Edge

Edge Threat Management is a comprehensive approach to security orchestration. Consisting of the award winning NG Firewall, Micro Edge and Command Center products, Edge Threat Management provides IT teams with the ability to ensure protection, monitoring and control for all devices, applications, and events on a network. This framework helps administrators enforce a consistent security posture across the entire digital attack surface—putting IT back in control of dispersed networks, hybrid cloud environments, IoT and mobile devices.

Featured Video: Arista Edge Threat Management

A Complete Network Security Solution

Edge Threat Management brings together a full range of different networking, security and optimization components to meet the needs of connected organizations, from core to cloud to network edge.


NG Firewall

Secure, Monitor and Manage Networks with Unified Threat Management Capabilities

Powerful policy management tools bring commercial-class security and access policies down to the level of specific devices or people, delivering a comprehensive, commercial-grade network security platform for organizations of any size in any industry.

Enabling IT administrators full access and visibility to monitor, manage, and control their network while also providing protection from evolving threats, NG Firewall simplifies network security implementation for IT administrators.

Micro Edge

Connect Branch Offices and Optimize the Network

Micro Edge is a lightweight network-edge device designed for branch office connectivity, network performance optimization, and business continuity.

Micro Edge uses optimal predictive path selection technology, which incorporates a sophisticated cloud component to identify applications at the first packet. This advanced technology enables Micro Edge to choose the best path for specific applications or categories of network traffic. When performance matters most, such as for business-critical, but bandwidth-intensive applications, Micro Edge will decide in real-time which link to use based on actual current link performance to ensure that traffic utilizes available connections in the most efficient manner.

Micro Edge simplifies and reduces the costs of branch office networking. Micro Edge is a lightweight edge device designed for the needs and budgets of small offices.

Command Center

Simplify Deployment and Management with Zero Touch Provisioning and Cloud-based Centralized Management

Every NG Firewall and Micro Edge deployment can connect to Command Center, making configuring and managing one appliance, or thousands of appliances, easy.

Command Center’s integration with industry leading endpoint security vendors provides administrators with an easy way to see the status of remote firewalls and branch office routers, manage devices on the network, and initiate endpoint protection scans.

Command center allows network administrators or MSPs to remotely view appliance status, bandwidth utilization and network traffic summaries, gathering valuable auditing logs about administrative changes, key to regulatory compliance, and manage software updates and business-critical data backups.