From network security to secure networks
A new age of edge-less, multi-cloud, multi-device collaboration for hybrid work has given rise to a new network that transcends perimeters. As hybrid work models take hold on this new network, organizations must address an attack surface that grows with every added device, cloud service, and location. Continuously evolving cyber threats can no longer be mitigated by reactive, bolt-on security measures; instead, security needs to permeate everything that happens on the network today.
Security measures need to pivot from a reactive posture to a proactive one built on continuous, context-aware network monitoring, so that a threat is detected before it can escalate into a data breach.
Being secure in the new network, the zero trust way.
A zero trust networking approach to security is paramount for organizations looking to build a robust cybersecurity ecosystem today. Based on the premise that no user, device, or application is trusted implicitly and that every access is verified explicitly, zero trust security provides visibility and control over enterprise network activity, regardless of which device, application, or user is accessing a resource.
This paradigm shift has prompted best-in-class enterprises to bake security into the core of their network infrastructure. Implementing security at this layer reduces operational cost and complexity and gives organizations a consistent vantage point from which to track and manage threats coming in from the wider attack surface.
Zero Trust Networking
Arista’s zero trust networking principles help customers build security into the network by default rather than making it a bolt-on. Based on NIST 800-207, the Arista approach delivers situational awareness, continuous diagnostics, and zero trust enforcement, three key pillars of a zero-trust architecture.
- Situational Awareness: Arista uses its core switching and routing infrastructure, management plane, monitoring, and security fabric to deliver visibility into everything on the network, whether or not it is managed by the corporate IT team. With Arista, organizations know not only which entities (devices, users, applications, and so on) are on the network but also the switch port each of them communicates over.
- Continuous Diagnostics: The Arista NDR platform monitors the network, identifying entities that are compromised or acting with malicious intent. This information is key to driving access and admission control decisions that can isolate and quarantine compromised entities from the network.
- Enforcement: Finally, Arista’s segmentation and encryption technologies allow enforcement and controls to protect access to critical assets. Moreover, extensive integrations with major security and IT infrastructure providers enable additional enforcement mechanisms.
Arista Security: Zero Trust Everywhere
The new network needs security that can scale and adapt based on context. Traditional security measures were simply not built to scale for the new network. Legacy solutions are not deeply integrated to ensure real-time context flows through the entire system. Most organizations today struggle with a security strategy that relies on multiple vendors and individual point solutions that are narrowly focused.
How does Arista help? As evidenced by the Universal Cloud Network (UCN) architecture, Arista helps customers build networks that are secure by design. Arista’s zero trust portfolio eliminates the need for several separate network monitoring and security tools, instead delivering a unified architecture that provides real-time visibility into the threat posture across the network together with the ability to take action. Arista is uniquely positioned to deliver these capabilities across a variety of networks: from the campus to the data center and the cloud.
Zero Trust for the Data Center:
Arista’s DFX solution combines the network packet filtering, forwarding, and storage capabilities of DANZ Monitoring Fabric (DMF) with the advanced Network Detection and Response (NDR) capabilities of the Arista NDR Platform powered by AVA. DFX is the industry's first multi-hundred-gigabit NDR solution, allowing security teams to capture and monitor aggregated data center traffic, detect malicious intent or potential threats, and provide full-packet network forensics.
DFX delivers visibility at the network, device, workload, application, and user level while also enabling autonomous threat hunting, detection, and response. It also offers fully programmable, API-friendly capabilities, from selecting the specific traffic to be monitored to creating custom threat hunting models for threats unique to an enterprise’s data center and applications.
Zero Trust for the Cognitive Campus:
Arista’s zero trust campus solution embeds AVA NDR sensors into the switches and is thus uniquely able to offer a deep packet inspection security analytics solution built into the campus network fabric. Unlike legacy NetFlow-based solutions, whose visibility is limited to IP addresses, ports, and protocol identifiers, Arista AVA sensors analyze the full packet for a number of protocols and send the extracted information to the NDR nucleus for further analysis.
AVA sensors in the fabric, combined with threat hunting capabilities, give the enterprise broader visibility and deeper traffic analysis across the campus (applications, endpoints, IoT devices, and users), along with an integrated solution that enables both manual and automated remediation actions.
Key Arista Security Offerings
Network Detection and Response:
The Arista NDR platform is built on a foundation of deep network analysis across the campus, data center, IoT, and cloud workload networks and offers the continuous diagnostics and monitoring capabilities that are critical to a successful NIST 800-207 zero trust architecture. Arista’s NDR parses over three thousand protocols and processes layer 2 through layer 7 data, including encrypted traffic analysis. The platform analyzes encrypted traffic to identify important context such as the nature of the traffic (for example, a file transfer or an interactive shell), the applications communicating, and the presence of remote access, all without requiring decryption of the data.
Arista NDR enables customers to discover, profile, and track devices, users, and applications using AI-based fingerprinting, and to automate threat hunting, triage, investigation, and response. It enables security analysts to uncover not just malware but end-to-end attacks driven by malicious intent, with low false-positive and false-negative rates.
Powered by AVA (Autonomous Virtual Assist), the world’s first AI-based security expert system, Arista NDR automatically connects the dots across time, entities, and protocols, so that the solution presents end-to-end situations to security teams rather than a flood of disconnected alerts. Security analysts can see the entire scope of an attack, along with investigation and remediation options, on a single pane of glass.
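The encrypted traffic analysis described above works on metadata that survives encryption: the sizes, directions, and timing of the records inside a flow, none of which a NetFlow record (5-tuple plus byte and packet counts) carries. The following Python is an added example, not Arista's NDR code or detection model: it extracts such features from a constructed flow record and applies hand-written thresholds to tell an interactive shell from a bulk file transfer without reading a single payload byte. The flow layout, the thresholds, and the two sample flows are assumptions for illustration.

```python
"""Encrypted traffic analysis from flow metadata only (added example).

Labels a TLS- or SSH-like flow as an interactive shell or a bulk transfer
from record sizes, directions and inter-arrival times. No payload is read.
Thresholds and sample flows are constructed assumptions, not Arista's models.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import List, Tuple

# One packet: (timestamp_seconds, direction, payload_bytes)
# direction is +1 for client -> server and -1 for server -> client.
Packet = Tuple[float, int, int]

SMALL_PAYLOAD = 128   # bytes; keystroke/echo records stay below this (assumption)
BULK_PAYLOAD = 1000   # bytes; near-MSS records indicate streaming data (assumption)


@dataclass
class FlowFeatures:
    packets: int
    bytes_up: int            # client -> server
    bytes_down: int          # server -> client
    median_size: int
    small_fraction: float    # share of records with payload <= SMALL_PAYLOAD
    turn_ratio: float        # share of consecutive records that reverse direction
    mean_gap_ms: float       # mean inter-arrival time


def extract_features(pkts: List[Packet]) -> FlowFeatures:
    """Reduce a packet sequence to side-channel features available without decryption."""
    if not pkts:
        raise ValueError("empty flow")
    sizes = [size for _, _, size in pkts]
    pairs = list(zip(pkts, pkts[1:]))
    turns = sum(1 for a, b in pairs if a[1] != b[1])
    gaps_ms = [(b[0] - a[0]) * 1000.0 for a, b in pairs]
    return FlowFeatures(
        packets=len(pkts),
        bytes_up=sum(size for _, d, size in pkts if d > 0),
        bytes_down=sum(size for _, d, size in pkts if d < 0),
        median_size=int(median(sizes)),
        small_fraction=sum(1 for s in sizes if s <= SMALL_PAYLOAD) / len(sizes),
        turn_ratio=turns / len(pairs) if pairs else 0.0,
        mean_gap_ms=mean(gaps_ms) if gaps_ms else 0.0,
    )


def classify(f: FlowFeatures) -> str:
    """Hand-written rules standing in for a trained model."""
    # Interactive shell: tiny records, strict request/echo turn-taking, human-paced gaps.
    if f.small_fraction > 0.7 and f.turn_ratio > 0.6 and f.mean_gap_ms > 50.0:
        return "interactive-shell"
    # Bulk transfer: large records flowing mostly one way with little turn-taking.
    if f.median_size >= BULK_PAYLOAD and f.turn_ratio < 0.2:
        return "file-transfer-download" if f.bytes_down > f.bytes_up else "file-transfer-upload"
    return "unclassified"


def label_flow(pkts: List[Packet]) -> str:
    return classify(extract_features(pkts))


def constructed_shell_flow() -> List[Packet]:
    """Constructed SSH-like session: 40 keystrokes, each echoed 8 ms later, 120 ms apart."""
    pkts, t = [], 0.0
    for _ in range(40):
        pkts.append((t, +1, 36))   # keystroke record
        t += 0.008
        pkts.append((t, -1, 36))   # server echo record
        t += 0.120
    return pkts


def constructed_download_flow() -> List[Packet]:
    """Constructed HTTPS-like download: one request, then 200 near-MSS server records."""
    pkts, t = [(0.0, +1, 200)], 0.001
    for _ in range(200):
        pkts.append((t, -1, 1400))
        t += 0.0005
    return pkts


if __name__ == "__main__":
    for name, flow in (("shell", constructed_shell_flow()), ("download", constructed_download_flow())):
        print(name, label_flow(flow), extract_features(flow))
```

The shell flow is recognised purely from its turn-taking rhythm and tiny record sizes, the download from a long run of near-MSS records in one direction; a real system replaces the two `if` rules with a model trained on labelled flows, but the feature set is the point: none of it requires the session key.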
Arista NDR can be deployed on-premises, in the cloud, and in hybrid mode, depending on the customer’s needs.
DANZ Monitoring Fabric:
Arista DANZ Monitoring Fabric (DMF) is a next-generation network packet broker (NPB) designed for pervasive network observability, delivering real-time and historical insights into the organization’s physical, virtual, and container environments. Powered by software-defined networking (SDN) controls and built on cloud principles, DMF delivers a new class of NPB for pervasive hybrid-cloud visibility. It provides packet recording intelligence, deep hop-by-hop visibility, predictive analytics, and scale-out packet capture, integrated through a single dashboard, which simplifies network performance monitoring (NPM) and security monitoring workflows and gives real-time and historical context across on-premises data centers, enterprise campus/branch networks, and 4G/5G mobile networks.
DMF enables a high-performance, integrated NPB, analytics, and packet capture solution that supports rapid detection and analysis of network performance and security anomalies. In addition, DMF leverages merchant-silicon switches and commodity hardware to provide significant capital and operational savings. By contrast, the traditional NPB approach has a high TCO due to ever-expanding box-by-box deployment, proprietary NPB hardware, and under-utilization or inefficient use of tools caused by organizational silos.
Segmentation:
The Arista Macro-Segmentation Service (MSS) solution set provides several leading-edge segmentation options while continuing to support existing models such as VRFs, VXLANs, and PACLs. This approach provides a suite of capabilities for integrating security policy with the network through open and consistent segmentation across domains, from the campus to the data center to the cloud.
The Multi-Domain Segmentation (MSS®) solution for enterprise-wide use cases is open and standards-based, with best-of-breed partner integrations and well-defined APIs. MSS-Group applies authorization policies to security segment groups rather than to interfaces, subnets, or physical ports: IP addresses and/or IP subnets are placed into administratively defined security segment groups, and a policy attached to each group defines which inter-group and intra-group communication is permitted.
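A worked illustration of the group model: the Python below is an added example, not Arista's MSS configuration syntax or API. It assigns IP prefixes to constructed segment groups, resolves an address to its group by longest-prefix match, and evaluates a constructed inter/intra-group allow-list for a given service. The group names, prefixes, services, and the quarantine group are assumptions for illustration. Two checks a practitioner wants in any group-based policy are included: an endpoint that falls in no group is denied by default, and a more specific prefix (here a single quarantined host) overrides the group of the broader subnet containing it, so overlapping prefixes should be audited deliberately rather than discovered by accident.

```python
"""Group-based segmentation policy evaluation (added example).

Models the idea in the text: addresses and subnets are assigned to
administratively defined segment groups and policy is written between
groups, not interfaces. Group names, prefixes and services are constructed;
this is not Arista's configuration syntax or API.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed group membership. A /32 pins a single host to a group.
GROUPS: Dict[str, List[str]] = {
    "corp-users":  ["10.10.0.0/16"],
    "iot-cameras": ["10.20.5.0/24"],
    "web-tier":    ["10.30.2.0/24"],
    "db-servers":  ["10.30.1.10/32", "10.30.1.11/32"],
    # Hypothetical: a host inside corp-users that continuous diagnostics flagged
    # as compromised. Its /32 is more specific, so it leaves corp-users policy.
    "quarantine":  ["10.10.77.5/32"],
}

# Constructed allow-list keyed by (initiator_group, responder_group) -> services.
# An absent pair means deny. Only the initiating direction is listed; return
# traffic is handled by stateful inspection. "*" permits any service.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("corp-users", "web-tier"):     {"tcp/443"},
    ("web-tier", "db-servers"):     {"tcp/5432"},
    ("db-servers", "db-servers"):   {"tcp/5432"},   # replication only
    ("iot-cameras", "iot-cameras"): {"*"},          # intra-group, any service
}


def _compile(groups: Dict[str, List[str]]) -> List[Tuple[Net, str]]:
    """Flatten groups into (prefix, group) rows, most specific prefix first."""
    rows = [(ipaddress.ip_network(p, strict=True), g) for g, ps in groups.items() for p in ps]
    rows.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return rows


TABLE = _compile(GROUPS)


def group_of(ip: str) -> Optional[str]:
    """Longest-prefix match; None means the address belongs to no group."""
    addr = ipaddress.ip_address(ip)
    for net, group in TABLE:
        if addr.version == net.version and addr in net:
            return group
    return None


@dataclass
class Decision:
    permitted: bool
    src_group: Optional[str]
    dst_group: Optional[str]
    reason: str


def evaluate(src_ip: str, dst_ip: str, service: str) -> Decision:
    """Decide whether src may initiate `service` (e.g. "tcp/443") toward dst."""
    sg, dg = group_of(src_ip), group_of(dst_ip)
    if sg is None or dg is None:
        return Decision(False, sg, dg, "endpoint in no group: default deny")
    allowed = POLICY.get((sg, dg))
    if not allowed:
        return Decision(False, sg, dg, f"no policy {sg} -> {dg}: default deny")
    if "*" in allowed or service in allowed:
        return Decision(True, sg, dg, f"{service} allowed by {sg} -> {dg}")
    return Decision(False, sg, dg, f"{service} not in {sg} -> {dg} allow-list")


def is_permitted(src_ip: str, dst_ip: str, service: str) -> bool:
    return evaluate(src_ip, dst_ip, service).permitted


def shadowed_prefixes() -> List[Tuple[str, str, str, str]]:
    """Audit helper: prefixes of one group nested inside a prefix of another group.

    Rows are (inner_group, inner_prefix, outer_group, outer_prefix); the inner
    prefix silently wins longest-prefix match for the addresses it covers.
    """
    rows = []
    for inner, g_in in TABLE:
        for outer, g_out in TABLE:
            if (g_in != g_out and inner.version == outer.version
                    and inner != outer and inner.subnet_of(outer)):
                rows.append((g_in, str(inner), g_out, str(outer)))
    return sorted(rows)


if __name__ == "__main__":
    for s, d, svc in (("10.10.3.4", "10.30.2.20", "tcp/443"),
                      ("10.10.3.4", "10.30.1.10", "tcp/5432"),
                      ("10.10.77.5", "10.30.2.20", "tcp/443")):
        print(s, "->", d, svc, evaluate(s, d, svc))
    print("shadowed:", shadowed_prefixes())
```

Because policy is keyed on group pairs, moving a host between groups (for example, into the quarantine group after an NDR verdict) changes its reachability everywhere without touching a single interface or subnet ACL; the `shadowed_prefixes()` report is the check that makes such overrides visible to whoever reviews the policy.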
Arista also supports segmentation via flexible placement of firewall policy across DMZ edge, data center, and campus networks. Additionally, security policies can also be extended to virtualized workloads.
Finally, Arista also simplifies cloud workload segmentation by leveraging stateful inspection mechanisms and logical zone groupings. Importantly, this capability is cloud-agnostic, working consistently across any cloud network including Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Securing the New Network with a Unified Security Strategy
Networks have evolved over the last 20 to 30 years, but network security has not kept pace. Siloed traditional models persist, and most organizations run several diverse cybersecurity solutions patched together to address known threats. Arista is the only modern AI-driven security platform that offers the key building blocks for a zero trust strategy: automated, advanced threat hunting as well as network forensics. Arista’s solutions are designed to scale and support a variety of networks. Arista’s security approach allows organizations to proactively set up enforcement mechanisms via scalable encryption and segmentation; to enable predictive analytics that uncover malicious intent as early in the attack lifecycle as possible; and to deliver prescriptive guidance so analysts can take remedial action. Arista’s security solutions support out-of-the-box automated integrations with the rest of the infrastructure while also delivering the decision-support data the human analyst needs.
Edge Threat Management
Bringing Cloud-managed Security & Connectivity to the Network Edge
Edge Threat Management is a comprehensive approach to security orchestration. Consisting of the award-winning NG Firewall, Micro Edge, and Command Center products, Edge Threat Management gives IT teams the ability to ensure protection, monitoring, and control for all devices, applications, and events on a network. This framework helps administrators enforce a consistent security posture across the entire digital attack surface, putting IT back in control of dispersed networks, hybrid cloud environments, and IoT and mobile devices.
A Complete Network Security Solution
Edge Threat Management brings together a full range of different networking, security and optimization components to meet the needs of connected organizations, from core to cloud to network edge.

NG Firewall
Secure, Monitor and Manage Networks with Unified Threat Management Capabilities
Powerful policy management tools bring commercial-class security and access policies down to the level of specific devices or people, delivering a comprehensive, commercial-grade network security platform for organizations of any size in any industry.
NG Firewall gives IT administrators full visibility and control to monitor, manage, and secure their network while protecting it from evolving threats, simplifying network security implementation.
Micro Edge
Connect Branch Offices and Optimize the Network
Micro Edge is a lightweight network-edge device designed for branch office connectivity, network performance optimization, and business continuity.
Micro Edge uses predictive path selection, which incorporates a cloud component to identify applications at the first packet. This allows Micro Edge to choose the best path for specific applications or categories of network traffic. When performance matters most, such as for business-critical but bandwidth-intensive applications, Micro Edge decides in real time which link to use based on measured current link performance, so that traffic uses the available connections as efficiently as possible.
Micro Edge simplifies branch office networking and reduces its cost, and is designed for the needs and budgets of small offices.
Command Center
Simplify Deployment and Management with Zero Touch Provisioning and Cloud-based Centralized Management
Every NG Firewall and Micro Edge deployment can connect to Command Center, making configuring and managing one appliance, or thousands of appliances, easy.
Command Center’s integration with industry leading endpoint security vendors provides administrators with an easy way to see the status of remote firewalls and branch office routers, manage devices on the network, and initiate endpoint protection scans.
Command Center allows network administrators or MSPs to remotely view appliance status, bandwidth utilization, and network traffic summaries; gather audit logs of administrative changes, which are key to regulatory compliance; and manage software updates and backups of business-critical data.
Literature
- CloudVision Macro-Segmentation Service Solution Brief
- Arista Zero Trust Security for Cloud Networking White Paper
- DANZ Monitoring Fabric Datasheet
- Zone Segmentation Security Technical Brief
- Secure Cloud Segmentation with Arista Networks and Zscaler Solution Brief
- CloudVision White Paper
- Arista Macro Segmentation Service - Firewall At-A-Glance
- Security Monitoring with DANZ
- Security for the Cloud Data Center White Paper
- LogRhythm Network Monitor Datasheet
- Extending Secure Segmentation with VMware NSX
- Building Your Zero Trust Strategy with NIST 800-207 and Arista NDR
- The 5 Levels of Autonomous Security: What Level Are You?
- Top 4 Roadblocks to SOC Productivity
- Arista Networks Multi-Domain Macro-Segmentation Service Group (MSS-G)
Case Studies
- Edge Threat Management
Video
- Network Detection and Response Demo – Awake in 3 Minutes
- Innovate 2021 – Security Roundtable
- TAG Cyber interviews Rahul Kashyap on the Technical Aspects of the New Network
- TAG Cyber interviews Rahul Kashyap on the Business Problems & Challenges of the New Network
- Cloud Visibility Solutions with Arista DANZ
- Enterprise Wide Contextual Analysis with DMF