Arista targets lateral security threat in campus and data center networks

Arista Networks is bolstering a key part of its security software with new features that help customers reduce the blast radius of security breaches by setting up “microperimeters” to restrict lateral movement in campus and data center networks.

The new features are in the vendor’s Macro-Segmentation Service (MSS) software, which is an extension of its core Extensible Operating System (EOS) software. They’re tightly integrated with the company’s CloudVision management platform, which provides wired and wireless visibility, orchestration, provisioning, telemetry, automation and analytics across the data center, campus, and IoT devices on edge networks.

One rationale for microperimeters is the idea that firewalls are not optimized to protect against all lateral movement, which would require a proliferation of security appliances, soaring costs, and an explosion of complex rule sets that would still fail to protect against lateral movement, according to Arista.

“Historically, adding multiple layers of network security with the consequential add-on hardware deployments, ongoing operational costs, and configuration changes needed at the network infrastructure level has been cumbersome. These mechanisms are even less effective for the new network,” wrote Arista CEO Jayshree Ullal in a blog about the enhancements.

With MSS, east-west lateral protection is enabled by what Arista describes as stateless wire-speed enforcement in the network, which delivers zero-trust segmentation and enforcement to prevent that movement. “Thus, the network switch creates the microperimeters, while the classical firewall can continue inspecting north-south L4-L7 traffic. The combination delivers an elegant and secure network,” Ullal wrote. Arista’s approach “offloads the capability from firewalls, which must be explicitly deployed for this purpose at great cost.”

MSS does this without the need for endpoint software agents and proprietary network protocols.

In addition to the stateless wire-speed component, Arista MSS can integrate with firewalls and cloud proxies from partners such as Palo Alto Networks and Zscaler for stateful network enforcement, especially for north-south and inter-zone traffic, Ullal stated. “MSS thus ensures the right traffic is sent to these critical security controls, allowing them to focus on L4-L7 stateful enforcement while avoiding unnecessary hairpinning of all other traffic,” Ullal stated.  

The features, expected in MSS by the third quarter, are all supported by Arista’s CloudVision, which offers deep, real-time visibility into packets, flows, and endpoint identity. It gives customers a central ability to perform and control the east-west segmentations as well as manage any microperimeters they set up, Arista stated.  

To manage the microperimeters, MSS has been extended to support Arista’s Ask AVA (Autonomous Virtual Assist) service to provide a chat-like interface for operators to navigate the dashboard data and query and filter policy violations, Ullal stated.  

Arista’s MSS products are key to its plans to offer a zero-trust architecture for enterprise customers. Other components of MSS include Macro-Segmentation Service-Group, which authorizes network access based on logical groups rather than traditional approaches based on interfaces, subnets, or physical ports. MSS Firewall is software for setting security policies across customer network fabric, and MSS Host focuses on data-center security policies.