Arista expands its Macro-Segmentation Service (MSS) to include MSS-Group, software that enables creation of logically assigned security groupings.

Arista has expanded its security software to let customers control authorized network access and communication between groups from the data center to the cloud.

The new software, Macro-Segmentation Service (MSS)-Group, expands the company’s MSS security-software family, which currently includes MSS Firewall for setting security policies across customer edge, data-center and campus networks. Additionally, the company’s MSS Host focuses on data-center security policies.

MSS software works with Arista Extensible Operating System (EOS) and its overarching CloudVision management software to provide network-wide visibility, orchestration, provisioning and telemetry across the data center and campus. CloudVision’s network information can be utilized by Arista networking partners including VMware, Microsoft and IBM’s Red Hat.

MSS-Group authorizes access based on logical groups rather than traditional approaches based on interfaces, subnets, or physical ports, according to Jeff Raymond, vice president of Arista EOS Product Management and Services.

Unlike proprietary products, the MSS-Group segmentation architecture does not rely on proprietary Ethernet tags or protocols to work, Raymond said. That means upstream and downstream leaf and spine switches can be mixed and matched across multiple vendors.

Arista MSS-Group-capable switches are agentless and can be deployed across client to campus to cloud in network-wide deployment, all orchestrated via CloudVision, Arista stated.

As part of this product rollout, Arista and Forescout announced the result of a year-long co-development effort to streamline policy design and management: Forescout eyeSegment is now integrated with Arista CloudVision.
The idea is to let customers utilize eyeSegment’s real-time device context to easily create, manage and monitor group-based segmentation policies. Production-ready eyeSegment policy information is then shared with CloudVision to consistently enforce rules across multiple network domains via the MSS-Group architecture, according to Forescout.

“Organizations can use Forescout eyeSegment to automatically apply real-time context to associate each connected device with its relevant security segmentation group, easily design and monitor group-based policies, and communicate the appropriate segmentation policies to CloudVision. CloudVision is then responsible for the dynamic orchestration of the required policy to the Arista switches for enforcement,” Arista stated.

Driving the need for better security are the growth of SaaS services and the need to secure access to those services, as well as the proliferation of IoT devices.

“In this world of networked IoT, a camera should only communicate with the DVR and security administrator. Security and network administrators need to have the ability to easily define, classify and group segments concerning who is accessing what, independent of IP addressing and other network protocol constructs,” wrote Arista CEO Jayshree Ullal in a blog about the MSS-Group announcement.

Arista’s MSS products are key to its overarching development of a zero trust architecture for enterprise customers that company execs say is built off of NIST’s zero trust framework, which basically states not to trust any user or device by default.

“Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established,” NIST states.
For its part, Arista’s zero-trust security includes network-based multi-domain segmentation, situational awareness—what’s connected to what—continuous monitoring for behavior, and AI-driven network detection and response, which is where Forescout and Arista’s Awake platform come in. Arista purchased Awake Security in 2020 for its AI-based network detection and response system.

“We need to eliminate the implicit trust associated with traditional network architecture and instead build secure, zero-trust networks that assume devices only have access to resources they need and that once a device is on the network it is continuously monitored and detected for mal-intent,” Ullal stated.

MSS Firewall and MSS Host features are available as part of Arista CloudVision. The MSS-Group support will begin trials in the first quarter of this year.