Over the past few years, arguably no vendor has been more disruptive in the networking industry than Arista Networks. The company has an excellent track record of executing on its vision of differentiation through software. Its operating system, EOS, and CloudVision software have enabled Arista to create a high-performance, open network fabric for businesses with cloud-scale requirements in their data centers and, more recently, the campus.
Arista jumps into the security market
Now Arista has set its sights on the security market. For all of its strengths in networking, Arista has never established itself as a security vendor. It has provided some data that network operations might use for basic security, but the appeal to security operations has been light. That's about to change. The move is well-timed, since trends such as IoT, cloud and mobility are shifting security to the network. Trying to apply protection at the endpoint doesn't work if IT doesn't control it. What IT does control is the network, and it sees all.
Places in the network evolve into places in the cloud
Arista's thesis is that, as the cloud has become more prevalent, the network has had to evolve, and now security needs to as well. For decades, security practitioners have thought about protection being applied at various places in the network, or PINs, as they're more commonly called. The rise of the cloud will inevitably lead to businesses adopting hybrid, multi-cloud approaches, effectively scattering data and applications everywhere. This means the PIN approach needs to evolve into "places in the cloud," or PICs. Arista is aiming to help businesses move to PIC-based security while simplifying their architecture.
Segmentation sprawl is creating security complexity
The most commonly used tool to secure the various PICs has been segmentation, since it enables organizations to completely isolate workloads and content. As the use of segmentation grows, a new problem arises: segmentation sprawl. Businesses are using segmentation in the campus, the cloud and the data center. In fact, in data centers it's common to have multiple segmentation schemes. One of the biggest areas of complexity is keeping policies aligned. For example, a business may use Vendor A in the campus, Vendor B in the data center and Vendor C in the cloud. A security professional might be able to keep the policies consistent at time of deployment, but as the environment changes, keeping policies aligned becomes exponentially more challenging.
Some SDN vendors have tried to jump into the segmentation space, but they can often add more complexity, since it’s another policy framework to manage. This is where Arista’s approach is different. It doesn’t want to be the policy engine. Instead, through its open interfaces, it will interoperate with leading security vendors so customers can take a best-of-breed approach and then use Arista as the enforcement mechanism.
Arista partners with security vendors to simplify architecture
Arista has partnered with red-hot security vendor Zscaler to secure the cloud. With the cloud, network segmentation requires consistency of architecture so that it does not need to be redesigned for each cloud. Zone segmentation security (ZSS) is a new feature in Arista's vEOS router that segments inter- and intra-cloud traffic. Arista also has added a Zscaler Private Access (ZPA) agent that runs within a container in vEOS, enabling complete security of cloud traffic. An easy way to think about the combination of the two is that Arista's ZSS secures east-west traffic, and Zscaler takes care of north-south application traffic, ensuring that cloud to cloud and cloud to user are both secure. This also obviates the need to use the cloud provider's own security services, since those are typically tied to the specific cloud provider.
Arista has also expanded its long-standing relationship with VMware to extend segmentation across all workload types. The two companies have partnered to integrate CloudVision and VMware’s NSX product so NSX policies can be natively enforced on Arista switches across a multi-cloud environment and spanning virtual and physical workloads.
In addition to VMware and Zscaler, Arista has partnerships with many of the mainstream security vendors, such as Palo Alto Networks, Check Point and Fortinet, where its recently announced Macro-Segmentation Service allows for the enforcement of firewall policies on the network. The combination of VMware and the firewall vendors enables customers to secure the end-to-end network with a combination of coarse and fine-grained segmentation.
New hardware brings encryption
Also, as part of this launch, Arista has added high-performance encryption options to secure data as it is being transmitted between locations. This required the following new switches:
Enterprise WAN: Arista 7020SRG 24 x 10 Gig-E + 2 x 100 Gig-E with integrated hardware-based IPSec VPNs
Data center interconnect: 7280CR2M-30 30 x 100 Gig-E, 7280SRAM-48C6 48 x 10 Gig-E with 6 x 100 Gig-E, 7280SRM-40CX2 40 x 10 Gig-E and 2 x 200-G Coherent interfaces for metro and long haul links. The first two offer point-to-point MACsec encryption and the third MACsec and Coherent.
Lastly, Arista has created a compliance dashboard to become part of CloudVision. The portal provides alerts and reporting when configuration or software versions do not meet the company standard. Also, CloudVision can see new security vulnerabilities as they happen and then provide the operator the ability to implement hitless patching using automation.
It’s fair to say that Arista is late to the network security party, but it had to establish itself as a mainstream network vendor first. Unlike many of the SDN vendors that disrupt the status quo, Arista’s partner-friendly approach enables it to enforce security policies while simplifying the management of segmentation sprawl that’s currently under way in many organizations.