Arista Networks has introduced a significant update to its Arista MSSⓇ (Multi-Domain Segmentation Service) offerings that address the challenge of creating a truly enterprise-wide zero trust network. Without the need for endpoint software agents and proprietary network protocols, Arista MSS enables effective microperimeters that restrict lateral movement in campus and data center networks and thus reduces the blast radius of security breaches such as ransomware.
Enterprise-wide Zero Trust Requires Effective Microsegmentation
Today’s distributed IT infrastructure with work-from-anywhere, the explosion of IoT devices and multi-cloud applications has upended the traditional security perimeter and led to a dynamic and unpredictable attack surface. To improve their defensive posture, organizations have embarked on zero trust efforts that require granular control of both north-south and east-west communication paths. Firewalls are simply not optimized to protect against all lateral movement, which would require a proliferation of security appliances, soaring costs, and an explosion of complex rule sets that still fail to protect against lateral movement.
To address this challenge, the Cybersecurity and Infrastructure Security Agency (CISA) “Zero Trust Maturity Model” recommends the adoption of microsegmentation for highly distributed, fine-grained enforcement through microperimeters. While many microsegmentation solutions are available on the market, both network and endpoint-based, they struggle with operational complexity, interoperability and portability challenges, and cost, which has limited their widespread adoption across the enterprise. As a result, zero trust efforts often stall.
Standards-based Network Microsegmentation
Arista MSS offers standards-based microsegmentation using existing network infrastructure while overcoming the challenges of existing solutions. MSS is network-agnostic and endpoint-independent. It avoids proprietary protocols and can thus seamlessly integrate into a multi-network vendor environment. The solution also does not require endpoint software, avoiding the portability limitations and operational complexity typical of agent-based microsegmentation solutions.
"We are very impressed with the potential of Arista's MSS microperimter segmentation technology,” said Evan Gillette, Security Engineering, Paychex Inc. “We view this technology as highly promising and believe it has the potential to transform our approach to security and segmentation from a traditional perimeter approach to a more distributed network-centric architecture. We are excited to be working with Arista to explore the possibilities of this innovative technology and its applications in our infrastructure.”
Arista MSS combines three capabilities that enable organizations to build microperimeters around each digital asset they seek to protect, whether in the campus or the data center. Arista MSS enables:
Stateless Wire-speed Enforcement in the Network: Arista EOSⓇ-based switches deliver a simple model for fine-grained, identity-aware microperimeter enforcement. This enforcement model is independent of endpoint type and identical across campus and data center environments, simplifying day two operations. Importantly, Arista MSS thus enables lateral segmentation that is often missing today and offloads the capability from firewalls that would have to be explicitly deployed for this purpose.
Redirection to Stateful Firewalls: Arista MSS can seamlessly integrate with firewalls and cloud proxies from partners such as Palo Alto Networks and Zscaler for stateful network enforcement, especially for north-south and inter-zone traffic. MSS thus ensures the right traffic is sent to these critical security controls, allowing them to focus on L4-L7 stateful enforcement while avoiding unnecessary hairpinning of all other traffic.
CloudVision for Microperimeter Management: Arista CloudVisionⓇ powered by NetDL™ provides deep real-time visibility into packets, flows, and endpoint identity. This, in turn, enables effective east-west lateral segmentation. In addition, MSS dashboards within CloudVision ease operator effort to manage the microperimeters. MSS extends Arista’s Ask AVA™ (Autonomous Virtual Assist) service to provide a chat-like interface for operators to navigate the dashboard data and query and filter policy violations.
“As a bank, we are committed to delivering comprehensive financial products and solutions, while putting customer's data and security as our top priority. Security is also embedded in one of our core architectural principles when designing our data center networks,” said Komang Artha Yasa, Technology Division Head, OCBC. “Arista MSS completes our zero trust posture by working efficiently with our firewalls to microsegment our critical payment systems. Arista's approach is easy for us to adopt since it avoids software-based agents and still gives us interoperability across our entire data center environment.”
Zero Trust Ecosystem
Arista MSS seamlessly integrates with the broader Arista Zero Trust Networking solution, including Arista CloudVision, CV AGNITM and Arista NDR. It also integrates with industry-leading firewalls such as Palo Alto Networks, IT service management (ITSM) such as ServiceNow, and virtualization platforms such as VMware.
"Arista MSS has been a welcome addition to our zero trust strategy,” said Dougal Mair, Associate Director, Networks and Security at The University of Waikato. "The ability to provide an open but secure network for many users (e.g., students, faculty, guests), IT (e.g., laptops, printers), and IoT devices (including sensors and smart lighting) in a large environment was a huge challenge at the university. Arista MSS prevents any unauthorized peer-to-peer and lateral movement on our dynamic network."