CloudVision Macro-Segmentation Service

Similar documents
Arista Networks and F5 Solution Integration

Creating High Performance Best-In-Breed Scale- Out Network Attached Storage Solutions

Switching Architectures for Cloud Network Designs

Arista 7050X, 7050X2, 7250X and 7300 Series Performance Validation

Architecting Low Latency Cloud Networks

The Impact of Virtualization on Cloud Networking

The benefits Arista s LANZ functionality will provide to network administrators: Real time visibility of congestion hotspots at the microbursts level

TAP Aggregation with DANZ

Leveraging EOS and sflow for Advanced Network Visibility

Big Data Big Data Becoming a Common Problem

Virtual Extensible LAN (VXLAN) Overview

Arista FlexRoute TM Engine

Networking in the Hadoop Cluster

Arista Cognitive WiFi

Migration from Silo Security to Secure Holistic Cloud Networking

Investment Protection with the Arista 7500 Series

ARISTA WHITE PAPER Arista FlexRouteTM Engine

Rapid Automated Indication of Link-Loss

An Overview of Arista Ethernet Capture Timestamps

Traffic Visualization with Arista sflow and Splunk

Arista 7500 Series Interface Flexibility

Five ways to optimise exchange connectivity latency

Cloudifying Datacenter Monitoring with DANZ

Arista Telemetry. White Paper. arista.com

Latency Analyzer (LANZ)

Simplifying Network Operations through Data Center Automation

Solving the Virtualization Conundrum

NEP UK selects Arista as foundation for SMPTE ST 2110 modular OB trucks to deliver UHD content from world s largest events

The zettabyte era is here. Is your datacenter ready? Move to 25GbE/50GbE with confidence

Software Driven Cloud Networking

Why Big Data Needs Big Buffer Switches

CHANGING DYNAMICS OF IP PEERING Arista Solution Guide

Introduction: PURPOSE BUILT HARDWARE. ARISTA WHITE PAPER HPC Deployment Scenarios

Weiterentwicklung von OpenStack Netzen 25G/50G/100G, FW-Integration, umfassende Einbindung. Alexei Agueev, Systems Engineer

Arista 7060X & 7260X Performance

Arista 7160 Series Switch Architecture

10Gb Ethernet: The Foundation for Low-Latency, Real-Time Financial Services Applications and Other, Latency-Sensitive Applications

Arista Cognitive Campus Network

Arista AgilePorts INTRODUCTION

Arista CloudVision : Cloud Automation for Everyone

Cloud Interconnect: DWDM Integrated Solution For Secure Long Haul Transmission

The Arista Universal transceiver is the first of its kind 40G transceiver that aims at addressing several challenges faced by today s data centers.

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Arista 7050X3 Series Switch Architecture

Bioscience. Solution Brief. arista.com

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Routing Architecture Transformations

Powering Next Generation Video Delivery

Cisco CloudCenter Solution with Cisco ACI: Common Use Cases

Deploying IP Storage Infrastructures

Arista 7500E DWDM Solution and Use Cases

Four key trends in the networked use of FPGAs

Arista 7170 Multi-function Programmable Networking

World Class, High Performance Cloud Scale Storage Solutions Arista and EMC ScaleIO

Using the Network to Optimize a Virtualized Data Center

ARISTA WHITE PAPER Arista 7500E Series Interface Flexibility

Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION

Spanning Tree Protocol Interoperability With Cisco PVST+/PVRST+/MSTP

5 STEPS TO BUILDING ADVANCED SECURITY IN SOFTWARE- DEFINED DATA CENTERS

Network Virtualization Business Case

Next-Generation Data Center Interconnect Powered by the Adaptive Cloud Fabric

DELL EMC VSCALE FABRIC

1V0-642.exam.30q.

Stop Cyber Threats With Adaptive Micro-Segmentation. Jeff Francis Regional Systems Engineer

Introducing VMware Validated Design Use Cases. Modified on 21 DEC 2017 VMware Validated Design 4.1

The Arista Advantage Cloud Networking Trends

Cisco Enterprise Cloud Suite Overview Cisco and/or its affiliates. All rights reserved.

Arista EOS Precision Data Analysis with DANZ

VMware NSX: Accelerating the Business

VMWARE CLOUD FOUNDATION: INTEGRATED HYBRID CLOUD PLATFORM WHITE PAPER NOVEMBER 2017

3 Ways Businesses Use Network Virtualization. A Faster Path to Improved Security, Automated IT, and App Continuity

Enabling Efficient and Scalable Zero-Trust Security

AWS Reference Design Document

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Exploring the Arista 7010T - An Overview

Introducing VMware Validated Design Use Cases

Broadcast Transition from SDI to Ethernet

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

WHITE PAPER MICRO-SEGMENTATION. illumio.com

Simplify Hybrid Cloud

Osynlig infrastruktur i datacentret med inbyggd säkerhet och resursoptimering.

The threat landscape is constantly

Cisco Cloud Application Centric Infrastructure

VMWARE CLOUD FOUNDATION: THE SIMPLEST PATH TO THE HYBRID CLOUD WHITE PAPER AUGUST 2018

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

Introducing VMware Validated Designs for Software-Defined Data Center

White Paper. OCP Enabled Switching. SDN Solutions Guide

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and

Cyber Security and the Evolving Datacenter

Huawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers

The Cisco HyperFlex Dynamic Data Fabric Advantage

Pluribus Adaptive Cloud Fabric

Cisco Application Centric Infrastructure

EOS CloudVision Overview Data Sheet

DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017

Securing the Software-Defined Data Center

VMware Cloud on AWS. A Closer Look. Frank Denneman Senior Staff Architect Cloud Platform BU

CASE STUDY INSIGHTS: MICRO-SEGMENTATION TRANSFORMS SECURITY. How Organizations Around the World Are Protecting Critical Data

Introducing VMware Validated Designs for Software-Defined Data Center

Transcription:

CloudVision Macro-Segmentation Service Inside Address network-based security as a pool of resources, stitch security to applications and transactions, scale on-demand, automate deployment and mitigation, allow transparent application of security policies; do it all seamlessly without introducing gratuitous interdependencies, for both physical and virtualized resources: Micro-Segmentation: inserting services in the path of inter-vm traffic by defining policies in an overlay/ virtualization controller for each individual workload enforced within the hypervisor virtual switch, by application, workload, or other tag. Macro-Segmentation : inserting services between workgroups (intertenant or inter-device) in the physical network by defining inter- segment service policies - enforced by the Arista cloud networking infrastructure. AristaMacro-Segmentation Service (MSS ): an extension in Arista EOS software that utilizes Arista CloudVision to automate security service insertion for next-generation firewalls and other networked devices. It s no secret that information security has failed to keep up with the needs of business and the accelerating cyber-threat landscape. Data centers have increasingly virtualized and partitioned, becoming more dynamic while accommodating on- the-fly deployment of new applications within shared private, public and hybrid clouds. Meanwhile cyber-security has remained static and bounded unable to protect the cloud environment from an increasingly threatening backdrop. Today s cloud environments need a more flexible approach to deploying security that adapts to constant workload changes, additions, and movements. The capacity of the security solution needs to scale upward to match the broadened attack surface of multi-tenant shared cloud environments. Infrastructures need to offer an unfettered selection of security technology options as opposed to siloed ecosystems of yesterdays solutions that limit flexibility and obstruct freedom of choice. Introducing Macro-Segmentation Service Arista Networks has unveiled a new Macro-Segmentation Service (MSS) capability for CloudVision that allows a variety of platforms, such as next-generation firewalls, to be deployed automatically for specific workloads and workflows across any network topology, including layer-2, layer-3 and overlay network virtualization frameworks. Figure 1: Arista CloudVision Services

Addressing a Growing Gap in Security Deployment Models Macro-Segmentation Service is a new capability within Arista CloudVision that addresses a growing gap in security deployment models wherein embedded security in the virtualization hypervisors addresses inter-vm communication and physical firewalls address at-depth protection for north-south traffic leaving the data center. However, no solution exists yet to dynamically insert advanced security services for east-west traffic in hybrid data centers utilizing a combination of hypervisors, or containing non-virtualized workloads like big data and storage, or attaching legacy systems to the same networks as new cloud applications. Figure 2: Evolution to Software Driven Cloud Networking Complicating this current situation are the range of design considerations for the cloud data center operator and application users imposed by legacy applications and network architectures. Migrating from legacy three-tier architecture to twotier leaf-spine network architecture improves network performance, but offers little mitigation for security risks as there is no longer a natural insertion point for firewalls. A more holistic network-wide segmentation approach at the macro- and micro-level is now becoming a mandate to mitigate security threats. This has been addressed in part by the implementation of distributed fine-grain security services within networking and computing hypervisors, often called micro-segmentation. The current compromised security deployment models must change to allow dynamic placement of security services and devices within and around the cloud to protect workloads and data from outside threats as well as from those threats that have already breached the perimeter, while enabling the agility for which the cloud data center was built to begin with.

Table 1: CloudVision MSS - An open dynamic service for any workload and any application Workload / Workflows Requirement Solution Ingress-egress from the cloud Inter-VM and Intra-Tenant (inside the tenant perimeter) Extra-VM and intra-tenant (hybrid cloud environment) Stateful and heuristic protection from external cyber-threats and attacks Isolation of workloads within tenant groups from each other and between tenants For workloads utilizing bare-metal (nonvirtualized) storage and server resources in combination with hypervisor resident components of micro-segmentation High performance next-generation firewalls and security monitoring Micro-segmentation of hypervisor workspace and embedded virtual instances of stateful firewalls Strong segmentation of resources within and across the cloud network with physical VLAN and VXLAN isolation, plus dynamic insertion of stateful next- generation firewalls and monitoring The Role of Arista Macro-Segmentation Service Macro-Segmentation Service is a complement to fine-grained security services delivered via micro-segmentation, which is implemented in the virtual switch of the physical host on which a VM is running. The delivery of enhanced microsegmentation security via platforms like VMware NSX is one of the most significant features enabled by network virtualization. Macro-segmentation extends the concept of fine-grained intra-hypervisor security to the rest of the data-center by enabling dynamic insertion of services for physical devices and non-virtualized devices. It is specifically aimed at physical-to-physical (so-called P-to-P) and physical to virtual (P-to-V) workloads. Figure 3: Placement of Security Platforms within Logical Topology with Macro-Segmentation Service Macro-segmentation provides a software-driven dynamic and scalable network service to insert security devices into the path of traffic, regardless of whether the service device or workload is physical or virtual, and with complete flexibility on placement of service devices and workloads. Arista MSS Key Characteristics Macro-Segmentation is one of the services enabled by Arista CloudVision. Since CloudVision maintains a network-wide database of all state within the network, it is aware of where every workload is within the network, and it learns in real time

By integrating with native APIs provided by the leading next-generation firewalls native APIs that already exist macro-segmentation learns which workloads the security policy needs to address or monitor. about new devices or workloads that are added or removed from the network, or moved across ports or servers. Complete flexibility on locality of devices: Service devices such as firewalls or load balancers can be anywhere in the network on any switch. This allows larger datacenters to centralize their security devices in a service rack and insert them in the path between any workloads on-demand or based on a firewall policy. There are no restrictions or limitations on where the service devices are physically attached within the fabric. Likewise, devices to whom services are targeted can be located anywhere in the network with no restrictions or limitations on physical placement. No new frame formats: There is no requirement for any new frame format, traffic steering or metadata in any new header fields. Macro-Segmentation inserts service devices into the path of traffic without requiring any new frame format, protocol, or anything else that is proprietary. This allows traffic to be monitored by existing tools and ensures that any platform can be easily integrated without modifications. Non-proprietary: Standards-based forwarding is used to stitch service devices into the path of traffic. To emphasize just how open the approach is, Macro- Segmentation can fully function if the network is comprised of devices from multiple vendors. Dynamic: Hosts can and do move (vmotion and Disaster Recovery), so services and dynamic service insertion should move with them. This is automatically accomplished with Macro-Segmentation and Arista VM Tracer. Enhances next-generation firewalls: Arista s Macro-Segmentation Service does not try to own policy or run a controller-of-controllers that understands every application flow or interaction. Customers prefer to define security policies within the security tool framework, such as the next-generation firewall manager. Support for Next Generation Security Platforms: An Open Ecosystem Approach By integrating with native APIs provided by the leading next-generation firewalls native APIs that already exist macro-segmentation learns which workloads the security policy needs to address or monitor. If the security policy requires a specific logical network topology, then the macro-segmentation service can instantiate that topology into the network. The automation capabilities of Arista Macro-Segmentation security operate automatically, in real-time, and without any need for a network operator to engage the security administrator (or vice-versa). Furthermore there is no need for the network to be architected in a manner specific to a particular workload. This flexibility is crucial to successful deployment of security in an enterprise private or hybrid cloud.

Figure 4: Example of Macro-Segmentation Configuration with Next Generation Firewall Policy Conclusion Macro-Segmentation Service with Arista CloudVision enables flexible deployment of security in the network, without forklift upgrades and without any proprietary lock-ins. It works in unison with server, storage, and network virtualization solutions from Arista s partners, including OpenStack, Docker, Microsoft and VMware. Macro- Segmentation Service complements the intelligence and functionality these provide with enhanced deployment of physical workloads and security services to enable deployment of the complete software defined data center. Santa Clara Corporate Headquarters 5453 Great America Parkway, Santa Clara, CA 95054 Phone: +1-408-547-5500 Fax: +1-408-538-8920 Email: info@ Ireland International Headquarters 3130 Atlantic Avenue Westpark Business Campus Shannon, Co. Clare Ireland Vancouver R&D Office 9200 Glenlyon Pkwy, Unit 300 Burnaby, British Columbia Canada V5J 5J8 San Francisco R&D and Sales Office 1390 Market Street, Suite 800 San Francisco, CA 94102 India R&D Office Global Tech Park, Tower A & B, 11th Floor Marathahalli Outer Ring Road Devarabeesanahalli Village, Varthur Hobli Bangalore, India 560103 Singapore APAC Administrative Office 9 Temasek Boulevard #29-01, Suntec Tower Two Singapore 038989 Nashua R&D Office 10 Tara Boulevard Nashua, NH 03062 Copyright 2016 Arista Networks, Inc. All rights reserved. CloudVision, and EOS are registered trademarks and Arista Networks is a trademark of Arista Networks, Inc. All other company names are trademarks of their respective holders. Information in this document is subject to change without notice. Certain features may not yet be available. Arista Networks, Inc. assumes no responsibility for any errors that may appear in this document. 07/16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback