Enterprises are grappling with security in their infrastructure and many point products try to solve this in different use cases. As enterprises migrate from north-south to east-west traffic patterns, the need for consistent security across cloud-network and firewall infrastructure is paramount. Furthermore, additional security concerns emerge as organizations contemplate leveraging access to the public cloud along with hybrid deployment of virtual machines in the private data center. A true secure cloud architect must address both dedicated data centers (i.e. private cloud and virtual workloads) and also some of its applications into the public cloud. Migrating from legacy three-tier architecture to two-tier leaf-spine improves network performance, but adds security risk, as there is no longer an in-line natural insertion point for firewalls. Indeed, a more holistic network-wide segmentation to scale firewall services is now becoming a mandate to mitigate security threats.
Micro-segmentation Today for Secure Virtual Machines
Initiated by VMware NSX in 2014, Micro-segmentation is the application of security policies universally across the board and directly to all virtual machines providing service insertion for workloads. This comforts security teams by offering:
- Classification of all traffic, across all ports, all the time.
- Reduction of threats by preventing known vulnerabilities.
- Prevention of unknown threats.
Deploying Micro-segmentation by using virtualized firewalls (within either a public or private cloud environment), can be achieved with an Arista Universal Cloud Network and VMware NSX. There are many additional ways to virtualize your data center and a number of well-known virtualization hypervisors available on the market, such as Microsoft HyperV, VMware’s ESXi, Xen, and KVM.
Introducing Macro-Segmentation for Secure Virtual Physical Cloud
Complementing Micro-segmentation, Arista is proud to introduce Macro-Segmentation Service (MSS™). Macro-Segmentation is another example of our pioneering innovation with real-time automation of cloud network operations, in tandem with security administration, without massive re-architectures. MSS works with server, storage, and network virtualization solutions from Arista's key partners like VMware and security leaders Palo Alto Networks, Check Point, F5 and Fortinet. This enhanced deployment of physical workloads and security services validates the vision of the software defined data center for L2-, L3- and VXLAN-based networks.
MSS is dynamically applied to cloud networks, depending on the type of host connected, for secure workload mobility and workflow visibility. As an example, the trio of Arista, Palo Alto Networks and VMware are at the forefront of driving capabilities of integrating firewalling directly using CloudVision®. This is all standards-based without any proprietary frame formats. Using our patented state-based change management makes uniform security control with Palo Alto Networks' Panorama as shown in the example below:
Example: Arista Macro-Segmentation with Palo Alto Networks and VMware
Bringing Radical Shift to Flexible Cloud Security
MSS provides dynamic and scalable network functions to insert security into the path of traffic, regardless of whether the security service or workload is physical or virtual, with elastic placement of services, firewalls and workloads. Some salient highlights include:
- Location Independent: This allows larger data centers to centralize and insert security in the path between any workloads on demand or based on firewall rules.
- Easy Integration: By not changing any frame formats, it allows traffic to be monitored by existing tools and ensures that any platform can be easily integrated.
- Open: To emphasize just how non-proprietary the approach is, Macro-Segmentation can fully function if the network is multi-vendor without lock-in or proprietary protocols.
- Agile: Hosts can and do move (vMotion and DR), so services dynamically move with them to secure the deployment model.
- Seamless Co-existence: Arista's Macro-Segmentation Service does not try to "own policy" or run as an "uber-controller". It co-exists with defined firewall rules within the security tool framework.
I am excited by the power and potential of MSS into both the security and networking industries, where both are undergoing massive transitions to next generations. It unifies two islands, making a profound impact on our ecosystem and customers alike to deliver secure cloud networking. Together with CloudVision, we bring network-wide state integration of resources without a massive undertaking or re-do of existing enterprises. This is critical to successful deployment of uncompromised security in a private or hybrid cloud evolution. Welcome to the new world of secure cloud networking. I always welcome your comments firstname.lastname@example.org