The Era of Microperimeters

Paradigm Shift to Zero Trust Networking

The new age of edge, multi-cloud, multi-device collaboration for hybrid work has given rise to a new network. Historically, adding multiple layers of network security with the consequential add-on hardware deployments, ongoing operational costs, and configuration changes needed at the network infrastructure level has been cumbersome. These mechanisms are even less effective for the new network. Security teams are, therefore, forced to reckon with bare minimum network visibility and tactical solutions.

The paradigm shift to a vanishing perimeter has prompted organizations to embed security into the network infrastructure as a proactive zero trust approach to tracking and successfully managing risk from the wider attack surface. Arista’s zero trust networking is based on these prescriptive principles and builds security into the network by default.

Time to Rethink Firewalls with Microperimeters

Classical perimeter firewalls have three essential functions: network routing, segmentation with access lists ( ACLs), and stateful inspection of L4-L7 traffic for compliance purposes.  The CISA Zero Trust Maturity Model, based on NIST 800-207, requires perimeters around each asset the organization seeks to protect. Putting classical firewalls all across the enterprise is not a practical option. Instead, Arista’s network-based approach delivers zero trust segmentation and enforcement to prevent east-west lateral movement. Thus, the network switch creates the microperimeters, while the classical firewall can continue inspecting north-south L4-L7 traffic. The combination delivers an elegant and secure network, bringing the best of both worlds, as shown in the figure below.

Moving Firewall Functions Into The Network

Arista MSS: Enabling Microperimeters

• Stateless wire-speed enforcement in the network: Arista EOS-based switches deliver a simple policy and enforcement model for fine-grained, identity-aware microperimeters that enable east-west lateral segmentation, which organizations are often missing today. Thus, even the most minor breach can result in a significant impact. Our approach also offloads the capability from firewalls, which must be explicitly deployed for this purpose at great cost.
• Redirection to Stateful Firewalls: Arista MSS can seamlessly integrate with firewalls and cloud proxies from partners such as Palo Alto Networks and Zscaler for L4-L7 stateful network enforcement, especially for north-south and inter-zone traffic. This integration avoids hairpinning all other traffic while addressing the organization’s compliance needs.
• CloudVision for Microperimeter Management: Arista CloudVision powered by NetDL™ provides deep real-time visibility into packets, flows, and endpoint identity. In addition, MSS dashboards within CloudVision ease operator effort to manage the microperimeters. We are also enhancing our Ask AVA™ (Autonomous Virtual Assist) service to provide a chat-like interface for operators to navigate the dashboard data, query policy violations, and understand them.

Summary

It is the right time to unify the network and security world as organizations look for zero trust at terabit scale with flexible support for identity and microperimeters. Security must permeate everything we do on the network today to bring a proactive and continuous approach to active and pervasive segmentation, enforcement, and threat mitigation. Lethal threats must be detected and intercepted before they can expand to a massive data breach. Welcome to the holistic zero trust networking era built on Arista MSS microperimeters!

To learn more or see a demo, visit booth #6453 in the North Hall at the RSA Conference in San Francisco.

References:

• ZTN White Paper 
• MSS Press Release 
• MSS Video
• Webinar Link