Arista Networks has announced a new capability for CloudVision®, Macro-Segmentation Services (MSS™), that allows next-generation firewalls and Application Delivery Controllers to be enabled automatically for specific workloads and workflows across any network topology. This includes Layer-2, Layer-3 and overlay network virtualization frameworks.

MSS addresses a growing gap in current security deployment models wherein embedded security in the virtualization hypervisors addresses inter-VM communication and physical firewalls address north-south traffic. Yet no solution exists to dynamically insert security services for data centers consisting of a mixture of physical and virtualized workloads. Arista is working with leaders in the industry such as Check Point, F5 Networks, Fortinet, Palo Alto Networks and VMware to advance and simplify the integration of physical and virtualized resources with its cloud networking technologies.

“We look forward to deepening our partnership with Arista,” said Chad Kinzelberg, senior vice-president of business and corporate development at Palo Alto Networks. “The next phase of our integration efforts aims to offer a seamless bridge between virtual and physical networks and deliver on the security and network segmentation requirements for complex and dynamic cloud networks.”

MSS provides a dynamic and scalable network service to logically insert security devices into the path of traffic, regardless of whether the security device or workload is physical or virtual and with complete flexibility on placement of security devices and workloads.

MSS has the following characteristics:

  • Location Independent: This allows larger data centers to centralize and insert security in the path between workloads on demand.
  • Easy Integration: By not changing any frame formats, it ensures that any platform can be easily integrated.
  • Open: It can fully function if the network is multi-vendor without lock-in or proprietary protocols.
  • Agile: Hosts can and do move, so services dynamically move with them to secure the deployment model.
  • Seamless Co-existence: It co-exists with defined firewall rules within the security policy framework.

Security as a Service with CloudVision

MSS is one of the services enabled via Arista CloudVision. Since CloudVision maintains a network-wide database of all state within the network, as well as direct integration with hypervisor resources like VMware vSphere and NSX, it is aware of where every workload is within the network and it learns in real time about new devices or workloads that are added to the network, removed from the network, or moved across ports or servers.

Macro-segmentation extends the concept of fine-grained inter-hypervisor security to cloud networks by enabling dynamic security and services of physical to virtual workloads. Macro-segmentation security is a complement to fine-grained security delivered via micro-segmentation that is implemented in the virtual switch of the physical host on which a VM is running.

“We are experiencing accelerated mainstream adoption of VMware NSX network virtualization as enterprise customers recognize the operational, security and economic benefits achieved through a software defined data center approach,” said Hatem Naguib, vice president network and security for VMware. “Working with our strategic partner Arista Networks enables customers to augment NSX micro-segmentation controls by addressing bare metal or physical layer security requirements, ensuring that the agility and security advantages of NSX apply to any workload, anytime, any place.”

By integrating with native APIs provided by leading next-generation firewalls (APIs that already exist and carry no specific version dependencies), MSS learns what workloads the security policy needs to address or monitor. If the security policy requires a specific logical network topology, Arista’s MSS can instantiate that into the network. The automation capabilities of MSS operate in real time without any need for network operations to engage a security administrator or vice versa, and without the network needing to be architected around a particular workload. This capability is critical to successful deployment of security in an enterprise private or hybrid cloud.

MSS with Arista CloudVision enables flexible deployment of services in the network, without forklift upgrades and without any proprietary lock-ins. Macro-segmentation services is in field trials today and will be generally available in the first half of 2016. Arista will be hosting a webinar on Macro-Segmentation with key partners on November 19, at 10:00 a.m. PT.


This article was originally posted as “Arista Extends CloudVision For Secure Cloud Networking” in Cloud Strategy Magazine.