
Arista Builds “Microperimeters” to Control User and Device Access

Drew Conry-Murray

Arista has announced a new microsegmentation capability that uses Arista switches and its CloudVision management platform to create and enforce rules about which devices, users, and applications can communicate. Arista incorporates information about devices and users from sources including NAC systems, RADIUS, IPAM, and identity stores to inform access rules.

The goal is to provide fine-grained segmentation, which Arista calls microperimeters, to limit user and device connectivity only to approved resources and to prevent lateral movement by attackers. Arista says its approach can be applied to the campus, data center, and remote access. Enforcement happens on the switch. Arista’s approach doesn’t require endpoint or host-based software.

The Pieces Of The Microperimeter Puzzle

To create and enforce fine-grained connectivity and access rules, you need information about users, devices, and applications. Arista gets this information through integrations with its own and third-party products including ForeScout, Cisco ISE, Aruba ClearPass, and others. It also works with Arista’s own AGNI NAC solution and Arista’s NDR product.

User and device classification and context are pulled from these systems and provided to CloudVision, which stores this information about devices and endpoints, including IoT and OT devices, in its data lake. CloudVision can also use tags from vSphere and ServiceNow to gather device metadata, and associate devices with IP addresses via integration with IPAM products.

The second piece of the puzzle comes from the network. Arista switches will mirror traffic and send that traffic to a hardware appliance. This appliance does stateful analysis of the traffic and relays that analysis to CloudVision via IPFIX.

CloudVision then combines this traffic analysis with user and device information to map out connectivity patterns among users, devices, and applications. It uses this map as a template to build and recommend rules. Customers can accept and amend rules as needed, as well as create their own.

Rules include allowing access between devices, denying access, or redirecting traffic elsewhere, for example to a firewall for inspection.

Finally, the system will continually review rules and actions to ensure that the rules are aligned with policies and intended outcomes. For instance, if there’s a change on the network that causes traffic to get dropped, CloudVision will notify the networking team about the dropped traffic. If the connection is legitimate and should be allowed, CloudVision can propose a rule to allow for that communication to happen.

Enforcement On The Switch

Arista enforces rules via its switches. CloudVision programs the rules it has developed into a database on the switch. The rules are associated with group tags, and each tag is in turn associated with the IP address prefixes of the devices in that group. As packets come into the switch, the switch performs a database lookup, matches the IP address to a tag, and applies the rule (i.e. forward or drop).

The switch performs this action for every packet. Arista says this process happens at line rate and does not have an impact on switch performance. “There is zero penalty on latency and bandwidth,” said Alessandro Barbieri, Product Manager at Arista, in a briefing. “We aren’t recirculating the packet for these lookups.”
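As an added illustration (not Arista's code, and not how CloudVision or EOS actually programs the switch), the constructed Python model below walks through the two-step lookup described above: an IP address is matched to a group tag by longest prefix, then the (source tag, destination tag) pair selects forward, drop or redirect, and any pair without a rule is dropped, which is what blocks lateral movement between unrelated groups. All prefixes, tags and rules here are invented.

```python
import ipaddress
from typing import Optional

# Constructed example of the tag-based enforcement model described above.
# Not Arista's code: every prefix, tag and rule below is invented for illustration.

# Prefix -> group tag (the "IP prefix to tag" association programmed into the switch).
PREFIX_TAGS = {
    ipaddress.ip_network("10.1.0.0/24"): "CORP_USERS",
    ipaddress.ip_network("10.2.0.0/24"): "IOT_CAMERAS",
    ipaddress.ip_network("10.2.0.0/16"): "OT_PLANT",      # broader; longest prefix wins
    ipaddress.ip_network("10.10.5.0/24"): "VIDEO_SERVERS",
    ipaddress.ip_network("10.10.9.0/24"): "FINANCE_APPS",
}

# (source tag, destination tag) -> action. Any pair not listed is dropped,
# which is what denies lateral movement between unrelated groups.
RULES = {
    ("CORP_USERS", "FINANCE_APPS"): "forward",
    ("IOT_CAMERAS", "VIDEO_SERVERS"): "forward",
    ("CORP_USERS", "IOT_CAMERAS"): "redirect:firewall",   # inspect before allowing
}
DEFAULT_ACTION = "drop"


def tag_for(ip: str) -> Optional[str]:
    """Longest-prefix match of an address to its group tag (None if untagged)."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in PREFIX_TAGS if addr in net]
    if not matches:
        return None
    return PREFIX_TAGS[max(matches, key=lambda net: net.prefixlen)]


def decide(src_ip: str, dst_ip: str) -> str:
    """Per-packet decision: tag both endpoints, then look up the tag-pair rule."""
    src_tag, dst_tag = tag_for(src_ip), tag_for(dst_ip)
    if src_tag is None or dst_tag is None:
        return DEFAULT_ACTION  # unclassified endpoint: fail closed
    return RULES.get((src_tag, dst_tag), DEFAULT_ACTION)


if __name__ == "__main__":
    # Constructed sample flows, including a camera trying to reach a user subnet.
    for src, dst in [("10.1.0.7", "10.10.9.20"), ("10.2.0.4", "10.10.5.1"),
                     ("10.2.0.4", "10.1.0.7"), ("10.1.0.7", "10.2.0.4"),
                     ("10.2.7.1", "10.10.5.1")]:
        print(f"{src} -> {dst}: {decide(src, dst)}")
```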

Additional Information

For more details on microperimeters, see the Arista press release and this blog post by CEO Jayshree Ullal. Arista has also produced a white paper outlining its approach to zero trust.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.
