Arista Macro-Segmentation Service sets up microperimeters for enterprise resource protection.

Arista Networks is bolstering a key part of its security software with new features that help customers reduce the blast radius of security breaches by setting up “microperimeters” to restrict lateral movement in campus and data center networks.

The new features are in the vendor’s Macro-Segmentation Service (MSS) software, which is an extension of its core Extensible Operating System (EOS) software. They’re tightly integrated with the company’s CloudVision management platform, which provides wired and wireless visibility, orchestration, provisioning, telemetry, automation and analytics across the data center, campus, and IoT devices on edge networks.

One rationale for microperimeters is the idea that firewalls are not optimized to protect against all lateral movement, which would require a proliferation of security appliances, soaring costs, and an explosion of complex rule sets that would still fail to protect against lateral movement, according to Arista.

“Historically, adding multiple layers of network security with the consequential add-on hardware deployments, ongoing operational costs, and configuration changes needed at the network infrastructure level has been cumbersome. These mechanisms are even less effective for the new network,” wrote Arista CEO Jayshree Ullal in a blog about the enhancements.

With MSS, east-west lateral protection is enabled by what Arista describes as stateless wire-speed enforcement in the network, which delivers zero-trust segmentation and enforcement to prevent that movement.

“Thus, the network switch creates the microperimeters, while the classical firewall can continue inspecting north-south L4-L7 traffic. The combination delivers an elegant and secure network,” Ullal wrote.
Arista’s approach “offloads the capability from firewalls, which must be explicitly deployed for this purpose at great cost.” MSS does this without the need for endpoint software agents and proprietary network protocols.

In addition to the stateless wire-speed component, Arista MSS can integrate with firewalls and cloud proxies from partners such as Palo Alto Networks and Zscaler for stateful network enforcement, especially for north-south and inter-zone traffic, Ullal stated.

“MSS thus ensures the right traffic is sent to these critical security controls, allowing them to focus on L4-L7 stateful enforcement while avoiding unnecessary hairpinning of all other traffic,” Ullal stated.

The features, expected in MSS by the third quarter, are all supported by Arista’s CloudVision, which offers deep, real-time visibility into packets, flows, and endpoint identity. It gives customers a central ability to perform and control the east-west segmentations as well as manage any microperimeters they set up, Arista stated.

To manage the microperimeters, MSS has been extended to support Arista’s Ask AVA (Autonomous Virtual Assist) service to provide a chat-like interface for operators to navigate the dashboard data and query and filter policy violations, Ullal stated.

Arista’s MSS products are key to its plans to offer a zero-trust architecture for enterprise customers. Other components of MSS include Macro-Segmentation Service-Group, which authorizes network access based on logical groups rather than traditional approaches based on interfaces, subnets, or physical ports. MSS Firewall is software for setting security policies across customer network fabric, and MSS Host focuses on data-center security policies.