Arista, Palo Alto bolster AI data center security

Arista Networks and Palo Alto Networks have extended their partnership to offer customers a framework for implementing zero-trust security inside the data center.

The new framework is intended to offer customers a way to blend networking control and management activities with security policies to allow integrated automation and consistent enforcement across the enterprise. In the past, Arista and Palo Alto worked together to share information but acted on it separately, and customers basically had to do any integration on their own, the vendors stated. That changes with the new agreement.

DevOps teams build and update apps automatically using continuous integration/continuous delivery and other methods, and to keep those apps running smoothly as usage grows, they need systems that can automatically add resources and coordinate them, including when orchestration across cloud environments is required, according to Kumar Srikantan, vice president and general manager, campus, at Arista, and Alessandro Barbieri, director of product management at Arista.

“This demand for agility and geo-distributed scale compounds the already profound security challenges stemming from the sheer scale of east-west traffic, which dramatically expands the attack surface. To exacerbate these issues, a new breed of AI-powered threats, where adversaries are leveraging AI to launch highly evasive attacks with a new level of sophistication and scale, significantly raises the impact of any security incident,” Srikantan and Barbieri wrote in a blog about the partnership. “Furthermore, AI-powered attacks are designed to slip past legacy defenses at increased speeds. Data exfiltration attacks, vulnerability exploits, or the development of ransomware that used to take weeks or days can now take hours or minutes.”

With the expanded partnership, Arista and Palo Alto intend to address these issues.

The first of four key features is zero-trust segmentation for data centers, which unifies segmentation, visibility and inter-zone protection via Palo Alto’s next-generation firewall (NGFW) and Arista’s Multi-Domain Segmentation Services (MSS) fabric. With this feature, the Arista fabric, which has complete network visibility, intelligently steers east-west application traffic to Palo Alto’s NGFW for deep, Layer 7 inspection, according to a blog by Srini Kotamraju, vice president of products at Palo Alto.

“Based on this inspection, the NGFW creates a comprehensive, application-aware security policy. It then instructs the Arista fabric to enforce that policy at wire speed for all subsequent, similar flows,” Kotamraju wrote. “This ‘inspect-once, enforce-many’ model delivers granular zero trust security without the performance bottlenecks of hairpinning all traffic through a firewall or forcing a costly, disruptive network redesign.”

The second capability is a dynamic quarantine feature that enables the Palo Alto NGFWs to identify evasive threats using Cloud-Delivered Security Services (CDSS). “These services, such as Advanced WildFire for zero-day malware and Advanced Threat Prevention for unknown exploits, leverage global threat intelligence to detect and block attacks that traditional security misses,” Kotamraju wrote.

The Arista fabric can intelligently offload trusted, high-bandwidth “elephant flows” from the firewall after inspection, freeing it to focus on high-risk traffic. When a threat is detected, the NGFW signals Arista CloudVision, which programs the network switches to automatically quarantine the compromised workload at hardware line-rate, according to Kotamraju: “This immediate response halts the lateral spread of a threat without creating a performance bottleneck or requiring manual intervention.”
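The inspect-once, enforce-many hand-off and the dynamic quarantine described above, modelled as an added example (not Arista’s or Palo Alto’s code): a hypothetical fabric steers the first flow of a zone pair and port to a stand-in inspector, caches the verdict for later matching flows, and isolates any workload the inspector flags. The `Fabric`, `Flow` and `demo_inspector` names, the zone topology, the addresses and the `BAD_SAMPLE` marker are all constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

ALLOW, DENY, THREAT = "allow", "deny", "threat"  # verdicts the stand-in NGFW can return
Flow = namedtuple("Flow", "src_ip dst_ip dport payload")  # payload stands in for L7 content only the NGFW sees

@dataclass
class Fabric:
    zone_of: dict                                   # workload address -> zone (constructed topology)
    inspect: object                                 # hypothetical NGFW hook: callable(Flow) -> verdict
    rules: dict = field(default_factory=dict)       # (src zone, dst zone, dport) -> verdict, offloaded to switches
    quarantined: set = field(default_factory=set)   # workloads isolated at line rate
    inspected: int = 0                              # flows that were hairpinned through the NGFW

    def forward(self, f: Flow) -> str:
        # Quarantine wins over any cached rule: an isolated workload sends and receives nothing.
        if f.src_ip in self.quarantined or f.dst_ip in self.quarantined:
            return "dropped:quarantine"
        key = (self.zone_of[f.src_ip], self.zone_of[f.dst_ip], f.dport)
        # Enforce-many: a zone pair/port the NGFW already ruled on is handled in the fabric.
        if key in self.rules:
            return f"fabric:{self.rules[key]}"
        # Inspect-once: the first flow of its kind is steered to the NGFW.
        self.inspected += 1
        verdict = self.inspect(f)
        if verdict == THREAT:
            # Dynamic quarantine: isolate the source workload; the zone-pair rule itself is not changed.
            self.quarantined.add(f.src_ip)
            return "dropped:quarantine"
        self.rules[key] = verdict  # cache the application-aware verdict for later similar flows
        return f"ngfw:{verdict}"

def demo_inspector(f: Flow) -> str:
    # Constructed stand-in for the NGFW verdict; real CDSS detection is not modelled.
    if "BAD_SAMPLE" in f.payload:
        return THREAT
    return ALLOW if f.dport in (443, 5432) else DENY

def run_demo():
    fab = Fabric({"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "db"}, demo_inspector)
    flows = [
        Flow("10.0.1.10", "10.0.2.20", 5432, "SELECT 1"),   # first web->db flow: inspected, allowed
        Flow("10.0.1.11", "10.0.2.20", 5432, "SELECT 2"),   # same zone pair/port: fabric allows, no hairpin
        Flow("10.0.1.10", "10.0.2.20", 22, "ssh"),          # new port: inspected, denied, cached
        Flow("10.0.1.11", "10.0.2.20", 22, "ssh"),          # denied at wire speed
        Flow("10.0.1.11", "10.0.1.10", 443, "BAD_SAMPLE"),  # NGFW flags a threat: source quarantined
        Flow("10.0.1.11", "10.0.2.20", 5432, "SELECT 3"),   # cached allow no longer helps that host
    ]
    return fab, [fab.forward(f) for f in flows]
```

A flow that matches a cached allow rule never reaches the inspector again, which is why the quarantine check runs before the rule lookup.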

The third feature is unified policy orchestration, where Palo Alto Networks’ management plane centralizes zone-based and microperimeter policies, and CloudVision MSS responds with the offload and enforcement of Arista switches. “This treats the entire geo-distributed network as a single logical switch, allowing workloads to be migrated freely across cloud networks and security domains,” Srikantan and Barbieri wrote.

Lastly, the Arista Validated Design (AVD) data models enable network-as-code, integrating with CI/CD pipelines. AVDs can also be generated by Arista’s AVA (Autonomous Virtual Assist) AI agents that incorporate best practices, testing, guardrails, and generated configurations.

“Our integration directly resolves this conflict by creating a clean architectural separation that decouples the network fabric from security policy. This allows the NetOps team (managing the Arista fabric) and the SecOps team (managing Palo Alto Networks security) to scale, upgrade, and innovate independently,” Kotamraju wrote. “NetOps can focus on building a high-performance, reliable network, while SecOps can focus on delivering best-in-class security services. Each team uses their own domain-specific management tools, and the integration layer automatically synchronizes policy and enforcement actions.”

Arista works with a number of security vendors, such as Fortinet, Check Point and Splunk, but none is as deeply integrated as Palo Alto is now. The networking vendor also offers its own security packages, including CloudVision MSS and its AI-driven network detection and response platform.

This story, Arista, Palo Alto bolster AI data center security, first appeared on Network World.