Five years ago, almost all of the traffic in a data center moved in a North-South direction. Traffic moved from one server through the different tiers of a network, passed through the core, and then up to another server. Enabling security and application optimization services with this model was fairly simple. Put a big, honking firewall or ADC in the core of the network and all traffic would pass through these devices.
However, the past few years have seen an explosion in East-West traffic, primarily driven by servers and virtual machines (VMs) talking to each other and to database systems, storage systems, and other applications in the data center. Typically, East-West traffic never passes through the core of the network, where it would get the benefit of security inspection. Also, East-West traffic is rapidly becoming a much larger share of total data center traffic relative to North-South. This makes it easier for a piece of malware that has breached an unpatched server to spread laterally.
Security devices are meant to catch traffic moving North-South, but the growth in data center traffic is East-West. That seems like a problem.
Not to worry, though. This morning Arista Networks announced a new capability for its CloudVision product called Macro-Segmentation Services (MSS) that automatically enables security devices and application delivery controllers (ADCs) for specific workloads and workflows across any network of any topology. This includes layer 2, layer 3, and network virtualization overlays.
Through CloudVision, Arista customers can dynamically insert security services into the path of traffic, regardless of whether the security device is in a physical or virtual form factor. Also, the customer has complete flexibility on the placement of the security device as long as it’s connected somewhere in the Arista “spline” or fabric.
For those not familiar with CloudVision or how this might work, CloudVision is an abstraction layer that has end-to-end visibility of the entire network. It also maintains a database of all states within the network, has direct integration with hypervisor resources like VMware vSphere and NSX, and is aware of where every workload is in the network. Because of this, Arista can redirect a security service to any point in the network by organizing the network services into logical pools. Now, if a customer needs a firewall to inspect traffic between two VMs, one is drawn from the pool and inserted into that traffic path.
To enable this, Arista leveraged the APIs made available by the leading next-generation firewall vendors. From the APIs, MSS learns which workloads the security policy needs to address or monitor. If the security policy needs a specific logical network topology, Arista’s MSS can dynamically insert that into the network. Once the policies are set up, MSS capabilities are automated and work in real time, so there’s no requirement for network and/or security operations to do any configuration or tweaking of the network.
While this feature could work with virtually any service, Arista chose to apply it to both ADCs and next-generation firewalls initially, as this should solve the most immediate East-West pain points for customers. At the time of launch, Arista announced several partners, including Check Point, F5 Networks, Fortinet, Palo Alto, and VMware. Ideally, Arista should eventually put a program in place to enable any vendor to drop into the Arista network, instead of requiring Arista to do the integration one vendor at a time.
For many customers, the growth of East-West traffic probably came faster than expected, and any time there’s a change to a network, it creates problems. Arista’s MSS can be a cure to many of those problems.