Cyber Security and the Evolving Datacenter: Segmenting PINs to PICs

Copyright © Arista 2018. All rights reserved.


Preface


• Who is Arista?
• Work with 3rd-party best-of-breed partners
• Communication with customers and peers
• Foster discussion
• Contact us to learn more
  - Lindsay Clarke – Account Manager: [email protected]
  - Rich Whitney – Engineering Manager: [email protected]
• Vendors in this presentation are for reference only


Arista PINs to PICs

Public Cloud
● Elastic demand-based service models
● Extremely agile
Challenge: provider centric – hard to tie to on-premise DC architectures

Branch
● MPLS to IPsec-driven VPN architectures
● High vendor lock-in
Challenge: too many competing and vendor-proprietary niches (i.e., SD-WAN)

Private Cloud
● On-premise and/or hosted models
● Hypervisor centric
Challenge: hard to integrate across hypervisor vendor platforms

Datacenter
● Open leaf & spine cloud networking
● Siloes breaking down
Challenge: remaining legacy fabric hold-outs dying off

From siloed Places in the Network (PINs) with bolted-on after-thoughts to seamless and secure Places in the Cloud (PICs)


Secure Cloud Networking Goals


• Enable heterogeneous container deployments across virtual machines, bare-metal, and public or private clouds

• Production-grade networking to containers running on any platform – Docker Swarm, Kubernetes or OpenShift

• Ability to migrate containerized workloads to and between clouds

• Uniform way to connect, manage and secure micro-services in a multi-cloud deployment

• Provide application-layer visibility in the public cloud and aggregate telemetry data

• Ability to secure traffic flows to, from or within micro-services (i.e. inter- and intra-VPC/VNet traffic) using the same security policy mechanism as the private cloud, independent of the public cloud provider's own lock-in security mechanisms

• Automatically secure applications in the cloud based on consistent set of enforcement mechanisms

• Manage secure cloud using same security orchestration rules as private cloud

• Integrate with best-of-breed security management to orchestrate security with open API in any public or private cloud

• Reduce capex and opex costs of running a multi-cloud infrastructure


Arista EOS Use-cases

Spine (Data Center Spine)
The spine runs BGP as its primary routing protocol. The network spine is provisioned to provide wire-speed connectivity with deep buffers to manage periods of sporadic congestion and incast. It is designed to be simple and thus highly available, while allowing for routine network operations and change control via Smart System Upgrades.

TAP and Monitor Port Aggregation (Application Performance Monitor, IDS/IPS, Packet Monitor)
Each leaf switch and each spine switch connects to this switch with either one 10GbE or one 40GbE interface to simplify monitoring and troubleshooting, as well as enabling APM and IDS systems to see any/all traffic as efficiently as possible.

Dual-Homed Leaf (MLAG pair, hosts in Rack 1 / Rack 2)
The dual-homed compute leaf is usually provisioned with a 3:1 oversubscription ratio. Ensure a thorough understanding of the failover characteristics of the NIC redundancy plan here, and deploy VARP for protocol-free first-hop redundancy.

Data Center Interconnect Leaf (MLAG pair, VTEPs, VARP FHRP; edge routers to the external network, MPLS core, Metro A / Metro B)
The Data Center Interconnect Leaf serves as the gateway leaf to the Metro DC pair, the MPLS network, and the Core to the remote Data Center. VXLAN is used as the L2 transport between the Metro pairs and, in limited amounts, across the Core Network.

Storage Leaf (MLAG pair; NAS, IP storage, FC SAN, first-hop FCoE switch)
The storage leaf is usually provisioned with a 1:1 oversubscription ratio when the storage is serving hosts connected to the compute leaves. Legacy Fibre Channel connections will remain in the MDS and connect to the IP fabric through the storage leaf.

Services Leaf (MLAG pair; Checkpoint / PAN firewalls, F5 load balancer, acceleration, etc.)
The services leaf is usually provisioned with an uplink capacity based on the throughput of the services connected to and through it. It is important to monitor both bandwidth and critical table utilization for shared services to ensure stable connectivity.

Management Leaf (MLAG pair; CVX, DHCP, ZTP/ZTR, Splunk)
The management leaf never needs much throughput, but does require maximum uptime and reliability to ensure the overall infrastructure stays available. Each service is detailed in the accompanying design document.

Internet DMZ (MLAG pair; edge routers, external network, services FW/LB/IPS)
The DMZ terminates the Internet traffic on the external routers and connects up to a typical leaf model, leveraging services that are specific to the DMZ connectivity.

[Figure: Universal Cloud Network use-cases – Programmable Underlay with EOS (compute MLAG pair; virtual and physical servers, physical firewalls and storage; CloudVision eXchange; central management; monitoring tools); Data Center Interconnect (DWDM MUX/DMUX, spine, leaf/ToR, servers, DC1 to DC2 at >3000 km with amplification); Macro Segmentation; IP Storage; Media; DANZ, LANZ and Tracers; NSX / Software Defined Data Center / Network Virtualization; IP Peering with ISP A and ISP B]


Arista EOS Use-cases: Routing focus

[Figure: Internet / Inter-DC WAN use-cases – Spine, Core, DCI, Transit, Public Peering, Cloud DCI; Universal Spine and Leaf; IX / IP Cloud network peering (AS2906, AS8075); Customer Edge running BGP, VXLAN and EVPN; IX Cloud; WAN path computation with IGP, BGP and Segment Routing driven through programmatic APIs; inter-DC traffic between DC1 and DC2 without MPLS-TE signaling (crossed out in the figure)]

Segment Routing reduces complexity and improves scale by offering intelligent source routing with globally optimized traffic engineering.


Arista EOS Use-cases: Arista Any Cloud Platform

Hybrid cloud, expanding seamlessly beyond the datacenter

[Figure: Private Cloud – DC aggregation with Arista Universal Cloud Network; Cloud Exchange – Arista router at Equinix; Public Cloud – vEOS Router in AWS, vEOS Router in Azure West, vEOS Router in Azure East; all tied together through the Any Cloud API (Analytics, Automation, Agile, Work-X, Available Architecture)]


What is Segmentation?

“Process of implementing isolation and segmentation for security purposes within the virtual data center” (Gartner, 2017)


Standard Segmentation Methods

Traditional physical firewalls and manually deploying security policies to isolate traffic


Micro-segmentation

L3/L4 security policies on distributed virtual switch or vNGFW down to VM


Adaptive Segmentation

Automated application discovery, orchestration of L7 policies on distributed firewalls, and isolation of threats


Cloud Based Segmentation

L3/L4 security policy micro-segmentation enforcement by Cloud Providers


No silver bullets


Security criteria compared across Traditional Segmentation, Micro-Segmentation, Adaptive Segmentation and Cloud Segmentation:

Firewall type
  Traditional: Physical
  Micro: IP tables / ACLs (plug to vNGFW)
  Adaptive: Virtual distributed IP tables / ACLs (plug into NGFW)
  Cloud: (not stated on the slide)

Firewall location
  Traditional: DMZ
  Micro: Top of Rack or Hypervisor
  Adaptive: Operating System
  Cloud: Hypervisor

Typical traffic flows secured
  Traditional: North/South
  Micro: East/West & North/South
  Adaptive: East/West & North/South
  Cloud: East/West & North/South

Security layer
  Traditional: L3 - L7
  Micro: L3/L4 on vSwitch
  Adaptive: L3 - L7
  Cloud: L3/L4

Security policy provisioning & maintenance
  Traditional: Manually
  Micro: Manually
  Adaptive: Application learning
  Cloud: Manually

Security policy management
  Traditional: Central firewall controller
  Micro: Central firewall controller
  Adaptive: Central firewall controller
  Cloud: Cloud orchestrator
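Each column above is an enforcement point that takes policy in its own format, which is why the same L3/L4 intent ends up re-typed per island. As an added example (not Arista's code or any vendor's API), the Python below keeps one vendor-neutral intent and renders it into the formats three of those islands consume: a ToR extended ACL, a host iptables chain and a cloud security group. It also carries a reference evaluator with an implicit default deny that every rendering must agree with. The ACL syntax, iptables layout and security-group field names follow the common conventions but are assumptions for this example, as are the tiers and addresses.

```python
"""Added example: one vendor-neutral L3/L4 segmentation intent rendered into
the formats separate 'security islands' enforce (ToR ACL, host iptables,
cloud security group), plus a reference evaluator they must all agree with.
Tiers, addresses and rendering syntax are constructed/assumed for the example."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src: str      # source segment as a CIDR
    dst: str      # destination segment as a CIDR
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "permit" or "deny"


# Constructed intent: web tier -> app tier on tcp/8080, app tier -> db tier on
# tcp/5432; everything else between the three tiers is denied by default.
INTENT = [
    Rule("10.1.0.0/24", "10.2.0.0/24", "tcp", 8080, "permit"),
    Rule("10.2.0.0/24", "10.3.0.0/24", "tcp", 5432, "permit"),
]


def evaluate(rules, src_ip, dst_ip, proto, port, default="deny"):
    """First-match evaluation with an implicit default deny, as on an ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.port == port):
            return r.action
    return default


def to_acl(rules):
    """Extended-ACL lines in the EOS/IOS style (syntax assumed for the example)."""
    lines = [f"{r.action} {r.proto} {r.src} {r.dst} eq {r.port}" for r in rules]
    return lines + ["deny ip any any"]          # make the implicit deny explicit


def to_iptables(rules):
    """Host-level rendering for a distributed firewall built on iptables."""
    target = {"permit": "ACCEPT", "deny": "DROP"}
    lines = [f"-A FORWARD -s {r.src} -d {r.dst} -p {r.proto} --dport {r.port} -j {target[r.action]}"
             for r in rules]
    return lines + ["-P FORWARD DROP"]          # chain policy carries the default deny


def to_security_group(rules):
    """Cloud security-group permissions in the AWS-style field layout.
    Security groups have no explicit deny, so only permits are emitted and the
    provider's implicit deny supplies the rest."""
    return [{"IpProtocol": r.proto, "FromPort": r.port, "ToPort": r.port,
             "IpRanges": [{"CidrIp": r.src}]}
            for r in rules if r.action == "permit"]


if __name__ == "__main__":
    print("\n".join(to_acl(INTENT)))
    print("\n".join(to_iptables(INTENT)))
    print(to_security_group(INTENT))
    print(evaluate(INTENT, "10.1.0.5", "10.3.0.4", "tcp", 5432))
```

Because the security-group rendering cannot express a destination CIDR inside one group, the destination side is carried by where the group is attached; that loss of fidelity per island is exactly the sprawl the next slide describes, and the evaluator is what a reviewer checks each rendering against.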


Segmentations have created security islands

Security islands:
• DMZ Security Island
• Multi-Silo DC Security Island
• Cloud Security Island
• Branch / Campus Security Island

Consequences:
• Security policy sprawl
• Micro-visibility per island only
• Lack of automation, mobility & agility
• Vendor lock-in & lack of open integration


Macro-Segmentation with Macro-State Visibility is open to accommodate and enable any segmentation architecture:

1. Traditional Segmentation
2a. Micro Segmentation
2b. Adaptive Segmentation
4. Cloud Segmentation

[Figure: the four architectures side by side – firewall controller, TAP aggregation and packet monitoring in the datacenter; Internet VPC and Transit VPC across AZ1/AZ2 in the East Region for the cloud case]


Macro-State Visibility to openly accommodate & enable any segmentation architecture

EOS software features feeding the macro-state view: TAP Aggregation, DANZ, LANZ, VmTracer, MapReduce Tracer, SNMP, Syslog, Path Tracer, Bug Alerts, EOS SDK, EOS API, Atomic Counters, CloudTracer, Scripting, ZTP, Event Monitor, Event Manager, 3rd-party RPM packages, VCS State Streaming, MSS, DFA, sFlow, Digital Optical Monitoring, Firewall Controller, Packet Monitoring.

Use CloudVision's NetDB to collect macro-state from these EOS software features, providing network-wide visibility, and state-stream the data through open APIs to any 3rd-party security controller to help provide scalable macro-segmentation across all PICs.


Macro-Segmentation with Macro-State Visibility

Places In the Cloud (PICs) and what each edge contributes:

• Compute / Big Data / HPC Edge: state-stream and provide atomic changes on end devices connected to the physical & virtual network
• Storage Edge: state-stream and provide atomic changes on the storage infrastructure
• Cloud Edge: provide cloud visibility & analytics to secure cloud workflows and workloads
• Branch / Campus / IoT Edge: provide visibility, security, analytics and agility to remote users

At the centre, VCS has the macro-state view of the network, giving macro application & workflow visibility & analytics, open API integration with best-of-breed security, and full security automation & segmentation.


Macro Threat Detection & Enforcement

1) 3rd-party threat security intelligence or enforcement
2) Real-time data capture & enforcement
3) Real-time threat analysis via machine learning

[Figure: macro visibility across workflow, network and workload, spanning public cloud and private cloud]

Arista Macro Detection & Enforcement Software Roadmap

Phase 1) Provide 3rd Party security devices application visibility & network logs to do security intelligence & enforcement

Phase 2) Arista provides policy enforcement on virtual routers and physical devices integrated to 3rd party

Phase 3) Arista provides machine learning capabilities for advanced detection and correlation for intelligent & automated policy enforcement
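Phases 1 and 2 of this roadmap, together with the macro-state idea of the earlier slide, come down to one loop: aggregate streamed flow telemetry into a segment-to-segment picture, compare it with the segmentation intent, correlate it with a third-party threat feed, and hand enforcement entries back to the devices. The Python below is an added example of that loop and is not Arista's software; the segments, allow-list, threat indicator, sFlow-style records and ACL syntax are all constructed or assumed for the example.

```python
"""Added example: build a macro-state view of east/west traffic from streamed
flow records, compare it with the segmentation intent, correlate with a
third-party threat feed, and emit enforcement entries. Segments, records,
indicator addresses and ACL syntax are constructed/assumed for the example."""
from collections import defaultdict
import ipaddress

# Constructed segments (PICs) and the intended east/west allow-list between them.
SEGMENTS = {"web": "10.1.0.0/24", "app": "10.2.0.0/24", "db": "10.3.0.0/24"}
ALLOWED = {("web", "app", "tcp", 8080), ("app", "db", "tcp", 5432)}

# Constructed indicator from a third-party threat feed (roadmap phase 1).
THREAT_INDICATORS = {"203.0.113.7"}

# Constructed sFlow-style records as leaf switches might state-stream them.
FLOWS = [
    {"switch": "leaf1", "src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 8080, "bytes": 52000},
    {"switch": "leaf1", "src": "10.1.0.5", "dst": "10.3.0.4", "proto": "tcp", "dport": 5432, "bytes": 900},
    {"switch": "leaf2", "src": "10.2.0.9", "dst": "10.3.0.4", "proto": "tcp", "dport": 5432, "bytes": 120000},
    {"switch": "leaf3", "src": "10.3.0.4", "dst": "203.0.113.7", "proto": "tcp", "dport": 443, "bytes": 4000},
]


def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"


def build_state(flows):
    """Aggregate flows into a segment matrix keyed by (src_seg, dst_seg, proto, port)."""
    state = defaultdict(int)
    for f in flows:
        key = (segment_of(f["src"]), segment_of(f["dst"]), f["proto"], f["dport"])
        state[key] += f["bytes"]
    return dict(state)


def find_violations(state):
    """Internal segment pairs that carried traffic the intent does not allow."""
    return sorted(k for k in state
                  if k[0] != "external" and k[1] != "external" and k not in ALLOWED)


def threat_hits(flows):
    """Flows whose near or far end matches an indicator from the threat feed."""
    return [f for f in flows
            if f["src"] in THREAT_INDICATORS or f["dst"] in THREAT_INDICATORS]


def enforcement_rules(violations, hits):
    """Deny entries to push to the enforcement points (roadmap phase 2).
    Extended-ACL syntax is assumed for the example."""
    rules = [f"deny {proto} {SEGMENTS[s]} {SEGMENTS[d]} eq {port}"
             for s, d, proto, port in violations]
    for f in hits:
        bad = f["dst"] if f["dst"] in THREAT_INDICATORS else f["src"]
        rules.append(f"deny ip any host {bad}")     # block traffic towards the indicator
        rules.append(f"deny ip host {bad} any")     # and anything it initiates
    return rules


if __name__ == "__main__":
    state = build_state(FLOWS)
    for rule in enforcement_rules(find_violations(state), threat_hits(FLOWS)):
        print(rule)
```

On the constructed records the web tier talking straight to the database is the one east/west violation, and the database host reaching the threat-feed address is the one intelligence hit; both become deny entries. In a real deployment the intent would be the same object the policy renderer consumes, so detection and enforcement share one source of truth instead of one per island.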


www.arista.com

Thank You