All Tech Field Day Events

Arista Networks Refreshes CloudVision AGNI with New Feature Set

As businesses embrace cloud computing, it has given free passes to users to access IT resources from anywhere. Employees need access of the corporate network and work apps to get their job done. But the cloud provides anywhere-access indiscriminately. For example, to external parties like contractors, vendors, partners and customers. Meaning with a device connected to the Internet, any of these entities can access corporate applications and data from any part of the world.

This on one hand has unlocked tremendous opportunities of collaboration and coopetition, but on the other hand, it has unspooled chaos at the security front. With the rise of BYOD, the number of digital identities and online accounts of users have exploded, amplifying risk to data. For an average-size enterprise, managing millions of global identities in a way that access to corporate applications is maintained, while still being in control of sensitive company data, is a growing burden.

At the 2023 Mobility Field Day event, Arista Networks showcased their cloud NAC solution, CloudVision AGNI. Short for Arista Guardian for Network Identity, AGNI packed many useful security features that advance zero trust security in a perimeter-less environment. This Mobility Field Day event, Arista Networks returned with some significant enhancements that they say take CV AGNI to the next level.

Sriram Venkiteswaran, Director of Product Management, and Parul Sharma, Sr. Technical Marketing Engineer, jointly demoed the solution and the new capabilities to the audience.

The Zero Trust Journey Starts with AGNI

At the foundation, Arista’s Zero Trust Network architecture has AGNI for access control. It provides continuous authentication, frictionless onboarding, and profiling of endpoints for identity management.

All communications happen via a TLS-based RadSec tunnel which is highly secure and encrypted, and offers maximum protection across distributed networks.

“All our infrastructure components use RadSec to talk back to our NAC in the cloud. Underneath RadSec is the standard RADIUS protocol, and the best part is it works on any third-party infrastructure as long as it supports RadSec,” he says.

For devices that don’t support RadSec, Arista switches can behave as RadSec proxies with just an additional module.

AGNI integrates with Arista’s Microperimeter Segmentation Services (MSS) framework, a newly launched solution that works by implementing group-based security policies in the network based on AGNI’s inputs.

“The way we do segmentation is we don’t have any proprietary tags. We don’t modify the packets or the headers. It’s network agnostic and works obviously on top of our infrastructure, but also in multivendor environments,” says Venkiteswaran.

Inside Arista Networks’ Zero Trust Architecture

The last mile is covered by Arista NDR (Network Detection and Response), a platform that performs continuous threat monitoring of all wired and Wi-Fi devices in the network to deliver diagnostics for threats and anomalies.

Arista NDR works through an army of software sensors that are deployed on network switches. These sensors work natively scanning every packet passing through the switch and pulling their flow information. This it shares with the AVA Nucleus, an AI/ML engine that analyzes the behaviors of entities and alerts operators about suspicious changes, anomalies and threats.

Through integration with AGNI, Arista NDR can send back alerts after cranking up the threat profile of the suspect device. AGNI then takes over and enforces the required policies which include quarantining the device, blacklisting it, change the ACLs and so on.

During the demo, Sharma also highlighted AGNI’s two-step guest onboarding with U-PSK. The self-registration workflow entails entering the client email address at the kiosk which generates a QR code. To connect to the network, all they need to do is scan that QR code. All guest devices will be automatically granted guest network access without redirections.

Broad Integration with External Solutions

An API-first approach allows AGNI to integrate with all of Arista Networks’ products as well as a whole ecosystem of third-party solutions with which it can exchange client and user context, telemetry and protection status of endpoints.

When interacting with customers, Arista learned that a majority of the customers do not implement NAC despite paying for the licenses. “Setting up NAC policies in an existing environment is a PHD project – it’s super complex,” Venkiteswaran informs. “Also, customers don’t want to touch their networks because they fear they’re going to break something.”

To make the process simple, Arista Networks has built integrations with a suite of Concourse Apps that are both native and external services from which AGNI can receive feeds and notifications. Among them is CrowdStrike, a leading cloud-native, AI-powered threat hunting solution.

When CrowdStrike picks up anomalous behaviors, it can send the alerts back to AGNI. “The workflow is very similar. We take feed from CrowdStrike, say about a device that is non-compliant, and we go back and take actions on the network.”

Among things that are new, AGNI now supports TACACS+ for device administration for customers that are looking to migrate legacy NAC solutions to AGNI. “Essentially, at a high level, one of the switches acts as a gateway that terminates TACACS from all the infrastructure components and at the back end, talks to AGNI to complete the authentication,” explains Venkiteswaran.

Wrapping Up

Identity is the new perimeter, and ensuring secure identity and access is the biggest priority of enterprises. Arista CV AGNI offers top-notch convenience in accomplishing this daunting task. Around the clock, it vets entities before granting them permission to enter the network. Arista Networks’ goal to make it an adaptive solution is fulfilled through its broad integration with the rest of the Arista portfolio and external vendors which enables it to dynamically receive threat intelligence, evict bad actors, and secure resources by going beyond the known enterprise boundaries.

Be sure to watch Arista Networks’ demonstration from the recent Mobility Field Day event to watch CV AGNI in action.

About the author

Sulagna Saha

Sulagna Saha is a writer at Gestalt IT where she covers all the latest in enterprise IT. She has written widely on miscellaneous topics. On gestaltit.com she writes about the hottest technologies in Cloud, AI, Security and sundry.

A writer by day and reader by night, Sulagna can be found busy with a book or browsing through a bookstore in her free time. She also likes cooking fancy things on leisurely weekends. Traveling and movies are other things high on her list of passions. Sulagna works out of the Gestalt IT office in Hudson, Ohio.

Leave a Comment