Arista CloudVision gets multi-cloud, NSX security features

Arista Networks has added to its CloudVision management console the ability to apply security policies across virtualized switching fabrics running on Amazon Web Services, Google Cloud and Microsoft Azure.

Arista also introduced this week an integration between Arista CloudVision and NSX, VMware’s software for provisioning virtualized networks. The combination lets engineers take security policies created in NSX and apply them to Arista switches running in the data center.

The latest features come about a year after Arista introduced a virtualized version of its network operating system, called vEOS, for AWS, Google and Azure. At the time, Arista added some vEOS controls to CloudVision, which competes with Cisco CloudCenter.

The new multi-cloud feature within Arista CloudVision lets engineers modify the access control lists (ACLs) in vEOS switches, said Jeff Raymond, vice president of EOS product management. The capability, which the vendor calls Zone Segmentation Security, eliminates having to worry about the unique security mechanisms in each of the three public clouds.

Companies often create virtual networks in the public clouds to deliver security, load balancing and other services to applications. Amazon and Google call the networks Virtual Private Clouds (VPCs) while Microsoft refers to them as virtual networks (VNet).

Arista has integrated its Zone Segmentation feature with Zscaler’s cloud-based web gateway. The integration lets companies use Zscaler to apply security policies for traffic heading from a campus network or remote office to the cloud provider. Arista CloudVision applies policies to traffic flowing between and within virtual networks.

Overall, Arista is using CloudVision to address a trend toward more collaboration between corporate networking and security teams, said Shamus McGillicuddy, an analyst at Enterprise Management Associates, based in Boulder, Colo. A recent EMA survey found that 91% of security and network infrastructure teams were working together using shared or integrated tools.

The latest Arista offerings also show the vendor recognizes its customers need security that stretches from the private data center to the public cloud, said Bob Laliberte, an analyst at Enterprise Strategy Group, based in Milford, Mass. “Building out a strong security ecosystem will be critical, and delivering a capable management platform for hybrid cloud environments will be important for its customers to effectively manage those hybrid environments.”

VMware NSX integration with Arista CloudVision

The NSX integration bridges the gap between VMware virtual networks and Arista physical switches in the data center. With CloudVision, engineers will be able to take security policies created for NSX environments and apply them to workloads running on the hardware.

NSX policies define the network resources accessible to groups of workloads and applications running on the virtual network. CloudVision applies those policies to an Arista fabric by converting them into a format that can become a part of the switch’s ACL.

As a result, engineers can save time by using just NSX for creating security policies, according to Raymond.

New hardware-based encryption in Arista routers

Finally, Arista plans to release four routers with built-in support for encryption standards. For the enterprise WAN, Arista embedded hardware-based IPSec in the 7020SRG for site-to-site virtual private networks. The router is a 10 GbE platform.

For the data center interconnect, Arista will provide MACsec encryption in the new 7280CR2M and the 7280SRAM. Both routers offer wire-speed encryption with 10 GbE and 100 GbE for up to 100 kilometers. For MACsec encryption up to 2,500 km, Arista introduced the 7280SRM, which has 200 GbE Coherent interfaces for metro and long-haul links.

Arista plans to release all the new technology by the end of September.

Arista sells its products primarily to tier-one and tier-two service providers, financial institutions and high-tech companies, including Microsoft, Amazon and Facebook.

Recently, however, the company has aimed some new hardware at enterprises with more mainstream data centers. In May, for example, the company introduced switches for the campus LAN.

Roll your own Windows patching tool with PowerShell

This tutorial based on PowerShell helps administrators build an automated routine that audits Windows machines, then applies missing patches to lighten this management task.



It’s a necessary but loathsome activity for just about every systems administrator: Windows patching.

Windows systems get patched via Microsoft Update. There are many Windows patching tools that help with this procedure.

Windows Server Update Services (WSUS) is free, but lacks some tooling for administrators who might want to fine-tune the process. System Center Configuration Manager enables administrators to build highly customized patching rollouts, but it requires some time to learn — and it can be a sizeable expense for some organizations. Regardless of your choice, each uses the built-in Windows Update Agent to connect to Microsoft to obtain new updates.

If a commercial Windows patching tool is too costly and the limitations of a free tool are too constraining, there is the option to create your own automated procedure. There are several advantages to this approach. The main perk is the flexibility to build a Windows patching system that matches the organization’s needs. But this method requires specific expertise and will take a significant amount of work to build.

To start construction of a Windows patching tool, it helps to think about the details behind the process before writing a single line of code; for example:

  • How do you target the systems that need patches?
  • What source do you use for the patches?
  • Which patches do you apply?
  • How do you deliver the patches and install them?

There are several ways to handle these tasks, but in this article, we will address those areas in this fashion:

  • Targeting: via Active Directory organizational unit (OU);
  • Patch source: Microsoft Update;
  • Patch type: all critical patches; and
  • Delivery: use PowerShell to remotely invoke the Windows Update Agent.

The administrator can configure all the options at the time of patching, except perhaps the patch source. The Windows Update Agent uses the registry — possibly through a group policy object — to determine if the updates will come from Microsoft Update or a local WSUS server. A Windows patching tool built on PowerShell will use the source set in the Windows Update agent.
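
To confirm which source the agent on each target will use before patching, the following added example (not part of the original article or of the WindowsUpdate module) reads the Windows Update policy values from the registry. Get-UpdateSource is a hypothetical function name, and remote targets are assumed to allow PowerShell remoting.

```powershell
# Added example: report whether the Windows Update Agent on each computer is
# pointed at a WSUS server by policy or will go to Microsoft.
# Get-UpdateSource is a hypothetical name; remote hosts must allow remoting.
function Get-UpdateSource {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # Runs on each target and reads the policy values the agent consults.
    $probe = {
        $wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $policy = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
        $au     = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue

        # WSUS applies only when UseWUServer is 1 and WUServer is set.
        $usesWsus = ($au.UseWUServer -eq 1) -and $policy.WUServer

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Source    = if ($usesWsus) { 'WSUS' } else { 'Microsoft Update' }
            Server    = if ($usesWsus) { $policy.WUServer } else { $null }
            # Flag WSUS over plain HTTP so it can be moved to HTTPS.
            PlainHttp = [bool]($usesWsus -and $policy.WUServer -like 'http://*')
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $probe                                   # local machine
        }
        else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe
        }
    }
}

# Example: Get-UpdateSource -ComputerName $computersToPatch | Format-Table
```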

To start, we will use a prebuilt PowerShell module I developed called WindowsUpdate. Download and install the module. To see a list of available commands, enter:

Get-Command -Module WindowsUpdate

Next, query a list of computers to update. For this article, we’ll use a single Active Directory OU, but the source can be anything, such as a database, a CSV file or an Excel spreadsheet. We’ll use the Active Directory module included with Microsoft’s Remote System Administration Tools package.

After installing that module, we can query AD computers with the Get-AdComputer cmdlet. To find all computers in a single OU, use the SearchScope and SearchBase parameters. With the command below, we can find computers in the Servers OU from the domain mylab.local and return their names:

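# Get-ADComputer requires -Filter; OneLevel returns the computers directly inside the OU
$computersToPatch = Get-ADComputer -Filter * -SearchScope OneLevel -SearchBase 'OU=Servers,DC=mylab,DC=local' | Select-Object -ExpandProperty Name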

Next, let’s target a machine. When I use a new tool, I usually retrieve the existing state of the machine first. I perform a Get operation as a test for the tool and assess the current patch state. The command below queries the first computer in our variable and finds all the available updates that are not installed. By default, it just checks for missing updates:

Get-WindowsUpdate -ComputerName $computersToPatch[0]

Once you’ve seen the output and you’re comfortable with the patches the tool will install, use the Install-WindowsUpdate command to force the Windows Update agent on the remote computer to download and install the missing updates.

Install-WindowsUpdate -ComputerName $computersToPatch[0] -ForceReboot

Notice we’ve chosen to force a reboot on the machine if needed. By default, Install-WindowsUpdate does not attempt to reboot the computer if an update requires it.

We can take things a step further and install updates on all the target computers. In PowerShell, we can use a ForEach loop to iterate through each computer name in the $computersToPatch array and run Install-WindowsUpdate against each one.

foreach ($computer in $computersToPatch) {
    Install-WindowsUpdate -ComputerName $computer -ForceReboot
}

The loop goes through each computer in the Servers OU, checks each for missing patches, installs them and reboots the machine to complete the update process.
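
Because that loop force-reboots every server in the OU and records nothing, the following added example (not from the original article or the module) wraps the same two commands with an audit step, a dry-run switch and a per-host log. Invoke-PatchRun and patch-run.csv are hypothetical names. It assumes the module's commands accept the common -ErrorAction parameter and that Get-WindowsUpdate emits one object per missing update.

```powershell
# Added example. Assumes the WindowsUpdate module from this article is imported,
# that its commands accept -ErrorAction, and that Get-WindowsUpdate emits one
# object per missing update. Invoke-PatchRun and patch-run.csv are hypothetical.
function Invoke-PatchRun {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        [string]$LogPath = '.\patch-run.csv'
    )

    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            Time     = (Get-Date).ToString('s')
            Computer = $computer
            Missing  = $null
            Status   = 'Skipped'
            Detail   = ''
        }
        try {
            # Audit first so the log shows what was missing before any change.
            $missing = @(Get-WindowsUpdate -ComputerName $computer -ErrorAction Stop)
            $result.Missing = $missing.Count

            if ($missing.Count -eq 0) {
                $result.Status = 'UpToDate'
            }
            elseif ($PSCmdlet.ShouldProcess($computer, "Install $($missing.Count) update(s), reboot if required")) {
                Install-WindowsUpdate -ComputerName $computer -ForceReboot -ErrorAction Stop
                $result.Status = 'Installed'
            }
        }
        catch {
            # One failed host must not stop the run or go unrecorded.
            $result.Status = 'Failed'
            $result.Detail = $_.Exception.Message
        }
        # -WhatIf:$false keeps the log written even during a dry run.
        $result | Export-Csv -Path $LogPath -Append -NoTypeInformation -WhatIf:$false
        $result
    }
}

# Dry run: reports missing-update counts without installing or rebooting.
# Invoke-PatchRun -ComputerName $computersToPatch -WhatIf
```

Run it with -WhatIf first, then against a small pilot subset of the OU, before passing the full $computersToPatch array.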

This basic demonstration shows what’s possible with a free PowerShell tool. Open up the code for these commands and give them a closer look to see where a few modifications might work better with your environment.
