Data center security for the age of AI
Today we are excited to announce a major step forward in data center security. Palo Alto Networks and Arista Networks are taking the next step in our partnership, enabling an intelligent framework that allows businesses to deploy best-in-class, consistent Zero Trust security in the data center at the speed of cloud.
Security challenges in the modern data center
As the data center becomes the backbone of AI innovation and is increasingly distributed across hybrid and multi-cloud environments, it faces a perfect storm of risks:
- Exponential East-West Growth: Over 80% of data center traffic is East-West - often a blind spot from a security standpoint, allowing threats to move unchecked once the perimeter is breached.
- AI-Powered Attacks: Adversaries are using AI to launch highly sophisticated, evasive malware and zero-day attacks that are difficult for legacy defenses to catch. The time from initial compromise to data theft has dropped from 9 days to just 1 - and is projected to get to just 20 minutes next year.
- New AI Applications Exposure: The rise of AI applications introduces new threat vectors like prompt injection, model poisoning, and adversarial attacks, which require advanced security capabilities to protect the data center.
Two leaders joining together
Palo Alto Networks is the leader in cybersecurity, pioneering the future of Zero Trust and AI-driven defense, while Arista Networks is the leader in cloud networking, delivering high-performance, programmable data center fabrics. We engaged with our customers both separately and together, and the message was clear: they need the best of both worlds, uncompromising security efficacy seamlessly integrated with high-speed, scalable networking performance.
And that’s what we delivered.
Our unified solution addresses these challenges head-on, delivering a comprehensive Zero Trust posture for your entire distributed infrastructure while dramatically reducing complexity and total cost of ownership (TCO).

The four pillars of our unified solution
Our latest integration is built on four critical pillars, providing best-in-class security delivered with best-in-class networking performance:
Flexible segmentation with pervasive visibility
To achieve a true Zero Trust posture, enterprises must eliminate security blind spots by gaining full visibility and control over all data center traffic. This is especially critical for East-West (server-to-server) flows, which are the primary path for an attacker's lateral movement. The joint Palo Alto Networks and Arista integration provides this pervasive visibility and enables flexible, granular segmentation for both inter-zone and intra-zone traffic.
This solution works through an intelligent division of labor. The Arista fabric, which has complete network visibility, intelligently steers critical East-West application traffic to the Palo Alto Networks NGFW for deep, Layer 7 inspection. Based on this inspection, the NGFW creates a comprehensive, application-aware security policy. It then instructs the Arista fabric to enforce that policy at wire speed for all subsequent, similar flows. This "inspect-once, enforce-many" model delivers granular Zero Trust security without the performance bottlenecks of hairpinning all traffic through a firewall or forcing a costly, disruptive network redesign.
Advanced security with dynamic quarantine
To combat sophisticated, AI-powered threats, a joint Palo Alto Networks and Arista deployment provides a high-performance, automated defense. Palo Alto Networks NGFWs identify evasive threats using a powerful suite of Cloud-Delivered Security Services (CDSS). These services, such as Advanced WildFire for zero-day malware and Advanced Threat Prevention for unknown exploits, leverage global threat intelligence to detect and block attacks that traditional security misses.
This integrated solution delivers comprehensive security without compromising network speed. The Palo Alto Networks firewall uses a Single-Pass Parallel Processing (SP3) architecture to perform all security tasks in one pass, minimizing latency. Simultaneously, the Arista fabric can intelligently offload trusted, high-bandwidth "elephant flows" from the firewall after inspection, freeing it to focus on high-risk traffic. When a threat is detected, the NGFW instantly signals Arista CloudVision, which programs the network switches to automatically quarantine the compromised workload at hardware line-rate. This immediate response halts the lateral spread of a threat without creating a performance bottleneck or requiring manual intervention.
As more data center applications become AI applications, the specialized capabilities of Prisma AIRS AI Runtime Security secure the AI infrastructure itself. It provides deep Layer 7 visibility and behavioral analysis of application flows, enabling the security platform to detect and block specific AI-related attack patterns, not just general threats. Moreover, Prisma AIRS secures critical applications with east-west protection and workload inspection using Micro Perimeter. This ensures the high-value AI environment remains secure and compliant while utilizing the high-throughput performance of the Arista fabric.
Unified policy orchestration across distributed environments
Modern data centers are complex, making it crucial to maintain consistent security—inter- and intra-zone, across distributed data centers, and throughout multi-cloud environments. The goal is to manage a unified security policy from a single pane of glass: write once and enforce everywhere. However, a key challenge in these large, distributed environments is asymmetric routing, especially when you stretch subnets for workload mobility. This asymmetry is a major problem for security, as a stateful firewall sees a request go out but the reply takes a different path back and bypasses it. Since the firewall only sees half the conversation, it correctly drops the session, which breaks the application for the user.
Typically, you'd try to solve this with complex firewall clustering or by manipulating default gateway settings, but these solutions are often rigid, operationally complex, and not optimal for dynamic environments. This is where our joint approach is different: the network itself is intelligent. It's aware of the workload, its location, and the security policy attached to it. It automatically steers both the initial request and its reply through the same firewall so the context is never lost—all without requiring complex manual configuration. This ensures traffic symmetry, guaranteeing your security posture remains consistent, no matter where your workloads are.
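To make the asymmetric-routing failure concrete, here is an added simulation (not code from Palo Alto Networks or Arista) of a toy stateful TCP tracker replaying one handshake under two steering schemes. The addresses, site names and the hash-based symmetric steering are assumptions chosen for illustration; the page does not specify how the fabric pins both directions to one firewall.

```python
import hashlib

class StatefulFirewall:
    """Toy TCP tracker: a flow is allowed only if this box saw its handshake in order."""
    def __init__(self, name):
        self.name = name
        self.flows = {}  # sorted endpoint pair -> (stage, initiator)

    def inspect(self, src, dst, flag):
        key = tuple(sorted((src, dst)))
        stage, initiator = self.flows.get(key, (None, None))
        if flag == "SYN" and stage is None:
            self.flows[key] = ("SYN", src)
        elif flag == "SYN-ACK" and stage == "SYN" and dst == initiator:
            self.flows[key] = ("SYN-ACK", initiator)
        elif flag == "ACK" and stage in ("SYN-ACK", "ESTABLISHED") and src == initiator:
            self.flows[key] = ("ESTABLISHED", initiator)
        else:
            return "drop"  # out-of-state packet: this firewall never saw the other half
        return "allow"

# Constructed topology: one stretched subnet, one firewall per site.
SITE_OF = {"10.0.1.10": "dc1", "10.0.1.20": "dc2"}

def steer_by_local_site(src, dst, firewalls):
    """Asymmetric: each packet exits through the firewall at its sender's site."""
    return firewalls[SITE_OF[src]]

def steer_symmetric(src, dst, firewalls):
    """Symmetric (assumed technique): hash the direction-independent endpoint pair."""
    digest = hashlib.sha256("|".join(sorted((src, dst))).encode()).digest()
    names = sorted(firewalls)
    return firewalls[names[digest[0] % len(names)]]

def run_handshake(steer):
    """Replay a three-way handshake; return [(firewall, verdict), ...] per packet."""
    firewalls = {n: StatefulFirewall(n) for n in ("dc1", "dc2")}
    client, server = "10.0.1.10", "10.0.1.20"
    packets = [(client, server, "SYN"), (server, client, "SYN-ACK"), (client, server, "ACK")]
    results = []
    for src, dst, flag in packets:
        fw = steer(src, dst, firewalls)
        results.append((fw.name, fw.inspect(src, dst, flag)))
    return results

if __name__ == "__main__":
    print("asymmetric:", run_handshake(steer_by_local_site))
    print("symmetric: ", run_handshake(steer_symmetric))
```

With per-site steering, the SYN-ACK reaches a firewall that holds no state for the flow and the final ACK reaches one that never saw the SYN-ACK, so both are dropped. With direction-independent steering, every packet lands on the same firewall and the session establishes.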
Operational flexibility and independence
Historically, network operations (NetOps) and security operations (SecOps) have faced significant operational friction due to the tight, manual coupling of their domains. A change in network architecture by NetOps—like deploying a new data center fabric or modifying network segments—often forces a complex and time-consuming redesign of security policies and firewall insertion points by SecOps. Conversely, when SecOps needs to deploy new security controls or update enforcement policies (like a quarantine rule), NetOps is frequently required to re-engineer complex traffic flows using PBR or VRFs to redirect data through the appropriate security stacks. This rigid codependency creates bottlenecks, slows down critical projects, and prevents both teams from innovating at the speed of business.
Our integration directly resolves this conflict by creating a clean architectural separation that decouples the network fabric from security policy. This allows the NetOps team (managing the Arista fabric) and the SecOps team (managing Palo Alto Networks security) to scale, upgrade, and innovate independently.
NetOps can focus on building a high-performance, reliable network, while SecOps can focus on delivering best-in-class security services. Each team uses their own domain-specific management tools, and the integration layer automatically synchronizes policy and enforcement actions. This flexible approach translates security intent from SecOps into automated network-level controls on the Arista fabric, eliminating the friction and allowing both teams to operate at maximum efficiency.
Take the next step
Ready to move beyond legacy solutions and implement a dynamic, Zero Trust architecture that secures your network at the speed of cloud?
- See the power in action: Watch the on-demand webinar to see a live demonstration of how unified policy orchestration and dynamic quarantine work instantly to secure distributed workloads.
- Get the technical deep dive: Download the integration brief for the technical blueprint on how Arista's Multi-Domain Segmentation Services and the Palo Alto Networks NGFW seamlessly integrate to deliver wire-speed security.
- See what our partner is saying: Read the Arista blog, "Arista and Palo Alto Networks Strengthen Partnership in the New Age of AI Security."