Skip to main content

Aviz Networks ONES details CI/CD scans, CA-signed HTTPS, RBAC, and mTLS

Aviz Networks describes how its ONES network orchestration and assurance platform implements enterprise security controls for multi-vendor SONiC deployments, covering automated image and application scans, certificate handling, identity access, encryption, telemetry, and patching. The update matters for IT and security teams managing data center fabrics that require consistent controls across network software and services.

Research Overview

The blog positions ONES as a solution for multi-vendor, multi-NOS network infrastructure that provides network orchestration, visibility, and assurance, with support for SONiC. It links the platform design to an enterprise product security approach built around scanning, identity controls, encryption, monitoring, and ongoing patch management.

The post also frames its content as mapping common enterprise security practices to ONES implementation, including automated security checks in a CI/CD workflow and continuous compliance monitoring. It references collaboration with enterprise security and audit teams starting at pre-deployment stages.

Key Findings

ONES includes automated security scanning steps integrated into its CI/CD pipeline to validate software packages and reduce the risk of releasing vulnerable code. The blog states that checks include installer scanning and SAST/DAST using tools such as Synk and SonarQube.

For secure communications, the blog describes enforcement of HTTPS over port 443 with certificates signed by trusted certificate authorities, and support for mutual TLS for identity verification between communicating parties. It further describes API protection using authentication mechanisms and an API gateway for rate limiting.

Technical Breakdown

On user access, the blog says each ONES user has an independent account and credentials are not shared, while a separate “super admin” account can be used for troubleshooting and recovery scenarios such as locked accounts or forgotten passwords. It also describes fine-grained RBAC that restricts access to special features based on roles, with examples including permissions for vendor staff operations such as reboot and ZTP.

For centralized identity management, ONES is described as integrating with Active Directory by communicating through LDAP for user authentication. The blog also explains that ONES uses gRPC infrastructure and TLS to secure client-server communication and to provide authentication, confidentiality, and integrity through digital certificates.

Operational Impact

The blog describes ONES telemetry as streaming metrics used for software compliance monitoring, including software versions for NOS, Kernel, and ONIE, EOL licenses, and security vulnerabilities. It says ONES provides policy and alert capabilities and dashboards to show compliance status and help identify and address compliance issues.

For vulnerability remediation, the post describes the use of security patches and states that ONES uses cloud-native and microservice design to support container upgrades without impacting the data path or application downtime. It also states that patching and security fixes can be applied without upgrading the whole system, supported by continuous monitoring and its CI/CD workflow.

The article ends by summarizing a combined approach that applies scanning, certificate handling, account management and RBAC, LDAP-based authentication, mutual TLS, streaming telemetry, and patching to enterprise product security needs. Blog Signals brief is a fact-based summary of the vendor blog.