Network segmentation is the practice of dividing networks into smaller, isolated sections to help reduce lateral movement and improve network performance.
After reading this article you will be able to:
Copy article link
Network segmentation is the practice of dividing a network* into smaller, isolated sections. These partitions can be created and secured via physical hardware or software, each of which come with their own implementation challenges.
By cordoning off different segments of a network, organizations can more easily prevent lateral movement, exert granular control over network traffic, and improve network performance. They may even set policies for individual workloads and applications, an approach known as microsegmentation.
*A network is a group of computers that are connected to each other.
Network segmentation divides a network into multiple sections, to which different controls can then be applied. Typically, this process is performed using one of two methods: physical segmentation and logical segmentation.
Physical segmentation requires hardware appliances — like routers, switches, and firewalls — to separate a network into discrete sections. These appliances control the type of traffic that is allowed to enter and exit each section via segmentation policies, which can be configured according to specific criteria (e.g. traffic source, destination, and so on).
Physical segmentation (also called perimeter-based segmentation) is often expensive and labor-intensive to set up and maintain. It also operates under the assumption that most organizations still maintain a physical network perimeter.
With the advent of cloud computing, however, this perimeter has all but disappeared, as users can access data and applications over the Internet, rather than internal, IT-managed networks. Even organizations that use on-premises infrastructure often allow users to connect to internal resources from external devices and software.
Logical segmentation, or virtual network segmentation, uses software to divide a network into smaller sections. These segments may be created via subnetting, virtual local area networks (VLANs), and network addressing schemes.
Like physical segmentation, logical segmentation also uses segmentation policies to restrict the flow of traffic into and out of each network segment.
Because logical segmentation does not depend on configuring, maintaining, and updating multiple hardware appliances, it is widely considered to be a more flexible, scalable, and cost-effective method of separating and securing a network.
When properly implemented, network segmentation can help organizations make security, performance, and compliance improvements with greater efficiency. Several of the most significant advantages include the following:
Network segmentation divides a network into smaller sections, to which different security controls and policies are applied.
Microsegmentation, by contrast, is a subset of network segmentation that allows even more granular controls to be applied to individual workloads. (A workload is a program or application — like a server, virtual machine, or serverless function — that uses a certain amount of memory and computing resources.) It is part of a Zero Trust security model, in which no user or device is trusted by default.
To better understand the security benefits of network segmentation vs. microsegmentation, imagine that a king has a large sum of gold and jewels he wants to protect. He might put all of his treasure into several secret vaults, each of which could only be unlocked using a specific key (network segmentation). If a thief stole a key to one vault, they might be able to steal the treasure inside of it, but would not be able to access additional vaults without stealing additional keys to those rooms. In the same way, an attacker that breaches one subnetwork may compromise the data within it, but will not be able to move freely to another subnetwork.
Alternatively, the king could not only distribute his treasure among multiple vaults, but place them into locked chests within those rooms — and ensure that each box could only be unlocked with its own key (microsegmentation). That way, if a thief stole the key to one of the treasure vaults, they could not unlock the individual treasure chests without procuring additional keys. Similarly, in a microsegmented network, even if an attacker compromises one workload, they may not be able to compromise (or even access) additional workloads.
Learn more about how microsegmentation helps organizations achieve a Zero Trust security posture.