What is network segmentation?

Network segmentation is the practice of dividing networks into smaller, isolated sections to help reduce lateral movement and improve network performance.

Learning Objectives

After reading this article you will be able to:

  • Define ‘network segmentation’
  • Understand the security and performance benefits of network segmentation
  • Contrast network segmentation vs. microsegmentation

Copy article link

What is network segmentation?

Network segmentation is the practice of dividing a network* into smaller, isolated sections. These partitions can be created and secured via physical hardware or software, each of which come with their own implementation challenges.

By cordoning off different segments of a network, organizations can more easily prevent lateral movement, exert granular control over network traffic, and improve network performance. They may even set policies for individual workloads and applications, an approach known as microsegmentation.

*A network is a group of computers that are connected to each other.

How does network segmentation work?

Network segmentation divides a network into multiple sections, to which different controls can then be applied. Typically, this process is performed using one of two methods: physical segmentation and logical segmentation.

Physical segmentation

Physical segmentation requires hardware appliances — like routers, switches, and firewalls — to separate a network into discrete sections. These appliances control the type of traffic that is allowed to enter and exit each section via segmentation policies, which can be configured according to specific criteria (e.g. traffic source, destination, and so on).

Physical segmentation (also called perimeter-based segmentation) is often expensive and labor-intensive to set up and maintain. It also operates under the assumption that most organizations still maintain a physical network perimeter.

With the advent of cloud computing, however, this perimeter has all but disappeared, as users can access data and applications over the Internet, rather than internal, IT-managed networks. Even organizations that use on-premises infrastructure often allow users to connect to internal resources from external devices and software.

Logical segmentation

Logical segmentation, or virtual network segmentation, uses software to divide a network into smaller sections. These segments may be created via subnetting, virtual local area networks (VLANs), and network addressing schemes.

  • Subnets help break a network into smaller segments, thereby allowing network traffic to travel a shorter distance without passing through unnecessary routers to reach its destination
  • VLANs split traffic on a single physical network into two networks, without requiring multiple routers or Internet connections to route network traffic to different destinations
  • Network addressing schemes create network segments by dividing network resources among multiple layer 3 subnets

Like physical segmentation, logical segmentation also uses segmentation policies to restrict the flow of traffic into and out of each network segment.

Because logical segmentation does not depend on configuring, maintaining, and updating multiple hardware appliances, it is widely considered to be a more flexible, scalable, and cost-effective method of separating and securing a network.

What are the benefits of network segmentation?

When properly implemented, network segmentation can help organizations make security, performance, and compliance improvements with greater efficiency. Several of the most significant advantages include the following:

  • Reducing lateral movement: Once attackers have breached a network, they cannot freely move throughout it, since they have only breached one specific segment of the network. This in turn helps minimize an organization’s attack surface
  • Remediating malicious activity: When an attack or suspicious activity is confined within a specific area, IT teams can more effectively detect and remediate it — without impacting the rest of the network
  • Boosting performance: Restricting certain traffic types to specific areas of the network can help reduce overall network congestion and optimize performance
  • Ensuring compliance: Segmentation can isolate areas of the network that are subject to compliance standards, making it easier to update them on an as-needed basis

Network segmentation vs. microsegmentation

Network segmentation divides a network into smaller sections, to which different security controls and policies are applied.

Microsegmentation, by contrast, is a subset of network segmentation that allows even more granular controls to be applied to individual workloads. (A workload is a program or application — like a server, virtual machine, or serverless function — that uses a certain amount of memory and computing resources.) It is part of a Zero Trust security model, in which no user or device is trusted by default.

To better understand the security benefits of network segmentation vs. microsegmentation, imagine that a king has a large sum of gold and jewels he wants to protect. He might put all of his treasure into several secret vaults, each of which could only be unlocked using a specific key (network segmentation). If a thief stole a key to one vault, they might be able to steal the treasure inside of it, but would not be able to access additional vaults without stealing additional keys to those rooms. In the same way, an attacker that breaches one subnetwork may compromise the data within it, but will not be able to move freely to another subnetwork.

Alternatively, the king could not only distribute his treasure among multiple vaults, but place them into locked chests within those rooms — and ensure that each box could only be unlocked with its own key (microsegmentation). That way, if a thief stole the key to one of the treasure vaults, they could not unlock the individual treasure chests without procuring additional keys. Similarly, in a microsegmented network, even if an attacker compromises one workload, they may not be able to compromise (or even access) additional workloads.

Learn more about how microsegmentation helps organizations achieve a Zero Trust security posture.