Network segmentation is the practice of dividing networks into smaller, isolated sections to help reduce lateral movement and improve network performance.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Network segmentation is the practice of dividing a network* into smaller, isolated sections. These partitions can be created and secured via physical hardware or software, each of which come with their own implementation challenges.
By cordoning off different segments of a network, organizations can more easily prevent lateral movement, exert granular control over network traffic, and improve network performance. They may even set policies for individual workloads and applications, an approach known as microsegmentation.
*A network is a group of computers that are connected to each other.
Network segmentation divides a network into multiple sections, to which different controls can then be applied. Typically, this process is performed using one of two methods: physical segmentation and logical segmentation.
Physical segmentation requires hardware appliances — like routers, switches, and firewalls — to separate a network into discrete sections. These appliances control the type of traffic that is allowed to enter and exit each section via segmentation policies, which can be configured according to specific criteria (e.g. traffic source, destination, and so on).
Physical segmentation (also called perimeter-based segmentation) is often expensive and labor-intensive to set up and maintain. It also operates under the assumption that most organizations still maintain a physical network perimeter.
With the advent of cloud computing, however, this perimeter has all but disappeared, as users can access data and applications over the Internet, rather than internal, IT-managed networks. Even organizations that use on-premises infrastructure often allow users to connect to internal resources from external devices and software.
Logical segmentation, or virtual network segmentation, uses software to divide a network into smaller sections. These segments may be created via subnetting, virtual local area networks (VLANs), and network addressing schemes.
Like physical segmentation, logical segmentation also uses segmentation policies to restrict the flow of traffic into and out of each network segment.
Because logical segmentation does not depend on configuring, maintaining, and updating multiple hardware appliances, it is widely considered to be a more flexible, scalable, and cost-effective method of separating and securing a network.
When properly implemented, network segmentation can help organizations make security, performance, and compliance improvements with greater efficiency. Several of the most significant advantages include the following:
Network segmentation divides a network into smaller sections, to which different security controls and policies are applied.
Microsegmentation, by contrast, is a subset of network segmentation that allows even more granular controls to be applied to individual workloads. (A workload is a program or application — like a server, virtual machine, or serverless function — that uses a certain amount of memory and computing resources.) It is part of a Zero Trust security model, in which no user or device is trusted by default.
To better understand the security benefits of network segmentation vs. microsegmentation, imagine that a king has a large sum of gold and jewels he wants to protect. He might put all of his treasure into several secret vaults, each of which could only be unlocked using a specific key (network segmentation). If a thief stole a key to one vault, they might be able to steal the treasure inside of it, but would not be able to access additional vaults without stealing additional keys to those rooms. In the same way, an attacker that breaches one subnetwork may compromise the data within it, but will not be able to move freely to another subnetwork.
Alternatively, the king could not only distribute his treasure among multiple vaults, but place them into locked chests within those rooms — and ensure that each box could only be unlocked with its own key (microsegmentation). That way, if a thief stole the key to one of the treasure vaults, they could not unlock the individual treasure chests without procuring additional keys. Similarly, in a microsegmented network, even if an attacker compromises one workload, they may not be able to compromise (or even access) additional workloads.
Learn more about how microsegmentation helps organizations achieve a Zero Trust security posture.
Network segmentation enhances security by splitting a network into smaller, isolated segments. This practice limits what an attacker can access if they breach the network and allows for better control over network traffic.
Microsegmentation is a granular form of network segmentation that applies security controls to individual workloads or applications, allowing specific security policies for each. In contrast with other types of network segmentation, microsegmentation takes place at the application layer rather than the network layer.
Network segmentation limits an attacker's ability to move to other parts of a network after a breach, confining their access to only the compromised segment and protecting the rest of the network.
Physical segmentation uses hardware like routers and firewalls to separate network sections. Logical segmentation uses software-based methods such as subnetting and virtual local area networks (VLANs) to create virtual barriers within a network.
Segmentation may help organizations optimize network performance by ensuring only necessary traffic flows between segments, reducing network congestion.
Cloud computing has blurred traditional network perimeters, making flexible, software-based segmentation methods more important to secure modern, distributed environments. Hardware-based network segmentation does not do much for securing cloud deployments.
Zero Trust is a security model in which threats are assumed to already be present within a network and no user or device is trusted by default. Network segmentation, especially microsegmentation, is a key principle of Zero Trust security because it stops these already-present threats from breaching the entire network.