Network segmentation enhances security and performance

  • Network segmentation divides a larger network into smaller, isolated segments to improve security and reduce the attack surface.
  • It enhances performance by limiting broadcast traffic and allowing for tailored security policies for different segments.
  • Proper implementation can help in compliance with regulations and improve incident response times during security breaches.

In an increasingly interconnected world, businesses face growing cybersecurity threats that can compromise sensitive data and disrupt operations. One effective strategy to mitigate these risks is network segmentation, which involves dividing a larger network into smaller, manageable parts.

This approach not only enhances security but also improves network performance by isolating issues and controlling data flow. As organisations seek robust solutions to protect their digital assets, understanding the principles and benefits of network segmentation becomes essential.

Definition of network segmentation

Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of network traffic between subnets based on granular policies. Organisations use segmentation to improve monitoring, boost performance, localise technical issues and enhance security.


The trust assumption

In the past, network architects targeted their security strategies at the internal network perimeter, the invisible line that separates the outside world from the data vital to an enterprise’s business. Individuals within the perimeter were assumed to be trustworthy and therefore not a threat. Thus, they were subject to few restrictions on their ability to access information.

Legacy security infrastructures are generally flat network architectures that rely on a perimeter firewall as their only point of traffic inspection and control. Network boundaries no longer exist as they once did, and most data centre traffic is east-west, so traditional port-based firewalls provide limited value in a cloud and mobile world.

Recent high-profile breaches have called the trust assumption into question. For one thing, insiders can indeed be the source of breaches, often inadvertently but sometimes deliberately. In addition, once threats penetrate the perimeter, they are free to move laterally in the network to reach virtually any data, applications, assets or services (DAAS). With virtually unhindered access, attackers can easily exfiltrate a full range of valuable assets, often before the breach has even been detected.

The zero trust response

Because of the inherent weaknesses of assumed trust, many organisations have begun to adopt a Zero Trust strategy. Zero Trust assumes nobody is trustworthy by default, even those already inside the network perimeter. Zero Trust works on the principle of a “protect surface” built around the organisation’s most critical and valuable DAAS. Because it contains only what is most critical to business operations, the protect surface is orders of magnitude smaller than the attack surface of the full network perimeter.

This is where network segmentation comes in. Using segmentation, network architects can construct a microperimeter around the protect surface, essentially forming a second line of defense. In some instances, virtual firewalls can automate security provisioning to simplify segmenting tasks. However it is accomplished, authorised users can access assets within the protect surface while all others are barred by default.

Segmentation is bad news for attackers because, unlike in the days of assumed trust, simply penetrating the perimeter isn’t enough to gain access to sensitive information. Microperimeters, whether physical or virtual, prevent threats from moving laterally within the network, essentially negating much of the work that went into creating the initial breach.

Use cases

Organisations can use network segmentation for a variety of applications.

Guest wireless network: Using network segmentation, a company can offer Wi-Fi service to visitors and contractors at relatively little risk. When someone logs in with guest credentials, they enter a microsegment that provides access to the internet and nothing else.

User group access: To guard against insider breaches, many enterprises segment individual internal departments into separate subnets consisting of the authorised group members and the DAAS they need to do their jobs. Access between subnets is rigorously controlled. For example, someone in engineering attempting to access the human resources subnet would trigger an alert and an investigation.

Public cloud security: Cloud service providers are typically responsible for security in the cloud infrastructure, but the customer is responsible for the security of the operating systems, platforms, access control, data, intellectual property, source code and customer-facing content that typically sit atop the infrastructure. Segmentation is an effective method for isolating applications in public and hybrid cloud environments.

PCI DSS compliance: Network administrators can use segmentation to isolate all credit card information into a security zone – essentially a protect surface – and create rules to allow only the absolute minimum, legitimate traffic in the zone while automatically denying everything else. These isolated zones are frequently virtualised SDNs in which PCI DSS compliance and segmentation can be achieved via virtual firewalls.
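A small segment-aware policy check, added here as an illustration and not part of the original article, that models three of the use cases above: a guest segment that may reach only the internet, per-department subnets where a cross-subnet attempt raises an alert, and a PCI zone that admits only the minimum allowed traffic and denies everything else by default. The segment ranges, rules and flow records are all constructed assumptions, not a real deployment.

```python
"""Default-deny segmentation policy evaluated over sample flow records."""
import ipaddress
from typing import NamedTuple, Optional

# Hypothetical segment layout (constructed for this example).
SEGMENTS = {
    "guest":       ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "hr":          ipaddress.ip_network("10.30.0.0/24"),
    "pci":         ipaddress.ip_network("10.40.0.0/24"),
}

class Rule(NamedTuple):
    src: str             # segment name
    dst: str             # segment name or "internet"
    port: Optional[int]  # None means any destination port

# Allow-list only; any flow that matches no rule is denied (default deny).
RULES = [
    Rule("guest", "internet", None),      # guest Wi-Fi: internet and nothing else
    Rule("engineering", "engineering", None),
    Rule("hr", "hr", None),
    Rule("engineering", "pci", 443),      # only the payment API, nothing else
]

def segment_of(ip: str) -> str:
    """Map an address to its segment; public addresses count as 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"

def evaluate(src_ip: str, dst_ip: str, dst_port: int):
    """Return (verdict, src_segment, dst_segment) for one flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in RULES:
        if r.src == src and r.dst == dst and r.port in (None, dst_port):
            return "allow", src, dst
    return "deny", src, dst

def audit(flows):
    """Constructed flow records (src, dst, port); denied cross-segment flows alert."""
    alerts = []
    for s, d, p in flows:
        verdict, src, dst = evaluate(s, d, p)
        if verdict == "deny" and src != dst:
            alerts.append(f"ALERT cross-segment {src}->{dst} {s}->{d}:{p}")
    return alerts

SAMPLE_FLOWS = [
    ("10.10.0.7", "93.184.216.34", 443),   # guest -> internet: allowed
    ("10.10.0.7", "10.40.0.5", 443),       # guest -> PCI zone: denied, alert
    ("10.20.0.12", "10.30.0.9", 445),      # engineering -> HR: denied, alert
    ("10.20.0.12", "10.40.0.5", 443),      # engineering -> payment API: allowed
    ("10.20.0.12", "10.40.0.5", 22),       # engineering -> PCI SSH: denied, alert
]
```

Running `audit(SAMPLE_FLOWS)` yields three alerts; the engineering-to-HR attempt is exactly the kind of event the article says should trigger an investigation.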


Lily Yang

Lily Yang is an intern reporter at BTW media covering artificial intelligence. She graduated from Hong Kong Baptist University. Send tips to l.yang@btw.media.
