Network segmentation is the process of dividing a computer network into subnets, each of which is isolated from the others. The purpose is to improve security and performance by keeping traffic local to each subnet. That way, a compromise of one subnet does not automatically give an attacker reach into the others.
In a properly segmented network, traffic between devices on different segments is restricted, preventing unauthorized access to sensitive information and improving overall network reliability. This allows for greater security and performance, as well as easier management of network resources.
How Does Network Segmentation Work?
Network Segmentation works by dividing a network into multiple subnets, each of which has its own distinct address range. Devices on one subnet cannot communicate directly with devices on another subnet. Instead, they must go through a router or other gateway device that connects the two subnets.
Network segmentation is often used in conjunction with firewalls and other security measures to create a more secure environment. By isolating different parts of the network, it becomes more difficult for attackers to gain access to sensitive data or systems. This is because there are more individual components that need to be breached, and each segment can be configured with its own security settings.
The Trust Assumption
A trust assumption is the traditional security premise that devices on a network can be trusted to behave in accordance with the security policy. In other words, devices on a network are assumed to be trustworthy until proven otherwise. This permits more relaxed security measures, because it is not considered necessary to protect every device on the network all of the time.
Operating on the premise that most devices on a network are not malicious and will not attempt to harm the security of a system, the trust assumption leads administrators to concentrate on protecting the most important resources and systems rather than on verifying every device.
The Zero Trust Response
The zero trust response is a security strategy formed in reaction to the weaknesses of the trust assumption. It replaces the traditional model of allowing all devices on a network access to all resources with a model in which devices are granted access only to the resources they need to do their job. Rather than blindly trusting every device on the network, the zero trust response requires that each device be authenticated and authorized before it is granted access to any resource. This prevents unauthorized access to sensitive information and improves overall network security.
At the intersection of network segmentation and the zero trust response is the "protect surface," where an organization's most critical and valuable DAAS (data, assets, applications and services) can be located and surrounded by a microperimeter that acts as a second line of defense. Virtual firewalls can automate security provisioning to simplify segmentation tasks; authorized users can access assets within the protect surface while all others are barred by default.
Use Cases Include the Following:
Guest wireless networks - Through network segmentation, an organization can offer Wi-Fi to its visitors with a relatively low degree of risk. When users log in with guest credentials, they are placed in a microsegment that provides them with internet access and nothing else.
User group access - Many organizations divide internal departments into separate subnets, each containing the authorized group members and the DAAS they need to do their work. Connections between subnets are strictly controlled. Someone attempting to gain entry to the human resources subnet, for example, would set off an alert and a thorough inquiry.
Public cloud security - Cloud service providers are generally in charge of security when it comes to cloud infrastructure, but the customer is responsible for the security of the operating systems, platforms, access control, data, intellectual property, source code and customer-facing content that run on top of it. In a public or hybrid cloud environment, application segmentation is an effective approach for separating and isolating apps.
PCI DSS compliance - Networks can also utilize segmentation to divide all of their credit card data into a secure zone and establish regulations that allow only the necessary amount of traffic in while automatically rejecting everything else. These zones are frequently virtualized SDNs in which PCI DSS compliance and segmentation can be obtained by way of virtual firewalls.
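The guest, user-group and PCI use cases above all come down to the same mechanism: a default-deny allowlist between segments, with denied attempts against sensitive zones raising an alert. The following is an added illustration, not code from the original article; the segment names, RFC 1918 address ranges and flows are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed segment map (hypothetical names, RFC 1918 sample ranges).
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "guest-wifi": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "engineering": ipaddress.ip_network("10.30.0.0/24"),
    "pci-zone": ipaddress.ip_network("10.40.0.0/24"),
}
SENSITIVE = {"hr", "pci-zone"}  # denied attempts here warrant an inquiry

@dataclass(frozen=True)
class Rule:
    src: str             # segment name
    dst: str             # segment name or "internet"
    dport: Optional[int] # None matches any destination port

# Allowlist; any flow not matched below is rejected by default.
RULES: List[Rule] = [
    Rule("guest-wifi", "internet", None),    # guests get internet, nothing else
    Rule("hr", "hr", None),                  # HR reaches its own DAAS
    Rule("engineering", "engineering", None),
    Rule("engineering", "internet", None),
    Rule("hr", "pci-zone", 443),             # only the card-processing API is exposed
]

def segment_of(ip: str) -> str:
    """Map an address to its segment; public addresses count as the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"

def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[bool, str]:
    """Default-deny check of one flow; returns (allowed, reason)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in RULES:
        if r.src == src and r.dst == dst and r.dport in (None, dport):
            return True, f"allow {src}->{dst}:{dport}"
    return False, f"deny {src}->{dst}:{dport}"

def audit(flows: List[Tuple[str, str, int]]) -> List[dict]:
    """Evaluate flows and flag denied attempts against sensitive segments."""
    out = []
    for src_ip, dst_ip, dport in flows:
        allowed, reason = evaluate(src_ip, dst_ip, dport)
        alert = (not allowed) and segment_of(dst_ip) in SENSITIVE
        out.append({"reason": reason, "allowed": allowed, "alert": alert})
    return out
```

Constructed flows such as a guest host probing the HR subnet or an engineering host reaching for the PCI zone are denied and flagged, while guest-to-internet and HR-to-PCI on port 443 pass.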
What Is Microsegmentation?
Microsegmentation is a security strategy that divides a network into very small segments, or microsegments, and isolates each from the others, limiting the spread of malware and other malicious activity. Network segmentation is well suited to north-south traffic, whereas microsegmentation adds a layer of security for east-west traffic — server to server, application to server, web to server, and so on.
Microsegmentation can be used to secure both physical and virtual networks and has many benefits, including improved security, better performance, and reduced costs. It is especially useful for organizations that have complex network architectures or that need to comply with strict security regulations.
Physical vs Logical Network Segmentation
Network segmentation can be physical or logical. Physical segmentation involves using hardware, such as routers and switches, to divide a network into segments. Logical segmentation uses software to segment a network.
The process of physical segmentation divides a larger network into several smaller subnets. A physical or virtual firewall serves as the subnet gateway, limiting what traffic enters and leaves. Physical segmentation is simple to manage since its architecture is fixed.
Logical segmentation is generally considered the more popular way of isolating a network into smaller, manageable chunks. Logical segmentation typically won't require new hardware, provided that the existing infrastructure is already being managed. Logical segmentation builds on pre-existing network infrastructure such as creating distinct virtual local area networks (VLANs) connected to the same physical switch, or separating distinct asset types into different Layer 3 subnets and utilizing a router to move information between them.
Adopting a segmentation architecture gives organizations an opportunity to simplify the management of firewall policies. Combined with a single consolidated policy for access control, threat detection and mitigation, it can be a catalyst for observability and a comprehensive security posture.