Network segmentation is the process of dividing a network into smaller, more manageable pieces (segments) to improve its security posture. Network segmentation creates secure zones (subnetworks or subnets) within your larger network to help mitigate the impact of a security breach. By breaking the network into smaller pieces, you limit the spread of malicious events and activities within the contained segment and provide additional protections for insecure devices.
Modern networks facilitate essential operations, communication, and data transfer. And networks continue to get more complex, growing in scope with more services, more devices, more locations, and a more mobile workforce. Administrators have to constantly improve security standards, controlling what happens, where, on the network—while also being able to monitor and understand it all.
Benefits of network segmentation
Network segmentation is a critical piece of an overall cybersecurity / network security model. It's used to help you:
- Improve your security posture. Network segmentation improves the security posture of an organization by limiting the potential attack surface. By dividing the network into smaller segments, businesses can control access to different areas of the network and limit the exposure of sensitive data.
- Mitigate risk. Network segmentation helps businesses mitigate the risks associated with data breaches and malware. If a breach occurs in one segment of the network, it will not impact other segments, thereby reducing the overall risk of data loss.
- Meet compliance requirements. It's crucial to industry standards such as PCI DSS, HIPAA, and GDPR. These standards require strict control over storage and access to sensitive data.
How does network segmentation work?
You can accomplish network segmentation through the use of firewalls, ACLs (Access Control Lists), and VLANs (Virtual Local Area Networks). Your approach depends on how you break down your datacenter and networked infrastructure into subnetworks: physical vs. virtual (logical).
Physical segmentation works exactly how it sounds—you use physical hardware (firewalls, routers, etc) to divide your network. Oftentimes, the location of your networked infrastructure becomes a segment.
Virtual (logical) segmentation uses software to define the segment. This approach can be easier, since you aren't limited by access to physical devices and can build virtual networks or use ACLs to separate networked devices.
Is this the same as microsegmentation?
Not exactly. Network segmentation and microsegmentation are very similar in approach, but differ in capability and execution. While network segmentation relies on a single constraint to govern access (for example, physical location), microsegmentation goes a bit further, isolating each device or application into its own segment. For organizations looking to adhere to a zero-trust architecture approach, microsegmentation is essential. Since you separate each entity from all others, access and traffic must be explicitly granted, regardless of whether it originated within the same segmented network.
Think of your network as a city block, full of apartment buildings. Each building has a locked front door and only the people living there have the code, so you trust them with access to the building itself. That's a segment on your network. Microsegmentation is each locked apartment. You trust entities with access to the building, but not the apartment. So, only the owner of each apartment, or microsegment, has the ability to enter—or grant entry—to their apartment.
How to segment your network
The typical steps in segmenting networks include:
1. Identify critical assets. The first step is to identify the critical assets on your network that need protection. These could include sensitive data, critical applications, and components that control network access.
2. Map your network. Once you've defined your critical assets, map the network to identify the different segments or subnets that need to exist. This includes physical network devices such as routers, switches, and firewalls.
3. Define access policies. Now that you know your assets and have laid out the segmentation approach, you need to configure firewalls, access controls, and other security measures to define what gets access to each segment.
4. Implement security controls. Here's where you bring it all online. You're ready to implement your security policies and controls. From here, you'll also set up intrusion detection systems and other measures to protect each network segment.
5. Monitor and adapt. Network segmentation isn't a "set it and forget it" process. You'll need to continuously monitor the network to ensure it acts as expected and remains secure. Regular security audits and vulnerability assessments are also essential to the ongoing health and efficacy of your network segmentation project.