Network segmentation is a network security technique that divides a network into smaller, distinct sub-networks that enable network teams to compartmentalize the sub-networks and deliver unique security controls and services to each sub-network.
The process of network segmentation involves partitioning a physical network into different logical sub-networks. Once the network has been subdivided into smaller more manageable units, controls are applied to the individual, compartmentalized segments
Network segmentation provides unique security services per network segment, delivering more control over network traffic, optimizing network performance, and improving security posture.
First, better security. We all know that with security, you are only as strong as your weakest link. A large flat network inevitably presents a large attack surface. However, when a large network is split into smaller sub-networks, the isolation of network traffic within the sub-networks reduces the attack surface and impedes lateral movement. Thus, if the network perimeter is breached, network segments prevent attackers from moving laterally throughout the network.
Furthermore, segmentation provides a logical way to isolate an active attack before it spreads across the network. For example, segmentation ensures malware in one segment does not affect systems in another. Creating segments limits how far an attack can spread and reduces the attack surface to an absolute minimum.
Next, let’s talk about performance. Segmentation reduces network congestion which improves network performance by removing unnecessary traffic in a particular segment. For example, a hospital's medical devices can be segmented from its visitor network so that medical devices are unaffected by guest web browsing traffic.
As a result of network segmentation, we have fewer hosts per subnetwork, minimize local traffic per sub-network and limit external traffic only to that designated for the sub-network.
Network segmentation creates multiple, isolated segments within a larger network, each of which can have varying security requirements and policy. These segments hold specific application or endpoint types with the same trust level.
There are multiple ways to perform network segmentation. We’ll look at perimeter-based segmentation implemented with VLANs, and then segmentation performed deeper in the network with network virtualization techniques.
Perimeter-based segmentation creates internal and external segments based on trust: what’s internal to the network segment is trusted and anything external is not. As a result, there are few restrictions on internal resources, which commonly operate over a flat network with minimal internal network segmentation. Filtering and segmentation are at fixed network points.
Originally, VLANs were introduced to divide broadcast domains to improve network performance. Over time VLANs grew to be used as a security tool – but they were never meant to be used as a security tool. The problem with VLANs is there is no intra-VLAN filtering; they have a very broad level of access.
Furthermore, to move between segments, there needs to be a policy. With policy, you can either stop the traffic flow from one segment to another or limit the traffic (based on the traffic type, source, and destination).
The network firewall is a common tool used for perimeter-based segmentation. It was originally employed to control the north–south movement of network traffic while permitting any-to-any communication within a segment.
Today, many organizations maintain a variety of network areas with specific functions that require segmentation at numerous network points. In addition, the endpoints the network must support have grown to include numerous endpoint types, each with varying trust levels.
As a result, perimeter-based segmentation is no longer sufficient. With the advent of, for example, cloud, BYOD, and mobile, the perimeter is now blurred with no clear demarcation points. We now require more segmentation, deeper into the network, to achieve better security and network performance. Moreover, with today's east–west traffic patterns, still more network segmentation is needed. This is where network virtualization comes into play, as it takes segmentation to the next level.
In its simplest form, network virtualization is the provisioning of network and security services independent of the physical infrastructure. By enabling network segmentation in the entire network and not just at the perimeter, network virtualization plays a key role in driving efficient network segmentation. In effect, the perimeter-based segmentation that we were used to in the past is now virtualized and distributed — along with flexible, fine-grained security policies — down to each and every segment in the network.