Microsegmentation (network security)

Microsegmentation is a network security approach for separating and securing workloads in data centers and cloud deployments per machine.^[1]^[2]

Types of microsegmentation

There are three main types of microsegmentation:

Host-agent segmentation: This style of microsegmentation makes use of endpoint-based agents. By having a centralized manager with access to all data flows, the difficulty of detecting obscure protocols or encrypted communications is mitigated.^[3] The use of host-agent technology is commonly acknowledged as a powerful method of microsegmentation.^[4] Because infected devices act as hosts, a solid host strategy can prevent issues from manifesting in the first place. This software, however, must be installed on every host.^[5]
Hypervisor segmentation: In this implementation of microsegmentation, all traffic passes through a hypervisor.^[6] Since hypervisor-level traffic monitoring is possible, existing firewalls can be used, and rules can be migrated to new hypervisors as instances are spun up and spun down.^[7] Hypervisor segmentation typically doesn't function with cloud environments, containers, or bare metal, which is a downside.^[8]
Network segmentation: This approach builds on the current setup by using tried-and-true techniques like access-control list (ACLs) for network segmentation.^[9]

Challenges

Despite its useful features, implementing and maintaining microsegmentation can be difficult. The first deployment is always the most challenging. Some applications may not be able to support microsegmentation, and the process of implementing microsegmentation may cause other problems.^[10]

Defining policies that meet the requirements of every internal system is another potential roadblock. Internal conflicts may occur as policies and their ramifications are considered and defined, making this a difficult and time-consuming process for certain adopters.^[11]

Network connection between high and low-sensitivity assets inside the same security boundary requires knowledge of which ports and protocols must be open and in which direction. Inadvertent network disruptions are a risk of sloppy implementation.^[12]

Microsegmentation is widely compatible with environments running common operating systems including Linux, Windows, and MacOS. However, this is not the case for companies that rely on mainframes or other outdated forms of technology.^[13]

References

[1] ttps://www.networkworld.com/article/3247672/what-is-microsegmentation-how-getting-granular-improves-network-security.html

[2] ttps://www.nccoe.nist.gov/publication/1800-24/VolB/index.html

[3] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[4] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[5] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[6] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[7] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[8] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[9] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[10] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[11] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[12] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[13] ttps://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]