Microsegmentation (network security)
Microsegmentation is a network security architecture that establishes security zone boundaries at the level of individual workloads within data centers and cloud environments, allowing each workload to be isolated and secured independently.[1][2] Although originally applied to data center networks, microsegmentation is also used in client network environments.
Types of microsegmentation
Native OS host-based firewall segmentation
This approach uses the operating system's own firewall to regulate network traffic between segments. Rather than relying on routers, network firewalls, or agents, each host firewall performs auditing and enforcement to limit lateral movement between machines.[3]
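As an added illustration (not from the article), the following Python renders a per-workload inbound allow-list into an nftables ruleset with a default-drop input chain, which is the enforcement shape a host-based approach relies on. The host names, addresses and the allow-list are constructed for the example; the rule text uses standard nftables syntax.

```python
"""Render a workload-level allow-list into a host nftables ruleset.

Added example for native OS host-based segmentation. Hosts, addresses and
the policy are constructed sample data, not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Peer:
    """One permitted inbound flow: source address, L4 protocol, destination port."""
    src: str
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed sample addresses for a three-tier application.
HOST_ADDR: Dict[str, str] = {
    "web-1": "10.0.1.10",
    "app-1": "10.0.2.10",
    "db-1": "10.0.3.10",
}

# Constructed sample policy: the only inbound flows each host accepts.
# Anything not listed is dropped by the chain's default policy, so web-1
# can never open a connection straight to the database.
POLICY: Dict[str, List[Peer]] = {
    "web-1": [Peer("10.0.0.5", "tcp", 443)],              # only the load balancer
    "app-1": [Peer(HOST_ADDR["web-1"], "tcp", 8080)],     # only web-1
    "db-1": [Peer(HOST_ADDR["app-1"], "tcp", 5432)],      # only app-1
}


def is_allowed(host: str, src: str, proto: str, dport: int,
               policy: Dict[str, List[Peer]] = POLICY) -> bool:
    """Default-deny evaluation of a single inbound flow against the policy."""
    return any(p.src == src and p.proto == proto and p.dport == dport
               for p in policy.get(host, []))


def render_nftables(host: str, policy: Dict[str, List[Peer]] = POLICY) -> str:
    """Emit the nftables ruleset for one host: drop by default, accept
    loopback and return traffic, then one accept rule per permitted peer."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for p in policy.get(host, []):
        lines.append(f"    ip saddr {p.src} {p.proto} dport {p.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name in POLICY:
        print(f"# --- {name} ({HOST_ADDR[name]}) ---")
        print(render_nftables(name))
```

Each rendered ruleset would be written to a file on its host and loaded with `nft -f`; the `is_allowed` helper mirrors the rule semantics so a policy can be checked offline before it is pushed.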
Host-agent segmentation
The host-agent segmentation approach relies on endpoint-based agents that are centrally managed and provide visibility into data flows, reducing the difficulty of identifying obscure or encrypted communications.[4] Host-based agent technology is widely recognized as an effective method for microsegmentation, as compromised devices operate as hosts and can be controlled directly. However, this approach requires software to be installed on every host.[4]
Hypervisor segmentation
Hypervisor segmentation is a microsegmentation implementation in which all traffic passes through the hypervisor.[4] It enables hypervisor-level traffic monitoring, allows existing firewalls to be used, and supports rule migration as instances are created or removed.[4]
Network segmentation
The network segmentation approach builds on existing infrastructure by using tried-and-true techniques such as access control lists (ACLs) for segmentation.[4]
Applications
Microsegmentation helps limit attack propagation by restricting internal network attack paths.[4] In Internet of Things (IoT) environments, microsegmentation helps organizations control lateral communication between devices, which is often unmanaged by perimeter-focused security measures.[5]
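To make the "restricting internal attack paths" claim measurable, here is an added example (not from the article) that computes the set of workloads reachable from one compromised host, first on a flat network where every host can reach every other, then under a workload-level allow-list. The workloads and permitted flows are constructed sample data; the reachable set is an upper bound on lateral-movement paths, since it treats every permitted flow as a usable pivot.

```python
"""Blast-radius comparison: flat network versus workload-level allow-list.

Added example. WORKLOADS and ALLOWED_FLOWS are constructed sample data for a
three-tier application; they do not describe any real environment.
"""
from collections import deque
from typing import Dict, FrozenSet, Set

WORKLOADS: FrozenSet[str] = frozenset(
    {"lb", "web-1", "web-2", "app-1", "app-2", "db-1", "backup"}
)

# Constructed policy: source workload -> destinations it may initiate to.
# Only the flows the application needs are permitted; everything else is denied.
ALLOWED_FLOWS: Dict[str, Set[str]] = {
    "lb": {"web-1", "web-2"},
    "web-1": {"app-1", "app-2"},
    "web-2": {"app-1", "app-2"},
    "app-1": {"db-1"},
    "app-2": {"db-1"},
    "db-1": {"backup"},
    "backup": set(),
}


def flat_network(workloads: FrozenSet[str]) -> Dict[str, Set[str]]:
    """Model of an unsegmented network: every host can reach every other host."""
    return {w: set(workloads) - {w} for w in workloads}


def reachable(start: str, flows: Dict[str, Set[str]]) -> Set[str]:
    """Breadth-first search over permitted flows: all hosts an attacker on
    `start` could pivot to, transitively. The start host itself is excluded."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in flows.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius_report(start: str, workloads: FrozenSet[str] = WORKLOADS,
                        flows: Dict[str, Set[str]] = ALLOWED_FLOWS) -> Dict[str, int]:
    """Compare reachable host counts with and without the allow-list."""
    flat = reachable(start, flat_network(workloads))
    segmented = reachable(start, flows)
    return {
        "flat": len(flat),
        "segmented": len(segmented),
        "hosts_no_longer_reachable": len(flat - segmented),
    }


if __name__ == "__main__":
    for host in sorted(WORKLOADS):
        print(host, blast_radius_report(host))
```

Running the report for every workload shows where the policy still leaves long pivot chains (here a compromised web server can still reach the database tier through the application tier), which is the kind of path a policy review would tighten further.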
Challenges
Microsegmentation is generally compatible with environments running common operating systems such as Linux, Windows, and macOS, but support is limited for mainframes and other legacy systems.[4] During initial deployment, some applications may not support microsegmentation, which can result in operational issues.[4] Defining policies that meet the requirements of all internal systems can also be difficult. Policy development may involve internal trade-offs and extended coordination, making the process time-consuming for some organizations.[4] To mitigate deployment complexities and manage policy trade-offs, organizations use automation and self-service applications.[6]
References
[1] Bednarz, Ann (January 30, 2018). "What is microsegmentation? How getting granular improves network security". Network World.
[2] "1 Summary — NIST SP 1800-24 documentation".
[3] Huang, Dijiang; Chowdhary, Ankur; Pisharody, Sandeep. Software-Defined Networking and Security. doi:10.1201/9781351210768-8.
[4] Edwards, John (April 16, 2020). "How microsegmentation can limit the damage that hackers do". Network World.
[5] Violino, Bob (October 10, 2019). "Can microsegmentation help IoT security?". Network World.
[6] "Israeli start-up company Zero Networks has raised $20.3 million". 25 February 2022.