Network segmentation is the division of an entire network into smaller segments or sub-networks (subnets). For example, if a business has a computer network, segmentation could mean limiting traffic to a database with customer information to only those employees who explicitly need that access.
How does network segmentation work?
There are multiple ways to segment a computer network:
- Organizations use multiple virtual local area networks (VLANs) within their larger company network so that each segment receives its own network, prohibiting traffic from jumping between two VLANs.
- IT personnel can configure hardware to filter specific traffic, often IP addresses, between segments of the network. Only users or devices with permitted IP addresses can enter that part of the network, such as a database with sensitive customer information.
- Software-defined networking allows users to manage segmentation with applications or software rather than hardware.
- Deploying firewalls at each network segment filters traffic between databases, accounts, and applications rather than allowing anyone who makes it past the perimeter firewall to enter company accounts. Using firewalls for each network segment is expensive and can be difficult to configure.
Why is network segmentation important?
Businesses have discovered that a single firewall at the perimeter of a computer network doesn’t always protect the applications within it. If an attacker passes the firewall, and the firewall is the network’s only protection, the attacker then has opportunities to move between different applications, even high-level access ones. Network segmentation makes it more difficult for attackers to move laterally through the network. If IP traffic is constantly filtered or applications require credentials to enter, attackers are less likely to continue moving within the network.
Segmentation also makes it easier to track a breach. If each subnet or segment has its own filtering procedures, and if security software is implemented with each, organizations can more readily locate an unauthorized visitor.
Network segmentation helps traffic to flow more efficiently. If traffic is limited for each segment, it will be less likely to clog and slow that part of the network. The database mentioned above will only have traffic from the users allowed access, which better uses bandwidth.
Lastly, segmentation helps organizations comply with data protection regulations. Any business bound by rules like GDPR must be able to document who accesses customer data. Segmentation makes it easier for businesses to track which employees have accessed accounts, applications, and databases. It’s also an important practice for better protecting sensitive customer information.
Difference between network segmentation and microsegmentation
They’re very similar concepts, but microsegmentation refers specifically to limiting user access to applications through authentication protocols. Microsegmentation is user-facing, managing traffic through entry points that users must pass through by presenting the correct credentials. It’s a form of network segmentation, but traditionally network segmentation referred more to hardware-configured segments and firewalls, while microsegmentation occurs at application access points. They’re helpful additional tools, but many security professionals argue that microsegmentation is the best way to control lateral traffic in computer networks and data centers. It uses the principle of zero trust to strictly limit network traffic to those who can provide legitimate credentials.