Microsegmentation (network security): Difference between revisions

HCIhistory (talk | contribs)
Added {{Tone}} tag: This is written a bit like marketing copy designed to make people think they need microsegmentation, rather than a neutral and factual treatment of the topic.
 
(36 intermediate revisions by 9 users not shown)
{{Short description|Network security approach}}
'''Microsegmentation''' is a [[network security]] approach for separating and securing workloads in data centres and cloud deployments per machine.
{{Tone|date=August 2025}}
'''Microsegmentation''' is a [[network security]] approach that enables security architects to construct network security zone boundaries per machine in [[data center]]s and cloud deployments in order to segregate and secure workloads independently.<ref>{{Cite web|url=https://www.networkworld.com/article/3247672/what-is-microsegmentation-how-getting-granular-improves-network-security.html|title=What is microsegmentation? How getting granular improves network security|first=Ann|last=Bednarz|date=January 30, 2018|website=[[Network World]]}}</ref><ref>{{Cite web|url=https://www.nccoe.nist.gov/publication/1800-24/VolB/index.html|title=1 Summary — NIST SP 1800-24 documentation|website=www.nccoe.nist.gov}}</ref>
 
It is now also used on client networks as well as data center networks.
 
==Types of microsegmentation==
There are three main types of microsegmentation:
* '''Native OS host-based firewall segmentation''' employs OS firewalls to regulate network traffic between network segments. Instead of relying on routers, network firewalls, or deployed agents, each host's own firewall performs both auditing and enforcement, preventing attackers from moving laterally between machines. While native OS host-based firewalls can implement many segmentation schemes, including microsegmentation, only recent innovations in the space have made implementation and management achievable at scale.<ref>{{Cite book|url=https://www.taylorfrancis.com/chapters/mono/10.1201/9781351210768-8/microsegmentation-dijiang-huang-ankur-chowdhary-sandeep-pisharody|title=Software-Defined Networking and Security|first1=Dijiang|last1=Huang|first2=Ankur|last2=Chowdhary|first3=Sandeep|last3=Pisharody|doi=10.1201/9781351210768-8}}</ref>
* '''Host-agent segmentation''': This style of microsegmentation makes use of endpoint-based agents. By having a centralized manager with access to all data flows, the difficulty of detecting obscure protocols or [[secure communication|encrypted communication]]s is mitigated.<ref name="auto">{{Cite web |last=Edwards |first=John |date=April 16, 2020 |title=How microsegmentation can limit the damage that hackers do |url=https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html |website=[[Network World]]}}</ref> The use of host-agent technology is commonly acknowledged as a powerful method of microsegmentation.<ref name="auto"/> Because infected devices act as hosts, a solid host strategy can prevent issues from manifesting in the first place. This software, however, must be installed on every host.<ref name="auto"/>
* '''Hypervisor segmentation''': In this implementation of microsegmentation, all traffic passes through a [[hypervisor]].<ref name="auto"/> Since hypervisor-level traffic monitoring is possible, existing [[firewall (computing)|firewall]]s can be used, and rules can be migrated to new hypervisors as instances are spun up and spun down.<ref name="auto"/> A downside is that hypervisor segmentation typically does not work with cloud environments, containers, or bare metal.<ref name="auto"/>
* '''Network segmentation''': This approach builds on the existing setup by using tried-and-true techniques such as [[access-control list]]s (ACLs) for network segmentation.<ref name="auto"/>
 
==Benefits==
Microsegmentation allows defenders to thwart almost any attack method by closing off attack vectors within [[internal network]]s so that attackers are stopped in their tracks.<ref name="auto"/>
 
Microsegmentation in [[internet of things]] (IoT) environments can help businesses gain command over the increasing volume of [[lateral communication]] taking place between devices, which is currently unmanaged by perimeter-focused security measures.<ref>{{Cite web |last=Violino |first=Bob |date=October 10, 2019 |title=Can microsegmentation help IoT security? |url=https://www.networkworld.com/article/3442753/iot-can-be-a-security-minefield-can-microsegmentation-help.html |website=[[Network World]]}}</ref>
 
==Challenges==
Implementing and maintaining microsegmentation can be difficult.<ref name="auto"/> The first deployment is always the most challenging.<ref name="auto"/> Some applications may not be able to support microsegmentation, and the process of implementing microsegmentation may cause other problems.<ref name="auto"/>
 
Defining policies that meet the requirements of every internal system is another potential roadblock. Internal conflicts may occur as policies and their ramifications are considered and defined, making this a difficult and time-consuming process for certain adopters.<ref name="auto"/>
 
Network connectivity between high- and low-sensitivity assets inside the same security boundary requires knowing which ports and protocols must be open and in which direction. A sloppy implementation risks inadvertent network disruptions.<ref name="auto"/>
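The host-based, directional port-and-protocol policy described in the types section and the disruption risk described just above can be checked before enforcement by replaying recorded flows through the policy in audit mode. The following is an added example, not code from the article or from any product it cites; the workload inventory, role labels, rules and flow-log lines are all constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed inventory: workload address -> role label (hypothetical values).
WORKLOADS = {"10.0.1.5": "lb", "10.0.2.7": "app", "10.0.2.8": "app",
             "10.0.3.10": "db", "10.0.9.1": "jump"}

# Allow-list of (src role, dst role, proto, dst port). Rules are directional:
# app may open 5432 to db, but nothing lets db open a connection to app.
POLICY = {("lb", "app", "tcp", 8443), ("app", "db", "tcp", 5432),
          ("jump", "app", "tcp", 22), ("jump", "db", "tcp", 22)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def is_allowed(flow: Flow) -> bool:
    """A host outside the inventory has no role, so it matches no rule."""
    src_role = WORKLOADS.get(flow.src)
    dst_role = WORKLOADS.get(flow.dst)
    return (src_role, dst_role, flow.proto, flow.dport) in POLICY

def audit(lines):
    """Classify flows without enforcing anything; returns (allowed, would_drop)."""
    allowed, would_drop = [], []
    for line in lines:
        flow = parse_flow(line)
        (allowed if is_allowed(flow) else would_drop).append(flow)
    return allowed, would_drop

# Constructed flow log: the last entry is legitimate mail traffic nobody put
# in the policy, which is exactly what an audit pass is meant to surface.
SAMPLE_LOG = [
    "10.0.1.5 10.0.2.7 tcp 8443",    # lb -> app: allowed
    "10.0.2.7 10.0.3.10 tcp 5432",   # app -> db: allowed
    "10.0.3.10 10.0.2.7 tcp 8443",   # db -> app: wrong direction, would drop
    "10.0.2.8 10.0.2.7 tcp 22",      # app -> app ssh: lateral, would drop
    "10.0.2.7 10.0.5.20 tcp 25",     # app -> unlisted mail relay: would drop
]
```

Running `audit(SAMPLE_LOG)` lists the third flow as a gap in the policy rather than an attack, which is the class of breakage an enforce-first rollout would only discover as an outage.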
 
Microsegmentation is widely compatible with environments running common operating systems including [[Linux]], [[Windows]], and [[MacOS]]. However, this is not the case for companies that rely on [[mainframe]]s or other outdated forms of technology.<ref name="auto"/>
 
To reap the benefits of microsegmentation despite its challenges, companies have developed solutions using automation and self-service.<ref name="JP">{{Cite web|url=https://www.jpost.com/business-and-innovation/tech-and-start-ups/article-698602|title=Israeli start-up company Zero Networks has raised $20.3 million|date=25 February 2022 }}</ref>
 
==References==