{{Short description|Network security approach}}
{{Tone|date=August 2025}}
'''Microsegmentation''' is a [[network security]] approach for separating and securing workloads in [[data center]]s and cloud deployments on a per-machine (or per-workload) basis, rather than at the perimeter or per network segment.<ref>https://www.networkworld.com/article/3247672/what-is-microsegmentation-how-getting-granular-improves-network-security.html</ref><ref>https://www.nccoe.nist.gov/publication/1800-24/VolB/index.html</ref>
It is now also applied to client (end-user) networks as well as to data center networks.
==Types of microsegmentation==
There are four main types of microsegmentation:
* '''Native OS host-based firewall segmentation''' uses the firewall built into each host's operating system to control traffic between workloads. Rather than relying on routers, network firewalls or additional agents, each host firewall performs both auditing and enforcement, so that an attacker who compromises one machine cannot move laterally to others that do not explicitly allow the connection. Host firewalls can implement many segmentation schemes, including microsegmentation, but keeping per-host rules consistent across a large fleet was impractical until recent advances in centralized policy management.<ref>{{Cite book|url=https://www.taylorfrancis.com/chapters/mono/10.1201/9781351210768-8/microsegmentation-dijiang-huang-ankur-chowdhary-sandeep-pisharody|title=Software-Defined Networking and Security|first1=Dijiang|last1=Huang|first2=Ankur|last2=Chowdhary|first3=Sandeep|last3=Pisharody|doi=10.1201/9781351210768-8}}</ref>
* '''Host-agent segmentation''' uses agents installed on each endpoint that report flows to, and receive policy from, a central manager. Because the manager sees every data flow at the endpoint rather than only what is visible on the wire, obscure protocols and [[secure communication|encrypted communication]]s are easier to classify.<ref name="auto">{{Cite web |last=Edwards |first=John |date=April 16, 2020 |title=How microsegmentation can limit the damage that hackers do |url=https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html |website=[[Network World]]}}</ref> Host-agent technology is widely regarded as an effective method of microsegmentation.
* '''Hypervisor segmentation''': all traffic between virtual machines passes through the [[hypervisor]], so policy can be enforced there without installing anything in the guest operating systems. It does not cover workloads that are not running on that hypervisor, such as bare-metal servers.
* '''Network segmentation''': this approach builds on the existing network infrastructure, using established techniques such as [[access-control list]]s (ACLs) to separate traffic.
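The host-based and host-agent approaches above share one mechanism: a central policy is compiled into a default-deny ruleset on every workload, so each machine only accepts and initiates the flows the policy names. The following is an added example, not code from the article or from any vendor; the inventory, roles, addresses and flows are constructed, and the rendered output is an nftables ruleset for one host.

```python
"""Compile a central microsegmentation policy into a per-host, default-deny nftables
ruleset. Added example, not part of the article; hosts, roles and flows are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_role: str   # "*" means any workload
    dst_role: str
    proto: str      # "tcp" or "udp"
    port: int       # destination port


# Constructed inventory (hypothetical addresses): workload -> role.
INVENTORY = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.9": "admin",
    "10.0.0.53": "dns",
}

# The only connections any workload may initiate; everything else is dropped.
POLICY = [
    Flow("web", "app", "tcp", 8080),
    Flow("app", "db", "tcp", 5432),
    Flow("admin", "web", "tcp", 22),
    Flow("admin", "app", "tcp", 22),
    Flow("admin", "db", "tcp", 22),
    Flow("*", "dns", "udp", 53),   # infrastructure dependency every host needs
]


def hosts_with_role(role, inventory=INVENTORY):
    return sorted(ip for ip, r in inventory.items() if r == role)


def _peer_set(role, inventory):
    # nftables anonymous set literal, e.g. "{ 10.0.1.10, 10.0.1.11 }"
    return "{ " + ", ".join(hosts_with_role(role, inventory)) + " }"


def render_nft(host_ip, inventory=INVENTORY, policy=POLICY):
    """Return the nftables ruleset for one host: accept only policy flows, log and drop the rest."""
    role = inventory[host_ip]
    out = [
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for f in policy:                      # inbound: flows whose destination is our role
        if f.dst_role != role:
            continue
        src = "" if f.src_role == "*" else f"ip saddr {_peer_set(f.src_role, inventory)} "
        out.append(f"    {src}{f.proto} dport {f.port} ct state new accept "
                   f'comment "{f.src_role}->{f.dst_role}"')
    out += [
        '    log prefix "microseg-in-drop " drop',
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        "    oif lo accept",
    ]
    for f in policy:                      # outbound: flows our role (or anyone) may initiate
        if f.src_role not in (role, "*"):
            continue
        out.append(f"    ip daddr {_peer_set(f.dst_role, inventory)} {f.proto} dport {f.port} "
                   f'ct state new accept comment "{f.src_role}->{f.dst_role}"')
    out += ['    log prefix "microseg-out-drop " drop', "  }", "}"]
    return "\n".join(out)


def accepted(host_ip, direction, peer_ip, proto, port, inventory=INVENTORY, policy=POLICY):
    """Model check: would this host's rendered ruleset admit a new connection?"""
    role, peer = inventory[host_ip], inventory[peer_ip]
    for f in policy:
        if f.proto != proto or f.port != port:
            continue
        if direction == "in" and f.dst_role == role and f.src_role in (peer, "*"):
            return True
        if direction == "out" and f.dst_role == peer and f.src_role in (role, "*"):
            return True
    return False


if __name__ == "__main__":
    print(render_nft("10.0.3.30"))   # ruleset for the database host
```

The output chain is deliberately default-deny as well, which is what distinguishes microsegmentation from a conventional host firewall that only filters inbound traffic; in practice every infrastructure dependency (DNS, NTP, package mirrors, logging) must then appear in the policy, as the `dns` rule does here, or it will be silently dropped.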
==Benefits==
Microsegmentation limits what an attacker can do after an initial compromise by closing off lateral-movement paths within [[internal
Microsegmentation in [[internet of things]] (IoT) environments can help organisations gain control over the growing volume of [[lateral communication]] between devices, traffic that perimeter-focused security measures do not see or manage.<ref>{{Cite web |last=Violino |first=Bob |date=October 10, 2019 |title=Can microsegmentation help IoT security? |url=https://www.networkworld.com/article/3442753/iot-can-be-a-security-minefield-can-microsegmentation-help.html |website=[[Network World]]}}</ref>
==Challenges==
Defining policies that meet the requirements of every internal system is a potential roadblock. Internal conflicts may occur as policies and their ramifications are considered and defined, making this a difficult and time-consuming process for some adopters.<ref>https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html</ref>
Allowing connections between high- and low-sensitivity assets inside the same security boundary requires knowing which ports and protocols must be open, and in which direction. A policy written without that knowledge, or enforced without first being tested against observed traffic, risks inadvertently disrupting legitimate flows.<ref>https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html</ref>
Microsegmentation is widely supported on common operating systems including [[Linux]], [[Windows]], and [[MacOS]]. This is not the case for organisations that rely on mainframes or other legacy technology, which the host-based and agent-based approaches cannot cover.<ref>https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html</ref>
To reduce this burden, some vendors have built products that derive and maintain policies through automation and self-service.<ref name="JP">{{Cite web|url=https://www.jpost.com/business-and-innovation/tech-and-start-ups/article-698602|title=Israeli start-up company Zero Networks has raised $20.3 million|date=25 February 2022 }}</ref>
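The usual way to discover which ports, protocols and directions a policy must allow is to baseline observed flows, have a human review the ones that cross sensitivity tiers, and then dry-run the draft policy against fresh traffic before switching it to enforce. The following is an added example, not from the article or any product; the addresses, roles, sensitivity tiers and flow records are constructed, and the review rules are a simple heuristic rather than any vendor's algorithm.

```python
"""Derive a candidate microsegmentation policy from observed flows, flag flows that cross
sensitivity tiers for human review, and dry-run the draft before enforcing it.
Added example, not from the article; addresses, roles and flow records are constructed."""
from collections import Counter

# Constructed inventory: workload -> role, and role -> sensitivity tier (0 = lowest).
INVENTORY = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.3.30": "db",
    "10.0.9.9": "admin", "10.0.0.53": "dns", "10.0.4.40": "backup",
}
TIER = {"web": 0, "dns": 0, "app": 1, "backup": 2, "db": 2, "admin": 2}

# Constructed flow records, "src dst proto dport", one per new connection seen in a week.
BASELINE_LOG = """\
10.0.1.10 10.0.2.20 tcp 8080
10.0.1.11 10.0.2.20 tcp 8080
10.0.2.20 10.0.3.30 tcp 5432
10.0.9.9 10.0.3.30 tcp 22
10.0.9.9 10.0.1.10 tcp 22
10.0.1.10 10.0.0.53 udp 53
10.0.2.20 10.0.0.53 udp 53
10.0.1.10 10.0.3.30 tcp 5432
10.0.3.30 10.0.1.11 tcp 445
"""
# A later window containing a monthly job that the baseline week never saw.
LATER_LOG = "10.0.3.30 10.0.4.40 tcp 873\n10.0.2.20 10.0.3.30 tcp 5432\n"


def parse_flows(text):
    """Parse the constructed log format into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        flows.append((src, dst, proto, int(port)))
    return flows


def to_rule(flow, inventory=INVENTORY):
    """Generalise one flow to a role-level rule (src_role, dst_role, proto, port)."""
    src, dst, proto, port = flow
    return (inventory[src], inventory[dst], proto, port)


def summarize(flows, inventory=INVENTORY):
    """Count observed flows per role-level rule; this is the raw candidate allowlist."""
    return Counter(to_rule(f, inventory) for f in flows)


def cross_tier(rules, tier=TIER, gap=2):
    """Rules whose endpoints are at least `gap` sensitivity levels apart.
    These are the high/low-sensitivity connections a reviewer must approve or reject."""
    return sorted(r for r in rules if abs(tier[r[0]] - tier[r[1]]) >= gap)


def draft_policy(flows, rejected, inventory=INVENTORY):
    """Everything observed, minus the rules the reviewer rejected."""
    return set(summarize(flows, inventory)) - set(rejected)


def dry_run(flows, policy, inventory=INVENTORY):
    """Flows the policy would drop. Run against fresh traffic in audit mode before enforcing:
    anything legitimate listed here is an outage waiting to happen."""
    return [f for f in flows if to_rule(f, inventory) not in policy]


if __name__ == "__main__":
    flows = parse_flows(BASELINE_LOG)
    for rule in cross_tier(summarize(flows)):
        print("review:", rule)
    rejected = {("web", "db", "tcp", 5432), ("db", "web", "tcp", 445)}
    policy = draft_policy(flows, rejected)
    print("would block (baseline):", dry_run(flows, policy))
    print("would block (later):", dry_run(parse_flows(LATER_LOG), policy))
```

The second dry run is the point of the exercise: the backup job on port 873 was never seen during the baseline week, so the draft policy would have cut it off. Baselining over too short a window, and moving from audit to enforce without re-running `dry_run` on newer traffic, is exactly how the inadvertent disruptions described above occur.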
==References==
{{Reflist}}