Microsegmentation (network security): Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 13:09, 27 February 2023 edit Wissenks (talk \| contribs) 24 edits No edit summary ← Previous edit		Latest revision as of 23:36, 17 August 2025 edit undo Falcon Kirtaran (talk \| contribs) Extended confirmed users, New page reviewers, Pending changes reviewers, Rollbackers 10,219 edits Added {{Tone}} tag: This is written a bit like marketing copy designed to make people think they need microsegmentation, rather than a neutral and factual treatment of the topic. Tag: Twinkle
(7 intermediate revisions by 6 users not shown)
Line 1: {{Short description\|Network security approach}} {{Tone\|date=August 2025}} '''Microsegmentation''' is a [[network security]] approach that enables security architects to construct network security zones boundaries per machine in [[data center]]s and cloud deployments in order to segregate and secure workloads independently.<ref>{{Cite web\|url=https://www.networkworld.com/article/3247672/what-is-microsegmentation-how-getting-granular-improves-network-security.html\|title=What is microsegmentation? How getting granular improves network security\|first=Ann\|last=Bednarz\|date=January 30, 2018\|website=[[Network World]]}}</ref><ref>{{Cite web\|url=https://www.nccoe.nist.gov/publication/1800-24/VolB/index.html\|title=1 Summary — NIST SP 1800-24 documentation\|website=www.nccoe.nist.gov}}</ref> It is now also used on the client network as well as the data center network. Line 6 ⟶ 7: ==Types of microsegmentation== There are three main types of microsegmentation: * '''Native OS host-based firewall segmentation''' employs OS firewalls to regulate network traffic between network segments. Instead of using a router or network firewalls or deploying agents, each host firewall is used to perform both auditing and enforcement, preventing attackers from moving laterally between network machines. While Native OS host-based firewalls can implement many segmentation schemes, including microsegmentation, only recent innovations in the space have made implementation and management achievable at scale.<ref>{{Cite book\|url=https://www.taylorfrancis.com/chapters/mono/10.1201/9781351210768-8/microsegmentation-dijiang-huang-ankur-chowdhary-sandeep-pisharody\|title=Software-Defined Networking and Security\|first1=Dijiang\|last1=Huang\|first2=Ankur\|last2=Chowdhary\|first3=Sandeep\|last3=Pisharody\|doi=10.1201/9781351210768-8~~/microsegmentation-dijiang-huang-ankur-chowdhary-sandeep-pisharody~~}}</ref> * '''Host-agent segmentation''': This style of microsegmentation makes use of endpoint-based agents. By having a centralized manager with access to all data flows, the difficulty of detecting obscure protocols or [[secure communication\|encrypted communication]]s is mitigated.<ref name="auto">{{Cite web \|last=Edwards \|first=John \|date=April 16, 2020 \|title=How microsegmentation can limit the damage that hackers do \|url=https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html~~\|title=How~~ ~~microsegmentation can limit the damage that hackers do\|first=John\|last=Edwards\|date=April 16, 2020~~\|website=[[Network World]]}}</ref> The use of host-agent technology is commonly acknowledged as a powerful method of microsegmentation.<ref name="auto"/> Because infected devices act as hosts, a solid host strategy can prevent issues from manifesting in the first place. This software, however, must be installed on every host.<ref name="auto"/> * '''Hypervisor segmentation''': In this implementation of microsegmentation, all traffic passes through a [[hypervisor]].<ref name="auto"/> Since hypervisor-level traffic monitoring is possible, existing [[firewall (computing)\|firewall]]s can be used, and rules can be migrated to new hypervisors as instances are spun up and spun down.<ref name="auto"/> Hypervisor segmentation typically doesn't function with cloud environments, containers, or bare metal, which is a downside.<ref name="auto"/> * '''Network segmentation''': This approach builds on the current setup by using tried-and-true techniques like [[access-control list]] (ACLs) for network segmentation.<ref name="auto"/> Line 14 ⟶ 15: Microsegmentation allows defenders to thwart almost any attack methods by closing off attack vectors within [[internal network]]s so that the attackers are stopped in their tracks.<ref name="auto"/> Microsegmentation in [[internet of things]] (IoT) environments can help businesses gain command over the increasing volume of [[lateral communication]] taking place between devices, which is currently unmanaged by perimeter-focused security measures.<ref>{{Cite web \|last=Violino \|first=Bob \|date=October 10, 2019 \|title=Can microsegmentation help IoT security? \|url=https://www.networkworld.com/article/3442753/iot-can-be-a-security-minefield-can-microsegmentation-help.html~~\|title=Can~~ ~~microsegmentation help IoT security?\|first=Bob\|last=Violino\|date=October 10, 2019~~\|website=[[Network World]]}}</ref> ==Challenges== ~~Despite its useful features, implementing~~Implementing and maintaining microsegmentation can be difficult.<ref name="auto"/> The first deployment is always the most challenging.<ref name="auto"/> Some applications may not be able to support microsegmentation, and the process of implementing microsegmentation may cause other problems.<ref name="auto"/> Defining policies that meet the requirements of every internal system is another potential roadblock. Internal conflicts may occur as policies and their ramifications are considered and defined, making this a difficult and time-consuming process for certain adopters.<ref name="auto"/> Line 25 ⟶ 26: Microsegmentation is widely compatible with environments running common operating systems including [[Linux]], [[Windows]], and [[MacOS]]. However, this is not the case for companies that rely on [[mainframe]]s or other outdated forms of technology.<ref name="auto"/> To reap the benefits of microsegmentation despite its challenges, companies have developed solutions by using automation and self service.<ref name="JP">{{Cite web\|url=https://www.jpost.com/business-and-innovation/tech-and-start-ups/article-698602\|title=Israeli start-up company Zero Networks has raised $20.3 million\|date=25 February 2022 }}</ref> ~~==Service providers==~~ * Cisco<ref name="auto1">{{Cite web\|url=https://venturebeat.com/security/10-steps-every-business-can-take-to-avoid-a-cybersecurity-breach/\|title=10 steps every business can take to avoid a cybersecurity breach\|date=January 27, 2023}}</ref> * Palo Alto Networks<ref name="auto2">{{Cite web\|url=https://venturebeat.com/security/why-the-manufacturing-sector-must-make-zero-trust-a-top-priority-in-2023/\|title=Why the manufacturing sector must make zero trust a top priority in 2023\|date=December 13, 2022}}</ref> * VMware<ref name="auto2"/> * Zero Networks<ref name="JP">{{Cite web\|url=https://www.jpost.com/business-and-innovation/tech-and-start-ups/article-698602\|title=Israeli start-up company Zero Networks has raised $20.3 million}}</ref> * Zscaler<ref name="auto1"/> ==References==