Microsegmentation (network security): Difference between revisions

HCIhistory (talk | contribs)
'''Microsegmentation''' is a [[network security]] approach for separating and securing workloads in [[data center]]s and cloud deployments at the level of the individual machine.<ref>{{Cite web|url=https://www.networkworld.com/article/3247672/what-is-microsegmentation-how-getting-granular-improves-network-security.html|title=What is microsegmentation? How getting granular improves network security|first=Ann|last=Bednarz|date=January 30, 2018|website=Network World}}</ref><ref>{{Cite web|url=https://www.nccoe.nist.gov/publication/1800-24/VolB/index.html|title=1 Summary — NIST SP 1800-24 documentation|website=www.nccoe.nist.gov}}</ref>
 
==Types of microsegmentation==
There are three main types of microsegmentation:
* '''Host-agent segmentation''': This style of microsegmentation uses agents installed on each endpoint. Because a centralized manager has visibility into all data flows, the difficulty of detecting obscure protocols or [[secure communication|encrypted communication]]s is mitigated.<ref name="auto">{{Cite web|url=https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html|title=How microsegmentation can limit the damage that hackers do|first=John|last=Edwards|date=April 16, 2020|website=Network World}}</ref> Host-agent technology is commonly acknowledged as a powerful method of microsegmentation.<ref name="auto"/> Because compromised devices are themselves hosts, a sound host-based strategy can prevent issues from manifesting in the first place. The agent software, however, must be installed on every host.<ref name="auto"/>
* '''Hypervisor segmentation''': In this implementation of microsegmentation, all traffic passes through a [[hypervisor]].<ref name="auto"/> Since traffic can be monitored at the hypervisor level, existing [[firewall (computing)|firewall]]s can be used, and rules can be migrated to new hypervisors as instances are spun up and down.<ref name="auto"/> A drawback is that hypervisor segmentation typically does not work with cloud environments, containers, or bare-metal servers.<ref name="auto"/>
* '''Network segmentation''': This approach builds on the existing network infrastructure, using established techniques such as [[access-control list]]s (ACLs) to segment the network.<ref name="auto"/>
 
==Benefits==
Microsegmentation allows defenders to thwart almost any attack method by closing off attack vectors within [[internal network]]s, so that attackers are stopped in their tracks.<ref name="auto"/>
 
Microsegmentation in [[internet of things]] (IoT) environments can help businesses gain control over the growing volume of [[lateral communication]] between devices, which perimeter-focused security measures currently leave unmanaged.<ref>{{Cite web|url=https://www.networkworld.com/article/3442753/iot-can-be-a-security-minefield-can-microsegmentation-help.html|title=Can microsegmentation help IoT security?|first=Bob|last=Violino|date=October 10, 2019|website=Network World}}</ref>
 
==Challenges==
Despite its useful features, implementing and maintaining microsegmentation can be difficult.<ref name="auto"/> The first deployment is always the most challenging.<ref name="auto"/> Some applications may not be able to support microsegmentation, and the process of implementing it may cause other problems.<ref name="auto"/>
 
Defining policies that meet the requirements of every internal system is another potential roadblock. Internal conflicts may occur as policies and their ramifications are considered and defined, making this a difficult and time-consuming process for certain adopters.<ref name="auto"/>
 
Allowing network connections between high- and low-sensitivity assets inside the same security boundary requires knowing which ports and protocols must be open, and in which direction. Sloppy implementation risks inadvertent network disruptions.<ref name="auto"/>
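As an added illustration (not from the article or its cited sources) of the ACL-style network segmentation described under "Types of microsegmentation" and of the port, protocol and direction problem described above: a per-workload allow-list with default deny, plus a monitor mode that reports what a policy would block before it is enforced. Workload labels, ports and flows are constructed for the example.

```python
# Added example, not from the article or its sources: a per-workload
# microsegmentation policy evaluator. Every label starts with default deny;
# ACL-style rules name peer, protocol, destination port and direction.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    peer: str        # label of the workload on the other side
    proto: str       # "tcp" or "udp"
    port: int        # destination port
    direction: str   # "out": this workload initiates; "in": the peer does

class Policy:
    def __init__(self):
        self.rules = defaultdict(set)   # label -> set of Rule

    def allow(self, src, dst, proto, port):
        """Open src -> dst on proto/port by adding both directional halves."""
        self.rules[src].add(Rule(dst, proto, port, "out"))
        self.rules[dst].add(Rule(src, proto, port, "in"))

    def permits(self, src, dst, proto, port):
        """A flow passes only if the source's outbound list AND the
        destination's inbound list allow it; one side alone opens nothing."""
        return (Rule(dst, proto, port, "out") in self.rules[src]
                and Rule(src, proto, port, "in") in self.rules[dst])

def evaluate(policy, flows, enforce):
    """Map each (src, dst, proto, port) flow to a verdict. With enforce=False
    (monitor mode) violations are reported as WOULD_DROP instead of being
    dropped, so missing ports show up before an application is broken."""
    verdicts = {}
    for flow in flows:
        if policy.permits(*flow):
            verdicts[flow] = "ALLOW"
        else:
            verdicts[flow] = "DROP" if enforce else "WOULD_DROP"
    return verdicts

# Constructed three-tier example: web may reach app, app may reach db.
policy = Policy()
policy.allow("web", "app", "tcp", 8080)
policy.allow("app", "db", "tcp", 5432)

# Constructed observed flows: a lateral attempt straight from web to db,
# and the db tier trying to initiate a connection back into app.
observed = [("web", "app", "tcp", 8080), ("app", "db", "tcp", 5432),
            ("web", "db", "tcp", 5432), ("db", "app", "tcp", 8080)]
report = evaluate(policy, observed, enforce=False)   # review before enforcing
```

Running in monitor mode first and reviewing every WOULD_DROP verdict is how a deployment finds the ports an application really needs before switching enforcement on.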
 
Microsegmentation is widely compatible with environments running common operating systems, including [[Linux]], [[Windows]], and [[MacOS]]. However, this is not the case for companies that rely on [[mainframe]]s or other legacy technology.<ref name="auto"/>
 
==References==