==Types of microsegmentation==
There are three main types of microsegmentation:
* '''Native OS host-based firewall segmentation''': This style of microsegmentation employs the operating system's own firewall on each host to regulate traffic between network segments. Instead of relying on a router, a network firewall, or deployed agents, each host's firewall performs both auditing and enforcement, which prevents attackers from moving laterally between machines on the network. While native OS host-based firewalls can implement many segmentation schemes, including microsegmentation, only recent innovations in the space have made implementation and management achievable at scale.<ref>{{Cite book|url=https://www.taylorfrancis.com/chapters/mono/10.1201/9781351210768-8/microsegmentation-dijiang-huang-ankur-chowdhary-sandeep-pisharody|title=Software-Defined Networking and Security|first1=Dijiang|last1=Huang|first2=Ankur|last2=Chowdhary|first3=Sandeep|last3=Pisharody|doi=10.1201/9781351210768-8}}</ref>
* '''Host-agent segmentation''': This style of microsegmentation makes use of endpoint-based agents. Because a centralized manager has access to all data flows, the difficulty of detecting obscure protocols or [[secure communication|encrypted communication]]s is reduced.<ref name="auto">{{Cite web|url=https://www.networkworld.com/article/3537672/microsegmentation-architecture-choices-and-how-they-differ.html|title=How microsegmentation can limit the damage that hackers do|first=John|last=Edwards|date=April 16, 2020|website=Network World}}</ref> The use of host-agent technology is commonly acknowledged as a powerful method of microsegmentation.<ref name="auto"/> Because infected devices act as hosts, a solid host strategy can prevent issues from manifesting in the first place. The agent software, however, must be installed on every host.<ref name="auto"/>
* '''Hypervisor segmentation''': In this implementation of microsegmentation, all traffic passes through a [[hypervisor]].<ref name="auto"/> Since traffic can be monitored at the hypervisor level, existing [[firewall (computing)|firewall]]s can be used, and rules can be migrated to new hypervisors as instances are spun up and spun down.<ref name="auto"/> A drawback is that hypervisor segmentation typically does not work with cloud environments, containers, or bare-metal servers.<ref name="auto"/>
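As an added illustration of the native OS host-based approach described above (example code written for this page, not taken from the article or from any product it cites), the following script renders a central, label-based allow-list into a default-deny nftables ruleset for each host, so that enforcement happens on the host rather than at a router or network firewall, and then audits a set of observed flows against the same policy to flag lateral movement. The hosts, labels, IP addresses and flow records are constructed for the example; the nftables syntax is standard, but the policy model and function names are hypothetical.

```python
"""Added example, not part of the Wikipedia article or any product it names:
a label-based microsegmentation policy rendered into a default-deny nftables
ruleset per host, plus an audit of observed flows against that policy.
Inventory, labels, IPs and flow records are constructed for illustration."""

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    labels: frozenset


@dataclass(frozen=True)
class Flow:
    """Allowed flow: any host labelled src_label may reach any host labelled
    dst_label on the given protocol and port. Everything else is dropped."""
    src_label: str
    dst_label: str
    proto: str
    port: int


# Constructed inventory: hypothetical hosts of a three-tier application.
INVENTORY = [
    Host("web-1", "10.0.1.10", frozenset({"web"})),
    Host("app-1", "10.0.2.10", frozenset({"app"})),
    Host("db-1", "10.0.3.10", frozenset({"db"})),
    Host("bastion", "10.0.9.10", frozenset({"bastion"})),
]

# Constructed policy: the only east-west flows the application needs.
POLICY = [
    Flow("web", "app", "tcp", 8080),
    Flow("app", "db", "tcp", 5432),
    Flow("bastion", "web", "tcp", 22),
    Flow("bastion", "app", "tcp", 22),
    Flow("bastion", "db", "tcp", 22),
]


def render_host_ruleset(host: Host, inventory: Iterable[Host],
                        policy: Iterable[Flow]) -> str:
    """Render the nftables ruleset that this one host loads: the input chain
    drops by default, and only flows whose destination label matches the
    host are turned into per-source accept rules."""
    rules = ['iif "lo" accept', "ct state established,related accept"]
    for flow in policy:
        if flow.dst_label not in host.labels:
            continue  # this flow targets other hosts, not this one
        for src in inventory:
            if flow.src_label in src.labels:
                rules.append(f"ip saddr {src.ip} {flow.proto} dport {flow.port} accept")
    body = "\n".join(f"        {r}" for r in rules)
    return ("table inet filter {\n"
            "    chain input {\n"
            "        type filter hook input priority 0; policy drop;\n"
            f"{body}\n"
            "    }\n"
            "}\n")


def is_flow_allowed(src_ip: str, dst_ip: str, proto: str, port: int,
                    inventory: Iterable[Host], policy: Iterable[Flow]) -> bool:
    """Evaluate one observed connection against the same policy the rulesets
    are rendered from. Endpoints missing from the inventory are never allowed."""
    src = next((h for h in inventory if h.ip == src_ip), None)
    dst = next((h for h in inventory if h.ip == dst_ip), None)
    if src is None or dst is None:
        return False
    return any(f.src_label in src.labels and f.dst_label in dst.labels
               and f.proto == proto and f.port == port for f in policy)


def audit_flows(observed: Iterable[Tuple[str, str, str, int]],
                inventory: Iterable[Host], policy: Iterable[Flow]) -> List[tuple]:
    """Return the observed (src_ip, dst_ip, proto, port) records the policy
    does not permit, i.e. candidate lateral-movement attempts to investigate."""
    return [f for f in observed if not is_flow_allowed(*f, inventory, policy)]


if __name__ == "__main__":
    print(render_host_ruleset(INVENTORY[2], INVENTORY, POLICY))
    # Constructed flow records, as a host audit log or flow collector might report them.
    observed = [
        ("10.0.2.10", "10.0.3.10", "tcp", 5432),  # app -> db: expected
        ("10.0.1.10", "10.0.3.10", "tcp", 5432),  # web -> db: skips the app tier
        ("10.0.1.10", "10.0.2.10", "tcp", 22),    # web -> app over SSH: not from bastion
    ]
    for violation in audit_flows(observed, INVENTORY, POLICY):
        print("policy violation:", violation)
```

Running the script prints the ruleset the database host would load and two policy violations. The design point is that the same policy object drives both enforcement (the rendered per-host ruleset) and auditing (evaluating observed flows), which is the dual role the host firewall plays in this segmentation style; in a real deployment the rendered text would be loaded with <code>nft -f</code> on each host, and the inventory would come from an asset source rather than a literal.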