×

STAY TUNED


A SECURITY REVOLUTION
FOR YOUR CLOUD & DATA CENTER.


JUNE 11TH

Coming June 11th
 
 

How Microsegmentation Differs from Network Segmentation

Microsegmentation as both a term and a network security concept has been in the playbooks for years. Its main purpose is to reduce the network attack surface by limiting east-west communication through the application of granular security controls at the workload level. Laid out this way, it’s pretty easy to understand what microsegmentation is. However, as with all newer security-related terminology, it’s harder to determine what microsegmentation isn’t — because marketers and salespeople get ahold of the term and distort it in an effort to be relatable, sell more products, or even just to make comparisons with the trusted and familiar.

That said, it is important for network security engineers and architects to understand the difference between microsegmentation and network segmentation, from which microsegmentation was born.

Network segmentation in a nutshell

Network segmentation is the practice of creating sub-networks within the overall network to prevent attackers from moving laterally once inside the perimeter and to boost system performance. Typically companies build network segments via VLANs or firewalls, and the newly created zones are based on geographic region or existing network tiers — data, applications, or network. Administrators can group like resources by type and sensitivity, and set controls that permit only specific network communication between zones.

Network segmentation is generally considered a north-south network traffic control, meaning that once inside a designated zone of the network, communication/software/users are trusted. Trust models lead to breach, and that’s one major reason microsegmentation evolved. Further, VLANs and firewalls are network-based constructs, and managing the security of a network by network characteristics is no longer a viable solution in today’s public cloud and container environments. Not only is the use of physical data centers declining due to the advantages cloud offers, but IP addresses, ports, and protocols are easily spoofed or hijacked by malicious adversaries. When an adversary can blend in with normal traffic, how effective is the security control?

Further, data center-defined segments are too big and cumbersome to manage. Thousands of course-grained policies need to be created for each network zone, and no human alone can possibly tackle all the exception handling required by network-based policies. In other words, network segmentation is a heavy load to carry. It’s a necessary one in certain circumstances, but it can’t be the primary method of managing east-west, internal network traffic.


Subscribe to our newsletter:


The basics of microsegmentation

In the most simplistic terms, the differences between microsegmentation and network segmentation could be boiled to:

Segmentation

Microsegmentation

Course policies

Granular policies

Physical network

Virtual or overlay network

North-south traffic

East-west traffic

Address based/network level

Identity based/workload level

Hardware

Software

 
Microsegmentation originated as a way to moderate lateral traffic between servers in the same segment, but it has evolved over the years to include intra-segment traffic so that server A can talk to server B or Application A can communicate with Host B, etc. if the identity of the requesting resources matches the permission configured for that server/application/host/user. Since policies and permissions for microsementation are based on resource identity (versus a user’s/person’s identity), it is independent from the underlying infrastructure which means:Of course it’s not that cut-and-dried, but at its core, microsegmentation is a method of creating intelligent groupings of workloads based on characteristics of the workloads communicating inside the data center. As such, microsegmentation is not reliant on dynamically changing networks or the business or technical requirements placed on them, which means that it is both stronger and more reliable security.

  • Fewer policies to manage
  • Centralized policy management across networks
  • Policies which automatically adapt regardless of infrastructure changes
  • Gap-free protection across cloud, container, and on-premises data centers

Choosing between segmentation and microsegmentation

When it comes to the network security strategy, organizations shouldn’t be choosing “either/or”. Network segmentation is best for north-south traffic and microsegmentation adds a layer of protection for east-west traffic — server-to-server, application-to-server, web-to-server, etc. Using the age-old (and some security professionals might say “tired”) analogy: Network segmentation is the thick walls and wide moats of the castle while microsegmentation is the castle guards standing at the doors of each stateroom armed with pitchforks and knives. You can’t have security at only one juncture and for limited purposes. The same can be said for security in the cyber realm.

Katherine Teitler, Director of Content

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.