What Is Network Segmentation?
Network segmentation is the division of an organization’s network architecture into subnets. Each of these subnets is its own, albeit smaller, network. This is done for both performance and for network security. Network or IT administrators can set policies to control how traffic flows within these subnets, as well as create other granular controls.
When it comes to cybersecurity, specifically internet of things (IoT) security, network segmentation prevents unauthorized users from accessing specific network-connected resources like databases and applications and creates micro-perimeters around critical assets and network components, isolating each from the other.
Network segmentation is broken up into two general types: physical segmentation and logical segmentation.
- Physical segmentation is when the network is physically broken into subnets using a firewall (which acts as a gateway for traffic) or hardware such as routers and switches. This is also known as perimeter segmentation. As the volume of endpoints grows (as is often the case for enterprises and IoT-heavy industries), the yes/no nature of this kind of segmentation can prove ineffective
- Logical segmentation, also called virtual segmentation, uses virtual local area networks (VLANs) to automatically send traffic to various subnets, creating more granular and specific segmentation.
As highlighted above, network segmentation is enforced by internal firewalls, VLANs, and various user access controls as part of a broader identity and access management (IAM) architecture. The IT and security teams are the architects of this segmentation.
Network Segmentation vs. Microsegmentation
The simplest way to differentiate network segmentation and microsegmentation, is that microsegmentation is more granular. Unlike network segmentation, microsegmenation is virtual and software based, and is often used to break up individual segments based on criteria like resource identity. Instead of relying on physical firewalls, as is often the case with network segmentation, microsegmentation utilizes virtualization technology, and deals with intra-segment traffic.
Microsegmentation can be considered a stronger form of network security, as it doesn’t rely on changing networks or the technical requirements placed on them.
How Does Network Segmentation Work?
Network segmentation works by restricting the flow of traffic between zones of the network, or subnets. When network segmentation is in place, an organization’s security team gains granular control over who has access to various systems, allowing them to head off common IoT threats, such as botnet-enabling malware, that thrive on easy proliferation across devices.
Types of Network Segmentation
Technically, a network can be divided or segmented in an infinite number of ways depending on the organization’s security and operational needs. But there are some common examples that IT teams employ for IoT security.
Examples of network segmentation include:
- A guest wireless network. Think of logging into Wi-Fi at a coffee shop as a latte-sipping customer. Your access is not the same as the manager of that shop or the IT team. It’s limited in capabilities and breadth of access.
- Group access. While insider threats are rare, they are still real and need to be protected against. As such, some networks will be segmented by group, providing privileged access to only certain groups, limiting the access of others.
- Cloud security-focused segmentation. The cloud is often subject to misconfiguration and is a constant target of cybercriminals. Segmentation can boost cloud security by isolating applications, assets, and user access.
Example of Network Segmentation
Let’s look back at the guest Wi-Fi example. In this instance, as a guest, you would log on to a different network than the employee network. That separation increases security, because a guest uses unmanaged hosts and endpoints not provisioned by the organization’s IT — an issue that will only become more pronounced as IoT expands the overall number and variety of possible devices. That’s network segmentation in action.
Benefits of Network Segmentation
Network segmentation is done for a variety of reasons that can benefit operations, efficiency, compliance, and security.
- Increased access control among subnets, which limits the attack surface and prevents lateral movement during an incident
- Better, simplified network monitoring and response due to reduced surface area.
- Ability to control or restrict traffic between subnets
- Isolated network segments that cannot spread a virus or malware
- Easier management (in terms of both security and operations) of an organization’s network
Zero Trust and Network Segmentation
In a Zero Trust framework, no user has implicit access to any aspect of the network, any asset, or any application. Instead, access and the user’s identity must be verified every time access is granted. It’s based on a strict set of access controls.
Network segmentation helps enforce this framework by eliminating the idea of a trusted network within a defined perimeter while increasing visibility and monitoring of user behavior within a network. Network segmentation reduces that implicit trust, in turn reducing the attack surface and limiting lateral movement, achieving similar goals to a Zero Trust framework.
Learn more about network security with “Why You Need Continuous Network Monitoring.”