What is network segmentation?

Network segmentation is the practice of dividing networks into smaller, isolated sections to help reduce lateral movement and improve network performance.

What is network segmentation?

Network segmentation is the practice of dividing a network* into smaller, isolated sections. These partitions can be created and secured via physical hardware or software, each of which come with their own implementation challenges.

By cordoning off different segments of a network, organizations can more easily prevent lateral movement, exert granular control over network traffic, and improve network performance. They may even set policies for individual workloads and applications, an approach known as microsegmentation.

*A network is a group of computers that are connected to each other.

How does network segmentation work?

Network segmentation divides a network into multiple sections, to which different controls can then be applied. Typically, this process is performed using one of two methods: physical segmentation and logical segmentation.

Physical segmentation

Physical segmentation requires hardware appliances — like routers, switches, and firewalls — to separate a network into discrete sections. These appliances control the type of traffic that is allowed to enter and exit each section via segmentation policies, which can be configured according to specific criteria (e.g. traffic source, destination, and so on).

Physical segmentation (also called perimeter-based segmentation) is often expensive and labor-intensive to set up and maintain. It also operates under the assumption that most organizations still maintain a physical network perimeter.

With the advent of cloud computing, however, this perimeter has all but disappeared, as users can access data and applications over the Internet, rather than internal, IT-managed networks. Even organizations that use on-premises infrastructure often allow users to connect to internal resources from external devices and software.

Logical segmentation

Logical segmentation, or virtual network segmentation, uses software to divide a network into smaller sections. These segments may be created via subnetting, virtual local area networks (VLANs), and network addressing schemes.

  • Subnets help break a network into smaller segments, thereby allowing network traffic to travel a shorter distance without passing through unnecessary routers to reach its destination

  • VLANs split traffic on a single physical network into two networks, without requiring multiple routers or Internet connections to route network traffic to different destinations

  • Network addressing schemes create network segments by dividing network resources among multiple layer 3 subnets

Like physical segmentation, logical segmentation also uses segmentation policies to restrict the flow of traffic into and out of each network segment.

Because logical segmentation does not depend on configuring, maintaining, and updating multiple hardware appliances, it is widely considered to be a more flexible, scalable, and cost-effective method of separating and securing a network.

What are the benefits of network segmentation?

When properly implemented, network segmentation can help organizations make security, performance, and compliance improvements with greater efficiency. Several of the most significant advantages include the following:

  • Reducing lateral movement: Once attackers have breached a network, they cannot freely move throughout it, since they have only breached one specific segment of the network. This in turn helps minimize an organization’s attack surface

  • Remediating malicious activity: When an attack or suspicious activity is confined within a specific area, IT teams can more effectively detect and remediate it — without impacting the rest of the network

  • Boosting performance: Restricting certain traffic types to specific areas of the network can help reduce overall network congestion and optimize performance

  • Ensuring compliance: Segmentation can isolate areas of the network that are subject to compliance standards, making it easier to update them on an as-needed basis

Network segmentation vs. microsegmentation

Network segmentation divides a network into smaller sections, to which different security controls and policies are applied.

Microsegmentation, by contrast, is a subset of network segmentation that allows even more granular controls to be applied to individual workloads. (A workload is a program or application — like a server, virtual machine, or serverless function — that uses a certain amount of memory and computing resources.) It is part of a Zero Trust security model, in which no user or device is trusted by default.

To better understand the security benefits of network segmentation vs. microsegmentation, imagine that a king has a large sum of gold and jewels he wants to protect. He might put all of his treasure into several secret vaults, each of which could only be unlocked using a specific key (network segmentation). If a thief stole a key to one vault, they might be able to steal the treasure inside of it, but would not be able to access additional vaults without stealing additional keys to those rooms. In the same way, an attacker that breaches one subnetwork may compromise the data within it, but will not be able to move freely to another subnetwork.

Alternatively, the king could not only distribute his treasure among multiple vaults, but place them into locked chests within those rooms — and ensure that each box could only be unlocked with its own key (microsegmentation). That way, if a thief stole the key to one of the treasure vaults, they could not unlock the individual treasure chests without procuring additional keys. Similarly, in a microsegmented network, even if an attacker compromises one workload, they may not be able to compromise (or even access) additional workloads.

Learn more about how microsegmentation helps organizations achieve a Zero Trust security posture.

FAQs

What is network segmentation?

Network segmentation enhances security by splitting a network into smaller, isolated segments. This practice limits what an attacker can access if they breach the network and allows for better control over network traffic.

What is microsegmentation?

Microsegmentation is a granular form of network segmentation that applies security controls to individual workloads or applications, allowing specific security policies for each. In contrast with other types of network segmentation, microsegmentation takes place at the application layer rather than the network layer.

How does network segmentation prevent lateral movement?

Network segmentation limits an attacker's ability to move to other parts of a network after a breach, confining their access to only the compromised segment and protecting the rest of the network.

What is the difference between physical and logical segmentation?

Physical segmentation uses hardware like routers and firewalls to separate network sections. Logical segmentation uses software-based methods such as subnetting and virtual local area networks (VLANs) to create virtual barriers within a network.

What performance benefits does network segmentation offer?

Segmentation may help organizations optimize network performance by ensuring only necessary traffic flows between segments, reducing network congestion.

How has cloud computing impacted network segmentation?

Cloud computing has blurred traditional network perimeters, making flexible, software-based segmentation methods more important to secure modern, distributed environments. Hardware-based network segmentation does not do much for securing cloud deployments.

How does Zero Trust security relate to network segmentation?

Zero Trust is a security model in which threats are assumed to already be present within a network and no user or device is trusted by default. Network segmentation, especially microsegmentation, is a key principle of Zero Trust security because it stops these already-present threats from breaching the entire network.