Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies. Organizations use segmentation to improve monitoring, boost performance, localize technical issues and, most importantly, enhance security.

With network segmentation, network security personnel have a powerful tool with which to prevent unauthorized users, whether curious insiders or malicious attackers, from gaining access to valuable assets, such as customers' personal information, corporate financial records and highly confidential intellectual property, the so-called "crown jewels" of the enterprise. Today, these assets are frequently spread across hybrid and multi-cloud environments (public clouds, private clouds and software-defined networks (SDNs)), all of which need to be secured against attacks.

To understand the security use of network segmentation, it is first necessary to consider the concept of trust in network security.

The Trust Assumption

In the past, network architects targeted their security strategies at the network perimeter, the invisible line that separates the outside world from the data vital to an enterprise's business. Individuals within the perimeter were assumed to be trustworthy and therefore not a threat, so they were subject to few restrictions on their ability to access information.

Recent high-profile breaches have called the trust assumption into question. For one thing, insiders can indeed be the source of breaches, often inadvertently but sometimes deliberately. In addition, once a threat penetrates the perimeter, it is free to move laterally within the network to reach virtually any data, applications, assets or services (DAAS).
With virtually unhindered access, attackers can easily exfiltrate a full range of valuable assets, often before the breach has even been detected (see figure 1).

Figure 1: Lateral movement inside the perimeter under the trust assumption

The Zero Trust Response

This is where network segmentation comes in. Using segmentation, network architects can construct a microperimeter around the protect surface (the DAAS that most needs protecting), essentially forming a second line of defense. In some instances, virtual firewalls can automate security provisioning to simplify segmenting tasks. However it is accomplished, the outcome is the same: only explicitly authorized users and flows can reach assets within the protect surface, while everything else is denied by default.

Segmentation is bad news for attackers because, unlike in the days of assumed trust, simply penetrating the perimeter is not enough to gain access to sensitive information. Microperimeters, whether physical or virtual, prevent threats from moving laterally within the network, negating much of the work that went into the initial breach (see figure 2). Note that a microperimeter only blocks flows the policy does not permit: an attacker who compromises a host that has an allowed path into the protect surface can still follow that path, so permitted flows should be as few and as narrow as possible, and each one should be monitored.

Figure 2: Limited movement inside the perimeter with Zero Trust and network segmentation

Use Cases
Nuts and Bolts

As the name implies, physical segmentation involves breaking down a larger network into a collection of smaller subnets, each on its own physical infrastructure. A physical or virtual firewall acts as the subnet gateway, controlling which traffic comes in and goes out. Physical segmentation is relatively straightforward to administer because the topology is fixed in the architecture.

Logical segmentation creates subnets using one of two primary methods: virtual local area networks (VLANs) or network addressing schemes. VLAN-based approaches are fairly straightforward to implement: the VLAN tag on each frame tells the switches which broadcast domain it belongs to, so hosts in different VLANs can only reach each other through a router or firewall that has been configured to forward between them. The tag is a switch-level label, not a cryptographic boundary, so a device that can reach a trunk port, or a switch whose native VLAN has been left at its default, can send traffic into VLANs it was never assigned to; the switch configuration is therefore part of the security boundary and should be reviewed with the policy. Network addressing schemes (giving each segment its own IP subnet and enforcing policy at the routing hop between subnets) are equally effective but require a more detailed understanding of networking theory. Logical segmentation is more flexible than physical segmentation because it requires no rewiring or physical movement of components, and automated provisioning can greatly simplify the configuration of subnets.

Moving to a segmentation architecture provides an opportunity to simplify the management of firewall policies. An emerging best practice is to use a single consolidated policy for subnet access control as well as threat detection and mitigation, rather than performing these functions in different parts of the network. This approach reduces the attack surface and strengthens the organization's security posture.
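The following is an added example, not code from the original article, that models the ideas above: zones defined both by IP subnet (addressing-based) and by VLAN tag, a single consolidated default-deny gateway policy, and a check of how far an attacker can move laterally under that policy compared with a flat network. The zone names, CIDR blocks, VLAN IDs, ports and the sample flows are assumptions chosen for illustration.

```python
"""Worked model of a default-deny segmentation policy.

This is an added example, not code from the original article. The zone
names, VLAN IDs, CIDR blocks and allowed flows below are assumptions
chosen to illustrate the idea; substitute your own.
"""
import ipaddress
from collections import deque
from typing import Optional

# Logical segments. Each zone is an IP subnet (addressing-based
# segmentation) carried on its own VLAN tag (VLAN-based segmentation).
ZONES = {
    "users": {"cidr": "10.10.0.0/24", "vlan": 10},
    "web":   {"cidr": "10.20.0.0/24", "vlan": 20},
    "app":   {"cidr": "10.30.0.0/24", "vlan": 30},
    "db":    {"cidr": "10.40.0.0/24", "vlan": 40},
    "mgmt":  {"cidr": "10.99.0.0/24", "vlan": 99},
}

# The single consolidated gateway policy: one entry per permitted
# inter-zone flow as (src_zone, dst_zone, protocol, dst_port).
# Anything not listed is dropped, which is the default-deny behaviour
# of a microperimeter.
ALLOW = {
    ("users", "web", "tcp", 443),
    ("web",   "app", "tcp", 8443),
    ("app",   "db",  "tcp", 5432),
    ("mgmt",  "web", "tcp", 22),
    ("mgmt",  "app", "tcp", 22),
    ("mgmt",  "db",  "tcp", 22),
}

_NETS = {name: ipaddress.ip_network(z["cidr"]) for name, z in ZONES.items()}
_VLANS = {z["vlan"]: name for name, z in ZONES.items()}


def zone_of(ip: str) -> Optional[str]:
    """Classify an address by subnet (addressing-based segmentation)."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS.items():
        if addr in net:
            return name
    return None


def zone_of_vlan(vlan_id: int) -> Optional[str]:
    """Classify a frame by its 802.1Q tag (VLAN-based segmentation)."""
    return _VLANS.get(vlan_id)


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Decide what the subnet gateway does with one flow.

    Returns "local" for traffic that stays inside one segment (switched,
    never seen by the gateway), "allow" for a listed inter-zone flow,
    and "deny" for everything else, including traffic from address
    space that belongs to no known segment.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    if src == dst:
        return "local"
    return "allow" if (src, dst, proto.lower(), dst_port) in ALLOW else "deny"


def reachable_zones(start_zone: str, allow=ALLOW) -> set:
    """Zones an attacker with a foothold in start_zone can reach by
    chaining permitted flows (breadth-first over the policy graph).

    This is the residual lateral-movement surface: every hop still
    requires compromising the listening service, but the policy alone
    does not stop it.
    """
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for src, dst, _proto, _port in allow:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start_zone)
    return seen


def flat_network_reach(start_zone: str) -> set:
    """Reach under the old trust assumption: no gateways, so every
    zone is one hop from any foothold."""
    return set(ZONES) - {start_zone}


if __name__ == "__main__":
    # Constructed sample flows: a compromised user workstation trying to
    # reach the database directly, versus the app tier doing the same.
    print(evaluate("10.10.0.5", "10.40.0.10", "tcp", 5432))   # deny
    print(evaluate("10.30.0.7", "10.40.0.10", "tcp", 5432))   # allow
    print(evaluate("10.10.0.5", "10.10.0.9", "tcp", 445))     # local
    print("flat:", sorted(flat_network_reach("users")))
    print("segmented:", sorted(reachable_zones("users")))
    print("segmented from db:", sorted(reachable_zones("db")))
```

The reachability check is the part worth keeping around: it shows that the user zone can still reach the database indirectly through the web and app tiers, because the policy permits that chain, while the management zone is unreachable from any foothold. Tightening the design means removing or narrowing entries in the allow set, not adding more segments.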