Network Segmentation Definition
Network segmentation is the division of a network into multiple subnetworks—each with subnet-specific security policies and protocols—to attempt to prevent lateral movement. It’s one of the most widely used means of reducing a network's attack surface to combat cyberattacks.
Network Segmentation vs. Microsegmentation
Before we go on, let’s differentiate between network segmentation and microsegmentation.
Network segmentation is best used for north-south traffic, while microsegmentation adds a layer of protection for east-west traffic—server-to-server, app-to-server, web-to-server, and so on. A common analogy likens network segmentation to a castle’s moat and outer walls, whereas microsegmentation is the guards at the doors of each of the castle’s interior staterooms.
Why Use Network Segmentation?
Segmentation is a proactive mode of defense, offering key advantages over reactive security.
With reactive security, teams first investigate a compromise, and then do damage control. It’s cumbersome and expensive, and it can still leave you grappling with data loss, compliance issues, and damage to your public image.
It’s impossible to ignore: Organizations worldwide are still suffering data breaches. According to Risk Based Security, 4,145 publicly disclosed breaches exposed more than 22 billion records in 2021 alone.
That’s a clear indicator that instead of reacting to attacks, you should focus on prevention, addressing potential risks and vulnerabilities before they can be exploited. Network segmentation is among the most common ways to do this today.
Types of Network Segmentation
Traditionally, there have been two basic types of network segmentation:
- Physical segmentation uses discrete firewalls, wiring, switches, and internet connections to separate parts of a network. This is the more expensive, less scalable type.
- Virtual segmentation, also called logical segmentation, typically segments network traffic flows using virtual local area networks (VLANs), which can be protected by the same firewall.
Network Segmentation Examples
So, what does network segmentation actually do? Let’s look at a few example use cases:
- Stop lateral movement of external threats: Segmenting parts of your network inside the perimeter means that even if your perimeter is breached, all your data is not immediately under threat.
- Stop lateral movement of internal threats: Segmenting internal data by need for access (such as by department) reduces your risk of insider threats by making, for instance, financial data inaccessible to HR.
- Separate internal and guest networks: By keeping guests in a guest segment, separate from the rest of your network, you can continue to offer them convenient connectivity without putting your internal devices and data at risk.
- Protect regulated data and stay compliant: Storing sensitive data, such as payment card information, in a tightly access-restricted segment will better protect it from compromise and enable you to comply with data regulations.
Benefits of Network Segmentation
Whatever schema an organization uses, a segmented network has some clear advantages over a flat network with no hierarchy or subnets. These benefits include:
- Stronger cybersecurity for sensitive data: This benefit encompasses breach prevention (north-south movement), tighter access control, and security controls specific to each segment.
- Less difficulty meeting regulatory compliance requirements: Limiting who can access certain data and where it flows simplifies compliance attestation and audits for industry and government regulations like PCI DSS and GDPR.
- Simpler risk analysis and damage control: When cybercriminals can’t move freely around your entire network, it’s easier to pinpoint their techniques and identify weaknesses in your security posture.
- Safer endpoints and users: This goes both ways—end users and devices are safer on a segmented network where threats can’t easily spread to endpoints, and the segments themselves are safer from threats that begin at the endpoint.
- Reduced network congestion: Activity in one segment won’t throttle it in another part of the network. For instance, in a retail store, customers using guest Wi-Fi won’t slow down credit card transactions.
Network Segmentation Best Practices
To help you learn the right way to implement and maintain an effective network segmentation model, here are five network segmentation best practices to live by:
1. Don’t over-segment
Many organizations over-segment their networks when they first start out. Doing so can decrease your overall network visibility and make management even more difficult than before you began segmenting. However, it’s also important not to under-segment your network, as this keeps your attack surface broad and hurts your security posture.
2. Perform regular audits
Network segmentation is an excellent way to improve your network security, but it’s only effective when you continually check in to see that vulnerabilities are closed off, permissions are tight, and updates are installed. Most of all, auditing your segments ensures there are no exploitable gaps in coverage and that any network risks are mitigated—keeping you one step ahead of relentless bad actors.
3. Follow the principle of least privilege
Least-privileged access can make or break access management in general, and it’s no less crucial when it comes to network segmentation. By applying the principle of least privilege across all your network segments, you guarantee your users, network admins, and security team that access is only granted when necessary. This is why least-privileged access is fundamental for zero trust network access.
4. Limit third-party access
Granting access to third-party users already comes with high risk, so it’s important to grant such access only where it’s needed, especially if you’re granting it to a variety of network segments. Segmentation reduces overall risk to your network, but that doesn’t mean you should begin doling out permissions to third parties without considering how it could affect your network security posture.
5. Automate where you can
Segmenting your network grants your organization a bevy of valuable opportunities to automate. Besides the given benefits of automation in general—such as increased visibility, reduced MTTR, and improved security—automating network segmentation allows you to quickly identify and classify new assets and data, which is another segmentation best practice in itself.
Disadvantages of Traditional Segmentation
What we can’t overlook is that in today’s complex network architectures—distributed as they are across multiple clouds and data centers—the old firewall and VLAN models of segmentation have some major shortcomings.
Traditional firewalls have a key flaw that directly opposes segmentation: they create flat networks that allow easy lateral movement. Trying to compensate for this is so operationally burdensome and complex that it’s almost impossible. Even next-generation firewalls, with all their added capabilities, still put users on your network to access applications. VLANs have the same weakness.
A traditional approach leaves you dealing with:
- Excessive trust: Because traditional firewall-based segmentation is designed to prevent attacks from outside, it can leave you vulnerable to insider threats.
- Misconfigurations: VLANs are easy to misconfigure in today’s architectures, especially if you use third-party cloud providers and can’t change the infrastructure yourself.
- Work-intensive management: Every new app, device, or change means updating firewall rules, and even mundane activities like vulnerability scanning require more resources.
- Complex controls: Traditional methods lack fine-grained controls, making it complicated to define segmentation policy for remote workers, partners, customers, and so on.
- Scalability issues: To handle network growth, you need to create smaller segments or upgrade existing ones, resulting in higher costs to scale and maintain.
- Poor performance: Adding more network devices (e.g., firewalls, routers) has a compounding negative effect on your overall network performance.
ZTNA: A Better Way to Achieve Segmentation
As your operations increasingly rely on the scalability, flexibility, and reach of the cloud, many pure network security strategies (like traditional segmentation) become impractical. Instead, you need a model that takes your internal network, with all its risks and complexities, out of the equation.
New approaches have emerged anchored in zero trust network access (ZTNA), a framework based on the notion that no user or device is inherently trustworthy. Instead, access policies are built on the principle of least privilege, based on identity and context, such as device, location, application, and content.
ZTNA connects users directly to applications on a one-to-one basis, never to the network, eliminating lateral movement. This lets you achieve segmentation in a fundamentally different and more effective way that is impossible with legacy VPNs and firewalls.
Advantages of ZTNA Over Traditional Segmentation
Compared to traditional segmentation, ZTNA:
- Provides adaptive, identity-aware, precision access without network access. It eliminates implicit trust, replacing it with explicit identity-based trust.
- Requires no network connection, so your internal applications (IP addresses) are never exposed to the internet, reducing your attack surface and risk.
- Provides user-to-app-level segmentation through granular access policies enforced in the cloud, rather than requiring you to configure access policies and firewall rules.
- Improves flexibility, agility, and scalability while reducing the need for internal firewalls. ZTNA can be delivered as a cloud service or as managed software on-premises.
- Enables secure application access for unmanaged devices and external partners while keeping users off the network, minimizing the risk of malware proliferation.
Zscaler and Network Segmentation
Zscaler Private Access™ is the world’s most deployed ZTNA platform. Applying the principles of least privilege, it gives your users secure, direct connectivity to your private applications without placing them on your network.
Whether you’re in the planning stage or running a traditional segmentation model that’s showing its age, we can help you achieve mature segmentation with ZTNA. Here’s how to get started:
Replace your VPNs and firewalls with Zscaler Private Access to reduce your attack surface and eliminate lateral movement with user-to-app segmentation.
Implement app-to-app segmentation to bring ZTNA to your cloud workloads and applications in hybrid and multicloud environments (between clouds).
Finally, implement process-to-process/identity-based microsegmentation for communication within a cloud (east-west).
Ready to find out more? Visit our Zscaler Private Access page.