What Is Network Segmentation?
Network segmentation is the division of a network into subnetworks—each with subnet-specific security policies and protocols—to attempt to prevent lateral movement. It’s one of the most widely used means of reducing a network's attack surface to combat cyberattacks.
Before we continue, let’s differentiate between network segmentation and microsegmentation.
Network segmentation works best with north-south traffic, while microsegmentation adds a layer of protection for east-west traffic—server-to-server, app-to-server, web-to-server, and so on. In a common analogy, network segmentation is like a castle’s moat and outer walls, whereas microsegmentation is like the guards at the doors of the castle’s interior rooms.
Why Use Network Segmentation?
Network segmentation is a proactive defense rather than a reactive one, which gives it some key advantages. Reactive defense—performing investigation and damage control only after a breach—is usually expensive, and it can still leave you grappling with data loss, compliance issues, and reputational damage.
Proactive defense—that is, prevention—seeks to address potential risks and vulnerabilities before they can be exploited. Network segmentation is among the most common ways to do this today.
Types of Network Segmentation
Traditionally, there have been two basic types of network segmentation:
Physical segmentation uses discrete firewalls, wiring, switches, and internet connections to separate parts of a computer network. This is the more expensive, less scalable type.
Virtual segmentation, also called logical segmentation, typically segments network traffic flows using virtual local area networks (VLANs), which can be protected by the same firewall.
Network Segmentation Use Cases
So, what does network segmentation actually do? In short, it’s designed to help you:
Stop lateral movement of external threats: In a segmented network, a data breach in one segment is not an immediate threat to data in another segment.
Stop lateral movement of internal threats: Segmenting access by business need (e.g., making financial data inaccessible to HR) reduces your risk of insider attacks.
Separate internal and guest networks: Keeping guests in a separate segment lets you offer them connectivity without putting your internal devices and data at risk.
Protect regulated data and stay compliant: Storing sensitive data in an access-restricted segment will better protect it and help you comply with data regulations.
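To make the use cases above concrete, here is an added example (not code from the original page or from Zscaler) that models logical segmentation the way a VLAN-plus-firewall design enforces it: hosts are classified into segments by subnet, an explicit allow-list says which segment may talk to which on which port, and everything else is denied. The segment names, address ranges, and rules are constructed for illustration and do not describe any real network. The blast_radius helper answers the question a defender asks when reviewing a design: if a host in this segment is compromised, which other segments can it reach?

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed example segments (hypothetical address plan, not a real network).
SEGMENTS = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "corp_users": ipaddress.ip_network("10.20.0.0/16"),
    "hr": ipaddress.ip_network("10.30.0.0/24"),
    "finance_app": ipaddress.ip_network("10.40.0.0/24"),
    "finance_db": ipaddress.ip_network("10.40.1.0/24"),
    "cardholder": ipaddress.ip_network("10.50.0.0/24"),   # PCI DSS scope, no inbound rules at all
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Inter-segment allow-list. Anything not listed here is denied (default deny),
# which is what keeps a breach in one segment from spreading to another.
RULES = [
    Rule("corp_users", "finance_app", "tcp", 443),   # staff reach the finance web tier only
    Rule("finance_app", "finance_db", "tcp", 5432),  # only the app tier may reach the database
    Rule("corp_users", "hr", "tcp", 443),            # HR portal
]


def segment_of(ip: str) -> Optional[str]:
    """Classify an address into a segment, or None if it belongs to no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[bool, str]:
    """Decide one flow the way a segment firewall would, returning (decision, reason)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every known segment: default deny"
    if src == dst:
        # A segment is flat inside itself; that east-west traffic is what
        # microsegmentation would add controls for.
        return True, f"intra-segment traffic within {src}"
    for r in RULES:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return True, f"permitted by rule {src}->{dst} {proto}/{port}"
    return False, f"no rule permits {src}->{dst} {proto}/{port}: default deny"


def blast_radius(segment: str) -> Set[str]:
    """Segments reachable by a host in `segment` through any allow rule (the segment itself included).

    Useful when auditing a design: a small set means a compromise there stays contained.
    """
    return {segment} | {r.dst for r in RULES if r.src == segment}


if __name__ == "__main__":
    print(is_allowed("10.20.5.7", "10.40.0.10", "tcp", 443))    # corp user -> finance app: allowed
    print(is_allowed("10.20.5.7", "10.40.1.10", "tcp", 5432))   # corp user -> finance DB: denied
    print(is_allowed("10.10.3.3", "10.40.0.10", "tcp", 443))    # guest -> finance app: denied
    for seg in SEGMENTS:
        print(f"{seg:12s} can reach: {sorted(blast_radius(seg))}")
```

Note that the only way from a user workstation to the database is through the application tier, and the guest and cardholder segments have no inter-segment rules at all, so a compromised guest device's blast radius is its own segment. Reviewing blast_radius for each segment is a quick, repeatable form of the regular audit recommended later on this page.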
Benefits of Network Segmentation
Whatever schema an organization uses, a segmented network has some clear advantages over a flat network with no hierarchy or subnets. These include:
Stronger cybersecurity for sensitive data: This benefit encompasses breach prevention (north-south movement), tighter access control, and security controls specific to each segment.
Easier regulatory compliance: Limiting who can access certain data and where it flows simplifies compliance and audits for regulations like PCI DSS and GDPR.
Simpler risk analysis and damage control: When cybercriminals can’t move freely around your entire network, it’s easier to pinpoint their techniques and identify weaknesses in your security posture.
Safer endpoints and users: This goes both ways—end users and endpoints are safer when threats can’t easily spread across segments, and the segments themselves are safer from threats that begin on endpoints.
Reduced network congestion: Activity in one segment won’t throttle another part of the network. For instance, customers using guest Wi-Fi won’t slow down credit card transactions.
Network Segmentation Best Practices
To implement and maintain effective network segmentation, here are five network segmentation best practices to live by:
1. Don’t Over-Segment
Over-segmenting can decrease your overall network visibility and make management difficult, but under-segmenting keeps your attack surface broad and hurts your security posture.
2. Perform Regular Audits
Network segmentation will only improve your network security if you continually audit your segments: check for vulnerabilities, confirm that permissions are still as tight as intended, and keep devices updated. If you know there are no exploitable gaps in your coverage, you’ll be one step ahead of hackers.
3. Follow the Principle of Least Privilege
By applying the principle of least privilege across all your segments, you ensure that users, network administrators, and the security team are granted access only when it is necessary. Least-privileged access is fundamental to zero trust network access.
4. Limit Third-Party Access
Granting third parties access is already risky, so it’s important to do so only where it’s needed, especially if you’re granting it to multiple segments. Carefully considering new permissions is key to maintaining good network security posture.
5. Automate Where You Can
Besides the benefits of automation in general (such as improved visibility, security, and MTTR), automating network segmentation allows you to quickly identify and classify new assets and data, which is another segmentation best practice in itself.
Disadvantages of Network Segmentation
In today’s complex network architectures, distributed across multiple cloud environments and data centers, the old models of segmentation (based on firewalls, VLANs, and network perimeters) have some major shortcomings.
Traditional firewalls have a key flaw that directly opposes segmentation: they create flat networks that allow easy lateral movement. Trying to compensate for this is incredibly operationally burdensome and complex. Even next-generation firewalls still put users on your network to access applications, and VLANs have the same weakness.
A traditional approach leaves you dealing with:
Excessive trust: Because traditional firewall-based segmentation is designed to prevent attacks from outside, it can leave you vulnerable to insider threats.
Misconfigurations: VLANs are easy to misconfigure in today’s architectures, especially if you use third-party cloud providers and can’t change the infrastructure yourself.
Work-intensive management: Every new app, device, or change means updating firewall rules, and even mundane activities like vulnerability scanning require more resources.
Complex controls: Traditional methods lack fine-grained controls, making it complicated to define segmentation policy for remote workers, partners, customers, and so on.
Scalability issues: To handle network growth, you need to create smaller segments or upgrade existing ones, resulting in higher costs to scale and maintain.
Poor performance: Adding more network devices (e.g., firewalls, routers) has a compounding negative effect on your overall network performance.
ZTNA: A Better Way to Achieve Segmentation
As you increasingly rely on the scalability, flexibility, and reach of the cloud, many pure network security strategies (like traditional segmentation) become impractical. Instead, you need a model that takes your internal network, with all its risks and complexities, out of the equation.
Zero trust network access (ZTNA) is a framework based on the notion that no user or device is inherently trustworthy. Instead, access policies are built on the principle of least privilege, based on identity and context, such as device, location, application, and content.
ZTNA connects users directly to applications on a one-to-one basis, never to the network, eliminating lateral movement. This lets you achieve segmentation in a fundamentally different and more effective way that is impossible with legacy VPNs and firewalls.
Advantages of ZTNA over Traditional Segmentation
Compared to traditional segmentation, ZTNA:
Provides adaptive, identity-aware, precision access without network access. It eliminates implicit trust, replacing it with explicit identity-based trust.
Requires no network connection, so your internal applications (and IP addresses) are never exposed to the internet, reducing your attack surface and risk.
Provides user-to-app-level segmentation through granular access policies enforced in the cloud, rather than requiring you to configure access policies and firewall rules.
Improves flexibility, agility, and scalability while reducing the need for internal firewalls. ZTNA can be delivered as a cloud service or as managed software on-premises.
Enables secure application access for unmanaged devices and external partners while keeping users off the network, minimizing the risk of malware proliferation.
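The difference between the two models is easiest to see in the decision itself. The following is an added example, not code from the original page or from Zscaler Private Access, of how a ZTNA broker evaluates access per user and per application: identity, group membership, device posture, and location are all inputs, the default is deny, and an allow never yields a network route, only a brokered connection to that one app. It also illustrates the least-privilege practice from earlier on this page. The policy names, groups, apps, and context fields are constructed for illustration and are not any product's policy schema.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Context:
    """Identity and context presented at connection time (hypothetical fields)."""
    user: str
    groups: FrozenSet[str]
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # posture check passed (e.g., disk encrypted, endpoint agent running)
    country: str             # ISO country code of the request


@dataclass(frozen=True)
class AppPolicy:
    """Who may be brokered to one private application, and under what conditions."""
    app: str
    allowed_groups: FrozenSet[str]
    require_managed_device: bool = True
    allowed_countries: FrozenSet[str] = frozenset()   # empty means any country


# Constructed example policies. Each grants access to exactly one app; nothing
# here grants a subnet, a VLAN, or a route.
POLICIES: List[AppPolicy] = [
    AppPolicy("finance-erp", frozenset({"finance"}), True, frozenset({"US", "DE"})),
    AppPolicy("hr-portal", frozenset({"hr"}), True),
    AppPolicy("partner-ticketing", frozenset({"partners", "support"}), require_managed_device=False),
]


def decide(ctx: Context, app: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one user-to-app request.

    Default deny applies to unknown apps and to every unmet condition. The deny
    reason is kept generic so a caller cannot use it to discover which apps exist.
    """
    policy = next((p for p in POLICIES if p.app == app), None)
    if policy is None:
        return "deny", "not entitled"                     # unknown app looks the same as a denied one
    if not (ctx.groups & policy.allowed_groups):
        return "deny", "not entitled"                     # identity check fails first
    if policy.require_managed_device and not (ctx.device_managed and ctx.device_compliant):
        return "deny", "device posture not acceptable"    # context check: device
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        return "deny", "location not permitted"           # context check: location
    return "allow", f"brokered user-to-app connection to {app}"


def visible_apps(ctx: Context) -> Set[str]:
    """Apps this user can be brokered to right now; all others stay dark (no address exposed)."""
    return {p.app for p in POLICIES if decide(ctx, p.app)[0] == "allow"}


if __name__ == "__main__":
    # Constructed sample identities.
    alice = Context("alice", frozenset({"finance"}), True, True, "US")
    alice_travelling = Context("alice", frozenset({"finance"}), True, True, "BR")
    alice_byod = Context("alice", frozenset({"finance"}), False, False, "US")
    bob_partner = Context("bob", frozenset({"partners"}), False, False, "IN")
    for who, ctx in [("alice", alice), ("alice abroad", alice_travelling),
                     ("alice on BYOD", alice_byod), ("bob (partner)", bob_partner)]:
        print(f"{who:16s} finance-erp -> {decide(ctx, 'finance-erp')}; visible: {sorted(visible_apps(ctx))}")
```

The same identity gets different answers as context changes: alice is allowed to the finance app from a compliant managed device in a permitted country, denied from an unmanaged device, and denied from a country outside the policy. The partner is brokered to the one ticketing app and sees nothing else, which is the user-to-app segmentation the list above describes, with no firewall rule or VLAN involved.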
Zscaler and Network Segmentation
Zscaler Private Access™ is the world’s most deployed ZTNA platform. Applying the principles of least privilege, it gives your users secure, direct connectivity to your private applications without placing them on your network.
Whether you’re in the planning stage or running a traditional segmentation model that’s showing its age, we can help you achieve mature segmentation with ZTNA. Here’s how to get started:
Replace your VPNs and firewalls with Zscaler Private Access to reduce your attack surface and eliminate lateral movement with user-to-app segmentation.
Implement app-to-app segmentation to bring ZTNA to your cloud workloads and applications in hybrid and multicloud environments.
Finally, implement process-to-process/identity-based microsegmentation for communication within a cloud.
What Is Network Segmentation?
Network segmentation divides a network into subnetworks with specific security policies and protocols, helping to prevent lateral movement and reduce the network's attack surface to combat cyberattacks.
What Is a Network Segment?
A network segment (less commonly called a security zone) is an isolated or separated part of a network. Segments can have their own security policies, access control lists (ACLs), and protocols, providing more granular control and protection.
What Is a Good Reason to Segment a Network?
One of the primary reasons to segment a network is to limit the potential scope of a security breach. Network segments keep threats isolated, preventing lateral movement and minimizing the attack surface.
What Is a Collision Domain?
A collision domain is a network segment in which multiple devices share one data pathway. When two or more devices try to use the pathway simultaneously, the resulting “collisions” can slow down the network, and avoiding them typically requires dedicated management.