Segmentation has long been carried out by creating segments in networks with VLANs or subnets. Virtual local area networks (VLANs) create smaller network segments in which all hosts are connected virtually to each other as if they were in the same LAN. Subnets use IP address ranges to partition a network into smaller networks joined by routing devices. These approaches not only allow for more efficient network performance, but also serve to contain threats from spreading beyond a particular VLAN or subnet.
There are two key challenges to these approaches. The first is the fact that networks must often be re-architected to accommodate segmentation needs. The second is the complexity of programming and managing the thousands of access control list (ACL) rules that live on network devices needed to create subnets.
Instead of using the network to enforce segmentation, firewalls are another option. Firewalls are deployed inside a network or data center to create internal zones that separate functional areas from each other, limiting the attack surface and preventing threats from spreading beyond a zone. One example is separating engineering applications from finance. Another common example is protecting sensitive zones where PCI data resides.
Network and security administrators are familiar with firewalls deployed at the perimeter. However, they tend to introduce considerable complexity when the same firewalls are used for internal segmentation.
This is due to the thousands of firewall rules that are needed to segment internal networks. A further consideration is the risk of firewall misconfiguration, which can break an application and harm the business. Another drawback of using firewalls for segmentation is the considerable cost they impose, since they are bought in pairs for multiple sites and often cost millions of dollars.
Segmentation with SDN:
Software-defined networking (SDN) is relied on for greater network automation and programmability through centralized controllers that are abstracted from the physical hardware of the network. Some network operators seek to coax segmentation from their SDN network overlay implementation by using it to create policies to funnel packets through a distributed set of firewalls.
A drawback here is the vast complexity required for successful micro-segmentation, particularly when applications do not fit neatly into network boundaries. SDN is focused on network policy rather than on the security visibility into workloads and application flows that other approaches provide.
An alternative way to get to a segmented network is enforcement using the host workload, instead of subnets or firewalls. Each workload operating system in the data center or cloud contains a native stateful firewall, such as iptables in Linux or Windows Filtering Platform in Windows. This approach tends to use whitelist models that block all traffic except for what is permitted. Micro-segmentation is also sometimes referred to as host-based segmentation or security segmentation.
Host-based segmentation uses workload telemetry to create a map of cloud and on-premise compute environments and applications. This map is used to visualize what must be protected and to put automated segmentation policy in place. This approach uses human-readable labels versus IP addresses or firewall rules to create policy. An advantage is the ability to enforce segmentation down to the process level, more granular than just specific ports.
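As an added illustration of the label-based, whitelist model described above (example code written for this page, not a product's own implementation), the script below compiles a policy expressed in human-readable labels into host-local iptables rules for one workload; the labels, addresses and allowed flows are constructed sample data.

```python
# Added example: compile a label-based micro-segmentation policy into
# host-local iptables rules for a single workload. All labels, addresses
# and flows below are constructed sample data, not from any real environment.

WORKLOADS = {            # label -> addresses of the workloads carrying it
    "web": ["10.0.1.10", "10.0.1.11"],
    "app": ["10.0.2.20"],
    "db":  ["10.0.3.30"],
    "ops": ["10.0.9.5"],
}

# Allowed flows, written with labels rather than IPs or firewall rules:
# (source label, destination label, protocol, destination port)
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
    ("ops", "db",  "tcp", 22),
    ("ops", "app", "tcp", 22),
]

def compile_host_rules(host_label, workloads=WORKLOADS, policy=POLICY):
    """Return the iptables commands that enforce POLICY on a host labelled host_label.

    Whitelist model: INPUT defaults to DROP, replies to connections the host
    itself opened are allowed statefully, and only flows whose destination
    label matches this host become ACCEPT rules. Everything else is dropped.
    """
    rules = [
        "iptables -P INPUT DROP",                        # default deny
        "iptables -A INPUT -i lo -j ACCEPT",             # loopback traffic
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in policy:
        if dst != host_label:
            continue                                     # flow is not inbound to this host
        for addr in sorted(workloads.get(src, [])):      # expand the label to addresses
            rules.append(
                f"iptables -A INPUT -s {addr} -p {proto} --dport {port} "
                f"-m conntrack --ctstate NEW -m comment --comment \"{src}->{dst}\" -j ACCEPT"
            )
    return rules

if __name__ == "__main__":
    # Show the rule set a "db" workload would load; web hosts get no entry
    # because the policy grants them no path to the database tier.
    print("\n".join(compile_host_rules("db")))
```

Because the policy references labels, adding a second "app" host only changes the WORKLOADS map; the rules on every "db" host are regenerated without anyone editing IP-based firewall rules.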
Teams introduced to host-based segmentation need a period of adaptation. Most new users are familiar with firewalls and networking concepts, but must be trained on a new way to create policy and enforce segmentation at the host.