Microsegmentation (network security)

Microsegmentation is a network security approach that enables security architects to construct network security zones boundaries per machine in data centers and cloud deployments in order to segregate and secure workloads independently.[1][2]

It is now also used on the client network as well as the data center network.

Types of microsegmentation

There are three main types of microsegmentation:

  • Native OS host-based firewall segmentation employs OS firewalls to regulate network traffic between network segments. Instead of using a router or network firewalls or deploying agents, each host firewall is used to perform both auditing and enforcement, preventing attackers from moving laterally between network machines. While Native OS host-based firewalls can implement many segmentation schemes, including microsegmentation, only recent innovations in the space have made implementation and management achievable at scale.[3]
  • Host-agent segmentation: This style of microsegmentation makes use of endpoint-based agents. By having a centralized manager with access to all data flows, the difficulty of detecting obscure protocols or encrypted communications is mitigated.[4] The use of host-agent technology is commonly acknowledged as a powerful method of microsegmentation.[4] Because infected devices act as hosts, a solid host strategy can prevent issues from manifesting in the first place. This software, however, must be installed on every host.[4]
  • Hypervisor segmentation: In this implementation of microsegmentation, all traffic passes through a hypervisor.[4] Since hypervisor-level traffic monitoring is possible, existing firewalls can be used, and rules can be migrated to new hypervisors as instances are spun up and spun down.[4] Hypervisor segmentation typically doesn't function with cloud environments, containers, or bare metal, which is a downside.[4]
  • Network segmentation: This approach builds on the current setup by using tried-and-true techniques like access-control list (ACLs) for network segmentation.[4]

Benefits

Microsegmentation allows defenders to thwart almost any attack methods by closing off attack vectors within internal networks so that the attackers are stopped in their tracks.[4]

Microsegmentation in internet of things (IoT) environments can help businesses gain command over the increasing volume of lateral communication taking place between devices, which is currently unmanaged by perimeter-focused security measures.[5]

Challenges

Despite its useful features, implementing and maintaining microsegmentation can be difficult.[4] The first deployment is always the most challenging.[4] Some applications may not be able to support microsegmentation, and the process of implementing microsegmentation may cause other problems.[4]

Defining policies that meet the requirements of every internal system is another potential roadblock. Internal conflicts may occur as policies and their ramifications are considered and defined, making this a difficult and time-consuming process for certain adopters.[4]

Network connection between high and low-sensitivity assets inside the same security boundary requires knowledge of which ports and protocols must be open and in which direction. Inadvertent network disruptions are a risk of sloppy implementation.[4]

Microsegmentation is widely compatible with environments running common operating systems including Linux, Windows, and MacOS. However, this is not the case for companies that rely on mainframes or other outdated forms of technology.[4]

To reap the benefits of microsegmentation despite its challenges, companies have developed solutions by using automation and self service.[6]

Service providers

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.