Security

Network Segmentation

The practice of dividing a computer network into smaller, isolated subnetworks to improve security, performance, and compliance.

Also known as:Network IsolationMicrosegmentation

What is Network Segmentation?

Network segmentation is the practice of splitting a computer network into smaller parts (segments or subnets). Each segment operates as a separate network, limiting the spread of threats and enabling granular security controls.

Segmentation Types

Physical Segmentation

  • Separate hardware
  • Air gaps
  • Most secure, most costly

Logical Segmentation

  • VLANs
  • Shared infrastructure
  • Software-defined

Micro-Segmentation

  • Application-level
  • Zero trust approach
  • East-west traffic control

Benefits

Security

  • Limit lateral movement
  • Contain breaches
  • Reduce attack surface

Compliance

  • Isolate regulated data
  • Reduce audit scope
  • Meet requirements

Performance

  • Reduce congestion
  • Optimize traffic
  • Improve reliability

Implementation Approaches

VLANs

  • Layer 2 segmentation
  • Switch-based
  • Traditional approach

Subnets

  • Layer 3 segmentation
  • Router-based
  • IP addressing

Firewalls/ACLs

  • Access control
  • Traffic filtering
  • Policy enforcement

Software-Defined

  • SDN/microsegmentation
  • Dynamic policies
  • Workload-based

Segmentation Strategies

By Function

  • DMZ, internal, sensitive
  • Development vs. production

By Data Type

  • PCI cardholder data
  • Healthcare (PHI)
  • PII

By User Type

  • Employee, guest
  • Third-party access

Best Practices

  • Map data flows first
  • Start with critical assets
  • Monitor segment traffic
  • Regular rule review
  • Document architecture
Previous

Mutual TLS (mTLS)

Next

NIST 800-53