Microsegmentation (network security)

Microsegmentation is a network security architecture that establishes security zone boundaries at the level of individual workloads within data centers and cloud environments, so that each workload can be isolated and secured independently of its neighbours.[1][2] Although originally applied to data center networks, microsegmentation is also used in client network environments.

Types of microsegmentation

Native OS host-based firewall segmentation

Native OS host-based firewall segmentation uses the operating system's built-in firewall on each machine to regulate network traffic between segments. Rather than relying on routers, network firewalls, or installed agents, each host firewall performs its own auditing and enforcement, which limits lateral movement between machines.[3]

Host-agent segmentation

The host-agent segmentation approach relies on endpoint-based agents that are centrally managed and provide visibility into data flows, reducing the difficulty of identifying obscure or encrypted communications.[4] Host-based agent technology is widely recognized as an effective method for microsegmentation, because a compromised device is itself a host running the agent and its traffic can therefore be controlled directly. However, this approach requires software to be installed on every host.[4]

Hypervisor segmentation

Hypervisor segmentation is a microsegmentation implementation in which all traffic passes through the hypervisor.[4] It enables hypervisor-level traffic monitoring, allows existing firewalls to be used, and supports rule migration as instances are created or removed.[4]

Network segmentation

The network segmentation approach builds on existing infrastructure by using tried-and-true techniques such as access control lists (ACLs) for segmentation.[4]

Applications

Microsegmentation helps limit attack propagation by restricting internal network attack paths.[4] In Internet of Things (IoT) environments, microsegmentation helps organizations control lateral communication between devices, which is often unmanaged by perimeter-focused security measures.[5]
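The workload-level allow-list that host-based firewall segmentation enforces, and the restriction of internal attack paths described above, as an added example that is not part of the original article: a default-deny policy is written between workload labels, each flow is evaluated against it, and the per-host inbound rules are compiled into nftables-style lines. The labels, addresses, and ports are constructed for the example.

```python
"""Workload-level allow-list policy, the core of host-based microsegmentation."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory (not from any real environment): label -> workload IPs.
INVENTORY: Dict[str, List[str]] = {
    "web": ["10.0.1.10", "10.0.1.11"],
    "app": ["10.0.2.10"],
    "db": ["10.0.3.10"],
}


@dataclass(frozen=True)
class Rule:
    src_label: str
    dst_label: str
    dport: int
    proto: str = "tcp"


# Explicit allow-list; any flow not listed is denied (default deny).
POLICY: List[Rule] = [
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
]


def label_of(ip: str) -> Optional[str]:
    """Map a workload IP to its label; unknown hosts get no label."""
    for label, ips in INVENTORY.items():
        if ip in ips:
            return label
    return None


def is_allowed(src_ip: str, dst_ip: str, dport: int, proto: str = "tcp") -> bool:
    """Evaluate one flow; unknown hosts and unlisted flows are denied."""
    src, dst = label_of(src_ip), label_of(dst_ip)
    if src is None or dst is None:
        return False
    return any(r.src_label == src and r.dst_label == dst
               and r.dport == dport and r.proto == proto for r in POLICY)


def nft_rules_for_host(host_ip: str) -> List[str]:
    """Compile the inbound rules the host's own firewall must enforce."""
    dst = label_of(host_ip)
    lines = ["ct state established,related accept"]
    for r in POLICY:
        if r.dst_label != dst:
            continue
        for src_ip in INVENTORY[r.src_label]:
            lines.append(f"ip saddr {src_ip} {r.proto} dport {r.dport} accept")
    lines.append("drop")  # default deny: everything not explicitly allowed
    return lines
```

Note that web -> db is denied even though web -> app and app -> db are both allowed: the policy is evaluated per flow, so a compromised web host gains no direct path to the database tier.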

Challenges

Microsegmentation is generally compatible with environments running common operating systems such as Linux, Windows, and macOS, but support is limited for mainframes and other legacy systems.[4] During the initial deployment, some applications may not support microsegmentation, and enforcing policy on them can cause operational issues.[4] Defining policies that meet the requirements of all internal systems can also be difficult. Policy development may involve internal trade-offs and extended coordination, making the process time-consuming for some organizations.[4]

References

  1. Bednarz, Ann (January 30, 2018). "What is microsegmentation? How getting granular improves network security". Network World.
  2. "1 Summary — NIST SP 1800-24 documentation". NIST.
  3. Huang, Dijiang; Chowdhary, Ankur; Pisharody, Sandeep. Software-Defined Networking and Security. doi:10.1201/9781351210768-8.
  4. Edwards, John (April 16, 2020). "How microsegmentation can limit the damage that hackers do". Network World.
  5. Violino, Bob (October 10, 2019). "Can microsegmentation help IoT security?". Network World.
