Cloud & Infrastructure Security

Network Segmentation

About 3 min read

Last updated: 2026-02-05

What Is Network Segmentation

Network segmentation is a security technique that divides a network into multiple smaller segments and controls communication between them. Its primary purpose is to prevent lateral movement - stopping an attacker who has compromised one system from spreading to other segments.

For example, placing web servers, application servers, and database servers in separate segments and allowing only necessary communication between them ensures that even if a web server is compromised, the attacker cannot directly access the database server.

Segmentation Implementation Methods

  • VLAN (Virtual LAN): Logically divides the network at Layer 2. Even on the same physical switch, communication between different VLANs must pass through a router or Layer 3 switch, enabling access control via ACLs
  • Subnet Division: Divides the IP address space into subnets and controls communication through routing and security groups. In cloud environments (AWS VPC, Azure VNet), subnets serve as the basic unit of segmentation
  • Firewall Zones: Defines trust zones (DMZ, internal, external) and controls traffic between zones with firewall rules. A traditional approach that remains effective for perimeter defense
  • Software-Defined Segmentation: Uses SDN controllers or cloud-native features (AWS Security Groups, Azure NSG) to dynamically apply segmentation policies. More flexible than hardware-based approaches and adapts to infrastructure changes

Microsegmentation and Zero Trust

While traditional segmentation divides at the network level with coarse granularity, microsegmentation controls access at the workload level (servers, containers, processes) with fine granularity.

It is a core element of zero trust architecture, technically implementing the principle of "never trust, even inside the network." Specifically, communication policies are defined for each workload, and all communication that is not explicitly permitted is blocked. Even within the same subnet, unnecessary communication between servers is denied.

SDN-Based Segmentation and Next-Generation Methods

SDN (Software-Defined Networking) separates the control plane from the data plane, enabling centralized management of network policies through software. Unlike traditional VLANs and ACLs that require configuration on individual devices, SDN allows dynamic application of segmentation policies across the entire network from a controller.

  • Service Mesh: In microservice architectures, service meshes like Istio and Linkerd implement microsegmentation at the application layer. Mutual TLS (mTLS) encrypts and authenticates all inter-service communication
  • Identity-Based Segmentation: Controls access based on workload identity rather than IP addresses. This maintains consistent policies even in dynamic environments where IP addresses change frequently (such as containers and serverless)

Implementation Examples and Effectiveness Measurement

The effectiveness of network segmentation can be measured from two perspectives: compliance requirement fulfillment and incident damage localization.

PCI DSS Compliance: Systems handling credit card information require PCI DSS to isolate the Cardholder Data Environment (CDE) on the network. Proper segmentation reduces the scope of PCI DSS audits, lowering both audit costs and the effort required for compliance.

Incident Damage Localization: When ransomware infects one segment, segmentation prevents it from spreading to other segments. Organizations that have implemented segmentation report significantly reduced damage scope and recovery time compared to those with flat networks.

To learn more about this topic, see Firewall Basics: Your First Line of Network Defense.

Common Misconceptions

Having a firewall makes network segmentation unnecessary
A firewall is one element of perimeter defense, but it cannot prevent lateral movement within a flat network. Firewalls and segmentation are complementary - the correct design uses firewalls to control communication between segments.
Finer segmentation always means better security
Excessive segmentation increases operational complexity and creates security holes through rule management errors. It is important to select appropriate granularity based on business requirements and risk, designing segmentation within a manageable scope.

Traditional Segmentation vs. Microsegmentation

Traditional Segmentation

Divides at the network level using VLANs and subnets. Controls boundaries with firewalls and routers. Simple to design and operate, but cannot control communication within the same segment.

Microsegmentation

Controls communication at the workload level. Applies policies via software. Can block unnecessary communication even within the same segment, but increases policy management complexity.

Share

Related Terms

Firewall A security mechanism placed at network boundaries that inspects and controls inc… Zero Trust Security A security model built on the principle of 'never trust, always verify,' requiri… IoT Device Security Security measures for the growing ecosystem of internet-connected devices includ… NAT (Network Address Translation) A technology that translates between private and public IP addresses. Widely use… VPN (Virtual Private Network) A technology that encrypts internet traffic and routes it through a server in an… Honeypot A deliberately deployed decoy system, service, or data resource designed to appe…

Related Articles

Firewall Basics: Your First Line of Network Defense Understand how firewalls work, the different types available, and practical network defense strategi… What Is Zero Trust Security: The 'Never Trust' Approach Learn how zero trust differs from traditional perimeter security, its core principles, and how to ap… What Is a Firewall - Types, How It Works, and Configuration Guide Learn about firewall types (packet filtering, stateful, NGFW), how they work, Windows/Mac configurat…
← Glossary