Published by Mike Capuano

With this blog we answer the question: what is network segmentation? In simple terms, network segmentation is the practice of dividing a larger network into several smaller subnetworks that are isolated from one another in order to provide enhanced security.

Terms that you might hear in addition to network segmentation are “microsegmentation” or “micro-segmentation”. What’s the difference between network segmentation versus microsegmentation? While slightly different, network segmentation and microsegmentation both focus on using high-level policy constructs to control the flow of traffic between network segments or application components based on granular security rules.

The Importance of Network Segmentation

Now that we know what network segmentation is, we can review why it matters. Why has network segmentation become more important over the last few years? Well, historically, security approaches have revolved around protecting the perimeter of the network with a firewall and other security tools like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). This would often be a pair of firewalls surrounding a demilitarized zone, which provides a segregated environment between trusted and untrusted zones. However, simply zoning an entire internal network as ‘trusted’ creates a flat network environment in which a single intrusion is all an adversary needs to gain widespread access.

The challenge is that savvy attackers often figure out how to penetrate these firewalls or hide malware in seemingly valid network packets flowing into the enterprise. Once inside the corporate network, the attacker can wreak havoc by moving laterally without restriction, gaining access to valuable assets such as customers’ personal information, corporate financial records, and highly confidential intellectual property, or positioning themselves to take down customer services in exchange for ransom.

Figure 1: Once the perimeter is penetrated, an attacker has free rein across the business entity. In this example the attacker gets inside the perimeter via an attack on a vulnerable IoT device. IoT can increase the attack surface of the enterprise.

In a blog by CrowdStrike on lateral movement they claim the following:

“Once an attacker secures administrative privileges and gains deeper access into a network, malicious lateral movement can be very difficult to detect because it can appear to be “normal” network traffic.”

Figure 2: Average attack timeframe – Courtesy of CrowdStrike

Thus, many organizations have begun to adopt a Zero Trust (a term coined by Forrester) strategy, which assumes nobody is trustworthy by default, even those already inside the network perimeter. Network segmentation is a key tool in implementing a Zero Trust strategy: valuable data and assets are separated into zones or segments that can be accessed only by users whose credentials can be verified. The perimeter around each network segment provides an additional layer of security that prevents, or at least dramatically slows down, an attacker moving laterally inside the data center after making it past the perimeter defense. Network segmentation needs to be applied both to East-West traffic traveling inside the data center and to North-South traffic entering and exiting the data center.

Figure 3: In this scenario the attacker still manages to get inside the perimeter via an attack on a vulnerable IoT device, but they are not able to move laterally to access more valuable data and assets.
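To make the contrast between Figure 1 and Figure 3 concrete, here is an added example (not code from the original post or from Pluribus Networks) that models a small set of hosts, assigns each to a segment, and computes how far an attacker who has compromised the IoT camera can get. All host names, segment names and the allow-list policy are constructed for the illustration. "Direct reach" is what the compromised host can touch immediately; "blast radius" is what becomes reachable by pivoting host-to-host along permitted flows, which is the lateral movement the text describes.

```python
from collections import deque

# Constructed example: hosts and the segment (zone) each one lives in.
HOSTS = {
    "iot-camera": "iot",
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "hr-files": "data",
    "laptop-07": "users",
}

# Fabric-wide allow-list: source segment -> segments it may initiate traffic to.
# Anything not listed is denied; traffic inside a segment is always allowed here.
SEGMENTED_POLICY = {
    "iot": {"app"},           # sensors only talk to the ingestion app
    "dmz": {"app"},
    "app": {"data"},
    "users": {"dmz", "app"},
    "data": set(),            # the data segment never initiates flows
}

# A flat "trusted" network: every segment can reach every other segment.
FLAT_POLICY = {seg: set(HOSTS.values()) for seg in HOSTS.values()}


def allowed(policy, src_seg, dst_seg):
    """True if policy lets src_seg open connections to dst_seg."""
    return src_seg == dst_seg or dst_seg in policy.get(src_seg, set())


def direct_reach(policy, start):
    """Hosts an attacker on `start` can touch without compromising anything else first."""
    return sorted(h for h, seg in HOSTS.items()
                  if h != start and allowed(policy, HOSTS[start], seg))


def blast_radius(policy, start):
    """Hosts reachable by pivoting: compromise a host, then move on from it (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, seg in HOSTS.items():
            if host not in seen and allowed(policy, HOSTS[cur], seg):
                seen.add(host)
                queue.append(host)
    return sorted(seen - {start})


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9s} direct: {direct_reach(policy, 'iot-camera')}")
        print(f"{name:9s} pivot : {blast_radius(policy, 'iot-camera')}")
```

Running this shows the point of the two figures: on the flat network every host is one hop from the camera, while on the segmented network the camera can only touch the ingestion app, and the data segment is only reachable after a second compromise of that app. The same function run over a real segment policy is a cheap way to audit whether a proposed allow-list still lets an IoT or user segment pivot into the data segment.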

New Approaches to Network Segmentation

Historically, network segmentation was achieved via simple physical or logical constructs, both complex endeavors, which has led to a very low adoption rate for network segmentation. The physical approach focuses on deploying multiple firewalls for internal networking; it is very expensive and complex, with thousands of firewall rules needed to segment internal networks. Logical segmentation was done with virtual local area networks (VLANs). The challenge with VLANs is that they are locally significant, so networks must often be re-architected to accommodate segmentation needs, and configuration is highly manual, requiring hundreds of policies/ACLs to be programmed onto each network switch one by one.


Leveraging SDN-Automated Overlays

A more modern approach to network segmentation leverages an SDN-automated network overlay. The network consists of the physical switches, referred to as the “underlay”, and the network “overlay”, which is a software-based instantiation of the network consisting of VXLAN or GENEVE tunnels combined with distributed software-based switching and routing functions.

Typically, this overlay network is deployed as a fabric, which means that it can be combined with software-defined networking (SDN) to deliver centralized policy. What does that mean exactly? Well, instead of configuring lots of VLANs and policies on every switch one by one, the SDN-controlled fabric has global significance, so a VLAN or a policy can be deployed across all network switches with a single command while enforcement stays distributed. In other words, network segmentation becomes operationally scalable, since it can be implemented with far less complexity and pain.
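The overlay carries each segment as its own VXLAN Network Identifier (VNI), and a tunnel endpoint only delivers frames for VNIs it actually has segments for. The following added example (not code from the original post or from Pluribus Networks) packs and parses the 8-byte VXLAN header from RFC 7348 and models a minimal VTEP that drops frames whose VNI is not mapped locally or whose header lacks the mandatory "I" flag. The segment-to-VNI table, the VTEP names and the frame payloads are constructed for the illustration; a real VTEP would also carry the outer Ethernet, IP and UDP (port 4789) headers, which are omitted here.

```python
import struct

VXLAN_UDP_PORT = 4789    # IANA-assigned UDP port for VXLAN (informational here)
VXLAN_FLAG_I = 0x08      # RFC 7348 "I" flag: the VNI field is valid
VXLAN_HDR_LEN = 8

# Constructed fabric-wide mapping: each network segment gets its own 24-bit VNI.
SEGMENT_VNI = {"iot": 10010, "app": 10020, "data": 10030}


def vxlan_encapsulate(vni, inner_frame, flags=VXLAN_FLAG_I):
    """Prepend a VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", flags << 24, vni << 8) + inner_frame


def vxlan_decapsulate(packet):
    """Return (vni, inner_frame); raise ValueError for headers that must be dropped."""
    if len(packet) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", packet[:VXLAN_HDR_LEN])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid, frame must be dropped")
    return word1 >> 8, packet[VXLAN_HDR_LEN:]


class Vtep:
    """Tunnel endpoint that only delivers frames for VNIs it hosts a segment for."""

    def __init__(self, name, local_segments):
        self.name = name
        self.vni_to_segment = {SEGMENT_VNI[s]: s for s in local_segments}
        self.delivered = []   # (segment, inner_frame) handed to local ports
        self.dropped = 0      # frames rejected at the tunnel boundary

    def send(self, segment, inner_frame):
        """Encapsulate a frame from a local segment into that segment's VNI."""
        return vxlan_encapsulate(SEGMENT_VNI[segment], inner_frame)

    def receive(self, packet):
        """Decapsulate and deliver, or drop if the VNI is foreign or the header is bad."""
        try:
            vni, inner = vxlan_decapsulate(packet)
        except ValueError:
            self.dropped += 1
            return None
        segment = self.vni_to_segment.get(vni)
        if segment is None:           # this VTEP has no ports in that segment
            self.dropped += 1
            return None
        self.delivered.append((segment, inner))
        return segment, inner


if __name__ == "__main__":
    leaf1 = Vtep("leaf1", ["iot", "app"])   # constructed: hosts IoT and app ports
    leaf2 = Vtep("leaf2", ["app", "data"])  # constructed: hosts app and data ports
    print(leaf2.receive(leaf1.send("iot", b"constructed iot frame")))  # None: no iot segment on leaf2
    print(leaf2.receive(leaf1.send("app", b"constructed app frame")))  # delivered to app ports
    print("dropped:", leaf2.dropped)
```

The VNI is what makes the overlay a segmentation boundary rather than just a transport: the same inner MAC addresses can exist in two segments without ever meeting, because a VTEP that has no ports in a VNI never hands those frames to a host. In practice the mapping of segments to VNIs is exactly the kind of object an SDN controller programs fabric-wide in one operation while each switch enforces it locally.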


Implementing Modern Network Segmentation

There are two ways of building this SDN-automated overlay fabric:

  1. Server-based tunnel termination (a.k.a. compute-based)
  2. Switch-based tunnel termination


Server-Based vs. Switch-Based

The difference comes down to where the VXLAN Tunnel Endpoints (VTEPs) are hosted. In a server-based solution, a networking stack that terminates VXLAN tunnels runs on each server node in the data center. The main advantage of the server-based solution is that East-West traffic segmentation and routing between segments can happen on a single host. In a switch-based overlay implementation, where tunnels are terminated on the switch, traffic that must be segmented has to pass through the top-of-rack switch. On the other side of the equation, however, server-based implementations carry a number of significant disadvantages.


Server-Based SDN Fabric Implementation

Some of the key issues with server-based SDN fabric implementations include:

Switch-Based SDN Fabric Solution Implementation

Contrast this to the switch-based SDN fabric solution for network segmentation:


Service Providers and Multi-tenancy

Network segmentation is not just for enterprise use, but also for service providers delivering services to multiple tenants. Combining network service constructs such as distributed VRFs at layer 3 or bridge domains at layer 2, instantiated as logical functions completely in software in the overlay riding on top of VXLAN transport, provides the ability to segment by tenant and then further segment the network underneath each tenant. Policies can be applied fabric-wide per tenant, allowing certain subnets to route to each other and expressing membership in certain groups with robust security, e.g. for a particular network service in service chaining. Read more: network segmentation used for multi-tenancy.

Figure 4: Multi-tenant scenario using network segmentation


SDN and overlay fabrics create an abstraction from the underlying physical infrastructure and deliver centralized policy management with global significance but with distributed, local enforcement. This approach makes network segmentation operationally tenable and thus an essential tool for improving the security posture of enterprises and service providers. Switch-based SDN fabric implementations are a very cost-effective way to provide business-wide network segmentation while also bringing additional networking benefits, including integrated network and application visibility, resource pooling, and, as mentioned above, SDN automation for all network tasks. Finally, a controllerless SDN solution used for segmentation provides the most cost-effective approach, since it eliminates the costly controllers otherwise required at every location and can easily span multiple data center and campus locations.

To learn even more about what network segmentation is and how switch-based SDN fabrics can be used to deliver network segmentation, click on our network and traffic segmentation solution or reach out to Pluribus Networks for a demo.