CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Network Security

Using Network Segmentation to Protect the Modern Enterprise Network

Network Segmentation can be Complex, but the Basics are Simple. So what’s the best way to Implement Network Segmentation?

Network Segmentation can be Complex, but the Basics are Simple. So what’s the best way to Implement Network Segmentation?

Cloud computing, the consumerization of IT, mobilization, and the explosion of applications are driving us all to use technology in new ways. These trends and innovations make business more competitive, increase productivity and create new global market opportunities. They’ve also dramatically changed the modern enterprise network, pushing the boundaries with regard to throughput and speed. But while network infrastructure continues to evolve to meet the demands of these new requirements, security infrastructure to deliver safe and controlled services has not evolved at the same rate.

Network SegmentationSecurity teams are consistently forced to make trade-offs between what they can and cannot achieve when it comes to monitoring and control over new network services. With little to no visibility and input into new services being delivered, network security becomes, by default, an afterthought. If security continues to be relegated to the position of a bolt-on technology to networking this negative trend will only continue. Network segmentation can provide security teams with the foundation required to protect dynamically changing network infrastructure and services.

Network segmentation can be complex, but the basics are straightforward. Simply put, it is the process of logically grouping network assets, resources, and applications together into compartmentalized areas that have no trust of each other.

When looking to introduce network segmentation there are some key requirements to take into consideration:

• Gain visibility of traffic, users and assets

• Protect communications and resources on both inbound and outbound requests

• Implement granular controls on traffic, users and assets

• Set a default deny policy on all inter-segment connections

Advertisement. Scroll to continue reading.

So what is the best way to implement network segmentation to more securely deliver new services?

Any approach of network segmentation should follow the following four steps and focus on only a single segment at a time. Begin with areas that are simpler to segment away from the wider network, such as development or test areas. Pick the lowest hanging fruit first and learn lessons on the way to the more complex areas.

Step 1) Gain Visibility

If you don’t understand the traffic profile for a proposed segment with regard to inbound and outbound communications, then any access controls you implement will fail. You must understand how the network you want to segment is actually used. Expect to find a disconnect between what you may believe is occurring and what, in fact, is occurring.

Step 2) Protect Communications and Resources on Both Inbound and Outbound Requests

Security is your primary goal. If you have no ability to exert protection of resources within a segment your goal will not be met. Simple access controls between segments is not enough, you need the ability to rapidly remediate any detected threat.

Step 3) Implement Granular Controls on Traffic, Users and Assets

All data entering and leaving a segment should be controlled. You have already implemented protection (in the previous step), so you know that any communication that enters or leaves the segment has had a level of security protection applied to it. Now you can implement your organization’s communication policy with granular access controls. Even though you should have a good level of understanding of the communications that take place with the segment from the outside (achieved in step 1), these controls should be implemented in a two-step process: detective controls, followed by preventative controls. By beginning with a default-allow control you can establish a baseline for identifying and investigating unexpected traffic.

Step 4) Set a Default Deny on all Inter-Segment Communications

Now that you’ve achieved visibility, communications are protected, and you’ve implemented an access policy in a default-allow state, it’s time for the last step. Move to a default-deny security posture for all inter-segment traffic. Only when a default-deny policy is in place is the segment successfully separated from the rest of the network and able to operate as its own logical unit.

Implementing the first few segments in a large network will be a daunting task, but the long-term reward of limiting the scope of a compromise by compartmentalizing each segment and putting controls in place is well worth it.

Technology innovations that drive business value will continue to push network scope, scale and performance. We need to be prepared with an approach to security that gives us the visibility, understanding and control to protect our modern, dynamic networks.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.