What is it?
Micro-Segmentation is a way to apply a granular security policy that protects and restricts access to devices in your network.
Isn’t that a Firewall?
You can think of it as a distributed host firewall that doesn’t sit on your host.
OK, so traditionally you have a firewall to restrict access in and out of your network, this hasn’t changed. Lets take an example, If you have a DMZ with several web servers, you could define multiple networks, utilizing one for each server. Each server would then have to pass through a central firewall to get anywhere, this would be possible but at a very high processing and admin cost so is generally avoided.
Instead it’s more common for companies to have a single DMZ with multiple web servers. The issue with this however, is that should one of the web servers be breached the intruder will then be able to attack other hosts within that DMZ with little or no restriction. Now you could enforce a host firewall policy on every server, but this could become painful to manage and maintain very quickly.
Micro-segmentation as a solution that provides east-west firewalling without the burden of deploying lots of firewalls or managing multiple rule sets on many devices. Instead electing to manage the traffic rules via a central managed policy. Some examples of vendors that offer Micro-segmentation solutions are noted below.
- VMware NSX
- Microsoft Hyper-V
- Cisco ACI