Buzzword Bio – Macro/microsegmentation

Using the network as an enforcement point for security policy is a concept that has been around for a long time and does not seem to be going anywhere. Since traffic is already traversing the network, it is a natural point at which to either allow or deny packets. Also, given the importance of defense in depth, network segmentation can be a great complement to security controls such as endpoint protection solutions, email security, and edge network firewalls. Network segmentation allows for control between devices and networks: some sort of policy is applied in the network to control traffic flows, and the main idea is to limit how hosts on a network are able to communicate. The goal of segmentation is to reduce risk. First, segmentation reduces privacy risk by ensuring that specific devices, or entire networks, are kept separate from others. Second, network segmentation can reduce the risk of a security breach. If a vulnerable host is compromised, network segmentation can limit the impact of that breach by not allowing the compromised host free rein on the network. Within the concept of network segmentation, there are two main methods of implementing it: depending on how the security policy is deployed, you achieve either macrosegmentation or microsegmentation.

Macrosegmentation
Macrosegmentation deals with segmenting entire networks (or device types). If there are networks or devices that connect to the same physical infrastructure and should never communicate with each other, macrosegmentation can be used. Example use cases for macrosegmentation include multitenancy in a data center or service provider environment, and segmenting certain device types in a campus environment to keep them from communicating with other devices on the production network. How can this be implemented? An example would be to put a separate network in its own VLAN at Layer 2, then map that VLAN to an IP network that lives in a separate virtual routing table (virtual routing and forwarding [VRF]). Macrosegmentation gives full network separation at Layers 2 and 3 of the OSI model. While devices could be connected to the same switch, they would not be able to communicate at Layer 2 because they are in different VLANs, and they would not be able to route to each other at Layer 3 because they use different routing tables.

Microsegmentation
I think of microsegmentation as policy-based segmentation. Microsegmentation is used when devices are in the same routable network (and/or even the same VLAN), but we still want to control and limit traffic flows per a security policy. We are using some mechanism to enforce policy that limits what a device can communicate with on a network. An example of this would be an ACL being applied to either a switchport or wireless controller. The ACL would have statements to allow only what the device or user needs to complete specific, known tasks, and deny all else. To me, microsegmentation gets us closer to “zero trust” without having to implement multiple routing table instances.

One or the Other?
This macrosegmentation/microsegmentation scenario is not necessarily one in which you are outright picking one method over the other. You may select one over the other in each situation; however, you could use both throughout your network based on each use case. For instance, there could be a device type or user group that has no need or business case to communicate with anything else in the production network, so macrosegmentation is used to segment those devices into their own routing table. You could then also apply microsegmentation policies within that grouping of devices or users to limit communications within that group. There could also be a different device type that does need to communicate on the production network (main/global routing table), but only needs to talk to a specific subnet or use a specific Layer 4 port. In this case, microsegmentation alone would be used. Layered security is important, and components like macrosegmentation and microsegmentation can be used separately or in conjunction as part of that layered approach.
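To make the layering concrete, here is an added example (not from the original post) that models the two decisions in order: a macrosegmentation check, where hosts in different VRFs simply have no route to each other, followed by a microsegmentation check, where a first-match port ACL with an implicit deny decides what a host in the same routing table may reach. The hosts, VLAN and VRF names, addresses, and ACL entries are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One ACL entry: permit/deny traffic to a destination prefix and optional L4 port."""
    action: str                  # "permit" or "deny"
    dst: str                     # destination prefix, e.g. "10.1.20.0/24"
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class Host:
    name: str
    ip: str
    vlan: int                    # Layer 2 segment the host sits in
    vrf: str                     # routing table the VLAN's subnet lives in (Layer 3)
    acl: List[Rule] = field(default_factory=list)  # ACL applied to this host's port

def acl_decision(acl: List[Rule], dst_ip: str, dport: int) -> Tuple[bool, str]:
    """First-match evaluation; anything not explicitly permitted hits the implicit deny."""
    for rule in acl:
        if ip_address(dst_ip) in ip_network(rule.dst) and rule.dport in (None, dport):
            return rule.action == "permit", f"{rule.action} {rule.dst} port {rule.dport or 'any'}"
    return False, "implicit deny"

def can_talk(src: Host, dst: Host, dport: int) -> Tuple[bool, str]:
    """Macrosegmentation (VRF separation) first, then microsegmentation (port ACL)."""
    if src.vrf != dst.vrf:
        return False, f"macro: VRF {src.vrf} has no route to VRF {dst.vrf}"
    path = "same VLAN (L2 adjacent)" if src.vlan == dst.vlan else "routed within VRF " + src.vrf
    allowed, reason = acl_decision(src.acl, dst.ip, dport)
    return allowed, f"micro: {reason} ({path})"

# Constructed sample hosts: corporate devices in the global table, cameras in an IOT VRF.
laptop = Host("laptop", "10.1.10.7", 110, "GLOBAL",
              acl=[Rule("permit", "10.1.20.0/24", 9100),   # print server, port 9100 only
                   Rule("permit", "10.1.30.0/24", 443)])   # internal web apps
printer = Host("printer", "10.1.20.5", 120, "GLOBAL")
camera = Host("camera", "10.9.1.10", 900, "IOT",
              acl=[Rule("permit", "10.9.2.0/24", 554)])    # stream to the NVR only
nvr = Host("nvr", "10.9.2.3", 902, "IOT")

if __name__ == "__main__":
    for s, d, p in [(laptop, printer, 9100), (laptop, printer, 22),
                    (laptop, nvr, 443), (camera, nvr, 554), (camera, laptop, 445)]:
        ok, why = can_talk(s, d, p)
        print(f"{s.name} -> {d.name}:{p}  {'ALLOW' if ok else 'DENY'}  {why}")
```

The camera-to-laptop case is denied before any ACL is consulted, which is the macrosegmentation layer doing its job; the laptop-to-printer SSH case is denied only by the port ACL, which is the microsegmentation layer.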

Published by Tim Bertino

Solutions Engineer passionate about solutions and design.
