Network Segmentation

What is Network Segmentation?

Network segmentation is a security practice that divides a network into smaller subnetworks to improve security, reduce traffic congestion, and enhance performance.

Portrait of an engineer on a construction site.

Network segmentation explained
What are the different types of network segmentation?
What are the benefits of network segmentation?
What are the top use cases for network segmentation?
What is the difference between network segmentation and microsegmentation?
How does network segmentation enable Zero Trust?
Network segmentation and HPE Aruba Networking

Network segmentation explained

Network segmentation is a security practice of dividing a network into smaller subnetworks, with each dedicated to specific groups of devices, users, or resources. This practice strengthens cybersecurity by controlling traffic flow between subnetworks or segments, thereby containing any potential security breaches within a specific segment and helping to prevent lateral spread of threats. It also improves network performance by isolating critical resources from non-essential workloads.

Network segmentation enhances north-south security by reducing the attack surface and regulating traffic between different segments based on predefined policies. For example, in a large enterprise that provides network access to employees, contractors, and IoT devices, segmentation can enforce security policies on the basis of trust level of connecting devices, preventing IoT devices from accessing sensitive systems, such as financial or HR systems, while prioritizing network resources for employees working with critical resources.

Network segmentation showing different segments for different user and device groups.

TAP IMAGE TO ZOOM IN

What are the different types of network segmentation?

Two types of network segmentation cater to different security requirements:

Physical segmentation: Also known as perimeter-based segmentation, this method physically segments a network using firewalls, switches, and internet connections. Different device groups are plugged into separate switches. This type of segmentation is more secure but less scalable and cost effective.
Virtual segmentation: Also known as logical segmentation, this method segments physical networks into logically isolated virtual networks using technologies like VLANs (Virtual Local Area Networks). Virtually segmented networks behave like separate networks with different security policies. This type of segmentation is cost effective but becomes increasingly complex and resource intensive as the network expands.

What are the benefits of network segmentation?

Segmentation improves network security, efficiency, and management by:

Containing security breaches: Network segmentation enables regulated network access control in each subnetwork, limiting attack surfaces and keeping breaches from spreading to other subnetworks.
Improving regulatory compliance: Regional regulatory and industry-specific compliance frameworks like GDPR, PCI DSS, etc., mandate limiting user and device access to data. Network segmentation restricts device and user access by controlling what subnetworks they connect to. Network segmentation can also simplify compliance audits by limiting reviews only to affected subnetworks (e.g. financial data), as opposed to the entire network.
Making the network more efficient: Network segmentation decongests the network by separating essential and non-essential traffic. For example, guests and employees can connect to separate subnetworks so any bandwidth issues in the guest subnetwork doesn’t impact network performance for employees.
Focusing troubleshooting: Network segmentation helps IT and security teams narrow their scope and rapidly fix issues, only needing to focus on subnetworks where a network issue or security breach has occurred.

What are the top use cases for network segmentation?

Guest access: Network segmentation enables security teams to offer network access to guests at minimum risk. Whenever a user logs in as a guest, they are connected only to the guest subnetwork, offering internet connection but little to no access to the corporate network.
BYOD and IoT devices access: BYOD and IoT devices can be high security breach targets. Connecting them to an isolated subnetwork with strong access policies is a practical way to limit security breaches originating from these devices.
User group access: Different user groups need different levels of access. An engineering team shouldn’t have access to financial data or HR systems. By connecting different user groups to different subnetworks, security teams can limit which group accesses what, bridging any security gaps.
Network audit: Regulatory compliance requires critical information like financial data, credit card details, or personal information to be stored securely—necessitating tighter control and audits. Network segmentation limits access to critical information by putting the data in a separate subnetwork and securing it with strong security policies.

What is the difference between network segmentation and microsegmentation?

Network segmentation involves dividing a large network into smaller segments or subnetworks to improve network efficiency and security. Microsegmentation is further segmentation of subnetworks based on workloads or applications. Microsegmentation takes security to a more granular level and secures applications within different subnetworks using tighter security policies.

Network segmentation provides strong north-south traffic control whereas microsegmentation is generally used for controlling east-west traffic.

How does network segmentation enable Zero Trust?

Zero Trust works on the principle of the least privilege access. Network segmentation enables Zero Trust at the network level by restricting access to users and devices based on their type. Guests and contractors can be separated from employee segments and operational IoT device groups can be separated from financial systems.

Network segmentation adds an extra security layer around different resources and can help prevent security breaches from expanding to lateral segments.

Network segmentation and HPE Aruba Networking

HPE Aruba Networking offers a modern approach to network segmentation via its Dynamic Segmentation approach. Dynamic Segmentation utilizes policy-based access control across wired, wireless, and WAN infrastructure, ensuring that users and devices can only communicate with destinations consistent with their access permissions—foundational for Zero Trust and SASE frameworks.

HPE Aruba Networking supports two models of Dynamic Segmentation based on an organization’s overall network architecture and choice of overlay. Centralized and Distributed.

With the centralized Dynamic Segmentation, traffic is kept secure and separated using GRE tunnels between access points and HPE Aruba Networking gateways. Cloud Auth cloud-native network access control (NAC), HPE Aruba Networking ClearPass Policy Manager, and HPE Aruba Networking Central NetConductor provide role and access definition and management capabilities. Gateways function as ingress policy enforcement points via the HPE Aruba Networking Layer 7 Policy Enforcement Firewall (PEF).

Distributed Dynamic Segmentation uses an EVPN/VXLAN overlay, cloud-native NAC, and HPE Aruba Networking Central NetConductor cloud-native services. Policy is enforced inline via HPE Aruba Networking gateways and fabric-capable switches that interpret access control information carried in standards-based global policy identifiers (GPIDs).

HPE MyAccount

My Cart

Your cart is currently empty

Something went wrong

HPE Ecosystem

HPE GreenLake

HPE GreenLake

Solutions

Products

HPE GreenLake

Learn

Network Segmentation

What is Network Segmentation?

Network segmentation explained

What are the different types of network segmentation?

What are the benefits of network segmentation?

What are the top use cases for network segmentation?

What is the difference between network segmentation and microsegmentation?

How does network segmentation enable Zero Trust?

Network segmentation and HPE Aruba Networking

Related products, solutions or services

HPE Aruba Networking ClearPass

HPE Aruba Networking Dynamic Segmentation

HPE Aruba Networking Central NetConductor

Related topics

Dynamic segmentation

Zero trust

Network security

Network access control

Network firewall

Cloud security

Network Segmentation What is Network Segmentation?

Network segmentation explained

Related products, solutions or services

HPE Aruba Networking ClearPass

HPE Aruba Networking Dynamic Segmentation

HPE Aruba Networking Central NetConductor

Related topics

Dynamic segmentation

Zero trust

Network security

Network access control

Network firewall

Cloud security

Network Segmentation

What is Network Segmentation?