Segmentation on microsegment.io

The microsegmentation landscape in 2025

Thu, 17 Apr 2025 00:00:00 +0000

The Microsegmentation Landscape in 2025: Current State and Future Directions

Introduction

Microsegmentation has evolved significantly since its early days as a network security approach, becoming a cornerstone of modern zero trust security architectures. As we move through 2025, the microsegmentation landscape continues to mature with new technologies, integration capabilities, and use cases expanding beyond traditional data center environments. This overview examines the current state of microsegmentation, key trends, leading vendors, and future directions.

Mitre ATT&CK and Segmentation

Fri, 08 Nov 2019 00:00:00 +0000

When people think about their strategic IT security projects, they often think of the last incident they were affected of and try to mitigate that, often by using technology only.

This is a valid approach and probably is not so wrong, because we often see waves of incidents rolling in, the wannacry wave, other ransomware waves, certain exploit kits or malware waves. So it makes some sense to concentrate on those threats when they happen. Of course you should have done something long before it hit you or other people, but the nature of IT security is that this hardly ever happens.

The importance of outbound policy

Tue, 05 Nov 2019 00:00:00 +0000

Bill Cheswick, a pioneer in internet firewalls got, besides establishing what we today know as the perimeter firewall, famous for the below quote to describe his ideas on perimeter firewalls:

A sort of crunchy shell around a soft, chewy center.

The quote and metaphor is still used a lot by security professionals around the world, to describe the state of the internal network behind the perimeter firewall.

A crunchy shell in the 1990s was exactly the thing you needed to be more secure from the threats found at that time. A lot of it was attacks against servers, buffer and heap overflows on services directly exposed to the internet when not consumed directly from the internet. People could easily DoS or even better, hack, those services. Exposed sendmail servers been a huge target at that time. Everything was exposed and routed, it is hard to imagine today. The perimeter firewall did a great job and shielded the vulnerable services from the evil internet and helped to secure them from the outside world. The internet grew exponentially and threats changed quite significantly and we all know that most threats today focus on endpoints rather than datacenter services as a entry vector.

Implementing Sensible Network Segmentation

Fri, 18 Oct 2019 00:00:00 +0000

Packet Pushers Tech Bytes about Network Segmentation with Tufin

A new week, a new Tech Bytes Packet Pushers podcast. This time Tufin markets their policy management, which was a interesting show, but i have some comments.

i think it’s a valid point to say that automated firewall policy management can make a business more agile, especially considering how long the change process normally takes and how we do it today
the whole point about understanding the topology sounds like this is really very slow to implement
it’s hard to get any visibility from what i hear and how i understand the Tufin platform
Zoning or very wide segmentation is nice, but what you really want is to be able to do finer grained segmentation without modifying or rearchitecting the network
relying on hardware firewalls will never be able to free you from the constraints of those devices, especially throughput limits, the hardware cycle that will just happen every three or five years and the inability of a firewall to really be point to point and not zone to zone
i would assume that the integration of this is very hard, thanks god it is usually owned by just one team, but what about outsourcers and system integrators?

Ideas on Segmentation metrics (part three)

Wed, 02 Oct 2019 00:00:00 +0000

Please check out Part one and part two of this series

Continuing our series about metrics for segmentation, there are a couple more angles how you can measure the effectiveness of your segmentation.

Scaling up vs scaling out your security segmentation

Mon, 09 Sep 2019 00:00:00 +0000

If you follow discussion on running cloud native, monolithic or more traditional applications you may have stumbled over the terms “scale up“ and “scale out“. Don’t feel bad if you don’t know these, because they were formerly just “vertical scaling“ (scale up) and “horizontal scaling“ (scale out).

What is scale up?

Scale up means, if you have e.g. a server in your datacenter running your database, to make the database faster or have more concurrent client getting served, you would add more hardware to that server and just make it the biggest machine available.

Ideas on Segmentation metrics (part two)

Mon, 02 Sep 2019 00:00:00 +0000

Please check out Part one of this series of articles

Metric One: Do you have more than one segment?

This question is, of course, more of a rhetorical question, but there is a point about this one. Of course almost all companies have more than one segment. Most companies use VLANs extensively. We break out DMZs and internal data center LANs of course. Sometimes we use firewall interfaces between those VLANs or segments and treat them as zones.

Ideas on segmentation metrics (part one)

Thu, 22 Aug 2019 00:00:00 +0000

What you measure is what you get

If you are like me and live and breath IT or IT security, the above statement probably does not ring a bell and you don’t realize the source of this. It is from a person called Robert. S. Kaplan who developed something you may have heard of, the balanced scorecard.

I will not dig into economics, because we are not in business school, but the essence of the scorecard is that you need metrics on which you can measure success or failure to be successful or be able to reach your objectives.

A short history of segmentation

Mon, 19 Aug 2019 00:00:00 +0000

Let’s start this with quoting wikipedia on what network segmentation is according to a encyclopedia.

Network segmentation in computer networking is the act or practice of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security.

How did this start?

Some of the readers might actually be old enough to remember how local area networks started out in the early 90s.