Network Security Glossary

Microsegmentation

Microsegmentation divides a network into isolated segments at the workload level, with far finer granularity than traditional VLAN segmentation. Each application, VM, or container gets its own firewall rules. Ransomware and lateral movement become significantly harder, because a compromised system can only open connections to the few workloads its policy explicitly allows, not to everything in its zone.

Microsegmentation is fine-grained network isolation at the workload level. While traditional segmentation (VLANs, zone firewalls) divides the network into large zones, microsegmentation controls communication between individual systems, applications, or containers, typically as default deny with explicit allow rules. It is a central element of zero-trust architecture.

Microsegmentation vs. Traditional Segmentation

Comparison: VLAN vs. Microsegmentation

Traditional VLAN Segmentation:
  Client VLAN (10.0.10.0/24)
    → Workstation-01
    → Workstation-02
    → Workstation-03

  Server VLAN (10.0.20.0/24)
    → Web Server
    → App Server
    → DB Server
    → File Server

  Firewall: Client VLAN → Server VLAN: allowed (SMB, RDP, HTTP)
  Problem: Workstation-01 compromised → reaches ALL servers in the Server VLAN!

Microsegmentation:
  Each VM has its own policy:
    Workstation-01 → allowed: File Server:445 (SMB), Web Server:443
                   → NOT allowed: DB Server, App Server (no direct path)
    Web Server     → allowed: App Server:8080
                   → NOT allowed: DB Server directly!
    App Server     → allowed: DB Server:5432
                   → NOT allowed: direct Internet access
    DB Server      → allowed: incoming connections from App Server on 5432
                   → NOT allowed: any outgoing connections!

  Result: Compromised web server → can reach ONLY the app server, and only on 8080
            No SMB, no RDP; port scans of other workloads are dropped by their policies, so the attacker learns nothing about them

Implementation Technologies

Technical Microsegmentation:

1. Host-based firewall (easiest entry point):
   → Windows Defender Firewall: rules per system, usually pushed via Group Policy
   → iptables/nftables (Linux): host-level firewall
   → Centralized management: Group Policy, SCCM, Ansible, Puppet
   → Scalability issue: 1,000 systems = 1,000 rule sets to keep consistent; without central management and drift detection the rules silently diverge and nobody has a single view of what is actually enforced

2. Software-Defined Networking (SDN):
   VMware NSX:
     → Microsegmentation for VMware environments
     → "Distributed Firewall": Rules at the vNIC level
     → Centralized policy management for all VMs
     → Automatic segmentation of new VMs via tagging

   Illumio / Guardicore (now Akamai Guardicore Segmentation):
     → Agent-based: installed on every workload
     → Automatic application dependency mapping
     → Policy recommendations based on communication patterns
     → Good for cloud + on-premises + containers

3. Kubernetes Network Policies:
   # Once a policy selects a pod, every connection not listed here is denied
   # for the declared policyTypes. Pod selectors match pods in the same namespace.
   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: allow-frontend-to-backend
   spec:
     podSelector:
       matchLabels:
         app: backend
     policyTypes:        # explicit is safer: without policyTypes, Egress is only
     - Ingress           # enforced while an egress stanza exists, so removing the
     - Egress            # stanza later would silently open all egress again
     ingress:
     - from:
       - podSelector:
           matchLabels:
             app: frontend
       ports:
       - protocol: TCP
         port: 8080
     egress:
     - to:
       - podSelector:
           matchLabels:
             app: database
       ports:
       - protocol: TCP
         port: 5432
     # Egress isolation also blocks DNS, so without this rule the backend can no
     # longer resolve "database". Labels assume the standard kube-dns deployment.
     - to:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
         podSelector:
           matchLabels:
             k8s-app: kube-dns
       ports:
       - protocol: UDP
         port: 53
       - protocol: TCP
         port: 53
   → Enforcement needs a CNI plugin that implements NetworkPolicy (Calico, Cilium, ...); otherwise the API server accepts the object and nothing is blocked

4. eBPF-based segmentation (Cilium):
   → Layer-7 policies: HTTP path, method, headers
   → Example: Backend only allows GET /api/products from the frontend
   → L3/L4 enforcement runs as eBPF programs in the Linux kernel, without a proxy hop
   → L7 rules are enforced by a per-node Envoy proxy that Cilium transparently inserts for the flows the policy selects, so the "no proxy" performance argument holds only for L3/L4 policies
   → Kubernetes-native (CiliumNetworkPolicy CRD extends the standard NetworkPolicy)

Automatic policy design:
  Problem: How do I know what communication is normal?
  Solution: Discovery phase
    1. Microsegmentation tool in "Learn" mode (rules are generated but not enforced)
    2. Monitors normal traffic (2–4 weeks; longer if monthly or quarterly jobs exist, otherwise they are blocked on their first run after enforcement)
    3. Automatically generates recommended policies from the observed flows
    4. Admin reviews and activates: the baseline is only as clean as the network was during learning, so rare or unexplained flows (a workstation talking to a database) are reviewed, not whitelisted
  → Tools: Illumio Illumination, VMware NSX Intelligence
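The discovery phase above, as an added example in Python that is not part of the glossary page or of any of the named products: constructed flow records stand in for what an agent or flow collector would export during the learn phase, the workload names and ports are assumptions, and the output is a per-workload allow list plus a review queue of flows that were too rare to whitelist automatically. It also renders a learned rule set as a Kubernetes NetworkPolicy object, assuming pods carry an app label equal to the workload name.

```python
from collections import Counter
import json

# Constructed sample flow records ("src dst proto port"), one per observed
# connection, standing in for an agent's or flow collector's learn-phase export.
OBSERVED_FLOWS = """\
frontend       backend    tcp 8080
frontend       backend    tcp 8080
frontend       backend    tcp 8080
backend        database   tcp 5432
backend        database   tcp 5432
workstation-01 fileserver tcp 445
workstation-01 fileserver tcp 445
workstation-01 webserver  tcp 443
workstation-01 database   tcp 5432
"""


def parse_flows(text):
    """Parse 'src dst proto port' lines into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        src, dst, proto, port = parts
        flows.append((src, dst, proto.lower(), int(port)))
    return flows


def learn_policy(flows, min_count=2):
    """Aggregate observed flows into per-destination allow rules.

    Returns (policy, review): policy maps dst -> set of (src, proto, port)
    seen at least min_count times; review lists rarer flows with their counts
    so an admin decides about them instead of the tool whitelisting everything
    that happened to occur during the learn phase.
    """
    counts = Counter(flows)
    policy, review = {}, []
    for (src, dst, proto, port), n in sorted(counts.items()):
        if n >= min_count:
            policy.setdefault(dst, set()).add((src, proto, port))
        else:
            review.append(((src, dst, proto, port), n))
    return policy, review


def allowed(policy, flow):
    """Enforcement decision for one flow: default deny for anything not learned."""
    src, dst, proto, port = flow
    return (src, proto, port) in policy.get(dst, set())


def to_network_policy(dst, rules):
    """Render one workload's learned ingress rules as a Kubernetes NetworkPolicy
    object, in the dict form a client library would submit (JSON is accepted
    by the API server). Assumes pods carry an 'app' label equal to the workload
    name and that all workloads live in one namespace."""
    ingress = [
        {"from": [{"podSelector": {"matchLabels": {"app": src}}}],
         "ports": [{"protocol": proto.upper(), "port": port}]}
        for src, proto, port in sorted(rules)
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"learned-{dst}-ingress"},
        "spec": {
            "podSelector": {"matchLabels": {"app": dst}},
            "policyTypes": ["Ingress"],
            "ingress": ingress,
        },
    }


if __name__ == "__main__":
    policy, review = learn_policy(parse_flows(OBSERVED_FLOWS))
    for dst in sorted(policy):
        print(json.dumps(to_network_policy(dst, policy[dst]), indent=2))
    for flow, n in review:
        print(f"REVIEW (seen {n}x): {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
    # The one-off workstation -> database flow was not learned, so enforcement
    # denies it; the admin must add it deliberately if it is really needed.
    print(allowed(policy, ("workstation-01", "database", "tcp", 5432)))
```

The min_count threshold is the interesting knob: with it set to 1 the tool would have whitelisted the single workstation-to-database connection, which is exactly the kind of flow a compromised host or a one-time admin shortcut produces during the learn window. Real products use longer windows and per-flow statistics instead of a fixed count, but the review step stays the same.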

Use Cases and Priorities

Where microsegmentation is most critical:

Highest priority:
  1. Database servers:
     → Accessible only from the application server, on a specific port
     → No direct access from workstations; DBAs go through a jump host
     → No outbound connections from the DB except explicitly listed destinations (patch repository, NTP, log forwarding); everything else, in particular HTTPS to the Internet and DNS to arbitrary resolvers, is denied so a compromised DB cannot call home (no C2 callback!)

  2. Domain Controller / Active Directory:
     → From domain members only what a client actually needs: LDAP (389/636), Kerberos (88, 464), DNS (53), plus SMB 445 (SYSVOL/NETLOGON for Group Policy) and RPC (135 and the dynamic range); dropping SMB and RPC "because only LDAP and Kerberos are needed" breaks Group Policy processing
     → No direct admin sessions (RDP, WinRM, PowerShell remoting) from normal workstations
     → Hardened jump host (privileged access workstation) as the only path to DCs

  3. Backup Server:
     → Only incoming backup agent traffic (specific ports)
     → NO outbound traffic to the Internet
     → No access to the backup server from workstations beyond the agent port; management interfaces (RDP, SSH, web console) only from a jump host
     → Ransomware on a workstation cannot reach the backup storage over the network to encrypt it. Caveat: if the agent channel itself allows writes (push backups), a compromised client can still corrupt its own backup set, so combine segmentation with immutable or offline copies and retention the agent cannot shorten

  4. Production Systems / OT:
     → Complete isolation from the office network
     → Only defined communication to HMI/SCADA

Medium priority:
  5. Development vs. production environment:
     → Developer PCs must not access production databases
  6. Cloud workloads:
     → Security Groups (AWS), NSGs (Azure) attach per network interface, which makes them the cloud-native equivalent of a host firewall; reference other security groups (or Application Security Groups in Azure) as sources instead of CIDR ranges so the rule follows the workload rather than the address

Measuring the security gain:
  → Blast radius of a compromised system: how many other systems are reachable?
  Before: 1 compromised server → 250 others directly reachable
  After: 1 compromised server → 5 others directly reachable (only app dependencies)
  → 98% reduction in blast radius!
  → Count transitively too: if the 5 reachable systems each reach their own dependencies, an attacker who pivots gets further than the direct count suggests, so the policy of every hop in the chain matters
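The blast-radius measurement above, as an added example in Python that is not part of the glossary page: a constructed six-host topology is evaluated once as a flat VLAN where every host reaches every other host on the usual service ports, and once under the per-workload rules from the comparison earlier on this page. Host names, ports and rules are assumptions. Besides the direct count the page uses, it computes the transitive reach an attacker gets by pivoting, and the reverse question of which hosts can ultimately get to the database.

```python
from collections import deque

# Constructed topology: the workloads from the VLAN-vs-microsegmentation comparison.
HOSTS = ["workstation-01", "workstation-02", "webserver", "appserver",
         "dbserver", "fileserver"]

# Allow rules as (src, dst, port), i.e. src may open a connection to dst:port.
SEGMENTED_RULES = {
    ("workstation-01", "fileserver", 445),
    ("workstation-01", "webserver", 443),
    ("workstation-02", "fileserver", 445),
    ("workstation-02", "webserver", 443),
    ("webserver", "appserver", 8080),
    ("appserver", "dbserver", 5432),
}


def flat_vlan_rules(hosts, ports=(80, 443, 445, 3389)):
    """Traditional segmentation: any host reaches any other host on the service
    ports the zone firewall permits (HTTP(S), SMB, RDP as in the VLAN example)."""
    return {(s, d, p) for s in hosts for d in hosts if s != d for p in ports}


def direct_reach(rules, src):
    """Hosts src can connect to in one hop (the page's 'directly reachable')."""
    return {d for s, d, _ in rules if s == src}


def transitive_reach(rules, src):
    """Hosts an attacker reaches by pivoting through every host already reached (BFS)."""
    seen, queue = set(), deque([src])
    while queue:
        for nxt in direct_reach(rules, queue.popleft()):
            if nxt != src and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(rules, hosts, target):
    """Reverse view: which hosts can ultimately reach target by pivoting?
    This answers 'who can get to the database' from the priorities list."""
    return {h for h in hosts if h != target and target in transitive_reach(rules, h)}


def blast_radius(before_rules, after_rules, src, reach=direct_reach):
    """(before, after, fractional reduction) for one compromised host."""
    before, after = len(reach(before_rules, src)), len(reach(after_rules, src))
    return before, after, (1 - after / before) if before else 0.0


if __name__ == "__main__":
    flat = flat_vlan_rules(HOSTS)
    for host in ("webserver", "workstation-01"):
        print(host, "direct:", blast_radius(flat, SEGMENTED_RULES, host))
        print(host, "pivot: ", blast_radius(flat, SEGMENTED_RULES, host, transitive_reach))
    print("can reach dbserver:", sorted(exposure(SEGMENTED_RULES, HOSTS, "dbserver")))
```

The direct count for a compromised web server drops from 5 to 1 here, but the pivot count only drops to 2, because the one allowed hop leads to the app server and from there to the database. That is the number to track when deciding which additional controls (application allow-listing on the app server, database-side authentication) a segmentation project still leaves necessary.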