Image: Michal Šteflovič/Adobe Stock
Learn how to segment a network using hardware or software into smaller, isolated segments or subnetworks to improve your network’s security.
Network segmentation is simply dividing a network into smaller, often isolated subnetworks. By doing this, companies can increase performance, have better visibility, increase cybersecurity postures and compliance, and better protect their networks.
Segmenting a network may sound like an overly complicated and highly technical project to embark on. However, in reality, with good practices and a step-by-step plan you can take on network segmentation without any problem. This guide will show you how.
There are two types of network segmentation approaches: physical segmentation, using physical devices such as routers and switches; and logical segmentation, which uses software. This guide will cover both, serving as a blueprint to guide you through the journey of network segmentation no matter which approach you choose to take.
The first thing you need to do is identify your assets and your data. This involves building an inventory and figuring out which assets and data are the most valuable. Ask yourself what is business-critical, but be thorough and include all your data and assets in your inventory.
This step is critical to determine how your network will be segmented. During this stage you can use data inventory software, risk assessment technologies, or vulnerability scanners.
Once you have a full visualization of your data and assets, you need to classify them according to sensitivity and importance. This will help you to determine how much protection they need and how they should be segmented.
Common ways to classify assets and data include:
Confidential and private data and assets are considered high-sensitivity data, while public data is usually considered low-risk.
Note that emails, company policies, and other related documents are mid-level data, while online public information such as social network data, websites, or postings are low-risk data.
You should consider any data or asset that, if affected, would disrupt or affect business operations, as highly sensitive. This includes everything from financial and customer data to supply chain information.
With the information from steps one and two, it is now time to create a network map. This map must include all the devices, users, and connections of your network and their relationships. It must also have a clear diagram of how data flows.
With this map, you will begin to have a clear idea of how you can subdivide your network avoiding pitfalls and mitigating any vulnerability.
If you want to automate this process you can use different solutions to create network maps. Top vendors include SolarWinds Network Topology Mapper, NetBrain, ManageEngine OpManager or the free open-source Spiceworks Network Mapping. These solutions offer features that allow you to map out data flows.
There are three main types of data traffic:
Northbound traffic includes all the data and assets going through your network flowing out of your system. This includes user-generated traffic or management administrative traffic. A user browsing the internet or your workers sending out emails are common examples of Northbound traffic.
East-west traffic is everything flowing within your infrastructure. This includes data and assets moving from data centers, servers, devices, and applications. This traffic can be broken down into inter-server — data in transit or transferring — and storage traffic.
East-west traffic can occupy a significant amount of bandwidth, be used for mid-risk and highly sensitive data, and congest a network. This is why segmenting east-west traffic is commonly a good practice.
Southbound traffic is network traffic that flows from a data center to the outside world. It is typically used to describe traffic that originates from within the data center — such as from servers, storage devices, and applications — and is sent to the internet or other networks.
Southbound traffic can also be grouped into two main categories: application traffic (generated by applications, such as web traffic, email, and file sharing) and management traffic (used to manage the data center, such as traffic from monitoring systems and security devices).
Southbound traffic can be a major source of security risks and is also usually segmented to strengthen security postures.
Your network map, low-mid-high labels, and traffic flows have already given you a definite view into which subnetworks you need to create. Now in this stage, you will decide which methods, techniques, physical concepts, or software you are going to use to segment your network.
Here is where you decide whether to use physical or logical segmentation, or both. Evaluate which is best for each subnetwork and design your segmentation plan.
Physical segmentation includes physical devices such as routers, switches, and air gaps.
Logical segmentation uses software to divide the network. While this is a more complex type of segmentation, recent solutions are making it easier for any company to use them.
Top vendors for logical network segmentation include Palo Alto Networks Prisma Cloud, Cisco ACI , VMware NSX, Juniper Networks Contrail, and Fortinet. Together they offer a wide range of software-driven networking and logical network segmentation solutions which include:
Consider your IT expertise, budget, security risks, and how important your data and assets are to best determine which technique and technology you will use to segment your network.
At this stage you should have everything you need to implement the plan you have designed. Make all the necessary changes to your infrastructure, configure your security and devices, and update your policies and procedures.
Make sure your IT team is fit for business and that communication channels are open to discuss progress, goals met, and possible problems that may arise to implement upgrades, adjust and optimize your network segmentation.
You can run small tests, for example, segmenting first one department or area of business and then moving on and scaling. Think big but take small wins. Test, gather feedback, and retest everything again.
Network segmentation is not a once-and-done deal. You have to constantly monitor the network, profile users and devices, gather data traffic flow information, check for bugs and vulnerabilities, and make upgrades to optimize the infrastructure.
At this stage, while humans in the loop are essential, you can also leverage the latest in network monitoring technologies which will help you automate most of the processes, especially those such as network information gathering and analytics, alerts and flags, and security and compliance policies and issues.
Yes, it is possible to physically segment a network. As mentioned above, networks can be segmented through physical means or through the use of software or a combination of both.
The steps to successfully physically segment a network are exactly the same as described above, except for a variation of step four, where software options would not be considered for use.
From extreme concepts like air gap — where devices, servers, or computers are completely disconnected from any other device or the internet — to the more standard use of physical switches, routers, or other network devices, there are many physical options to create subnetworks within a large network.
Physical network segmentation can protect critical systems, such as the corporate network, from unauthorized access, prevent the spread of malware or other malicious traffic, help meet compliance, and improve network performance by reducing congestion.
However, physical network segmentation may be more expensive than logical segmentation as hardware costs need to be considered. Additionally, logical segmentation software provides visualization tools and can integrate with other solutions and software also receives constant updates and support. Consider the importance of these factors for your company before deciding.
No matter what type of network segmentation approach you choose to use, always follow the steps listed above to make sure you have a robust, ordered, and clear network segmentation strategy.
Make sure security and privacy are included from the very beginning of your plan. Once deployed, continually monitor and optimize your subnetworks and keep an eye on new technologies that could help you increase performance and reduce costs.
For help establishing a securely segmented network, here’s our guide to the best network segmentation software available today.
Ray is a Content and Communications Specialist with more than 15 years of experience. He currently works at Publicize and as a contributing writer for TechRepublic, eSecurityPlanet, and ServerWatch in addition to Enterprise Networking Planet. His work has also been published in Microsoft, Venture Beat, Forbes, Entrepreneur, The Sunday Mail, FinTech Times, Spiceworks, Dice Insights, Horasis, the Nature Conservancy, and other leading publications.
Enterprise Networking Planet aims to educate and assist IT administrators in building strong network infrastructures for their enterprise companies. Enterprise Networking Planet contributors write about relevant and useful topics on the cutting edge of enterprise networking based on years of personal experience in the field.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
