October 23, 2014

In my previous blog post, I discussed the importance of segmentation and network design. Moving along in the series brings us to micro-segmentation. Where traditional segmentation separates networks from one another, micro-segmentation goes a step further and isolates individual hosts from each other, whether they sit on the same network or on different ones.

Traditionally, micro-segmentation has been done with host-based firewalls, which have existed in one form or another since the beginning of firewalls. The main benefit of a host-based firewall is granular control over access to and from a single host.

Host-based firewalls also have some serious drawbacks, including provisioning, management, cost and performance. Perhaps the most serious is that the firewall runs on the very host it protects: once an attacker gains administrative access to the server, the first task is typically to disable the firewall or flush its rules. The protection is then gone, giving the attacker full access to and from the target host.

The combination of these drawbacks has led to slow adoption in data centers. Data centers are where most organizations' critical data lives, yet they normally protect only north-south traffic (in and out of the data center) and not east-west traffic (between hosts inside it), so the need for micro-segmentation there is the greatest.

The solution to this problem is the software-defined data center (SDDC), which combines two technologies: network functions virtualization (NFV), the delivery of network functions such as firewalls as virtual appliances rather than dedicated hardware, and software-defined networking (SDN), the dynamic, programmatic configuration of the network itself. Together they provide a dynamic, automated and secure network that is scalable and easily managed.

SDN provides the micro-segmentation for the data center, allowing each virtualized host to operate within its own network domain. NFV allows network services, such as next-generation firewalls, to be inserted into the traffic path automatically when a new virtual host is provisioned. With the help of virtual asset tags, or labels, a virtualized host can be provided with a predefined security policy based on its asset type; database, web and email servers all need different types of access. All of the policy lives outside the host itself, in the virtualization and network layer, so in the event of a compromise the attacker cannot disable the network functions assigned to the host, including its firewall, the way root on the guest could disable a host-based firewall. The policy is only as trustworthy as the management plane that holds it, so that plane needs to be protected at least as carefully as the hosts it segments.

It is even possible to automate quarantine when a host fails a security scan or malicious activity is detected: a policy action re-tags the host, removing it from the available server pool and placing it in a quarantine group almost instantaneously, and the server administrator can then remediate it in isolation.
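The tag-driven policy and the automated quarantine described in the two paragraphs above, as an added example that is not code from the original post or from any SDN/NFV product. The hosts, tags, rule set, port numbers and the `quarantine`/`mgmt` tag names are constructed for illustration, and a plain dictionary stands in for the controller's management-plane inventory. The point it shows is that the decision is taken against controller-side state the guest cannot touch, and that two hosts on the same subnet are still denied each other.

```python
"""Tag-based micro-segmentation policy held and evaluated outside the workload.

Added example, not code from the original post or from any SDN/NFV product.
Hosts, tags, rules and port numbers below are constructed for illustration;
the inventory dict stands in for a controller's management-plane state.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    tags: frozenset  # asset tags/labels, e.g. {"web", "prod"}


@dataclass(frozen=True)
class Rule:
    src_tag: str      # asset tag of the source, or "*" for any host
    dst_tag: str      # asset tag of the destination, or "*" for any host
    ports: frozenset  # destination TCP ports this rule permits


QUARANTINE_TAG = "quarantine"        # assumed tag name, set only by the controller
REMEDIATION_TAG = "mgmt"             # assumed tag of hosts allowed into a quarantined host
REMEDIATION_PORTS = frozenset({22})  # assumed: SSH only, for clean-up

# Constructed inventory. web-01 and web-02 share a subnet, so a traditional
# network segment would let them talk freely; the tag policy below does not.
INVENTORY: Dict[str, Host] = {
    "web-01":  Host("web-01",  "10.0.1.11", frozenset({"web", "prod"})),
    "web-02":  Host("web-02",  "10.0.1.12", frozenset({"web", "prod"})),
    "db-01":   Host("db-01",   "10.0.2.21", frozenset({"db", "prod"})),
    "mail-01": Host("mail-01", "10.0.3.31", frozenset({"mail", "prod"})),
    "jump-01": Host("jump-01", "10.0.9.9",  frozenset({"mgmt"})),
}

# Constructed rule set, keyed on asset type rather than IP or subnet.
RULES = [
    Rule("web",  "db",   frozenset({5432})),  # app tier to database only
    Rule("*",    "mail", frozenset({25})),    # any host may submit mail
    Rule("mgmt", "*",    frozenset({22})),    # admins reach every tier over SSH
]


def _matches(tag: str, host: Host) -> bool:
    return tag == "*" or tag in host.tags


def evaluate(inventory: Dict[str, Host], rules: Iterable[Rule],
             src_name: str, dst_name: str, port: int) -> bool:
    """Decide whether src may open TCP <port> to dst. Anything unmatched is denied."""
    src, dst = inventory[src_name], inventory[dst_name]

    # Quarantine overrides the ordinary rules in both directions: a quarantined
    # host initiates nothing, and only the remediation tier may reach into it.
    if QUARANTINE_TAG in src.tags:
        return False
    if QUARANTINE_TAG in dst.tags:
        return REMEDIATION_TAG in src.tags and port in REMEDIATION_PORTS

    return any(
        _matches(r.src_tag, src) and _matches(r.dst_tag, dst) and port in r.ports
        for r in rules
    )


def quarantine(inventory: Dict[str, Host], host_name: str) -> Dict[str, Host]:
    """Return a new inventory in which <host_name> carries the quarantine tag.

    The change is made to controller-side state, never to the guest, which is
    what keeps a compromised host from switching its own protection off.
    """
    updated = dict(inventory)
    h = updated[host_name]
    updated[host_name] = Host(h.name, h.ip, h.tags | {QUARANTINE_TAG})
    return updated


def decisions(inventory: Dict[str, Host]) -> Dict[str, bool]:
    """Evaluate a fixed set of flows; main() uses it to show before/after quarantine."""
    flows = [
        ("web-01", "db-01", 5432),   # legitimate app-to-database flow
        ("web-01", "db-01", 22),     # wrong port: denied even between allowed tiers
        ("web-01", "web-02", 22),    # east-west between peers on one subnet: denied
        ("web-01", "mail-01", 25),   # outbound mail submission
        ("jump-01", "web-01", 22),   # admin SSH into the web tier
        ("web-02", "web-01", 22),    # peer trying to reach web-01
    ]
    return {f"{s}->{d}:{p}": evaluate(inventory, RULES, s, d, p) for s, d, p in flows}


if __name__ == "__main__":
    before = decisions(INVENTORY)
    after = decisions(quarantine(INVENTORY, "web-01"))  # web-01 failed a scan
    for flow in before:
        print(f"{flow:28} normal={before[flow]!s:5} quarantined={after[flow]}")
```

Running it shows the web-to-database flow allowed while web-01 is healthy and denied once it is re-tagged, with only the `mgmt` host still able to reach it over SSH for remediation; the original inventory is left untouched because `Host` is immutable and `quarantine` returns a copy. A real platform would enforce the same decision at the virtual switch or inserted firewall rather than in a Python function, but the separation between guest and policy is the same.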

SDDC is the future of networking and security, and is required to build a scalable, secure and manageable data center, whether in the cloud or on premises in a traditional data center.
