Network Microsegmentation: Beyond VLANs for Zero Trust Security

February 26, 2026 Editorial Team 7 min read

VLANs have long been the primary tool for segmenting networks, but they were designed for traffic management, not security. Modern threats move laterally — once inside a VLAN, an attacker can reach every device in that segment. Microsegmentation enforces granular security policies between individual workloads regardless of network location. This guide explores east-west traffic control, software-defined microsegmentation, and practical implementation strategies for Australian businesses.

The Limits of Traditional VLAN Segmentation

VLANs (Virtual Local Area Networks) create broadcast domains that logically group devices on a switch. Traffic between VLANs must pass through a Layer 3 device — a router or Layer 3 switch — where access control lists (ACLs) can permit or deny flows. This model works reasonably well for separating broad trust zones: corporate users in one VLAN, servers in another, guest Wi-Fi in a third. However, within each VLAN, devices can communicate freely. If a workstation in VLAN 10 is compromised, the attacker can scan and exploit every other device on the same VLAN without ever crossing a security boundary.

This limitation becomes acute in modern environments. Virtualised data centres may host hundreds of VMs on the same hypervisor, all on the same VLAN. In public cloud, instances that share a VPC or subnet are commonly reachable from one another unless security groups are deliberately written to prevent it. Flat or loosely segmented networks give an intruder a large surface for lateral movement, a stage in most ransomware intrusions and targeted attacks. The security industry's response is microsegmentation: applying firewall-like policies at the individual workload level rather than at the VLAN boundary.

What Is Microsegmentation?

Microsegmentation is a security technique that creates granular, policy-driven security zones around individual workloads or small groups of workloads. Instead of a single firewall rule saying "VLAN 20 can talk to VLAN 30 on port 443", microsegmentation policies specify that "Web Server A can communicate with Database Server B on port 3306, and nothing else". This reduces the attack surface to the absolute minimum required for the application to function. Even if an attacker compromises Web Server A, they cannot reach the backup server, the domain controller, or any other workload that the policy does not explicitly permit.

Microsegmentation operates primarily on east-west traffic, communication between workloads within the data centre or cloud, as opposed to north-south traffic that crosses the perimeter firewall. Traditional perimeter firewalls inspect north-south flows well but rarely see east-west traffic, because it never crosses the perimeter; two VMs on the same host can exchange traffic that never even leaves the hypervisor's virtual switch. Microsegmentation fills this gap by embedding policy enforcement in the hypervisor, the host OS, or the container orchestration platform (Kubernetes NetworkPolicy being the native form of the latter).

Approaches to Microsegmentation

There are several approaches to implementing microsegmentation, each suited to different environments. Network-based microsegmentation uses features built into network infrastructure — Cisco TrustSec with Security Group Tags (SGTs), or Aruba Dynamic Segmentation — to apply policies at the switch port level based on identity tags rather than IP addresses. This approach leverages existing hardware but depends on the entire switching fabric supporting the vendor's segmentation framework.

Hypervisor-based microsegmentation uses distributed firewalls embedded in the virtualisation layer. VMware NSX is the most well-known example — its distributed firewall applies stateful rules at the vNIC of every virtual machine, meaning traffic between two VMs on the same host is inspected without ever hitting a physical network device. This is extremely powerful for virtualised data centres but requires VMware NSX licensing and operational expertise.

Agent-based microsegmentation deploys lightweight software agents on each workload: physical servers, VMs, and containers alike. Products like Illumio, Guardicore (now part of Akamai), and Zscaler Workload Segmentation use this model. In most implementations the agent does not inspect packets itself; it programs the host's native packet filter (iptables/nftables on Linux, the Windows Filtering Platform on Windows) from a policy managed centrally via a cloud or on-premises console, and reports observed connections back for dependency mapping. The advantage is platform independence: the same agent works on bare-metal Linux, Windows VMs, and Kubernetes nodes, making it the most flexible approach for heterogeneous environments. The trade-off is that the enforcement point lives on the workload it protects. An attacker with root or SYSTEM on that host can stop or tamper with the agent, so agent health and tamper alerts must be monitored, whereas hypervisor enforcement sits outside the guest and is not reachable from it.

Microsegmentation Approaches Compared

Feature                    Network-Based (SGT/TrustSec)   Hypervisor-Based (NSX)            Agent-Based (Illumio, etc.)
Policy enforcement point   Switch/AP port                 Hypervisor vNIC                   Workload OS kernel
Physical server support    Yes                            Limited (NSX-T bare-metal agent)  Yes
Container/K8s support      Limited                        With NSX-T                        Native
Multi-vendor network       Single vendor required         VMware hypervisor only            Any infrastructure
Visibility and mapping     Basic (NetFlow/sFlow)          Good (NSX Intelligence)           Excellent (application maps)
Typical deployment         Campus LAN                     VMware data centre                Hybrid/multi-cloud

Microsegmentation and Zero Trust

Microsegmentation is a foundational pillar of Zero Trust Architecture. The zero trust principle of "never trust, always verify" applies not just to user identity but to network access between workloads. In a zero trust model, every communication flow must be explicitly authorised by policy. Microsegmentation enforces this principle at the network layer, ensuring that even authenticated and authorised workloads can only communicate with the specific services they need. This dramatically reduces the blast radius of any compromise — a breached web server cannot pivot to a finance database if no policy permits that flow.

The Australian Cyber Security Centre (ACSC) lists network segmentation and segregation among its Strategies to Mitigate Cyber Security Incidents and publishes dedicated guidance on implementing it. Segmentation is not itself one of the Essential Eight, but Essential Eight controls such as restricting administrative privileges and application control complement microsegmentation policies that limit administrative access paths and enforce service-level allow-lists. For Australian businesses pursuing ISO 27001 certification or subject to the Security of Critical Infrastructure Act 2018 (SOCI Act), microsegmentation provides demonstrable, auditable segmentation controls that can be presented as evidence to auditors and regulators.

Practical Implementation: Where to Start

Microsegmentation projects succeed when they start with visibility before enforcement. The first step is to map all communication flows between workloads — which servers talk to which, on what ports, and how frequently. Agent-based tools excel here, automatically generating application dependency maps that visualise the relationships between web tiers, application tiers, databases, and infrastructure services like DNS and Active Directory. Without this visibility, writing microsegmentation policies is guesswork, and overly restrictive policies will break applications.

Once you have a clear map, identify your highest-value assets, the crown jewels that would cause the most damage if compromised. Common targets include Active Directory domain controllers, database servers holding customer records, financial systems, and backup infrastructure. Start by ring-fencing these assets with policies that allow only the known, legitimate communication flows. Deploy the policies in monitor/alert mode first: nothing is dropped, but every flow the policy would have blocked is logged, and each such flow is either a missing rule or something that should not be talking to the asset at all. Run monitor mode across at least one full business cycle so that periodic traffic such as month-end batch jobs, backup windows and patch cycles is captured, then switch to enforcement mode. This phased approach minimises the risk of disrupting production workloads.
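The discovery-then-ring-fence sequence above, as an added example written for this article (it is not code from any vendor product). The flow records are constructed to resemble the aggregated "timestamp source destination port protocol" telemetry an agent or NetFlow collector would emit; the database address, the repeat-count threshold and the function names are assumptions chosen for illustration.

```python
"""Added example: discovery before enforcement for one crown-jewel asset.

Not code from Illumio, NSX or any other product. The flow log is
constructed so that the article's procedure (map flows, propose a
ring-fence, evaluate in monitor mode) can be run end to end offline.
"""
from collections import Counter

# Constructed sample: two web servers and an app server query the database
# repeatedly, a backup host SSHes in nightly, and a user-subnet workstation
# touches the database once on 3306 and once on 445. Surfacing that last
# pair is exactly what the discovery phase is for.
FLOW_LOG = """\
2026-02-20T10:01:02Z 10.10.1.11 10.10.2.21 3306 tcp
2026-02-20T10:01:05Z 10.10.1.12 10.10.2.21 3306 tcp
2026-02-20T10:02:09Z 10.10.1.11 10.10.2.21 3306 tcp
2026-02-20T10:03:14Z 10.10.1.20 10.10.2.21 3306 tcp
2026-02-20T10:03:40Z 10.10.1.12 10.10.2.21 3306 tcp
2026-02-20T10:04:01Z 10.10.1.20 10.10.2.21 3306 tcp
2026-02-20T22:00:00Z 10.10.3.5 10.10.2.21 22 tcp
2026-02-20T22:00:03Z 10.10.3.5 10.10.2.21 22 tcp
2026-02-21T03:12:44Z 10.20.5.77 10.10.2.21 3306 tcp
2026-02-21T03:12:50Z 10.20.5.77 10.10.2.21 445 tcp
"""

DB_SERVER = "10.10.2.21"  # assumed address of the asset being ring-fenced


def parse_flows(text):
    """Turn the constructed log into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "proto": proto})
    return flows


def dependency_map(flows, asset):
    """Count each distinct (source, port, protocol) tuple seen inbound to the asset."""
    return Counter((f["src"], f["port"], f["proto"])
                   for f in flows if f["dst"] == asset)


def propose_allow_list(dep_map, min_count=2):
    """Split observed flows into a proposed ring-fence and a review queue.

    Repeat count is only a triage aid: a flow seen once may be a rare but
    legitimate job, or an intruder. The application owner decides which.
    """
    allow = {key for key, n in dep_map.items() if n >= min_count}
    review = {key for key, n in dep_map.items() if n < min_count}
    return allow, review


def monitor_mode(flows, asset, allow):
    """Evaluate the policy without enforcing it.

    Returns the flows that would have been dropped, which is the list an
    operator reads during the monitor phase to find missing rules.
    """
    return [f for f in flows
            if f["dst"] == asset
            and (f["src"], f["port"], f["proto"]) not in allow]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    dep = dependency_map(flows, DB_SERVER)
    allow, review = propose_allow_list(dep)
    print("proposed allow-list:", sorted(allow))
    print("needs owner review:", sorted(review))
    for f in monitor_mode(flows, DB_SERVER, allow):
        print("would block:", f["ts"], f["src"], "->", f["port"], f["proto"])
```

Only inbound flows to the asset are modelled here; a real ring-fence also constrains what the database may initiate (DNS, directory, backup targets), which is built the same way from the outbound half of the map.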

Common Challenges and How to Overcome Them

The biggest challenge in microsegmentation is policy management at scale. A data centre with 500 workloads could theoretically require thousands of individual rules. The solution is to use label-based policies rather than IP-based rules. Instead of writing a rule for each IP pair, you label workloads by role (web, app, database), environment (production, staging, development), and application (CRM, ERP, email). Policies then reference labels: "web servers in the CRM application can reach app servers in the CRM application on port 8080". When new servers are deployed and labelled, the policy applies automatically without any rule changes.
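The label-based model described above, and the "Web Server A may reach Database Server B on 3306 and nothing else" rule from the definition of microsegmentation, as an added example written for this article. It is an illustrative policy model, not the policy language of Illumio, NSX or any other product; the inventory, labels, rules and the "same_env" flag are constructed assumptions. The output is rendered in nftables syntax so it can be compared with what a host-level enforcement point installs.

```python
"""Added example: label-based policy compiled to per-host enforcement.

Illustrative model only, not any vendor's policy language. The workload
inventory and rules are constructed. Rendering targets nftables so the
reader can see the concrete allow-list a default-deny host ends up with.
"""

# Constructed inventory. Policy refers to labels, never to these IPs.
WORKLOADS = {
    "web-01": {"ip": "10.10.1.11", "role": "web",      "app": "crm", "env": "prod"},
    "web-02": {"ip": "10.10.1.12", "role": "web",      "app": "crm", "env": "prod"},
    "app-01": {"ip": "10.10.1.20", "role": "app",      "app": "crm", "env": "prod"},
    "db-01":  {"ip": "10.10.2.21", "role": "database", "app": "crm", "env": "prod"},
    "db-stg": {"ip": "10.30.2.21", "role": "database", "app": "crm", "env": "staging"},
}

# Constructed rules: consumer selector -> provider selector on a TCP port.
# "same_env" (an assumption of this model) keeps prod from reaching staging
# without a rule per environment. Anything not matched by a rule is denied.
RULES = [
    {"from": {"role": "web", "app": "crm"}, "to": {"role": "app",      "app": "crm"}, "port": 8080, "same_env": True},
    {"from": {"role": "app", "app": "crm"}, "to": {"role": "database", "app": "crm"}, "port": 3306, "same_env": True},
]


def selects(selector, labels):
    """A selector matches when every key it names has the same value on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed_flows(workloads, rules):
    """Expand label rules into the concrete set of (consumer, provider, port)."""
    flows = set()
    for rule in rules:
        for src, s_lbl in workloads.items():
            if not selects(rule["from"], s_lbl):
                continue
            for dst, d_lbl in workloads.items():
                if src == dst or not selects(rule["to"], d_lbl):
                    continue
                if rule.get("same_env") and s_lbl["env"] != d_lbl["env"]:
                    continue
                flows.add((src, dst, rule["port"]))
    return flows


def inbound_for(name, workloads, rules):
    """Inbound allow-list for one host as sorted (source_ip, port) pairs."""
    return sorted((workloads[src]["ip"], port)
                  for src, dst, port in allowed_flows(workloads, rules)
                  if dst == name)


def render_nft(name, workloads, rules):
    """Render the host's inbound policy as an nftables ruleset with a drop default."""
    lines = [
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for src_ip, port in inbound_for(name, workloads, rules):
        lines.append(f"    ip saddr {src_ip} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def add_workload(workloads, name, ip, **labels):
    """Onboarding a server means labelling it; no rule is edited."""
    grown = dict(workloads)
    grown[name] = {"ip": ip, **labels}
    return grown


if __name__ == "__main__":
    print(render_nft("db-01", WORKLOADS, RULES))
    # A second app server appears with the right labels and is admitted to
    # the database's allow-list with RULES untouched.
    grown = add_workload(WORKLOADS, "app-02", "10.10.1.21",
                         role="app", app="crm", env="prod")
    print(render_nft("db-01", grown, RULES))
```

Two things the rendered ruleset makes visible that the label rules alone do not: the `policy drop` default is what turns "web can reach app on 8080" into "and nothing else", and the staging database receives no inbound rules at all because no same-environment consumer exists. The same allowed_flows set drives an output chain in a real deployment so that a compromised web server cannot initiate connections the policy never granted.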

Another challenge is legacy applications that use dynamic ports, broadcast-based discovery, or undocumented communication flows. These require careful observation during the discovery phase and may need broader policy exceptions until they can be modernised. Similarly, organisational resistance can slow adoption — application owners may fear that microsegmentation will break their systems. Demonstrating the monitor mode capability, where policies are evaluated but not enforced, helps build trust. Showing application owners a visual map of their communication flows is often an eye-opening experience that generates buy-in for the project.

Pros

  • Granular workload-level isolation prevents lateral movement
  • Policies follow workloads across VLANs, hosts, and clouds
  • Application dependency mapping provides unprecedented visibility
  • Aligns with zero trust architecture and compliance frameworks
  • Label-based policies scale without manual IP management

Cons

  • Higher complexity than traditional VLANs to implement and maintain
  • Agent-based solutions require deployment on every workload
  • Initial discovery phase can take weeks for large environments
  • Legacy applications with undocumented flows require extra effort
  • Licensing costs for enterprise microsegmentation platforms

The network perimeter is no longer a wall — it is a membrane. Microsegmentation ensures that even if something breaches the membrane, it cannot spread freely through the organism.

— Zero trust security principle
