Microsegmentation

Fine-grained walls that contain lateral movement.

5 min read · advanced

Shrinking The Blast Radius

Traditional networks use a few large zones. Once inside a zone, a compromised host can often reach many others; this movement from host to host is called lateral movement. Microsegmentation divides the network into many small segments, sometimes down to a single workload, so a breach is boxed in.

How It Is Enforced

Microsegmentation applies policy close to each workload rather than only at a central firewall.

  • Each workload carries rules about exactly which peers and ports it may talk to.
  • Policies often use identity or labels, such as the role of a service, rather than just IP addresses.
  • A database may accept connections only from its application tier and nothing else.

Because enforcement is distributed, traffic between two internal hosts is checked even though it never crosses the perimeter.

Default Deny

The power comes from flipping the default.

  • East-west traffic (workload to workload inside the network) is denied unless explicitly permitted.
  • An attacker who lands on one host finds most paths already closed.
  • This sharply limits how far an intrusion can spread.

The Cost

The benefit demands discipline.

  • You must understand and map the real communication patterns of applications.
  • Overly tight rules break legitimate flows, while loose ones erase the benefit.
  • Good labeling and automation are essential to keep policies maintainable.

Key idea

Microsegmentation enforces fine-grained default-deny policies near each workload, often by identity, so a compromised host cannot move laterally and the blast radius of a breach stays small.

Check yourself


1. What problem does microsegmentation primarily limit?

2. What default posture gives microsegmentation its strength?

3. Why are identity or labels preferred over IP addresses for rules?