Network Segmentation: Micro-Segmentation, Macro-Segmentation, Firewall Zones, SGT and Zero Trust
Network segmentation divides a network into smaller parts for security, performance and compliance. Micro-segmentation controls traffic at the workload/application level; macro-segmentation divides the network into large zones; firewall zones define trust boundaries; SGT (Scalable Group Tags) provide identity-based segmentation; and Zero Trust applies "never trust, always verify" to every segment.

A flat network (no segmentation) is a security nightmare: an attacker who compromises one host can move laterally to everything on the network. The Target breach (2013), NotPetya (2017) and the SolarWinds compromise (2020) all relied on lateral movement. Segmentation reduces the blast radius: if an attacker compromises a host in the HR VLAN, they still cannot reach the Finance server, because a firewall or ACL blocks the path. Note that segmentation does not stop the initial compromise; it limits what the attacker can do next, so the policy between segments must be an explicit allow list, not merely "different subnets" that are freely routed.
Macro vs Micro Segmentation
| Feature | Macro-Segmentation | Micro-Segmentation |
|---|---|---|
| Scope | Network zones (VLANs, subnets, firewall zones) | Individual workloads, VMs, containers, applications |
| Granularity | Coarse (zone-to-zone policies) | Fine-grained (app-to-app, process-level) |
| Implementation | VLANs, firewalls, ACLs, routing | Host-based firewall, NSX, SGT, identity-based |
| Complexity | Low to medium (traditional networking) | High (requires visibility + a policy engine) |
| Lateral Movement | Blocked between zones, but not within a zone | Blocked between individual workloads, even inside the same zone |
| Example | HR VLAN ↔ Finance VLAN blocked by firewall | Web server may only talk to the app server on port 8080 |
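The difference in the "Lateral Movement" row is easiest to see by computing the blast radius of one compromised host under each model. The following is an added example, not code from the original article; the host inventory, zones and both policies are constructed, and it assumes the worst case that every host an attacker can connect to can also be compromised and used as the next pivot.

```python
"""Blast-radius comparison: flat vs macro-segmented vs micro-segmented network.

Added example (not code from the original article). The inventory, zones and
policies are constructed. A host counts as "reachable" when an attacker who
already controls some compromised host can open a connection to it; the model
makes the worst-case assumption that every reachable host can be compromised
and used as the next pivot, which is exactly what lateral movement is.
"""
from collections import deque

# Constructed inventory: host -> zone (VLAN / firewall zone)
HOSTS = {
    "hr-pc-1": "hr", "hr-pc-2": "hr",
    "fin-pc-1": "finance",
    "web-1": "dmz",
    "app-1": "servers", "db-1": "servers", "ad-1": "servers",
}

# Macro policy: zone-to-zone flows the firewall permits (any port).
# Traffic inside one zone never crosses the firewall, so it is always allowed.
MACRO_ALLOW = {("hr", "servers"), ("finance", "servers"), ("dmz", "servers")}

# Micro policy: explicit per-workload allow list (src host, dst host, dst port).
# Anything not listed is denied, including traffic between hosts in one zone.
MICRO_ALLOW = {
    ("hr-pc-1", "ad-1", 389), ("hr-pc-2", "ad-1", 389),
    ("fin-pc-1", "ad-1", 389), ("fin-pc-1", "db-1", 1433),
    ("web-1", "app-1", 8080), ("app-1", "db-1", 1433),
}


def flat_allows(src, dst):
    """Flat network: every host can talk to every other host."""
    return True


def macro_allows(src, dst):
    """Macro-segmentation: same zone always allowed, otherwise consult zone policy."""
    zs, zd = HOSTS[src], HOSTS[dst]
    return zs == zd or (zs, zd) in MACRO_ALLOW


def micro_allows(src, dst):
    """Micro-segmentation: only explicitly listed workload pairs (any listed port)."""
    return any(s == src and d == dst for s, d, _ in MICRO_ALLOW)


def blast_radius(start, allows):
    """Hosts an attacker controlling `start` can reach by pivoting (start excluded)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host in HOSTS:
            if host not in seen and allows(cur, host):
                seen.add(host)
                queue.append(host)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    for entry in ("hr-pc-1", "web-1"):
        for name, policy in (("flat", flat_allows), ("macro", macro_allows), ("micro", micro_allows)):
            reach = blast_radius(entry, policy)
            print(f"{entry:8s} {name:5s} -> {len(reach)} hosts: {sorted(reach)}")
```

From `hr-pc-1` the flat network exposes all six other hosts, macro-segmentation still exposes the whole server zone plus the other HR workstation (4 hosts), and micro-segmentation exposes only the directory server (1 host). From a compromised DMZ web server the macro model still reaches every server, while the micro model reaches only the app tier and, through it, the database, which is the minimum that application actually needs.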
Firewall Zones
| Zone | Trust Level | Contains | Policy |
|---|---|---|---|
| Inside (Trust) | High | Internal users, servers, workstations | Allow outbound, restrict inbound |
| Outside (Untrust) | None | Internet, external networks | Block all inbound except explicit allows |
| DMZ | Medium | Public-facing servers (web, email, DNS) | Allow specific inbound (HTTP/HTTPS); allow DMZ hosts to initiate only specific flows to inside, since a compromised DMZ host is the classic pivot |
| Management | Highest (most sensitive) | Network devices, management interfaces | Very restrictive: admin access only |
| Guest | None | Guest WiFi, visitor devices | Internet only, no access to internal |
| IoT | Low | Cameras, sensors, printers, building management | Isolated: only the specific cloud/server destinations each device needs |
VLAN-Based Segmentation
| VLAN (example IDs) | Purpose | Inter-VLAN Policy |
|---|---|---|
| Data VLAN (10-50) | User workstations per department | Route through firewall/L3 with ACLs |
| Voice VLAN (100-150) | IP phones, QoS priority | Allow to voice gateway/CUCM only |
| Server VLAN (200-250) | Internal servers (AD, file, DB) | Allow from specific client VLANs only |
| Management VLAN (999) | Switch/router management interfaces | Allow from admin workstations only |
| Guest VLAN (666) | Guest/visitor access | Internet only, completely isolated |
| IoT VLAN (700-750) | IoT devices, cameras, sensors | Cloud access only, no lateral traffic |

The VLAN IDs are illustrative. A VLAN on its own is only a broadcast domain: the isolation in the third column comes from the ACL or firewall policy applied where the VLANs are routed, and the ACL must be ordered so the denies for internal ranges come before any broad permit.
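To make the "Inter-VLAN Policy" column concrete, here is an added example (not from the original article) that parses a subset of Cisco IOS extended-ACL syntax and evaluates packets against it with the first-match, implicit-deny semantics IOS uses. The guest and management ACLs, the addressing (guest 10.66.0.0/24, management 10.99.99.0/24, admin workstations 10.10.0.0/24) and the test packets are all constructed; the ACL text is in IOS syntax, but the evaluator itself is ordinary Python, not anything from Cisco.

```python
"""Extended-ACL evaluator for inter-VLAN policy (added example, not from the article).

Parses a subset of Cisco IOS extended-ACL syntax and evaluates packets
first-match, with the implicit deny that ends every IOS ACL. Supported:
  <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <dst-port>]
where an address is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask).
The VLAN addressing and ACL contents below are constructed for the guest (666)
and management (999) rows of the table.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard matches everything


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec; return ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _addr_match(addr, spec):
    network, wildcard = spec
    # Wildcard bit 1 = "don't care" (inverse of a subnet mask); compare the rest.
    return ((addr ^ network) & (~wildcard & 0xFFFFFFFF)) == 0


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, tokens = _take_addr(tokens[2:])
    dst, tokens = _take_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    """Parse an ACL body; 'remark' lines and blanks are ignored."""
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("remark")]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return 'permit' or 'deny' for a packet; the first matching ACE wins."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):       # 'ip' matches every protocol
            continue
        if not (_addr_match(s, ace["src"]) and _addr_match(d, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL


# Constructed: guest VLAN 666 uses 10.66.0.0/24, gateway/resolver 10.66.0.1.
# Order matters: the RFC 1918 denies must precede the final permit.
GUEST_IN = parse_acl("""
remark GUEST-IN: DHCP + DNS to gateway, no internal networks, Internet only
permit udp any any eq 67
permit udp any host 10.66.0.1 eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
""")

# Constructed: management VLAN 999 (10.99.99.0/24) accepts SSH from the admin
# workstation subnet 10.10.0.0/24 only; everything else hits the implicit deny.
MGMT_IN = parse_acl("""
remark MGMT-IN: SSH from admin workstations only
permit tcp 10.10.0.0 0.0.0.255 10.99.99.0 0.0.0.255 eq 22
""")

# The classic mistake: a broad permit placed first turns the denies into dead code.
GUEST_BROKEN = parse_acl("permit ip any any\ndeny ip any 10.0.0.0 0.255.255.255")
```

Applied inbound on the guest SVI, `GUEST_IN` lets a guest reach 203.0.113.10:443 on the Internet and the resolver on 10.66.0.1:53, but not a file server on 10.200.0.10:445 or even SNMP on the gateway itself, because the 10.0.0.0/8 deny sits above the final permit. `GUEST_BROKEN` has the same lines in the wrong order and permits the file server. The management ACL permits SSH from 10.10.0.5 and denies the same SSH from a workstation in another data VLAN.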
SGT (Scalable Group Tags) / TrustSec
| Feature | Details |
|---|---|
| What it is | Cisco TrustSec: every packet is tagged with a 16-bit SGT derived from identity → policy is enforced on the tags, not on addresses |
| How | User authenticates (802.1X) → ISE assigns an SGT → the switch tags all of that session's packets → enforcement uses SGT-based ACLs (SGACLs) |
| SGACL | Policy matrix: source SGT → destination SGT → permit/deny (e.g., Employee → Server = permit HTTPS) |
| Advantage | Policy follows the user/device and does not depend on IP, VLAN or location → scalable and flexible |
| Propagation | Inline tagging (in hardware) or SXP (SGT Exchange Protocol), which carries IP-to-SGT bindings to devices that cannot tag inline |
| Scale | 65,536 tag values are possible (a few low values such as 0 = Unknown are reserved); enterprises typically use 50-200 groups |
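The "How" and "SGACL" rows describe a pipeline (authenticate → assign SGT → look up destination SGT → apply the matrix cell). The following added example models that pipeline in plain Python; it is not Cisco TrustSec or ISE code, and the group names, tag values, IP-to-SGT bindings and the matrix are constructed. Its point is the "Advantage" row: the enforcement function receives only the session's SGT, so the same user gets the same answer whether they connect from the HQ VLAN or a branch site.

```python
"""SGT / SGACL enforcement model (added example; not Cisco TrustSec code).

ISE assigns a Scalable Group Tag at authentication; the enforcement point looks
up the destination's SGT (static IP-SGT binding, or learned via SXP from a
device that cannot tag inline) and applies the SGACL in the (src SGT, dst SGT)
cell of the policy matrix. Group names, tag values, addresses and the matrix
are constructed for this example.
"""

SGT_UNKNOWN = 0        # reserved in TrustSec: untagged / unknown
SGT_MAX = 0xFFFF       # the tag is a 16-bit field

SGT = {"Employees": 4, "Contractors": 5, "IoT": 6,
       "Finance_Servers": 10, "AD_Servers": 11}

# Policy matrix: (src SGT, dst SGT) -> ordered SGACL of (action, proto, dst port|None).
# A cell with no entry falls through to the default (deny) policy.
MATRIX = {
    (SGT["Employees"], SGT["AD_Servers"]):
        [("permit", "tcp", 389), ("permit", "tcp", 88), ("permit", "udp", 53)],
    (SGT["Employees"], SGT["Finance_Servers"]): [("permit", "tcp", 443)],
    (SGT["Contractors"], SGT["AD_Servers"]): [("permit", "udp", 53)],
    (SGT["IoT"], SGT["Finance_Servers"]): [("deny", "ip", None)],
}
DEFAULT_ACTION = "deny"

# IP -> SGT bindings held by the enforcement point (static here; pushed by ISE
# or learned over SXP in a real deployment).
ip_sgt_bindings = {}


def validate_sgt(tag):
    """Reject anything that does not fit the 16-bit tag field."""
    if not 0 <= tag <= SGT_MAX:
        raise ValueError(f"SGT {tag} outside 16-bit range")
    return tag


def learn_binding(ip, tag):
    """Install an IP-to-SGT binding, as an SXP speaker would advertise it."""
    ip_sgt_bindings[ip] = validate_sgt(tag)


def authorize(identity_group):
    """What ISE does at 802.1X time: map the authorization result to an SGT."""
    return SGT.get(identity_group, SGT_UNKNOWN)


def sgacl_decision(src_sgt, dst_ip, proto, dport):
    """Enforce the matrix cell; the packet's source IP/VLAN play no part."""
    dst_sgt = ip_sgt_bindings.get(dst_ip, SGT_UNKNOWN)
    for action, p, port in MATRIX.get((src_sgt, dst_sgt), []):
        if p in ("ip", proto) and (port is None or port == dport):
            return action
    return DEFAULT_ACTION


def decide_for_session(session, dst_ip, proto, dport):
    """`session` is what the switch knows after authentication. Only the SGT is
    used for the lookup, which is why the same user gets the same answer from
    any VLAN, IP or site."""
    return sgacl_decision(session["sgt"], dst_ip, proto, dport)


learn_binding("10.200.0.10", SGT["AD_Servers"])
learn_binding("10.200.0.50", SGT["Finance_Servers"])

if __name__ == "__main__":
    alice_hq = {"user": "alice", "src_ip": "10.20.0.7", "sgt": authorize("Employees")}
    alice_branch = {"user": "alice", "src_ip": "10.45.0.7", "sgt": authorize("Employees")}
    print(decide_for_session(alice_hq, "10.200.0.50", "tcp", 443))      # permit
    print(decide_for_session(alice_branch, "10.200.0.50", "tcp", 443))  # permit
```

Two design points carry over to real deployments: a destination with no IP-to-SGT binding resolves to the Unknown tag and therefore to the default action, so an incomplete SXP or static-binding table fails closed rather than open; and a cell that is absent from the matrix also falls to the default, which is why the matrix should be reviewed as an allow list and the default left at deny.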
Micro-Segmentation Tools
| Tool | Approach | Best For |
|---|---|---|
| VMware NSX | Distributed firewall at the vNIC level, per-VM policies | VMware environments, data center |
| Cisco TrustSec/SGT | Identity-based tagging, SGACL enforcement | Cisco campus/DC environments |
| Illumio | Agent-based: host firewall policies, visibility maps | Multi-cloud, hybrid (agent on every workload) |
| Guardicore (Akamai) | Agent-based, process-level segmentation | Bare metal, legacy, cloud |
| Zscaler | Cloud-based ZTNA (zero trust network access) | Remote users, cloud-first organizations |
| Azure NSG/ASG | Network Security Groups (stateful allow/deny rules) + Application Security Groups (rules keyed on VM membership rather than IP) | Azure cloud workloads |
| AWS Security Groups | Instance-level stateful firewall; rules are allow-only, with security-group references in place of IP ranges | AWS cloud workloads |
Zero Trust Segmentation
| Principle | Implementation |
|---|---|
| Verify Identity | Every user/device is authenticated before access: 802.1X, MFA, certificates |
| Least Privilege | Only the access that is needed: micro-segmentation policies per application |
| Assume Breach | Design as if the attacker is already inside: segment everything, monitor for lateral movement |
| Continuous Monitoring | NDR (Network Detection & Response), flow analysis, behavioral analytics |
| Context-Aware | Policy based on who (identity) + what (device posture) + where (location) + when (time) |
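The "Assume Breach" and "Continuous Monitoring" rows only pay off if the segmentation policy is also used as a detection baseline: a flow that the policy says should not exist is a lateral-movement signal even when the enforcement point missed it. The following is an added example, not from the original article or any NDR product; the zone plan, the expected zone-to-zone allow list and the NetFlow-style log lines are constructed.

```python
"""Flow-log check for segmentation violations (added example, not from the article).

Reads constructed NetFlow-style records and flags flows that contradict the
intended macro policy (zone-to-zone allow list) and flows that should never
occur inside a user zone (workstation-to-workstation SMB/RDP/WinRM/SSH). Both
are the signals an NDR or flow-analysis tool raises as possible lateral
movement. Zone ranges, policy and log lines are constructed.
"""
import ipaddress

# Constructed zone plan (mirrors the VLAN table: data, server, management, guest, IoT)
ZONES = {
    "hr":      ipaddress.ip_network("10.20.0.0/24"),
    "finance": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.200.0.0/24"),
    "mgmt":    ipaddress.ip_network("10.99.99.0/24"),
    "guest":   ipaddress.ip_network("10.66.0.0/24"),
    "iot":     ipaddress.ip_network("10.70.0.0/24"),
}
USER_ZONES = {"hr", "finance"}

# Expected zone-to-zone flows; anything else crossing a zone boundary is suspect.
ZONE_ALLOW = {
    ("hr", "servers"), ("finance", "servers"), ("hr", "internet"), ("finance", "internet"),
    ("guest", "internet"), ("iot", "internet"), ("mgmt", "servers"), ("mgmt", "mgmt"),
}

# Workstations have no business offering these services to each other.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 22: "SSH"}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything outside the plan is treated as external


def check_flow(src, dst, proto, dport):
    """Return a reason string if the flow violates the segmentation baseline, else None."""
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd:
        # Macro policy never sees intra-zone traffic, so this is where flow analysis
        # has to catch peer-to-peer admin protocols between user endpoints.
        if zs in USER_ZONES and proto == "tcp" and dport in LATERAL_PORTS:
            return f"peer-to-peer {LATERAL_PORTS[dport]} inside {zs}"
        return None
    if (zs, zd) not in ZONE_ALLOW:
        return f"{zs} -> {zd} not in policy"
    return None


def scan(lines):
    """lines: 'timestamp src dst proto dport bytes'. Returns [(ts, src, dst, reason)]."""
    findings = []
    for line in lines:
        ts, src, dst, proto, dport, _bytes = line.split()
        reason = check_flow(src, dst, proto, int(dport))
        if reason:
            findings.append((ts, src, dst, reason))
    return findings


# Constructed flow records: one HR workstation behaving, then pivoting.
SAMPLE_FLOWS = """
2024-05-01T09:00:01 10.20.0.7 10.200.0.10 tcp 389 1200
2024-05-01T09:00:05 10.20.0.7 203.0.113.10 tcp 443 8800
2024-05-01T09:01:10 10.20.0.7 10.20.0.9 tcp 445 51200
2024-05-01T09:02:00 10.20.0.7 10.30.0.15 tcp 3389 2000
2024-05-01T09:03:00 10.70.0.21 10.200.0.50 tcp 445 4000
2024-05-01T09:04:00 10.66.0.20 10.99.99.1 tcp 22 900
2024-05-01T09:05:00 10.99.99.5 10.99.99.1 tcp 22 900
""".strip().splitlines()

if __name__ == "__main__":
    for ts, src, dst, reason in scan(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}: {reason}")
```

The first two records are normal (LDAP to the server zone, HTTPS to the Internet) and the last is an admin host talking to a switch inside the management zone. The four in between are what segmentation is supposed to prevent and what monitoring must notice when it does not: SMB between two HR workstations, RDP from HR into Finance, an IoT camera reaching a server, and a guest device attempting SSH to a management interface.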
Closing: Segmentation = Reduce the Blast Radius of Every Attack

- Macro: VLANs, firewall zones, ACLs. Coarse (zone-to-zone), traditional, lower complexity.
- Micro: per-workload/app policies. Fine-grained, prevents lateral movement even within a zone.
- Firewall zones: inside (trust), outside (untrust), DMZ, management, guest, IoT define the trust boundaries.
- SGT/TrustSec: identity-based 16-bit tags → SGACL policy matrix → policy follows the user, not the IP or VLAN.
- Tools: NSX (VMware), TrustSec (Cisco), Illumio/Guardicore (agent-based), cloud NSG/security groups.
- Zero Trust: verify identity + least privilege + assume breach + continuous monitoring + context-aware policy.
- Key point: macro-segmentation is the minimum (VLANs + firewall), micro-segmentation is the goal (per-workload), and Zero Trust is the journey.

Read more about Network Access Control (802.1X, NAC, Zero Trust) and Network Security Architecture (Defense in Depth) at siamlancard.com, or at icafeforex.com and siam2r.com.