Macro-segmentation is another term for traditional network segmentation. The goal of macro-segmentation is to break up a network into multiple discrete chunks to support business needs. One example of a common use of macro-segmentation is the isolation of development and production environments. Applications currently under development are likely to contain exploitable vulnerabilities or other issues, making them a potential threat to enterprise security or the functionality of the rest of the network. Segmenting the development network off from the production network enables untrusted applications to be tested without posing a risk to the organization’s network stability and ability to operate.
Macro-segmentation is often implemented as an overlay on an organization’s physical network infrastructure. This is accomplished using a combination of firewalls and virtual local area networks (VLANs).
A VLAN is a logical network overlaid on the physical network that determines which systems can exchange traffic directly. If two systems are on different VLANs, traffic cannot flow between them without being routed. Instead, the VLANs are configured so that all traffic between VLANs must first pass through a firewall. This makes it possible for the firewall to enforce boundaries between VLANs – i.e. block any traffic that attempts to cross a VLAN boundary without authorization – and to perform security inspection and enforce access control policies on the traffic it does permit.
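The following is an added example, not code from the article or from any Check Point product: a small Python model of the dev/prod isolation described above. It assumes a constructed VLAN plan (VLAN 10 for development, 20 for production, 30 for management, one /24 each) and an ordered, default-deny firewall policy that is only consulted when a flow crosses a VLAN boundary; intra-VLAN traffic is switched at layer 2 and never reaches the firewall, which is exactly why the boundary, not the firewall alone, is what isolates the segments.

```python
"""Toy model of macro-segmentation: VLAN membership plus an inter-VLAN firewall.

Constructed example; the VLAN ids, subnets and rules are assumptions for
illustration and do not come from the article or from any vendor product.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Constructed VLAN plan: one subnet per segment.
VLANS = {
    10: ("dev", ipaddress.ip_network("10.10.0.0/24")),
    20: ("prod", ipaddress.ip_network("10.20.0.0/24")),
    30: ("mgmt", ipaddress.ip_network("10.30.0.0/24")),
}


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


# Ordered policy applied by the firewall to traffic crossing a VLAN boundary.
# First match wins; anything unmatched falls through to default deny.
POLICY = [
    Rule(30, 10, 22, "allow"),    # management may SSH into dev
    Rule(30, 20, 22, "allow"),    # management may SSH into prod
    Rule(10, 20, None, "deny"),   # dev must never reach prod
    Rule(20, 10, None, "deny"),   # prod must never reach dev
]


def vlan_of(ip: str) -> int:
    """Return the VLAN id whose subnet contains ip, or raise if unknown."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net) in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any known VLAN")


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Decide whether a flow is forwarded and explain why.

    Returns (action, reason). Same-VLAN traffic is switched without ever
    touching the firewall; cross-VLAN traffic is matched against POLICY and
    denied by default.
    """
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return "allow", f"intra-VLAN {src}: switched at layer 2, firewall not consulted"
    for rule in POLICY:
        if (rule.src_vlan, rule.dst_vlan) == (src, dst) and rule.dst_port in (None, dst_port):
            return rule.action, f"matched {rule}"
    return "deny", f"VLAN {src} -> VLAN {dst}: no matching rule, default deny at boundary"


if __name__ == "__main__":
    flows = [
        ("10.10.0.5", "10.10.0.9", 443),   # dev -> dev
        ("10.10.0.5", "10.20.0.9", 443),   # dev -> prod
        ("10.30.0.2", "10.20.0.9", 22),    # mgmt -> prod over SSH
        ("10.30.0.2", "10.20.0.9", 3389),  # mgmt -> prod over RDP
        ("10.20.0.9", "10.30.0.2", 22),    # prod -> mgmt (no rule)
    ]
    for src, dst, port in flows:
        action, reason = evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}  {action.upper():5}  {reason}")
```

Note the last flow: production reaching back into management is denied not by an explicit rule but by the default-deny fallthrough, which is the behaviour a macro-segmentation policy should rely on so that a forgotten rule fails closed rather than open.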
Macro-segmentation and micro-segmentation are both methods of dividing an organization’s network into sections and can provide a number of benefits. However, macro-segmentation and micro-segmentation policies are very different:
Macro-segmentation transforms an organization’s network from a monolith to a collection of discrete subnets. This provides a number of advantages to an organization:
Macro-segmentation uses internal network firewalls to enforce the boundaries between VLANs and to inspect the content of traffic flowing across those boundaries. This provides a number of advantages to an organization, and is likely a critical component of a company’s data security and regulatory compliance strategy.
However, organizations must also consider the usability of their network infrastructure when designing and implementing a strategy for deploying macro-segmentation within their networks. If all internal traffic crossing segment boundaries is forced through internal network firewalls, those firewalls become a throughput bottleneck and a single point of inspection, so organizations need firewalls with high throughput and robust security inspection capabilities in order to maximize both network performance and security.
Check Point’s security solutions enable organizations to implement effective macro-segmentation through their entire network infrastructure. Check Point next-generation firewalls (NGFWs) provide robust security and high throughput for on-premises infrastructure, while Check Point CloudGuard provides cloud-native visibility and security solutions for an organization’s cloud-based deployments. To see these solutions in action, request demos of Check Point NGFW and CloudGuard Infrastructure as a Service (IaaS) solutions.