Microsegmentation Guide
Types of Microsegmentation: 5 Approaches to Granular Network Security
Microsegmentation comes in five primary types: agent-based, agentless, identity-based, network-based, and host-based. Each approach enforces granular security policies at different layers of the infrastructure, and the right choice depends on your environment, your device mix, and how much operational overhead your team can absorb. Understanding the differences between these types of microsegmentation is not academic. It is the difference between a deployment that actually works in production and one that stalls in a proof of concept.
Choosing the Right Approach
Five distinct approaches to microsegmentation exist, each with different deployment models, infrastructure requirements, and trade-offs. Choosing the wrong type wastes budget and leaves gaps. Agent-based, agentless, identity-based, network-based, and host-based microsegmentation each solve different problems. Understanding the strengths and limitations of each approach is the first step to securing your environment.
Industry Insight
"The most effective microsegmentation deployments use identity-based approaches that work without agents and without network redesign."
Market Guide for Microsegmentation, 2025
The Numbers
Choosing the wrong microsegmentation approach wastes budget and delays security outcomes. Understanding the five types helps you match the right technology to your environment and operational constraints.
5: Distinct microsegmentation approaches to evaluate
70%: Of agent-based projects stall due to deployment complexity
3x: Faster deployment with agentless vs agent-based approaches
25%: Of large enterprises using microsegmentation by 2026 (Gartner)
Why the Type of Microsegmentation You Choose Matters
Not all microsegmentation is created equal. I have seen organizations invest months deploying an agent-based solution only to realize that 40% of their devices (IoT sensors, medical equipment, industrial PLCs) cannot run agents. That is not a minor gap. That is the attack surface your adversary is going to find.
The type of microsegmentation you select determines three things:
1. Agent-Based Microsegmentation
Agent-based microsegmentation installs lightweight software agents directly on endpoints (servers, virtual machines, workstations, and containers). These agents hook into the operating system's networking stack, often using mechanisms like Windows Filtering Platform or kernel-level APIs, to monitor process-to-process communication and enforce policy in real time.
2. Agentless Microsegmentation
Agentless microsegmentation enforces segmentation policies through the network infrastructure itself, without installing software on endpoints. Instead of deploying agents on every device, agentless solutions use existing switches, routers, or cloud-native APIs as enforcement points.
3. Identity-Based Microsegmentation
Identity-based microsegmentation represents the most significant evolution in how segmentation policies are defined and enforced. Rather than relying on IP addresses, VLANs, or static firewall rules, identity-based approaches use contextual attributes (device type, user role, device posture, business function, location) to determine what each asset can communicate with.
4. Network-Based Microsegmentation
Network-based microsegmentation uses traditional networking constructs (VLANs, subnets, ACLs, and firewall rules) to create segmented zones within the network. It is the approach most familiar to network engineers and the one that most organizations already have some version of in place.
5. Host-Based Microsegmentation
Host-based microsegmentation uses the built-in firewall capabilities of operating systems (iptables/nftables on Linux, Windows Firewall, macOS pf) to enforce segmentation policies directly on individual endpoints. It is microsegmentation without deploying third-party agents, instead leveraging what the OS already provides.
Types of Microsegmentation FAQ
The five main types of microsegmentation are agent-based, agentless, identity-based, network-based, and host-based. Each approach differs in how policies are enforced, where visibility is gathered, and what operational overhead is required. Agent-based installs software on endpoints for process-level visibility. Agentless uses network infrastructure as the enforcement point. Identity-based uses contextual attributes like device type and user role instead of IP addresses. Network-based uses traditional VLANs, ACLs, and firewalls. Host-based uses OS-native firewalls. Many organizations deploy a combination of these approaches to cover different parts of their environment.
Agent-based microsegmentation installs software on each endpoint to monitor and enforce policy at the host level, providing deep process-level visibility but requiring deployment and maintenance on every device. Agentless microsegmentation enforces policy through network infrastructure such as switches and routers, or through cloud-native APIs, without touching endpoints. The practical implication is that agentless approaches deploy faster and work with devices that cannot run agents, like IoT and OT equipment, while agent-based approaches provide deeper visibility on devices that support them.
Agentless and identity-based microsegmentation are the most practical choices for IoT and OT environments. These devices typically run proprietary or embedded operating systems that cannot support third-party software agents. Identity-based approaches are particularly effective because they classify devices by what they are (an infusion pump, a PLC, a security camera) and enforce policy based on that identity, regardless of IP address or network location. This is critical in environments with thousands of diverse device types that change IP addresses frequently.
Network-based microsegmentation relies on IP addresses, VLANs, and firewall rules to control traffic between segments. Identity-based microsegmentation uses contextual attributes such as device identity, user role, device posture, and business function to determine access. The key advantage of identity-based approaches is that policies follow the asset regardless of where it connects on the network, eliminating the brittleness of IP-dependent rules that break every time the network changes.
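An added illustration (not from this page or from any vendor product) of the brittleness described above: a constructed inventory of three devices is evaluated against an IP-keyed ACL and an identity-keyed policy, then the pump is re-addressed and its old address is reused by a camera. Device names, addresses and policy tuples are invented for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    device_type: str  # classification the identity layer assigns, e.g. "infusion_pump"
    function: str     # business function the asset serves

# IP-based ACL: (src_ip, dst_ip, dst_port) tuples that are allowed; all else denied.
IP_ACL = {("10.1.1.50", "10.1.2.10", 443)}  # infusion pump -> clinical gateway

# Identity-based policy: (src device_type, dst function, dst_port) tuples allowed.
IDENTITY_POLICY = {("infusion_pump", "clinical_gateway", 443)}

def ip_allowed(src: Device, dst: Device, port: int) -> bool:
    return (src.ip, dst.ip, port) in IP_ACL

def identity_allowed(src: Device, dst: Device, port: int) -> bool:
    return (src.device_type, dst.function, port) in IDENTITY_POLICY

def evaluate(src: Device, dst: Device, port: int) -> dict:
    """Return both verdicts so drift between the two models is visible."""
    return {"ip": ip_allowed(src, dst, port), "identity": identity_allowed(src, dst, port)}

# Constructed sample inventory (names and addresses are invented).
PUMP = Device("infusion-pump-07", "10.1.1.50", "infusion_pump", "patient_care")
GATEWAY = Device("ehr-gateway", "10.1.2.10", "app_server", "clinical_gateway")
CAMERA = Device("lobby-cam-03", "10.1.1.51", "camera", "physical_security")

def demo() -> dict:
    """Three scenarios: steady state, pump re-addressed, camera reusing the pump's old IP."""
    steady = evaluate(PUMP, GATEWAY, 443)
    # DHCP lease change or VLAN move: same asset, new address.
    moved_pump = Device(PUMP.name, "10.1.3.77", PUMP.device_type, PUMP.function)
    after_move = evaluate(moved_pump, GATEWAY, 443)
    # The released address is handed to the camera: the stale IP rule now fails open.
    camera_on_old_ip = Device(CAMERA.name, PUMP.ip, CAMERA.device_type, CAMERA.function)
    reused_ip = evaluate(camera_on_old_ip, GATEWAY, 443)
    return {"steady": steady, "after_move": after_move, "reused_ip": reused_ip}

def drift(results: dict) -> list:
    """Scenarios where the IP model and the identity model disagree (rules to review)."""
    return [name for name, v in results.items() if v["ip"] != v["identity"]]

if __name__ == "__main__":
    r = demo()
    for name, verdict in r.items():
        print(f"{name:12} ip={verdict['ip']!s:5} identity={verdict['identity']}")
    print("disagreements:", drift(r))
```

The "after_move" case shows the IP rule failing closed (a legitimate flow blocked) and "reused_ip" shows it failing open (an unrelated device inheriting the pump's access); the identity verdict is unchanged in both.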
Yes, and many organizations do. A common hybrid approach uses identity-based, agentless microsegmentation as the primary platform for comprehensive coverage across all device types, then layers agent-based microsegmentation on critical servers where process-level visibility adds value. Host-based firewall rules can serve as an additional defense-in-depth layer on managed endpoints. Gartner projects that organizations using multiple microsegmentation strategies will grow from under 5% to 25% by 2027.
Host-based microsegmentation uses built-in operating system firewalls (iptables on Linux, Windows Firewall, macOS pf) to enforce segmentation policies directly on individual hosts. While it leverages existing OS capabilities without additional software licensing costs, it requires managing firewall rules across potentially thousands of endpoints and does not work with devices that lack configurable host firewalls, like IoT sensors, OT controllers, and legacy embedded systems.