
Your network knows who every user is (SD-WAN Microsegmentation)

Apply network and security policies by user, role and context across your entire SD-WAN infrastructure. Granular traffic control with no dependency on specific LAN equipment and no changes to your existing network hardware.

Granular security without technical barriers

Microsegmentation built into SD-WAN allows network access to be controlled by user identity and role, overcoming the limitations of traditional segmentation based on VLANs, subnets or IP addresses:

  • Network and security policies based on user identity and role, not on IP addresses.
  • Compatible with any LAN/WLAN infrastructure without replacing existing hardware.
  • Integration with multi-vendor NAC systems for dynamic role detection.
  • Role-based north-south policies for traffic between sites and to the outside.
  • Built-in artificial intelligence (AI) for anomaly detection and policy optimization.

Beyond traditional segmentation

Today’s corporate networks face a paradox: the more distributed and diverse the infrastructure, the harder it becomes to control who accesses what. Traditional segmentation based on VLANs and subnets was designed for a static world where users stayed in fixed locations and connected devices were predictable. That world no longer exists.

The proliferation of IoT devices, hybrid work and the coexistence of multi-vendor equipment on the LAN have made the classic segmentation model unworkable. Organizations are finding that maintaining hundreds of VLANs and IP-based access lists is operationally unsustainable and, worse still, ineffective against today’s threats. Even north-south traffic (between sites or to the outside), which is the main flow in distributed networks, is managed with generic policies that do not distinguish between user types or roles. And east-west traffic (between devices within the same network) is left virtually uncontrolled, exposed to attackers’ lateral movement.

Microsegmentation emerges as the answer to these limitations, taking access control to the most granular level possible: the user and their role within the organization. This approach aligns directly with Zero Trust architectures, where access is granted based on verified identity, not on network location.

However, the microsegmentation solutions available on the market typically demand requirements that are hard to meet: LAN equipment from a specific vendor, software agents on every endpoint or full redeployments of the existing infrastructure. For organizations with heterogeneous networks and multiple sites, these demands are an obstacle that holds back the adoption of a technology they recognize as necessary.

Key Benefits of SD-WAN Microsegmentation

Identity-based security, not IP-based

Network policies are applied based on the user and their role within the organization, not on their IP address or physical location. A user keeps the same restrictions and permissions regardless of the site they connect from.

Open integration with NAC systems

The system integrates with the leading network access control systems on the market, dynamically retrieving the user identity, role and assigned IP. This multi-vendor integration lets you leverage your existing NAC investment.

LAN vendor independence

Microsegmentation operates at the SD-WAN layer, requiring no LAN equipment from a specific vendor. It works on any existing switch and access point infrastructure, avoiding a forced refresh of network hardware.

Threat containment across the entire network

All inter-site traffic is subject to policies differentiated by the role of the user or device that originates it: no communication is taken as trusted. And where a scenario calls for it, local traffic can also be controlled by routing it through the SD-WAN gateway.

Understanding microsegmentation in SD-WAN networks

Microsegmentation is an evolution of traditional network segmentation that shifts access decisions away from static parameters (VLANs, subnets, IP addresses) and towards the identity of the user or device that generates the traffic. Instead of asking “what subnet is this communication coming from?”, microsegmentation asks “who is the originator and what role do they have?”. This paradigm shift is a cornerstone of Zero Trust architectures.

From static segmentation to dynamic identity

Traditional segmentation groups devices into network segments defined by technical criteria: switch ports, VLANs or IP ranges. This model worked when users and devices were predictable. Today, with hybrid work, the proliferation of IoT devices and multi-site networks, keeping this static segmentation in place is costly and fragile. A user moving between sites or a device that is relocated can end up outside the intended policies.

Microsegmentation solves this problem by tying policies to the user or device, not to their location on the network. An employee in the finance department gets the same access restrictions whether they connect from headquarters, from a branch office or from a remote location. An IoT device (a camera, a sensor, a point-of-sale terminal, etc.) is classified and isolated by its nature, not by the port it plugs into.

What can a microsegmentation solution do?

A microsegmentation solution applied to distributed networks makes it possible to:

  • Differentiate policies by role: north-south traffic between sites is handled differently depending on who generates it. A corporate user, an IoT device and a payment terminal access different resources under different rules, even though they share the same network infrastructure.
  • Contain the impact of an intrusion: if a device is compromised, microsegmentation policies limit its ability to communicate, making it harder for an attacker to move laterally to other resources in the organization.
  • Simplify regulatory compliance: regulations such as PCI-DSS and HIPAA require systems handling sensitive data to be isolated. Microsegmentation lets you demonstrate this isolation in a centralized and auditable way, without relying on manual configurations on every switch at every site.
  • Operate over existing infrastructure: modern microsegmentation solutions can integrate with already-deployed NAC systems and run on LAN equipment from any vendor, avoiding a forced refresh of network hardware.
  • Extend control to local traffic: in addition to inter-site traffic, policies can be applied to east-west traffic within the same site when the scenario calls for it, broadening the reach of microsegmentation.

The key point is that these capabilities are managed centrally, with policies defined once and applied consistently across all sites, regardless of their size, location or equipment.

SD-WAN Microsegmentation: Teldat Products & Solutions

Teldat SD-WAN Microsegmentation Solution

Teldat integrates microsegmentation as a native capability of its SD-WAN solution, managed from the Cloud Net Manager (CNM) platform. Identity-based policies are applied over the existing LAN infrastructure, with no third-party solutions to deploy and no network hardware refresh required.

CNM management platform

Microsegmentation is configured and operated from the CNM modules:

  • SD-WAN Controller: manages the microsegmentation data model, the integration with NAC systems and the distribution of roles and policies to each site.
  • Analyzer: provides monitoring dashboards with real-time visibility of the user-IP-role association at every node in the network.
  • Manager: device lifecycle management and zero-touch provisioning (ZTP) of the routers that enforce the policies.

A true SD-WAN as the foundation for microsegmentation

Teldat’s microsegmentation builds on the architecture of a true SD-WAN: a controller with complete topological visibility of the network and a centralized data model. This architecture lets you configure how identity information is distributed to match the organization’s needs: either each gateway receives only the data for its local users and roles (maximum memory efficiency), or the information is distributed to all gateways together with the policies that reference it (enabling policies based on the destination’s identity). In both modes the distribution is selective, avoiding the massive propagation to every gateway that, in other solutions, drives table updates, heavy memory consumption and operational degradation as the deployment grows.

Open integration with NAC

The be.SD-WAN Controller dynamically retrieves the identity and role of each user or device from the customer’s NAC system, integrating with the leading NACs on the market (Forescout, Cisco ISE, Teldat beActive and others). Policies are enforced at the SD-WAN gateway based on role, both for north-south traffic between sites and, optionally, for local east-west traffic routed through the gateway. All of this runs on any LAN/WLAN infrastructure, with no specific equipment required.
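To make the enforcement model concrete, here is an added illustration (not Teldat code, and not the CNM or be.SD-WAN API) of how a gateway can evaluate flows by role instead of by IP address. It assumes a hypothetical NAC feed that reports (IP, user, role) bindings as sessions come up and go down, a small rule set keyed on source role, and a default of dropping anything whose source has no identity binding. The addresses, users, roles and rules are constructed sample data; in a real deployment each site's gateway would hold only its own bindings, so the two bindings for the same user here stand in for the same person seen at two different sites.

```python
"""Role-based flow evaluation at an SD-WAN gateway (added illustration).

Hypothetical model, not Teldat code. The NAC reports (ip, user, role)
bindings for the sessions it authenticates; the gateway keeps them in an
identity table and evaluates each flow by the role of the source (and,
where a rule names one, of the destination) instead of by IP address.
A source with no identity binding matches no rule and is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Binding:
    ip: str
    user: str
    role: str


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst: str                          # "role:<name>", "cidr:<prefix>" or "any"
    dports: frozenset = frozenset()   # empty set = any destination port
    action: str = "allow"


class Gateway:
    def __init__(self, rules):
        self.rules = list(rules)
        self.identity = {}            # ip -> Binding, fed by the NAC

    # Called when the NAC reports an authenticated session for an address.
    def nac_session_up(self, b):
        self.identity[b.ip] = b

    # Called when the NAC reports the session ended; the address loses its role.
    def nac_session_down(self, ip):
        self.identity.pop(ip, None)

    def role_of(self, ip):
        b = self.identity.get(ip)
        return b.role if b else None

    def _dst_matches(self, rule, dst_ip):
        if rule.dst == "any":
            return True
        kind, _, value = rule.dst.partition(":")
        if kind == "cidr":
            return ip_address(dst_ip) in ip_network(value)
        if kind == "role":                 # destination identity, not address
            return self.role_of(dst_ip) == value
        return False

    def evaluate(self, src_ip, dst_ip, dport):
        src_role = self.role_of(src_ip)
        if src_role is None:
            return "deny"                  # unknown identity: nothing is implicitly trusted
        for r in self.rules:               # first matching rule wins
            if r.src_role != src_role:
                continue
            if r.dports and dport not in r.dports:
                continue
            if not self._dst_matches(r, dst_ip):
                continue
            return r.action
        return "deny"                      # implicit default deny


# Constructed sample policy: finance reaches the ERP subnet, cameras reach
# devices holding the "nvr" role on RTSP, contractors reach the BMS subnet.
RULES = [
    Rule("finance", "cidr:10.0.100.0/24", frozenset({443})),
    Rule("camera", "role:nvr", frozenset({554})),
    Rule("contractor", "cidr:10.0.150.0/24", frozenset({443})),
]


def demo():
    """Constructed sessions and flows; returns the verdict for each flow."""
    gw = Gateway(RULES)
    gw.nac_session_up(Binding("10.1.0.25", "alice", "finance"))     # alice at HQ
    gw.nac_session_up(Binding("10.20.0.77", "alice", "finance"))    # same user at a branch
    gw.nac_session_up(Binding("10.20.0.50", "cam-17", "camera"))
    gw.nac_session_up(Binding("10.0.200.5", "nvr-1", "nvr"))
    gw.nac_session_up(Binding("10.20.0.80", "carol", "contractor"))
    verdicts = {
        "finance_hq_to_erp": gw.evaluate("10.1.0.25", "10.0.100.10", 443),
        "finance_branch_to_erp": gw.evaluate("10.20.0.77", "10.0.100.10", 443),
        "camera_to_erp": gw.evaluate("10.20.0.50", "10.0.100.10", 443),
        "camera_to_nvr": gw.evaluate("10.20.0.50", "10.0.200.5", 554),
        "contractor_to_bms": gw.evaluate("10.20.0.80", "10.0.150.3", 443),
        "contractor_to_erp": gw.evaluate("10.20.0.80", "10.0.100.10", 443),
        "unknown_source": gw.evaluate("10.20.0.99", "10.0.100.10", 443),
    }
    gw.nac_session_down("10.20.0.77")                              # alice logs off at the branch
    verdicts["finance_branch_after_logoff"] = gw.evaluate("10.20.0.77", "10.0.100.10", 443)
    return verdicts


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:32s} {verdict}")
```

The point the example makes is that the finance user gets the same verdict from two different addresses, the camera is confined to its NVR by destination role rather than by subnet, and an address with no binding (or one whose session has ended) never inherits access from whoever held it before.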

Compatibility with TrustSec domains

Teldat SD-WAN gateways recognize SGT tags and propagate them across the overlay. This makes it possible to interconnect TrustSec domains between sites and apply east-west policies between users located at different sites, with no changes required to the existing infrastructure.

Applied Artificial Intelligence (AI)

Integrating microsegmentation into the Teldat ecosystem makes it possible to take advantage of the platform’s AI capabilities. Analyzing user and device behavior enriches segmentation decisions: anomaly detection, identification of devices that deviate from their usual behavior and policy optimization recommendations based on real network usage.

Key differentiators:

  • True SD-WAN architecture: a controller with a data model and topological visibility that distributes identity information selectively, enabling policies based on source or destination identity without saturating gateway memory.
  • Universal compatibility: runs on any LAN/WLAN infrastructure regardless of the switch and access point vendor.
  • North-south and east-west control: role-based policies for inter-site traffic, with the option of extending control to local traffic by routing it through the gateway.
  • Built-in AI: the Artificial Intelligence capabilities of the Teldat ecosystem continuously improve segmentation effectiveness.
  • Unified management: microsegmentation is administered from the same management platform as the rest of the SD-WAN functions, with no additional tools.
Microsegmentation SD-WAN – Use Cases

IoT segmentation across distributed sites

Granular access control for IoT devices, cameras and sensors in branch networks with heterogeneous LAN infrastructure.

Controlled access for third parties

Differentiated access policies for vendors, subcontractors and external staff who connect from any of the organization’s sites.

Massive scaling without overloading the network

Microsegmentation deployment across hundreds of sites without overloading device memory or saturating the network with massive policy propagation.

IoT segmentation across distributed sites

Granular access control for IoT devices, cameras and sensors in branch networks with heterogeneous LAN infrastructure.

Challenge

Organizations with branch networks face a growing variety of connected devices: surveillance cameras, IoT sensors, printers, IP phones and point-of-sale terminals share the same network with corporate user equipment. Traditional VLAN-based segmentation becomes hard to manage at scale, especially when each site has switches from different vendors and models.

Without microsegmentation, a compromised IoT device can become an entry point for an attacker’s lateral movement towards critical corporate resources. The challenge multiplies when the organization runs hundreds of sites where standardizing LAN equipment is unfeasible for operational or financial reasons, and where network administration resources at each location are limited or non-existent.

Solution

SD-WAN microsegmentation automatically assigns a role to each device type based on the information provided by the NAC: cameras, sensors, printers and user equipment receive differentiated policies. Traffic for each role is isolated with no need to create additional VLANs or configure ACLs on the local switches.

The controller distributes to each branch router only the policies that apply to the device types present at its site. Centralized monitoring makes it possible to verify in real time that each device is correctly classified and segmented, with full visibility from the management platform.

Why Teldat?

Teldat applies microsegmentation from the SD-WAN router, without requiring switches from a specific vendor. Integration with multiple NACs on the market allows IoT devices to be classified dynamically, while keeping the existing LAN infrastructure in place and lowering the cost of segmentation.

Controlled access for third parties

Differentiated access policies for vendors, subcontractors and external staff who connect from any of the organization’s sites.

Challenge

Organizations routinely need to grant network access to external staff: maintenance technicians, auditors, service providers or employees of subcontractors. These users connect from different sites and need to reach specific resources: a building management system, an audit application or a particular file server, but not the rest of the corporate network.

In practice, most organizations end up granting these users the same access as an internal employee, because implementing site-by-site specific restrictions is operationally unfeasible with traditional segmentation. The result is an enlarged attack surface: third-party credentials with excessive access are a common intrusion vector, and the organization has no visibility into what resources they are actually accessing.

Solution

Microsegmentation makes it possible to define specific roles for each type of third party (maintenance, audit, IT vendor, etc.) with policies that limit their access strictly to the resources they need to do their job. These policies are applied automatically at any site from which the external user connects, with no local configuration.

The centralized management platform provides full visibility of third-party connections: which site they access from, which resources they reach and during which hours. This traceability streamlines security audits and makes it possible to revoke or modify access immediately in response to any incident.

Why Teldat?

Teldat’s integration with multiple NAC systems makes it possible to automatically identify external users and assign them the appropriate role. The policy is enforced from the SD-WAN router at any site, with no intervention from the local team and no additional equipment.

Massive scaling without overloading the network

Microsegmentation deployment across hundreds of sites without overloading device memory or saturating the network with massive policy propagation.

Challenge

Large organizations deploying microsegmentation at scale face a critical architectural problem: as users, roles and policies grow, solutions without a centralized data model are forced to propagate every change to all gateways in the network. Every new user, every role change and every policy update is replicated in full to hundreds of remote devices. Memory consumption on branch routers, which must store tables with information for the entire organization even though they only handle a handful of local users, spikes and limits the real scalability of the deployment. Microsegmentation works in a pilot but degrades in production at scale.

Solution

The solution relies on an SD-WAN controller with a centralized data model and full topological visibility of the network. The controller knows which users, roles and policies are relevant to each site and delivers to each gateway only the information that applies to its local context. Changes are propagated selectively, exclusively to the affected nodes, with no unnecessary mass updates. This allows microsegmentation to scale to hundreds of sites while keeping gateway memory consumption and network control traffic low, ensuring stable operation over the long term.
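The selective distribution described here, and the two distribution modes described earlier under "A true SD-WAN as the foundation for microsegmentation", can be modelled as a small controller computation. The following is an added illustration, not Teldat code and not the CNM data model: a hypothetical controller holds the global (user, role, site) table and the role-based policies, computes the subset each gateway needs, and works out which gateways a change actually touches, so the fan-out can be compared with the naive "replicate to everyone" approach. Sites, users, roles and policies are constructed sample data.

```python
"""Selective distribution of identity data from an SD-WAN controller (added illustration).

Hypothetical model, not Teldat code. The controller keeps the global
identity table (user, role, site) and the role-based policies and derives,
per gateway, only what that gateway needs. Two modes are modelled:
  "local":      a gateway receives the bindings of its own site only;
  "referenced": it additionally receives every binding whose role is named
                as the destination of a policy it holds, so it can enforce
                policies based on the destination's identity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    user: str
    role: str
    site: str


@dataclass(frozen=True)
class Policy:
    src_role: str
    dst: str                 # "role:<name>" (destination identity) or "cidr:<prefix>"
    action: str = "allow"

    @property
    def dst_role(self):
        return self.dst[5:] if self.dst.startswith("role:") else None


class Controller:
    def __init__(self, bindings, policies, sites):
        self.bindings = list(bindings)
        self.policies = list(policies)
        self.sites = set(sites)

    def roles_at(self, site):
        return {b.role for b in self.bindings if b.site == site}

    def policies_for(self, site):
        """A gateway only needs policies whose source role is present at its site."""
        roles = self.roles_at(site)
        return [p for p in self.policies if p.src_role in roles]

    def payload_for(self, site, mode):
        """What the controller pushes to one gateway in the given mode."""
        policies = self.policies_for(site)
        local = [b for b in self.bindings if b.site == site]
        if mode == "local":
            bindings = local
        elif mode == "referenced":
            wanted = {p.dst_role for p in policies if p.dst_role}
            remote = [b for b in self.bindings if b.site != site and b.role in wanted]
            bindings = local + remote
        else:
            raise ValueError(f"unknown mode {mode!r}")
        return {"bindings": bindings, "policies": policies}

    def affected_gateways(self, binding, mode):
        """Gateways that must be updated when this binding appears, changes or leaves."""
        targets = {binding.site}                      # the home site always changes
        if mode == "referenced":
            for site in self.sites - {binding.site}:  # plus any site whose policies name the role
                if any(p.dst_role == binding.role for p in self.policies_for(site)):
                    targets.add(site)
        return targets

    def naive_fanout(self):
        """Solutions without a data model replicate every change to every gateway."""
        return len(self.sites)


# Constructed sample deployment: three sites, five identities, three policies.
SITES = ["hq", "branch1", "branch2"]
BINDINGS = [
    Binding("alice", "finance", "hq"),
    Binding("bob", "finance", "branch1"),
    Binding("cam-17", "camera", "branch1"),
    Binding("nvr-1", "nvr", "hq"),
    Binding("carol", "contractor", "branch2"),
]
POLICIES = [
    Policy("finance", "cidr:10.0.100.0/24"),      # ERP subnet
    Policy("camera", "role:nvr"),                 # destination identified by role
    Policy("contractor", "cidr:10.0.150.0/24"),   # BMS subnet
]


def fanout_report(mode):
    """Per-change update counts: selective fan-out versus naive replication."""
    ctl = Controller(BINDINGS, POLICIES, SITES)
    changes = [Binding("nvr-2", "nvr", "hq"), Binding("cam-9", "camera", "branch2")]
    return {c.user: (len(ctl.affected_gateways(c, mode)), ctl.naive_fanout()) for c in changes}


if __name__ == "__main__":
    ctl = Controller(BINDINGS, POLICIES, SITES)
    for mode in ("local", "referenced"):
        p = ctl.payload_for("branch1", mode)
        print(mode, [b.user for b in p["bindings"]], [pol.src_role for pol in p["policies"]])
        print(mode, fanout_report(mode))
```

In "local" mode branch1 receives only its two local bindings and the two policies whose source roles exist there; in "referenced" mode it also receives the HQ recorder's binding, because its camera policy names the nvr role as a destination. Adding a second recorder at HQ then touches two gateways rather than all three, and adding a camera at branch2 touches only branch2, which is the behaviour that keeps gateway memory and control traffic flat as the site count grows.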

Why Teldat?

Only an SD-WAN with a controller and data model like Teldat’s can distribute microsegmentation selectively, without replicating complete tables to every gateway. The architecture is designed from the ground up to scale to large deployments without operational degradation.
