The Three Basic Micro-Segmentation Deployment Models

Micro-segmentation is a powerful strategy for reducing the cyber-risk associated with critical assets and resources. For an introduction to micro-segmentation, see our resource page, Micro-Segmentation, Explained.

Generally speaking, there are three major types of micro-segmentation, each corresponding to one of the possible security insertion points:

  • Agent-based, which inserts security at the OS level to protect applications
  • Hypervisor-based, which inserts security at the hypervisor level and protects VMs
  • Agentless, which inserts security outside the machine, at the network level

Of these, Zentera supports agent-based and agentless models.  The three options are illustrated in the diagram below.


The Three Basic Types of Micro-Segmentation


Comparing Micro-Segmentation Methods

Each deployment method has its own strengths; while agent-based deployment works well for many application scenarios, other scenarios may call for an agentless approach. The table below compares the different models, outlining their applicability.


Application Agent Hypervisor Agentless Notes
Bare Metal -  
Cloud -  
Container - Agent model supports sidecar; agentless model protects only at the pod level
IoT Varies  -  
Supported by CoIP Access Platform -  


Of these, the agent is the most versatile model; because it is closest to the workload it also has more detailed information and can implement a richer set of security features. The agent-based model is completely independent of infrastructure, and can be deployed across a wide range of cloud and datacenter infrastructure stacks without coupling to them.

The next is the agentless "gatekeeper"-based approach.  The gatekeeper approach deploys an appliance (typically physical) inline with the workload being protected, and is recommended for workloads where the agent cannot be used – for example, OT environments. As agentless micro-segmentation is deployed outside of the VM or server, it can work with any type of workload; deployment can be as simple as plugging and unplugging Ethernet cables to insert threat detection and filtering in front of a critical workload, such as a database server, an application server, machines on a factory floor, or critical infrastructure.

The most limited approach is hypervisor-based micro-segmentation, because it is highly dependent on the hypervisor. A solution designed for a VMware datacenter cannot be ported to AWS, as customers have no access to the AWS hypervisor; similarly, hypervisor approaches cannot work for bare metal servers or IoT devices. For this reason, hypervisor-based micro-segmentation is a relatively less popular approach for industry.


Selecting a Micro-Segmentation Method

Zentera recommends that any application that can support an agent should use it; once installed, administrators have full control over the micro-segmentation settings of the server, and can begin to apply micro-segmentation policies to lock down the attack surface.

For services that are too critical to allow agent installation, Zentera offers the gatekeeper approach. This allows administrators to rapidly insert security functions transparently, without touching critical servers.  For more detail on Zentera's gatekeeper models, review the product page for our Micro-Segmentation Gatekeeper.

msg-blue-background featured imageThe Micro-Segmentation Gatekeeper