Zero Trust Device Segmentation
Understanding Protection Solutions
Zscaler Zero Trust Device Segmentation offers several solutions tailored to meet the unique security and isolation requirements of highly sensitive or regulated organizations. The three solutions, Airgap, Airgap-Lite, and Airgap+, address varying levels of network isolation and functionality needs.
When you add or edit an asset, you can choose one of these solutions in the Protection drop-down menu. To learn more, see Managing Your Assets.
- Airgap
  - Behavior: Assigns a /32 network mask to endpoints, effectively creating a secure "network of one." Each device is treated as an isolated entity, preventing direct communication between devices on the same subnet.
  - Use Case: Ideal for environments that require complete isolation between endpoints, ensuring all traffic routes through the Device Segmentation gateway for inspection and enforcement.
  - Challenge: Some systems might not support /32 masks due to hardware or software limitations.
- Airgap-Lite
  - Behavior: Uses the same subnet mask as the one the DHCP server provides, which simplifies integration in environments where endpoints need to communicate directly without routing all traffic through the gateway.
  - Use Case: Suitable for systems or networks where /32 masks are not supported, and full isolation is not a strict requirement.
  - Trade-Off: Reduces isolation compared to Airgap.
- Airgap+
  - Behavior: Implements micro-subnets by supporting subnet masks between /27 and /30. Devices within the same micro-subnet can communicate directly without routing through the Device Segmentation gateway. Traffic between different micro-subnets or external destinations is routed through the gateway for inspection and enforcement.
  - Use Case: Provides a balance between complete isolation and full subnet communication, which is ideal for environments needing some level of local communication while still enforcing Device Segmentation policies for external traffic.
  - Trade-Off: Increased complexity compared to Airgap-Lite.
  - Requirements:
    - Device Segmentation gateway must operate in server mode for the associated VLAN(s).
    - Available starting with Airgap OS 7.7.6.
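The following added example (not Zscaler's code) models how the mask each solution assigns decides whether a packet between two endpoints stays on the local segment or is forced through the Device Segmentation gateway. The mode names, the /32 and /27-/30 mask rules are taken from the list above; the addresses and the DHCP /24 are constructed sample values.

```python
import ipaddress

# Mask rules as described for each protection mode.
AIRGAP_PREFIX = 32                  # "network of one"
AIRGAP_PLUS_MIN, AIRGAP_PLUS_MAX = 27, 30  # allowed micro-subnet sizes


def effective_prefix(mode, dhcp_prefix, micro_prefix=None):
    """Prefix length an endpoint ends up with under the given mode."""
    if mode == "Airgap":
        return AIRGAP_PREFIX
    if mode == "Airgap-Lite":
        return dhcp_prefix          # same mask the DHCP server handed out
    if mode == "Airgap+":
        if micro_prefix is None or not AIRGAP_PLUS_MIN <= micro_prefix <= AIRGAP_PLUS_MAX:
            raise ValueError("Airgap+ micro-subnets must use a mask between /27 and /30")
        return micro_prefix
    raise ValueError(f"unknown protection mode {mode!r}")


def path(mode, src, dst, dhcp_prefix, micro_prefix=None):
    """Return 'direct' if dst is on src's local segment, else 'gateway'."""
    prefix = effective_prefix(mode, dhcp_prefix, micro_prefix)
    local_segment = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return "direct" if ipaddress.ip_address(dst) in local_segment else "gateway"


def demo():
    """Constructed scenario: two neighbours in a DHCP-assigned 10.0.0.0/24."""
    a, b, c = "10.0.0.10", "10.0.0.11", "10.0.0.20"
    return {
        # /32: even an adjacent address must traverse the gateway
        "airgap a->b": path("Airgap", a, b, 24),
        # DHCP mask kept: the whole /24 talks directly
        "lite a->b": path("Airgap-Lite", a, b, 24),
        "lite a->other /24": path("Airgap-Lite", a, "10.0.1.5", 24),
        # /28 micro-subnet 10.0.0.0-15: b is inside, c is in the next one
        "plus a->b": path("Airgap+", a, b, 24, micro_prefix=28),
        "plus a->c": path("Airgap+", a, c, 24, micro_prefix=28),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:18} {decision}")
```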