How segmented is my network?

This paper introduces "segmentedness," a statistically principled metric defined as the fraction of disallowed node-pair communications, and provides a normalized estimator with a 95% confidence interval that requires only 97 uniformly sampled node pairs to accurately measure network segmentation across various models and real-world datasets.

The Gist

Imagine your company's computer network is a giant, bustling office building.

The Problem: The "Open Plan" Nightmare
In a poorly secured network, the building is one giant "open plan" office. If a thief (a hacker) breaks into the mailroom, they can walk straight into the CEO's office, the payroll department, and the server room without hitting a single locked door. In cybersecurity, this is called a "flat" network. It's easy to move around (lateral movement), which is great for productivity but terrible for security.

To fix this, companies build walls, install locks, and create separate zones (segmentation). But here's the catch: How do you know if your walls are actually working?

Currently, security teams guess. They look at blueprints, ask experts, or check a few firewalls. It's like trying to guess how many rooms are in a mansion just by looking at the front door. There's no ruler to measure "how segmented" the building really is.

The Solution: A New "Security Ruler"
This paper introduces a simple, math-based ruler called "Segmentedness."

Instead of trying to map every single hallway and door (which is impossible in a huge building), the authors propose a clever shortcut: Random Sampling.

The Analogy: The "Blindfolded Walk"

Imagine you want to know how many doors in a massive building are locked. You can't check every single one. So, you put on a blindfold, pick two random rooms, and try to walk from one to the other.

• If you get stuck: The door is locked (or the path is blocked). That's a "good" sign for security.
• If you walk right through: The path is open. That's a "bad" sign.

You repeat this random walk 97 times.

• If you get stuck 30 times out of 97, your building is 30% "segmented."
• If you get stuck 80 times, it's 80% segmented.

The Magic Number: 97
The most surprising part of this paper is the math. The authors prove that you don't need to check millions of doors. Whether your network has 1,000 computers or 100,000 computers, you only need to test 97 random pairs to get a very accurate answer (within a 10% margin of error, 95% of the time).

It's like tasting a spoonful of soup to know if the whole pot is salty. You don't need to drink the whole pot.

Why This Matters (In Plain English)

1. No More Guessing: Instead of saying, "I think we are pretty secure," a CISO can say, "Our network is 65% segmented, and we are 95% sure of that number."
2. Tracking Progress: If you build a new firewall today, you can measure the score next month. Did the number go up? Great! Did it go down? You have a leak.
3. Mergers and Acquisitions: When two companies merge, their networks get smashed together. This ruler tells you instantly if the new combined network became too "flat" and dangerous.
4. Zero Trust: "Zero Trust" is a buzzword meaning "trust no one." This metric gives you a scorecard to prove you are actually doing it.

The "Gotchas" (Limitations)

The paper is honest about where this ruler might fail:

• The "Ghost" Problem: If your list of computers (inventory) is outdated, you might be testing the wrong rooms.
• The "Silent" Problem: Just because a door looks locked doesn't mean a hacker can't pick the lock. This metric measures the policy (the lock), not the strength of the lock.
• The "One-Way" Street: The math assumes doors work both ways. If your network has one-way traffic (like a server sending data to a client but not vice versa), the math gets a little tricky.

The Bottom Line

This paper gives security teams a simple, statistical flashlight. Instead of wandering in the dark trying to figure out if their network is safe, they can now shine a light on a random sample of connections and get a clear, numerical answer: "How segmented is my network?"

It turns a complex, scary security problem into a simple math problem that anyone can solve with a spreadsheet and a few random tests.

Technical Summary

Here is a detailed technical summary of the paper "How segmented is my network?" by Rohit Dube.

1. Problem Statement

Network segmentation is a cornerstone of modern cybersecurity (e.g., Zero Trust Architecture) designed to limit lateral movement and contain breaches. However, security practitioners currently lack a quantitative, repeatable metric to measure how effectively a network is segmented.

• Current State: Assessments are qualitative, relying on architecture diagrams, expert judgment, or high-level maturity models (e.g., NIST, CISA).
• The Gap: Organizations cannot objectively compare segmentation across business units, validate the impact of architectural changes, or justify security investments. Existing graph-based metrics (like modularity or Fiedler values) focus on structural arrangement rather than the overall permissiveness of communication, and many prior works rely on specific threat models or binary "segmented/not segmented" classifications.
• Objective: To define and estimate a single, interpretable scalar metric for "segmentedness" that is independent of network size and specific threat models.

2. Methodology

A. Formal Definition: Segmentedness

The authors model a network as an undirected simple graph $G = (V, E)$, where nodes are end systems and edges represent policy-permitted communication.

• Flatness ($F$): Defined as the edge density of the graph—the fraction of all possible node pairs that are allowed to communicate.
  $$F(G) = \frac{|E|}{\binom{n}{2}}$$
• Segmentedness ($S$): Defined as the complement of flatness. It represents the fraction of potential communications disallowed by policy.
  $$S(G) = 1 - F(G)$$
• Properties: The metric is normalized (0 to 1), scale-invariant (independent of $n$), and structurally neutral (depends only on the count of allowed edges, not their arrangement).

B. Estimation Strategy

Since enumerating all $\binom{n}{2}$ connections in large enterprise networks is infeasible, the paper proposes a randomized sampling approach:

1. Sampling: Randomly select $M$ unordered pairs of distinct nodes from the network.
2. Connectivity Testing: For each pair, perform a battery of tests (ICMP, TCP, UDP) to determine if communication is permitted. A pair is "connected" if any test succeeds.
3. Estimator: The empirical flatness $\hat{F}$ is the proportion of connected pairs in the sample. The segmentedness estimate is $\hat{S} = 1 - \hat{F}$.

C. Statistical Guarantees

• Confidence Intervals: Using the Central Limit Theorem, the authors derive a Wald confidence interval for the estimate.
• Sample Size Calculation: To achieve a 95% confidence interval with a margin of error ($\epsilon$) of $\pm 0.1$, the required sample size $M$ is derived from the worst-case variance ($p=0.5$):
  $$M \geq \frac{z_{\alpha/2}^2}{4\epsilon^2}$$
  For a 95% CI ($z \approx 1.96$) and $\epsilon = 0.1$, $M = 97$ sampled pairs are sufficient. Crucially, this number is independent of the total network size ($n$).
• Bayesian Extension: For highly segmented networks where the sample yields zero connections ($k=0$), the standard Wald interval collapses to zero width. The authors propose a Beta-Binomial Bayesian model with a conservative prior (assuming at least 1% baseline connectivity) to provide a non-zero upper bound on flatness, avoiding false certainty.

3. Key Contributions

1. First Scalar Metric: Introduces "segmentedness" as the first statistically principled scalar metric for network isolation, defined strictly by edge density.
2. Size-Independent Sampling: Demonstrates that accurate estimation requires a fixed, small sample size ($M=97$) regardless of whether the network has 1,000 or 100,000 nodes.
3. Practical Deployment Framework: Provides a complete methodology including:
   • A connectivity test suite (ICMP/TCP/UDP).
   • Statistical formulas for confidence intervals.
   • A Bayesian fallback for sparse networks.
   • A step-by-step deployment guide (Appendix B).
4. Validation: Rigorous evaluation across synthetic models (Erdős–Rényi, Stochastic Block Models) and real-world enterprise data (Cisco Secure Workload dataset).

4. Results

• Unbiased Estimation: Monte Carlo simulations on Erdős–Rényi graphs showed the estimator is unbiased and stable across varying connectivity levels.
• Robustness to Structure: In Stochastic Block Models (simulating segmented enterprise environments with communities), the estimator remained accurate, and the 95% confidence intervals maintained correct coverage (approx. 0.95).
• Real-World Validation: Applied to five dense graphs from the Cisco Secure Workload dataset, the estimator's mean results closely matched the true edge density, and the true values fell within the calculated 95% confidence intervals.
• Sample Size Efficiency: Confirmed that 97 samples are sufficient for a $\pm 0.1$ margin of error, making frequent (e.g., quarterly) measurements feasible even for massive networks.

5. Significance and Applications

This work bridges the gap between qualitative security frameworks and quantitative measurement. Its significance lies in enabling:

• Baseline Tracking: Organizations can establish a baseline segmentedness score and track improvements or regressions over time (e.g., detecting policy drift).
• Zero Trust Assessment: Provides a quantitative proxy for the difficulty of lateral movement. As segmentedness increases, the number of reachable paths for an attacker decreases.
• Merger & Acquisition (M&A) Integration: Allows security teams to quantify the security impact of merging networks, ensuring consolidation does not inadvertently create a "flat" (insecure) network.
• Benchmarking: Lays the groundwork for industry-specific benchmarks (e.g., financial services vs. education) based on empirical data.

Limitations: The metric assumes symmetric policies, treats connectivity as binary (ignoring port/protocol granularity), and focuses on internal segmentation rather than perimeter security. It also relies on the assumption that asset inventories are complete for uniform sampling.

Conclusion: The paper provides a practical, mathematically sound tool for security practitioners to answer the fundamental question, "How segmented is my network?" using fewer than 100 data points, transforming network segmentation from a qualitative concept into a measurable engineering discipline.