Skip to main content


Sandboxing and network segmentation

In computer security, sandboxing and network segmentation are security mechanisms to limit access to software-, computer- or network functions and systems. It fits in a limited- or zero-trust management philosophy. By separating running programs, systems and networks, the impact of system failures can be limited, software vulnerabilities have less impact and limited connections hinder malware from spreading.

Sandboxing is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. It is frequently used to test unverified programmes that may contain a virus or other malicious code. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualisation.

Network segmentation is similar in goals but on the system or network level. Micro-segmentation is a method of creating zones in data centres and cloud environments to isolate workloads from one another and secure them individually. It is used to reduce the network attack surface, improve breach containment (prevent lateral movement of threats) and strengthen regulatory compliance.

Related Keywords: paste bins, code snippets, authorised access, network segregation, firewalls, Virtual Local Area Networks (VLANs), Software-Defined Networking (SDN)