
A flat network is a building with no interior walls. Every system can talk to every other system. If an attacker compromises one machine, they can walk anywhere—from a receptionist's workstation to the database holding your customer records. Malware spreads like fire through an open floor plan.

Network segmentation adds walls, doors, and locks. You divide the network into smaller sub-networks, each functioning independently. A compromised workstation in the sales segment can't reach the finance servers. Ransomware in the development environment can't touch production. The attacker broke in, but they're stuck in one room.

Why Attackers Hate Segmentation

The technical term is "limiting lateral movement," but the reality is simpler: segmentation makes the attacker's job tedious.

Without segmentation, compromising any system gives you a foothold to explore everything. With segmentation, each boundary is another obstacle. The attacker has to find new vulnerabilities, steal new credentials, evade new monitoring—for every segment they want to reach.

Most attackers aren't targeting your organization specifically. They're opportunists looking for easy wins. Segmentation turns easy wins into hard slogs. Many will move on to softer targets.

For the persistent attackers who stay, segmentation buys you time. Each boundary crossing creates noise—failed connection attempts, authentication requests, traffic patterns that don't match normal behavior. Time to detect. Time to respond. Time to contain.

VLANs: The Traditional Approach

Virtual LANs have been the standard segmentation tool for decades. They create logical boundaries within physical networks—systems on VLAN 10 can talk to each other but are isolated from systems on VLAN 20, even if they're plugged into the same switch.

To cross VLAN boundaries, traffic must pass through a router or Layer 3 switch. That's where you place your controls—firewall rules, access policies, logging. The VLAN boundary becomes a checkpoint.

VLANs work. They're well-understood, supported by standard equipment, and provide reasonable security for many environments. But they have limits.

VLAN hopping attacks can sometimes bypass the isolation. Traffic within a VLAN is visible to all members—no encryption by default. Misconfiguration can accidentally bridge VLANs, and suddenly your carefully planned boundaries don't exist. VLANs are coarse-grained; you might end up with dozens of segments when you really need hundreds.

Microsegmentation: Every Workload Is an Island

Microsegmentation takes the concept to its logical extreme. Instead of a few dozen segments, you create hundreds or thousands—potentially isolating individual applications or workloads.

A web application can only talk to its specific database. That database can only accept connections from that specific application. The monitoring agent can only report to the monitoring server. Every communication path is explicitly defined; everything else is blocked.

This is typically implemented through software-defined networking, next-generation firewalls with identity-aware policies, or cloud security groups. The granularity is extraordinary.

The result: even if an attacker compromises a workload, they're trapped. They can't pivot to adjacent systems because there's no assumed trust, no implicit network access. Every hop requires breaking through another boundary.

Segmentation Strategies

How you divide your network depends on what you're protecting and why.

By function: User workstations in one segment, web servers in another, application servers in a third, databases in a fourth. Traffic flows in predictable directions—web servers reach application servers, application servers reach databases, but databases never initiate connections outward. Management infrastructure sits in isolated segments accessible only to administrators.

By sensitivity: Systems handling payment card data get strict isolation (PCI DSS requires it). Healthcare systems protecting patient information get their own boundaries (HIPAA demands it). Trade secrets, financial records, intellectual property—each gets protection proportional to its value.

By trust level: Security zones group segments with similar risk profiles. The Internet zone has the strictest controls. The DMZ hosts public-facing services with limited internal access. Internal zones allow more permissive communication. Management zones are locked down tight.

Most organizations combine approaches. You might segment by function within each security zone, with additional isolation for the most sensitive data.

The Hard Parts

Segmentation makes your life harder. That's not a bug—it's the point. Making the attacker's life harder requires accepting some friction yourself.

Implementation demands mapping. Before you draw boundaries, you need to know what exists and what talks to what. Discovery takes time. Documentation is tedious. You'll find systems nobody knew about and communication patterns that surprise you.

Troubleshooting gets complex. When something breaks, you have to determine whether it's a real problem or your security controls working correctly. "Why can't the application reach the database?" might mean a bug, or it might mean your firewall is doing exactly what it should.

Applications assume flat networks. Legacy software often expects to reach anything it wants. Segmenting your network means discovering which applications break and deciding whether to modify the application, adjust the policy, or accept the risk.

Policies drift. Networks change. New systems appear. Old ones disappear. Communication patterns evolve. The segmentation architecture you designed three years ago might not match today's reality. Ongoing management is real work.

None of this is reason to skip segmentation. It's reason to plan carefully, implement incrementally, and commit to maintenance.

Access Control Is the Point

Segmentation without access control is theater. Drawing boundaries means nothing if anyone can cross them.

The firewall rules between segments are where security actually happens. Default deny: block everything except what's explicitly permitted. Least privilege: allow only the minimum necessary communication. Log everything: inter-segment traffic tells you what's normal and reveals what's not.

This is where microsegmentation shines. Traditional segmentation might mean a few dozen firewall rules between VLANs. Microsegmentation means thousands of precise policies, each allowing exactly one communication path.
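The function-based layout described under "Segmentation Strategies" (workstations reach web, web reaches app, app reaches db, and databases never initiate connections outward) together with the default-deny and least-privilege rules above can be written down as an explicit allow list and checked by a small evaluator. The Python below is an added example, not code from the page or from any product it mentions; the segment address ranges, the ports and the decision to mediate only boundary crossings (the VLAN-style checkpoint, where same-segment traffic never reaches the router) are assumptions chosen for illustration. The `verify_boundaries` function runs a table of expected decisions against the policy, which is the "verify that your policies work, not just that they exist" step recommended later on the page.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed segments for the example; the address ranges are assumptions,
# not anything taken from the page.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "db": ipaddress.ip_network("10.40.0.0/24"),
    "mgmt": ipaddress.ip_network("10.90.0.0/24"),
    "admins": ipaddress.ip_network("10.91.0.0/24"),
}

# Explicit allow list of inter-segment flows: (source, destination, protocol, port).
# Anything not listed is denied. Deliberately, no entry has "db" as a source:
# databases accept connections but never initiate them outward.
ALLOWED_FLOWS = {
    ("workstations", "web", "tcp", 443),
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
    ("admins", "mgmt", "tcp", 22),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
}


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment whose range contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Decide a connection the way the checkpoint between segments would.

    Only boundary crossings are mediated here (assumed VLAN-style model in
    which same-segment traffic never reaches the router). Unknown addresses
    and unlisted flows fail closed: default deny.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "DENY"
    if src == dst:
        return "ALLOW"
    if (src, dst, proto.lower(), port) in ALLOWED_FLOWS:
        return "ALLOW"
    return "DENY"


def verify_boundaries(expectations) -> List[Tuple]:
    """Check the policy against expected outcomes and return the mismatches.

    Each expectation is (src_ip, dst_ip, proto, port, expected_decision).
    An empty result means every boundary behaves as documented.
    """
    failures = []
    for src_ip, dst_ip, proto, port, expected in expectations:
        actual = evaluate(src_ip, dst_ip, proto, port)
        if actual != expected:
            failures.append((src_ip, dst_ip, proto, port, expected, actual))
    return failures


# Expectations that encode the design intent of the function-based layout.
BOUNDARY_TESTS = [
    ("10.10.4.20", "10.20.0.5", "tcp", 443, "ALLOW"),   # workstation -> web
    ("10.20.0.5", "10.30.0.7", "tcp", 8443, "ALLOW"),   # web -> app
    ("10.30.0.7", "10.40.0.9", "tcp", 5432, "ALLOW"),   # app -> db
    ("10.40.0.9", "10.30.0.7", "tcp", 8443, "DENY"),    # db never initiates
    ("10.10.4.20", "10.40.0.9", "tcp", 5432, "DENY"),   # workstation -> db
    ("10.10.4.20", "10.90.0.2", "tcp", 22, "DENY"),     # workstation -> mgmt
    ("10.91.0.3", "10.90.0.2", "tcp", 22, "ALLOW"),     # admin -> mgmt
    ("10.30.0.7", "10.40.0.9", "tcp", 5433, "DENY"),    # wrong port fails closed
    ("192.168.1.1", "10.40.0.9", "tcp", 5432, "DENY"),  # unknown source
]

if __name__ == "__main__":
    for failure in verify_boundaries(BOUNDARY_TESTS):
        print("MISMATCH", failure)
    print("boundary checks complete")
```

The allow list is a set of exact tuples rather than ranges, which is what makes it least-privilege: adding a flow means adding one line, and a reviewer can read the whole policy at a glance. The `BOUNDARY_TESTS` table doubles as documentation of why each boundary exists.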

Software-Defined Segmentation

Modern approaches decouple segmentation from physical infrastructure. Software-defined networking separates the control plane (deciding where traffic goes) from the data plane (actually forwarding it). Centralized controllers define policies; network devices enforce them.

This enables dynamic segmentation that adapts to context. Policies can consider user identity, device posture, time of day, detected threats. A contractor's laptop gets different access than an employee's. A device that fails security checks gets quarantined automatically.

Cloud environments live on software-defined segmentation. Security groups, network policies, virtual private clouds—all providing granular control without physical constraints. You define what can talk to what; the cloud enforces it.

What Good Looks Like

Effective segmentation isn't about perfection. It's about raising the cost of attack.

Start with your crown jewels. What data or systems would hurt most if compromised? Isolate those first. Add boundaries incrementally, prioritizing by risk.

Test your boundaries. Can a workstation in segment A actually reach a server in segment B? Verify that your policies work, not just that they exist.

Monitor inter-segment traffic. Baseline normal patterns. Alert on anomalies. A workstation that suddenly tries to reach the database segment is worth investigating.
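Baselining inter-segment traffic and alerting on deviations can be shown over a handful of checkpoint log lines. The Python below is an added example and not code from the page; the log format, the segment address ranges and every sample line are constructed for illustration. It learns the set of segment-to-segment flows seen during a known-good window, then flags any later connection attempt, accepted or dropped, whose flow never appeared in that window. Dropped attempts are kept on purpose: a workstation that suddenly tries to reach the database segment is exactly the case the page says is worth investigating, and the firewall blocking it is the signal, not the absence of one.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed segments; the ranges are assumptions for the example.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "db": ipaddress.ip_network("10.40.0.0/24"),
}

# Assumed log format emitted by the inter-segment checkpoint, one connection per line:
#   <timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside all ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a record, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["src_seg"] = segment_of(rec["src"])
    rec["dst_seg"] = segment_of(rec["dst"])
    return rec


def flow_key(rec: Dict):
    """Abstract a connection to the segment-level flow it represents."""
    return (rec["src_seg"], rec["dst_seg"], rec["proto"], rec["dport"])


def build_baseline(lines: List[str]) -> Counter:
    """Count the inter-segment flows observed during a known-good window."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src_seg"] == rec["dst_seg"]:
            continue  # unparseable, or traffic that never crossed a boundary
        counts[flow_key(rec)] += 1
    return counts


def detect_anomalies(baseline: Counter, lines: List[str]) -> List[Dict]:
    """Return records whose segment-level flow was never seen in the baseline."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src_seg"] == rec["dst_seg"]:
            continue
        if flow_key(rec) not in baseline:
            alerts.append(rec)
    return alerts


def summarize(alerts: List[Dict]) -> Counter:
    """Collapse alerts to (source segment, destination segment) pairs for triage."""
    return Counter((a["src_seg"], a["dst_seg"]) for a in alerts)


# Constructed known-good window: the expected web -> app -> db chain.
BASELINE_LOG = [
    "2024-05-06T09:00:01 ACCEPT src=10.10.4.20 dst=10.20.0.5 proto=tcp dport=443",
    "2024-05-06T09:00:02 ACCEPT src=10.20.0.5 dst=10.30.0.7 proto=tcp dport=8443",
    "2024-05-06T09:00:02 ACCEPT src=10.30.0.7 dst=10.40.0.9 proto=tcp dport=5432",
    "2024-05-06T09:05:11 ACCEPT src=10.10.7.3 dst=10.20.0.5 proto=tcp dport=443",
    "2024-05-06T09:05:12 ACCEPT src=10.20.0.5 dst=10.30.0.7 proto=tcp dport=8443",
    "2024-05-06T09:05:12 ACCEPT src=10.30.0.7 dst=10.40.0.9 proto=tcp dport=5432",
    "2024-05-06T09:07:40 ACCEPT src=10.10.7.3 dst=10.10.8.8 proto=tcp dport=445",
]

# Constructed later window: one workstation starts probing the database segment.
NEW_LOG = [
    "2024-05-07T02:13:05 ACCEPT src=10.10.4.20 dst=10.20.0.5 proto=tcp dport=443",
    "2024-05-07T02:13:09 DROP src=10.10.4.20 dst=10.40.0.9 proto=tcp dport=5432",
    "2024-05-07T02:13:10 DROP src=10.10.4.20 dst=10.40.0.9 proto=tcp dport=1433",
    "2024-05-07T02:13:12 ACCEPT src=10.30.0.7 dst=10.40.0.9 proto=tcp dport=5432",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for alert in detect_anomalies(baseline, NEW_LOG):
        print("ALERT", alert["ts"], alert["action"], flow_key(alert))
```

The baseline is keyed on segments rather than individual hosts, so a new web server appearing in the web segment does not trigger alerts, while a workstation talking to the database segment on any port does. In practice the known-good window must itself be reviewed before it is trusted, since a flow that was already malicious when the baseline was taken would be learned as normal.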

Accept that some applications will break. Have a process for evaluating exceptions: is the risk of allowing this traffic less than the cost of fixing the application?

Document everything. Future you (or your replacement) needs to understand why these boundaries exist and what traffic is allowed.
