Network Segmentation Guide
Every ransomware incident report I have read in the past two years contains the same depressing paragraph: "The attacker moved laterally across the flat network and gained access to critical systems within hours." Flat networks are the open-plan offices of cybersecurity - everything is visible, nothing is contained, and one bad actor ruins it for everyone.
Network segmentation is the antidote. It is not a new concept, but it remains one of the most underimplemented controls in enterprise IT. The principle is straightforward: divide your network into isolated segments so that a breach in one area cannot cascade across the entire organisation. The execution, however, requires careful planning.
This guide walks through the practical realities of network segmentation - what works, what does not, and how to build a segmentation strategy that aligns with modern zero trust principles.
Why Flat Networks Are Indefensible
A flat network is one where every device can communicate with every other device without restriction. It is the default state of most networks that have grown organically over years. A laptop in marketing can ping the database server in finance. A printer in reception can reach the domain controller.
Attackers exploit this aggressively. Once they compromise a single endpoint - typically through phishing or a vulnerable application - they perform reconnaissance across the entire network. They discover file shares, admin consoles, and backup systems. They harvest credentials and escalate privileges. The whole process can take less than a day on a flat network.
Segmentation changes the equation. If an attacker compromises a workstation in the guest Wi-Fi segment, they hit a wall when they try to reach production servers. Each wall costs them time, forces them to make noise, and gives your security team a chance to detect and respond.
Macro vs Microsegmentation
Network segmentation exists on a spectrum. At one end, you have macrosegmentation - the traditional approach using VLANs, subnets, and internal firewalls to create broad zones. At the other end, microsegmentation applies granular policies down to individual workloads or applications.
Macrosegmentation
Macrosegmentation divides the network into large zones based on function or trust level. A typical enterprise might have zones for corporate users, servers, DMZ, guest access, IoT devices, and management infrastructure. Traffic between zones is controlled by firewall rules.
This approach is well understood and supported by existing infrastructure. Most organisations already have VLANs in place. The challenge is that firewall rule sets between zones become unwieldy over time. Rules accumulate, nobody removes old ones, and eventually you have thousands of rules that nobody fully understands. I have seen organisations with firewall rule sets so bloated that the security team was afraid to touch them in case something broke.
When macrosegmentation works well:
- Separating fundamentally different network functions (corporate vs guest vs IoT)
- Isolating legacy systems that cannot support modern security controls
- Meeting compliance requirements that mandate network separation (PCI DSS, for example)
- Providing a first layer of containment while you build towards microsegmentation
Microsegmentation
Microsegmentation moves the security boundary closer to the workload itself. Rather than controlling traffic between broad zones, you define policies for individual applications, services, or even containers. East-west traffic within a zone is now subject to policy enforcement.
Modern microsegmentation is typically software-defined. Tools like VMware NSX, Illumio, or Guardicore (now part of Akamai) create virtual boundaries that are independent of the physical network topology. This means you can segment a three-tier application so that the web tier can only talk to the application tier on specific ports, and the application tier can only reach the database on its designated port.
The advantage is precision. The disadvantage is complexity. Microsegmentation requires a thorough understanding of your application traffic flows. If you do not know what talks to what, you will either break applications or create overly permissive policies that defeat the purpose.
Building a Segmentation Strategy
A segmentation project is not a weekend task. It requires methodical planning across several phases.
Phase 1 - Map Your Environment
You cannot segment what you do not understand. Start with a comprehensive discovery exercise:
- Asset inventory - identify every device, server, and service on the network
- Traffic flow analysis - understand what communicates with what, on which ports, and how frequently
- Application dependency mapping - document the relationships between application components
- Crown jewel identification - determine which systems hold your most sensitive data and critical business functions
Most organisations are surprised by what they find. Shadow IT devices, forgotten test servers, and undocumented application dependencies are common discoveries. This mapping exercise alone provides significant security value.
Phase 2 - Define Your Zones
Based on your discovery, design a zone architecture. Common segments include:
- User endpoints - corporate workstations and laptops
- Server infrastructure - production, staging, and development environments (separated)
- Database tier - isolated with strict access controls
- Management plane - out-of-band management interfaces, jump boxes, and admin tools
- IoT and OT - cameras, sensors, building management systems
- Guest and BYOD - untrusted devices with internet access only
- DMZ - public-facing services
The key principle is that each zone should have a clear purpose and a defined trust level. Traffic between zones should be explicitly permitted, not implicitly allowed.
Phase 3 - Implement in Stages
Do not attempt to segment everything at once. Start with the highest-value, lowest-risk changes:
- Isolate IoT devices - these are often the easiest to segment and the most dangerous when left on the corporate network. Most IoT devices need internet access and a management interface, nothing more.
- Separate guest from corporate - if you have not done this already, it should be your first priority.
- Protect crown jewels - build strict segments around your most critical databases and applications.
- Segment production from development - prevent development environments from becoming a backdoor into production.
- Implement management plane isolation - ensure that admin interfaces and management tools are only accessible from dedicated jump boxes or privileged access workstations.
Each stage should include a monitoring period where you observe traffic patterns and adjust rules before enforcing them.
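The discovery and staging work above, and the three-tier web/app/database example from the microsegmentation section, can be rehearsed on flow data before any rule is enforced. The following Python is an added example, not code from the original post: it aggregates constructed flow records into a zone-level dependency map (Phase 1) and then dry-runs a proposed default-deny zone allow-list against the same flows (the Phase 3 monitoring period), reporting what the policy would break. The addressing plan, zone names, allow-list entries and flow records are all constructed for illustration.

```python
"""Added example, not code from the original post: build a zone-level
dependency map from flow records (Phase 1), then dry-run a proposed
default-deny zone policy against those flows (Phase 3 monitoring period).
The addressing plan, zone names, allow-list and flow records are all
constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed addressing plan: CIDR -> zone name.
ZONES = {
    "10.10.0.0/24": "user-endpoints",
    "10.20.1.0/24": "web-tier",
    "10.20.2.0/24": "app-tier",
    "10.20.3.0/24": "db-tier",
    "10.30.0.0/24": "iot",
    "10.40.0.0/24": "management",
}

# Proposed inter-zone allow-list: (src_zone, dst_zone, dst_port).
# Anything not listed is denied. Traffic inside a zone is left alone here,
# which is the macrosegmentation model; microsegmentation would key the
# list by workload instead of by zone.
ALLOW = {
    ("user-endpoints", "web-tier", 443),
    ("web-tier", "app-tier", 8080),
    ("app-tier", "db-tier", 5432),
    ("management", "web-tier", 22),
    ("management", "app-tier", 22),
    ("management", "db-tier", 22),
}

# Constructed flow records in a NetFlow-like shape: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.10.0.15", "10.20.1.10", 443, 120_000),
    ("10.10.0.15", "10.10.0.40", 445, 9_000),     # same zone, not policed at zone level
    ("10.20.1.10", "10.20.2.10", 8080, 80_000),
    ("10.20.2.10", "10.20.3.10", 5432, 40_000),
    ("10.20.1.10", "10.20.3.10", 5432, 2_000),    # web tier reaching the DB directly
    ("10.30.0.7", "10.20.3.10", 445, 500),        # camera probing SMB on the DB host
    ("10.10.0.22", "10.20.2.10", 22, 3_000),      # SSH from a laptop, not from management
    ("10.40.0.5", "10.20.3.10", 22, 6_000),
]


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ip_network(cidr):
            return name
    return "unknown"


def dependency_map(flows):
    """Phase 1: total bytes per (src_zone, dst_zone, dst_port) observed."""
    deps = defaultdict(int)
    for src, dst, port, nbytes in flows:
        deps[(zone_of(src), zone_of(dst), port)] += nbytes
    return dict(deps)


def simulate_policy(flows, allow):
    """Phase 3 dry run: sort each flow into what the policy would do with it,
    without blocking anything yet."""
    verdicts = {"allowed": [], "would_block": []}
    for src, dst, port, _ in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        permitted = src_zone == dst_zone or (src_zone, dst_zone, port) in allow
        verdicts["allowed" if permitted else "would_block"].append((src, dst, port))
    return verdicts


if __name__ == "__main__":
    for key, nbytes in sorted(dependency_map(FLOWS).items()):
        print(f"{key[0]:>15} -> {key[1]:<15} port {key[2]:<5} {nbytes:>8} bytes")
    for src, dst, port in simulate_policy(FLOWS, ALLOW)["would_block"]:
        print(f"would block: {src} -> {dst}:{port}  ({zone_of(src)} -> {zone_of(dst)})")
```

Each entry in the `would_block` list is a decision to make before enforcement: the web-to-database flow is either an undocumented dependency that needs a rule (or, better, a code fix), while the camera probing SMB and the laptop SSHing into the app tier are exactly the paths the new policy exists to close. Running the dry run against a full monitoring period of flows, rather than a handful of records, is what turns the allow-list from a guess into a policy.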
Phase 4 - Monitor and Maintain
Segmentation is not a set-and-forget control. Networks change constantly. New applications are deployed, old ones are decommissioned, and business requirements evolve. Your segmentation strategy must keep pace.
Implement continuous monitoring for:
- Traffic that violates segmentation policies (blocked connections may indicate misconfiguration or compromise)
- New devices appearing in segments where they should not exist
- Rule bloat in firewall policies
- Drift from the documented architecture
Schedule quarterly reviews of your segmentation architecture. Remove stale rules, validate that zones still reflect the current environment, and assess whether new segments are needed.
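The four monitoring items above (policy violations, unexpected devices, rule bloat and drift) can be checked mechanically at each review. The following Python is an added example, not code from the original post: it finds shadowed and stale rules in an ordered, first-match-wins rule set, summarises denied east-west flows per zone pair from firewall log lines, and flags source addresses that do not appear in the asset inventory. The rule set, inventory, addressing plan and log lines are all constructed for illustration.

```python
"""Added example, not code from the original post: the Phase 4 checks run
over a constructed firewall rule set, asset inventory and firewall log
lines. Addresses, zones, rules and log lines are all constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed addressing plan: CIDR -> zone name.
ZONES = {
    "10.10.0.0/24": "user-endpoints",
    "10.20.3.0/24": "db-tier",
    "10.30.0.0/24": "iot",
    "10.40.0.0/24": "management",
}

# Ordered rule set, first match wins; "any" is a wildcard.
# Fields: (src_zone, dst_zone, dst_port, action, hits_in_review_period)
RULES = [
    ("management", "db-tier", "any", "allow", 1240),
    ("management", "db-tier", 22, "allow", 0),        # shadowed by the rule above
    ("user-endpoints", "db-tier", 1433, "allow", 0),  # stale: nothing uses it
    ("iot", "db-tier", "any", "deny", 57),
    ("user-endpoints", "db-tier", 5432, "allow", 310),
]

# Asset inventory: IP -> zone the device is documented to live in.
INVENTORY = {
    "10.10.0.15": "user-endpoints",
    "10.20.3.10": "db-tier",
    "10.30.0.7": "iot",
    "10.40.0.5": "management",
}

# Constructed firewall log lines in a key=value format.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z action=DENY src=10.30.0.7 dst=10.20.3.10 dport=445
2024-05-01T10:00:09Z action=DENY src=10.30.0.7 dst=10.20.3.10 dport=3389
2024-05-01T10:02:30Z action=DENY src=10.30.0.99 dst=10.20.3.10 dport=5432
2024-05-01T10:05:00Z action=ALLOW src=10.40.0.5 dst=10.20.3.10 dport=22
2024-05-01T10:07:12Z action=DENY src=10.10.0.15 dst=10.20.3.10 dport=3306
"""
LOG_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ip_network(cidr):
            return name
    return "unknown"


def _covers(a, b):
    """Does rule field a match everything that rule field b matches?"""
    return a == "any" or a == b


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers all their traffic."""
    found = []
    for i, later in enumerate(rules):
        if any(all(_covers(e, lt) for e, lt in zip(earlier[:3], later[:3]))
               for earlier in rules[:i]):
            found.append(later)
    return found


def stale_rules(rules):
    """Rules with no hits in the review period: candidates for removal."""
    return [r for r in rules if r[4] == 0]


def deny_report(log_text):
    """Count denied flows per (src_zone, dst_zone, port) and list source
    addresses that are not in the inventory at all."""
    counts = Counter()
    unknown = set()
    for m in LOG_RE.finditer(log_text):
        if m["action"] != "DENY":
            continue
        counts[(zone_of(m["src"]), zone_of(m["dst"]), int(m["dport"]))] += 1
        if m["src"] not in INVENTORY:
            unknown.add(m["src"])
    return counts, sorted(unknown)


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("stale:", stale_rules(RULES))
    counts, unknown = deny_report(FIREWALL_LOG)
    for key, n in counts.most_common():
        print(f"denied {n}x: {key}")
    print("sources not in inventory:", unknown)
```

The shadow check is deliberately structural and ignores the action field: a rule that cannot fire is dead weight whether it allows or denies, and removing it is what keeps the rule set from growing into the thousands-of-rules state described earlier. The deny report is the east-west view the post asks for: repeated denies from the IoT zone towards the database tier are a device doing something it should not, and a denied source that is absent from the inventory is a new device in a segment where nothing new should appear.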
Aligning Segmentation With Zero Trust
Network segmentation is a foundational element of zero trust architecture. In a zero trust model, no network location is inherently trusted. Segmentation provides the structural boundaries, while identity verification and continuous authentication provide the access controls within those boundaries.
The alignment works both ways. Zero trust principles inform your segmentation design by shifting the focus from network location to identity and context. A user in the corporate segment should not automatically have access to sensitive systems simply because they are on the "trusted" network. They should still authenticate, present valid credentials, and meet posture requirements.
Combine segmentation with identity-first security and privileged access management to create defence in depth. Segmentation limits lateral movement. Identity controls limit who can access what. PAM controls limit what administrators can do. Together, they create multiple barriers that an attacker must overcome.
Common Mistakes to Avoid
Over-segmenting too early. If you create fifty segments before you understand your traffic flows, you will spend months troubleshooting broken applications. Start broad, then refine.
Neglecting east-west monitoring. Many organisations monitor north-south traffic (in and out of the network) but ignore east-west traffic (within the network). Attackers exploit this blind spot ruthlessly. Your segmentation strategy must include visibility into lateral traffic.
Treating segmentation as a project, not a programme. Segmentation degrades over time if it is not actively maintained. Build maintenance into your operational processes from day one.
Forgetting about non-network segmentation. Network segmentation is one layer. Application-level segmentation, data-level segmentation, and identity segmentation are equally important. Do not rely on network controls alone.
Ignoring the human element. The best segmentation architecture in the world will fail if your team creates exceptions for convenience. Establish a formal exception process with time-limited approvals and regular reviews.
Practical Takeaways
Network segmentation is not glamorous. It does not make for exciting conference talks or impressive demos. But it is one of the most effective controls you can implement to reduce the blast radius of a breach.
Start with what you have. Most organisations already have VLANs and firewalls that can provide basic segmentation with some reconfiguration. You do not need to buy new tools to make meaningful progress. Map your environment, identify your crown jewels, and build walls around the things that matter most.
The goal is not a perfectly segmented network on day one. The goal is continuous improvement - each quarter, your segmentation should be a little tighter, your visibility a little better, and your attack surface a little smaller. That is how you build resilience.
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.