Network Segmentation Fundamentals
Why flat networks are dangerous, how segmentation limits blast radius, and practical approaches to segmenting your environment.
Network segmentation divides a computer network into smaller, isolated subnetworks (segments or zones). Each segment has its own security controls and access policies. Traffic between segments passes through firewalls or access control lists that enforce rules about what communication is permitted.
The alternative, a flat network, allows any device to communicate directly with any other device. On a flat network, an attacker who compromises a single workstation can immediately reach domain controllers, databases, backup servers, and every other asset. Segmentation limits this lateral movement.
The primary benefit is blast radius reduction. When an attacker gains a foothold in one segment, segmentation prevents them from freely moving to more valuable targets. If your point-of-sale systems are on a separate segment from your corporate workstations, compromising an employee laptop does not automatically give access to cardholder data.
Segmentation also narrows compliance scope. PCI DSS, for example, does not mandate segmentation, but if the cardholder data environment (CDE) is isolated from the rest of the network, the assessment covers only the systems that handle cardholder data and those that can connect to them, rather than your entire infrastructure. The assessor will expect evidence that the isolation actually holds, so scope reduction depends on segmentation that is tested, not just drawn on a diagram.
VLANs (Virtual LANs) are the most common segmentation technique. VLANs create logical Layer 2 boundaries on the same physical switch infrastructure, so devices on different VLANs can only communicate through a Layer 3 gateway. The VLAN itself is only a boundary; the security comes from the firewall rules or ACLs applied at that gateway. A router or Layer 3 switch that forwards freely between VLANs gives an attacker the same reach as a flat network.
Firewall zones group network segments by trust level. A typical three-zone architecture includes an external zone (internet), a DMZ (publicly accessible servers like web and email), and an internal zone (corporate resources). Traffic policies between zones are strictly controlled.
Microsegmentation takes segmentation to the workload level. Instead of segmenting by network location, microsegmentation applies policies to individual workloads, containers, or virtual machines. If two VMs are on the same VLAN but have different security requirements, microsegmentation enforces different policies for each. Tools like VMware NSX, Illumio, and Guardicore enable this approach.
Software-defined networking (SDN) separates the network control plane from the data plane, making segmentation policies programmable and dynamic. SDN can enforce segmentation that adapts based on user identity, device posture, or threat intelligence.
Start by identifying your most critical assets and the data flows they require. Map which systems need to communicate with each other and on which ports. Group systems by function and sensitivity level.
Common segments include: user workstations, servers (further divided by function), databases, management and monitoring infrastructure, IoT and OT devices, guest Wi-Fi, and development/test environments.
Apply the principle of least privilege to inter-segment traffic. Only allow the specific ports and protocols that legitimate communication requires. Block everything else and log denied traffic. Those denies are also useful detection data: a workstation repeatedly hitting database or management ports is a strong sign of scanning or lateral movement, so make sure the logs reach your monitoring.
Over-segmenting can be as problematic as under-segmenting. If you create too many segments with too many exceptions, the complexity becomes unmanageable and rules start getting loosened out of frustration.
Failing to segment management traffic is another common gap. If your management VLAN (used for SSH, RDP, and administration consoles) is reachable from the general corporate network, an attacker who compromises any workstation can pivot straight to administrative interfaces. Restrict access to the management segment to dedicated administrative workstations or a hardened jump host, and treat management ports on servers in other segments the same way.
Test your segmentation regularly. Place a scanner in each segment and scan representative hosts in every other segment, then compare the open paths against your documented allow-list. Any open path that is not documented is a finding; any documented path that turns out to be closed should be investigated rather than fixed by opening more. Penetration testers should specifically validate that segmentation controls hold up under adversarial conditions, not just against a port scan.
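As an added example (not from the article or from any vendor tool it names) of turning the steps above into something checkable: the segmentation policy is written as an explicit allow-list of inter-segment flows, the gateway decision falls through to deny-and-log, and scan results gathered from a host in each segment are compared against that allow-list, with a separate view of anything that exposes the management plane. The segment names, address ranges, rules, the MGMT_PORTS set and the scan output are all constructed for illustration, and the function names are the example's own.

```python
"""Added example, not part of the original article: a small model of a
zone-based allow-list policy and a checker that compares it with scan
results gathered from each segment. Segment names, address ranges, rules
and the scan data below are all constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One inter-segment path: source segment -> destination segment on a
    given protocol/port."""
    src: str
    dst: str
    proto: str
    port: int


# Constructed segment addressing (one CIDR per VLAN/zone).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web_dmz":      ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":         ipaddress.ip_network("10.99.0.0/24"),
}

# Explicit allow-list of inter-segment flows (least privilege). Anything
# not listed here is denied and logged.
ALLOW = {
    Flow("workstations", "web_dmz", "tcp", 443),
    Flow("web_dmz", "db", "tcp", 5432),
    Flow("mgmt", "web_dmz", "tcp", 22),
    Flow("mgmt", "db", "tcp", 22),
}

# Ports that reach administrative interfaces (assumed set); never expected
# from anywhere but the management segment.
MGMT_PORTS = {22, 3389}


def segment_of(ip):
    """Map an address to its segment name; 'unknown' if outside all ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip, dst_ip, proto, port):
    """Gateway decision for one packet: allow only on an explicit rule.
    Returns (decision, log_line); log_line is None when allowed."""
    flow = Flow(segment_of(src_ip), segment_of(dst_ip), proto, port)
    if flow in ALLOW:
        return "allow", None
    return "deny", f"DENY {flow.src}->{flow.dst} {proto}/{port} {src_ip}->{dst_ip}"


def audit(scan_results):
    """Compare observed reachability with the policy.

    scan_results: iterable of (src_ip, dst_ip, proto, port, state) as a
    scanner placed in each segment would report it. Returns two lists:
    paths that are open but not in ALLOW (segmentation failures), and
    paths in ALLOW that were observed closed (rule not deployed, or the
    service is down; investigate before relaxing anything).
    """
    unexpected_open, allowed_but_closed = [], []
    for src_ip, dst_ip, proto, port, state in scan_results:
        flow = Flow(segment_of(src_ip), segment_of(dst_ip), proto, port)
        if flow.src == flow.dst:
            continue  # intra-segment traffic does not cross the gateway
        if state == "open" and flow not in ALLOW:
            unexpected_open.append(flow)
        elif state == "closed" and flow in ALLOW:
            allowed_but_closed.append(flow)
    return unexpected_open, allowed_but_closed


def management_exposure(flows):
    """Subset of flows that reach the management segment or an admin port
    from a segment other than mgmt (the gap described in the article)."""
    return [f for f in flows
            if f.src != "mgmt" and (f.dst == "mgmt" or f.port in MGMT_PORTS)]


# Constructed scan output: what a scanner in each segment observed.
SCAN = [
    ("10.10.5.23", "10.20.0.10", "tcp", 443, "open"),    # allowed
    ("10.10.5.23", "10.30.0.5", "tcp", 5432, "open"),    # workstation straight to DB
    ("10.10.5.23", "10.30.0.5", "tcp", 22, "open"),      # SSH to DB from a workstation
    ("10.10.5.23", "10.99.0.2", "tcp", 443, "open"),     # admin console from a workstation
    ("10.20.0.10", "10.30.0.5", "tcp", 5432, "open"),    # allowed
    ("10.20.0.10", "10.10.5.23", "tcp", 445, "closed"),  # DMZ cannot reach workstations: good
    ("10.99.0.2", "10.30.0.5", "tcp", 22, "closed"),     # allowed but closed: investigate
]

if __name__ == "__main__":
    bad, missing = audit(SCAN)
    for f in bad:
        print("UNEXPECTED OPEN:", f)
    for f in management_exposure(bad):
        print("MANAGEMENT EXPOSED:", f)
    for f in missing:
        print("ALLOWED BUT CLOSED:", f)
    print(evaluate("10.10.5.23", "10.30.0.5", "tcp", 5432))
```

Two design points carry over to real tooling: addresses outside every defined segment map to "unknown", which never matches a rule and is therefore denied, so an unplanned subnet cannot silently inherit access; and an allowed path that scans closed is reported separately from a violation, because the right response is to find out why, not to add another exception.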
Written by CDA Wiki Team