# Network Segmentation
Network segmentation is the practice of dividing a network into isolated segments with controlled access between them. Each segment contains a defined set of systems and data, and traffic between segments passes through enforcement points (firewalls, access control lists, software-defined networking policies) that restrict movement to authorized paths only.
The purpose is blast radius reduction. In a flat (unsegmented) network, an attacker who compromises a single endpoint can reach every other system on the network. In a segmented network, the attacker is contained within the segment they compromised. Reaching other segments requires passing through enforcement points that can detect, restrict, and block unauthorized lateral movement.
Segmentation is one of the oldest principles in network security (VLANs have existed since the 1990s), but the implementation has evolved dramatically. Traditional segmentation used VLANs and firewall zones to create coarse-grained boundaries: DMZ, internal network, production, development. Modern micro-segmentation uses software-defined networking to create fine-grained boundaries around individual workloads, applications, and data stores, enforcing policy at the hypervisor, host agent, or cloud fabric next to each workload rather than at a handful of chokepoints in the physical topology.
The evolution from VLANs to micro-segmentation mirrors the broader shift from perimeter-based security to zero trust architecture. VLANs segment the network. Micro-segmentation segments the workloads. Zero trust eliminates the assumption that anything inside any segment is trusted by default.
Traditional segmentation divides the network into zones using VLANs (Virtual Local Area Networks) with firewall rules controlling traffic between zones:
DMZ (Demilitarized Zone). Internet-facing servers (web servers, email gateways, DNS) are placed in a DMZ segment that sits between the external firewall (facing the internet) and the internal firewall (facing the corporate network). The DMZ can receive inbound internet traffic but has restricted access to internal systems.
Internal network zones. The internal network is divided into zones by function: corporate (user workstations), server (production servers), development (non-production systems), management (network management, IT administration), and restricted (high-security systems such as financial databases, HR systems, PCI cardholder data environment).
Inter-zone firewall rules. Firewall rules define what traffic is permitted between zones. Corporate users can access the server zone on specific application ports. The development zone cannot access the production server zone directly. The management zone can access all zones for administration but only from specific management workstations with elevated credentials.
Traditional segmentation is effective at reducing blast radius at the zone level. An attacker who compromises a workstation in the corporate zone cannot directly reach the database in the restricted zone because the firewall blocks the traffic. The attacker must find a path: compromise a system in the server zone that has authorized access to the restricted zone, then pivot through that system.
The limitation: traditional segmentation is coarse-grained. Every system within a zone can communicate freely with every other system in that zone. If the attacker compromises one production server, they can reach every other production server in the same VLAN without crossing a firewall boundary. Within a zone, the network is flat, and because intra-zone traffic never passes through the firewall it is neither blocked nor logged.
Micro-segmentation solves the intra-zone problem by enforcing access policies at the individual workload level. Instead of defining zones (all production servers in one VLAN), micro-segmentation defines policies per application or per workload: the web server can communicate with the application server on port 8443. The application server can communicate with the database on port 5432. The web server cannot communicate with the database directly. The database cannot initiate outbound connections. Because the enforcement is stateful, the database still answers connections the application server opened; what it cannot do is open new connections of its own.
Micro-segmentation is implemented through software-defined networking (SDN) platforms: VMware NSX, Illumio, Guardicore (now Akamai), Cisco ACI, and cloud-native security groups (AWS Security Groups, Azure NSGs, GCP Firewall Rules). These platforms enforce policy at the hypervisor, host agent, or cloud infrastructure layer, independent of the physical network topology.
The result: even within a single "production" environment, each application is isolated from every other application. An attacker who compromises the web server can communicate with the application server (because that is an authorized path) but cannot communicate with the HR database, the financial system, or the email server. Each lateral movement attempt hits a policy enforcement point.
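The zone-based pivot path described above and the per-workload isolation described here can be compared on the same inventory with a small reachability model. The following is an added example, not code from the original page: the hosts, zone names, roles and rules are constructed, and the "server" zone deliberately holds two applications (HR and payments) so that intra-zone flatness and per-workload rules can be contrasted. The model is worst-case: any host the attacker can open a permitted connection to is assumed compromisable and becomes a new pivot, so it measures the paths the policy leaves open, not the difficulty of exploiting the hosts on them.

```python
"""Blast-radius model: how far lateral movement gets from one foothold under
flat, zone-based, and micro-segmented policies.

Added example, not code from the original page. Inventory, zones and rules
are constructed for illustration."""
from collections import deque

# host -> (zone, workload role). Constructed inventory.
HOSTS = {
    "ws-01":   ("corporate",  "workstation"),
    "ws-02":   ("corporate",  "workstation"),
    "web-hr":  ("server",     "hr-web"),
    "app-hr":  ("server",     "hr-app"),
    "hr-db":   ("server",     "hr-db"),
    "web-pay": ("server",     "pay-web"),
    "app-pay": ("server",     "pay-app"),
    "pay-db":  ("restricted", "pay-db"),
    "bkp-01":  ("backup",     "backup"),
}

# A rule is (src_selector, dst_selector, port). A selector is a zone name, a
# workload role, or "*". Rules describe connections *initiated* from src to
# dst; replies are implied by stateful enforcement.
FLAT = [("*", "*", "*")]

ZONE_BASED = [
    # each zone is flat internally: one VLAN, no firewall in the path
    ("corporate", "corporate", "*"),
    ("server", "server", "*"),
    ("restricted", "restricted", "*"),
    ("backup", "backup", "*"),
    # inter-zone rules are written against address ranges, as zone firewalls are
    ("corporate", "server", 443),      # users reach the web front ends
    ("server", "restricted", 5432),    # server zone may query the payments DB
    ("backup", "*", 22),               # backups are pulled; nothing initiates to backup
]

MICRO = [
    # per-workload rules: only the documented application flows
    ("workstation", "hr-web", 443),
    ("workstation", "pay-web", 443),
    ("hr-web", "hr-app", 8443),
    ("hr-app", "hr-db", 5432),
    ("pay-web", "pay-app", 8443),
    ("pay-app", "pay-db", 5432),
    ("backup", "*", 22),
]


def _matches(selector, host):
    zone, role = HOSTS[host]
    return selector in ("*", zone, role)


def open_ports(policy, src, dst):
    """Ports on which policy lets src initiate a connection to dst ("*" = any)."""
    if src == dst:
        return set()
    return {p for s, d, p in policy if _matches(s, src) and _matches(d, dst)}


def reachable(policy, foothold):
    """Worst-case lateral-movement model: every host the attacker can open a
    permitted connection to is assumed compromisable and becomes a new pivot.
    Returns {host: pivot path from the foothold} for each reachable host."""
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:                      # BFS, so paths are shortest pivots
            if dst not in paths and open_ports(policy, src, dst):
                paths[dst] = paths[src] + [dst]
                queue.append(dst)
    return paths


def blast_radius(policy, foothold):
    """Number of other hosts the foothold can eventually reach."""
    return len(reachable(policy, foothold)) - 1


if __name__ == "__main__":
    policies = (("flat", FLAT), ("zone-based", ZONE_BASED), ("micro", MICRO))
    for foothold in ("ws-01", "web-hr", "bkp-01"):
        for name, policy in policies:
            paths = reachable(policy, foothold)
            print(f"{foothold:8} {name:11} reaches {len(paths) - 1} other hosts")
            for path in paths.values():
                if len(path) > 2:
                    print("   pivot:", " -> ".join(path))
```

Three things fall out of running it. From a compromised HR web server, the zone-based policy leaves five other hosts reachable (the whole server zone, plus the payments database one pivot away), the per-workload policy leaves two (the HR application server and its database). A zone rule written as "corporate to server on 443" exposes the HR database on 443 as well, because zone rules are address ranges and do not know which hosts actually listen. And the backup host is unreachable from every other foothold under both segmented policies, while it can itself reach everything, which is exactly why backup infrastructure needs the hardest hardening of anything on the inventory.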
Zero trust architecture incorporates micro-segmentation as a core principle. NIST SP 800-207 lists micro-segmentation as one of its deployment approaches for zero trust, alongside enhanced identity governance and network infrastructure or software-defined perimeters: the network does not provide implicit trust to any device, and access to every resource is mediated by policy.
In a zero trust model, segmentation is not just network-level isolation. It is combined with identity verification (every access request is authenticated), device health assessment (the requesting device meets security requirements), and continuous monitoring (the access is logged and analyzed for anomalies). The segmentation provides the structural isolation. The zero trust policy engine provides the dynamic access control.
Organizations implement segmentation at varying levels of granularity:
Zone-based segmentation. The minimum viable approach. Separate the DMZ, corporate, server, development, and management zones. Apply firewall rules between zones. This is table-stakes security that most organizations should have implemented but some still lack.
Application-tier segmentation. Segment by application tier: web tier, application tier, data tier. Restrict communication to the expected application flow (web communicates with app, app communicates with database, database initiates nothing). This blocks the common pattern where a compromised internet-facing web server reaches the database directly, and it stops a compromised database from opening connections back toward the web or application tier.
Compliance-driven segmentation. Isolate regulated data environments from the general corporate network. PCI DSS does not mandate segmentation, but without it the entire network is the cardholder data environment (CDE) for assessment purposes; with it, scope shrinks to the CDE and the systems connected to it. The HIPAA Security Rule names no network architecture, but isolating systems that handle protected health information (PHI) is the usual way to satisfy its access-control and transmission-security safeguards. Compliance-driven segmentation reduces the scope of regulatory audits (only the segmented environment and what connects to it is in scope) and limits the blast radius if a breach occurs outside the regulated segment.
Full micro-segmentation. Per-workload policies that restrict every communication path to explicitly authorized traffic. This is the most effective segmentation strategy and the most operationally intensive to implement and maintain. Full micro-segmentation requires detailed application communication mapping (which systems talk to which, on what ports, in what direction) and ongoing policy maintenance as applications change.
Most successful attacks do not achieve their objective from the initial foothold. The attacker compromises one system (typically a user workstation through phishing), then moves laterally through the network to reach higher-value targets: domain controllers, database servers, file shares, backup systems. Lateral movement is the phase where a single compromised endpoint becomes a full network compromise.
Segmentation disrupts lateral movement by requiring the attacker to cross enforcement boundaries. Each boundary is a detection opportunity (the firewall logs the attempt) and a restriction (the policy may block the traffic). In a well-segmented environment, lateral movement is slow, noisy, and often unsuccessful.
The SolarWinds compromise demonstrated the cost of insufficient segmentation. The Orion server is a monitoring platform, so in a typical deployment it already held credentials for, and network reach to, much of the estate. From that foothold the attackers moved laterally to high-value targets (email systems, identity infrastructure, sensitive data stores) with minimal resistance because the internal network provided broad connectivity between segments. Management and monitoring systems need the same segmentation discipline as user workstations; they are footholds with privileged reach.
Ransomware's destructive power is proportional to the number of systems it can reach. In a flat network, ransomware that compromises one endpoint can encrypt every reachable file share, server, and backup repository. In a segmented network, the ransomware is confined to the compromised segment plus whatever the policy explicitly permits across the boundary, and those permitted paths are few, specific, and logged.
This containment does not prevent the initial infection. It limits the blast radius. An organization that segments its backup infrastructure from its production network ensures that ransomware encrypting production cannot also encrypt the backups, preserving the recovery capability that blunts the ransom demand. The isolation has to be directional to work: the backup system initiates connections into production, nothing in production can initiate connections to it, and the credentials that administer the backups must not live on production systems. Preserved backups address the encryption half of the threat only; data stolen before encryption is a separate exposure that segmentation of backups does nothing to reduce.
Segmentation directly reduces compliance audit scope. An organization processing payment cards on a segmented network only needs to assess PCI DSS compliance for the cardholder data environment and the systems that connect to it or could affect its security, not the entire network. Without segmentation, the entire network is in scope, multiplying the audit effort, cost, and remediation burden. The scope reduction is only accepted if the segmentation is shown to work: PCI DSS requires segmentation controls to be verified by penetration testing at least annually (every six months for service providers), and an undocumented firewall exception can silently pull systems back into scope.
The same principle applies to HIPAA, CMMC, and other framework-specific environments. Segmentation constrains the compliance boundary, which reduces cost and focuses security investment on the systems that require it.
Network segmentation sits at the intersection of SPH (Security Posture and Hygiene), VSD (Vulnerability and Surface Defense), and IAT (Identity Access and Trust) in the Planetary Defense Model.
SPH owns the operational maintenance of segmentation infrastructure. Firewall rules, VLAN configurations, micro-segmentation policies, and security group definitions are configuration elements that must be maintained, monitored for drift, and validated regularly. A segmentation policy that was correct six months ago may have accumulated exceptions, emergency changes, and workarounds that erode its effectiveness. APC (Autonomous Posture Command) monitors segmentation configuration for drift and triggers remediation when exceptions accumulate beyond acceptable thresholds.
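The communication mapping that full micro-segmentation depends on, the detection opportunity that each boundary crossing provides, and the drift check described here are all the same exercise: compare what the enforcement point actually did with what the intended policy says. The following is an added example, not code from the original page or from any of the products it names. The intended allowlist and the flow records are constructed, and the record format ("ts src dst port proto action") is a deliberate simplification of the flow logs that firewalls and cloud VPCs emit; a real deployment would parse those formats instead.

```python
"""Audit segmentation enforcement logs against the intended allowlist.

Added example, not code from the original page. Policy and flow records are
constructed; the record format is a simplification of real flow logs."""
from collections import defaultdict

# Intended policy for the HR application: (src, dst, port) that may be initiated.
INTENDED = {
    ("web-hr", "app-hr", 8443),
    ("app-hr", "hr-db", 5432),
    ("bkp-01", "hr-db", 22),
}

# Constructed flow records. ACCEPT/REJECT is the enforcement point's decision.
FLOW_LOG = """\
2024-05-01T10:00:01Z web-hr app-hr 8443 tcp ACCEPT
2024-05-01T10:00:02Z app-hr hr-db 5432 tcp ACCEPT
2024-05-01T10:00:05Z web-hr hr-db 5432 tcp REJECT
2024-05-01T10:00:06Z web-hr hr-db 22 tcp REJECT
2024-05-01T10:00:07Z web-hr app-pay 8443 tcp REJECT
2024-05-01T10:00:08Z web-hr pay-db 5432 tcp REJECT
2024-05-01T10:01:00Z app-pay hr-db 5432 tcp ACCEPT
2024-05-01T10:02:00Z bkp-01 hr-db 22 tcp REJECT
"""


def parse_flows(text):
    """One dict per non-empty line; a malformed line raises rather than being skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, action = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                      "proto": proto, "action": action})
    return flows


def classify(flow, intended):
    """Compare what enforcement did with what the intended policy says.

    expected: permitted and in the allowlist      (normal application traffic)
    drift:    permitted but not in the allowlist  (rule broader than intent, or an
                                                   undocumented exception)
    broken:   blocked although the allowlist permits it (misconfiguration: an
                                                   outage, or a backup job failing)
    blocked:  blocked and not in the allowlist    (enforcement working; each one is
                                                   a lateral-movement signal)
    """
    in_policy = (flow["src"], flow["dst"], flow["port"]) in intended
    if flow["action"] == "ACCEPT":
        return "expected" if in_policy else "drift"
    return "broken" if in_policy else "blocked"


def audit(flows, intended):
    report = {"expected": [], "drift": [], "broken": [], "blocked": []}
    for flow in flows:
        report[classify(flow, intended)].append(flow)
    return report


def probing_sources(blocked, threshold=3):
    """Sources blocked toward at least `threshold` distinct (dst, port) pairs.
    One rejected connection is noise; several from one host is a pivot attempt."""
    targets = defaultdict(set)
    for flow in blocked:
        targets[flow["src"]].add((flow["dst"], flow["port"]))
    return sorted(src for src, t in targets.items() if len(t) >= threshold)


def propose_rules(flows):
    """Mapping mode: derive a candidate allowlist from what was actually permitted.
    Review it before enforcing; it codifies whatever was happening, wanted or not."""
    return {(f["src"], f["dst"], f["port"]) for f in flows if f["action"] == "ACCEPT"}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    report = audit(flows, INTENDED)
    for kind in ("drift", "broken", "blocked"):
        for f in report[kind]:
            print(f"{kind:8} {f['src']} -> {f['dst']}:{f['port']}")
    print("probing sources:", probing_sources(report["blocked"]))
    print("learned rules not in intent:", sorted(propose_rules(flows) - INTENDED))
```

On the constructed log the audit finds one flow of each failure kind: an accepted payments-to-HR-database connection that no documented rule explains (drift, the case the paragraph above is about), a rejected backup connection that the policy says should succeed (a broken path that would show up as a failed backup job, not as a security alert), and four rejected attempts from the HR web server toward hosts it has no business reaching, enough for `probing_sources` to flag it. The learned allowlist from `propose_rules` contains the drift flow too, which is the caveat on discovery-based mapping: traffic observed during the mapping window is not automatically traffic that should be allowed.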
VSD benefits from segmentation as a surface reduction mechanism. Segmentation reduces the internal attack surface that an adversary can reach from any given foothold. CSR (Continuous Surface Reduction) applies: the fewer systems reachable from any single point, the smaller the effective attack surface for lateral movement.
IAT governs the access policies that segmentation enforces. In a zero trust model, segmentation is the structural layer and identity verification is the dynamic layer. ZPA (Zero Possession Architecture) principles apply: every access request across a segment boundary is verified, scoped to minimum privilege, and continuously validated.
The terrain metaphor is precise. Segmentation is the defensive terrain engineering that creates chokepoints, cleared fields of fire, and isolated defensive positions. A flat network is an open plain: the attacker can move freely in any direction. A segmented network is a fortified landscape: ridgelines, walls, controlled passes, and observation posts that channel movement and create detection opportunities.
Three TOP missions connect to segmentation: