Hard2bit

Network segmentation

What is network segmentation

Network segmentation is the practice of dividing a network into logical zones or segments (subnets, VLANs, cloud security groups) and restricting which traffic may pass between them. Traffic between segments is controlled by an enforcement point (a firewall, a router ACL, or a cloud security-group or network-policy rule) that applies an explicit, ideally default-deny, policy. Segmentation limits lateral movement: an attacker who compromises one segment cannot freely reach the others. Microsegmentation is the more granular form that draws security zones around individual applications or workloads rather than around whole subnets.

Why it matters

Most enterprise breaches involve lateral movement after the initial compromise. An attacker gains access to a workstation through phishing, then moves laterally to domain controllers, databases, and sensitive servers. Without segmentation, a single compromised system grants access to the entire network. With segmentation, the attacker must cross additional firewalls and access controls, which slows them down and, because every blocked connection can be logged, creates detection opportunities.

For CISOs, network segmentation is foundational to defense in depth. It protects crown jewels (databases, file servers, authentication systems) by isolating them in restricted segments. Segmentation also simplifies compliance: regulatory frameworks such as PCI DSS, HIPAA and NIS2 expect sensitive data to be isolated, and PCI DSS in particular allows a properly segmented cardholder data environment to reduce the assessment scope. Modern segmentation must account for hybrid architectures (on-premises, cloud, containers), not just traditional VLANs. Zero Trust architecture extends segmentation principles to application-level access controls.

Key points

VLAN-based segmentation divides networks at Layer 2 (switches) into logical broadcast domains; VLANs are inexpensive, but they only separate traffic if the switch configuration is correct: a Layer 3 device or firewall must still filter traffic between VLANs, and VLAN hopping is prevented by disabling automatic trunk negotiation on access ports and using an otherwise unused native VLAN on trunks

Firewall-based segmentation uses dedicated firewalls or appliances to control traffic between segments (DMZ, internal zones, restricted zones); provides stronger control but higher operational complexity

Microsegmentation applies segmentation at application or workload level, creating zero-trust zones where even systems in the same segment require explicit access approval

Database segmentation isolates databases in restricted segments accessible only by approved applications; prevents direct database access from workstations or unauthorized systems

Segmentation policies must be documented, tested, and monitored; overly permissive policies (allowing 'any to any' within segments) negate segmentation benefits

Segmentation containing a breach

A financial services company segments its network into a DMZ (public-facing web servers), an internal zone (office workstations), a database zone (isolated), and an admin zone (domain controllers). An attacker sends a phishing email to an accountant whose workstation is in the internal zone. The accountant clicks a link, and the attacker gains code execution. The attacker attempts to move laterally to the database zone to access customer financial records. The firewall between the internal and database zones denies the connection: microsegmentation restricts database access to a short list of approved application servers, and workstations are not on it. The attacker cannot reach the domain controllers in the admin zone either; administrative protocols such as RDP and SMB are only permitted from a hardened jump host that requires MFA, while workstations get only the authentication ports they need. Each denied connection is logged and alerts the security team, so the attacker's movement is blocked, detected, and reported. Containment happened within minutes because segmentation prevented rapid lateral movement. Without segmentation, the attacker would have reached both zones, harvested credentials, and exfiltrated data before detection.
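The scenario above expressed as runnable policy logic. This is an added example for this entry, not Hard2bit's code or any vendor's configuration: the zone CIDRs, the approved application-server addresses (10.3.0.10 and 10.3.0.11) and the simplified rule syntax are assumptions. It evaluates rules first-match with an implicit default deny, as most firewalls do, and includes the audit check for the "any to any" rules that the key points warn about.

```python
"""Zone firewall policy evaluation and audit.

Added illustration for this glossary entry, not Hard2bit's code. The zones,
addresses and rule syntax are constructed to mirror the scenario in the text;
a real firewall has its own configuration language, but the first-match,
default-deny evaluation shown here is how most of them behave.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

# Constructed zones (assumed CIDRs): the four zones from the scenario plus an
# application tier, because the database zone only trusts approved app servers.
ZONES = {
    "dmz":      ip_network("10.1.0.0/24"),
    "internal": ip_network("10.2.0.0/16"),
    "app":      ip_network("10.3.0.0/24"),
    "database": ip_network("10.4.0.0/24"),
    "admin":    ip_network("10.5.0.0/24"),
}
RESTRICTED = {"database", "admin"}     # crown-jewel zones
USER_ZONES = {"internal", "dmz"}       # where phishing or a web exploit lands first


@dataclass(frozen=True)
class Rule:
    src: str            # zone name, CIDR, or ANY
    dst: str            # zone name, CIDR, or ANY
    proto: str          # "tcp", "udp", or ANY
    dport: int | str    # destination port, or ANY
    action: str         # "allow" or "deny"


def _resolve(selector: str):
    """Map a zone name or CIDR string to a network; ANY matches everything."""
    if selector == ANY:
        return None
    return ZONES.get(selector) or ip_network(selector)


def _matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    for selector, addr in ((rule.src, src), (rule.dst, dst)):
        net = _resolve(selector)
        if net is not None and addr not in net:
            return False
    if rule.proto != ANY and rule.proto != proto:
        return False
    if rule.dport != ANY and rule.dport != dport:
        return False
    return True


def evaluate(policy: list[Rule], src: str, dst: str, proto: str, dport: int):
    """First matching rule wins; no match means implicit deny (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if _matches(rule, s, d, proto, dport):
            return rule.action, rule
    return "deny", None


def audit(policy: list[Rule]) -> list[tuple[int, str]]:
    """Flag allow rules that make segmentation nominal (the 'any to any' trap)."""
    findings = []
    for i, r in enumerate(policy):
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY:
            findings.append((i, "any-to-any allow: every zone can reach every zone"))
        elif r.dst in RESTRICTED and (r.src == ANY or r.dport == ANY):
            findings.append((i, f"broad allow into restricted zone '{r.dst}'"))
        elif r.dst == "database" and r.src in USER_ZONES:
            findings.append((i, "user-facing zone may open the database directly"))
    return findings


# Constructed policy for the scenario: approved app servers are 10.3.0.10/11.
POLICY = [
    Rule(ANY, "dmz", "tcp", 443, "allow"),                   # internet -> web tier
    Rule("internal", "app", "tcp", 443, "allow"),            # workstations -> app tier
    Rule("internal", "admin", "tcp", 88, "allow"),           # Kerberos to the DCs; no RDP/SMB
    Rule("10.3.0.10/32", "database", "tcp", 5432, "allow"),  # microsegmentation:
    Rule("10.3.0.11/32", "database", "tcp", 5432, "allow"),  # only these hosts reach the DB
    Rule(ANY, "database", ANY, ANY, "deny"),                 # explicit denies, so hits get logged
    Rule(ANY, "admin", ANY, ANY, "deny"),
]

if __name__ == "__main__":
    # The phished accountant's workstation tries the database, then a DC over RDP.
    for src, dst, port in (("10.2.5.23", "10.4.0.20", 5432),
                           ("10.3.0.10", "10.4.0.20", 5432),
                           ("10.2.5.23", "10.5.0.5", 3389)):
        action, rule = evaluate(POLICY, src, dst, "tcp", port)
        print(f"{src} -> {dst}:{port} {action} (rule: {rule})")
    print("audit findings:", audit(POLICY))
```

Running the file prints the verdicts for the accountant's workstation reaching the database and a domain controller. The explicit deny rules at the end of the policy exist so that each blocked attempt produces a log entry; relying on the implicit default deny alone gives the same enforcement but loses the detection opportunity.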

Common mistakes

  • Treating segmentation as network-only: application-level access controls (database authentication, API authorization) are equally important; a compromised user with high database privileges negates network segmentation
  • Creating overly complex segmentation policies that are not documented or monitored: security teams then create overly permissive temporary rules to reduce friction, gradually degrading segmentation effectiveness
  • Segmenting only production: development and staging environments need similar segmentation, since a compromised development system is a foothold for lateral movement like any other


Frequently asked questions

What is the difference between network segmentation and microsegmentation?

Network segmentation divides a network into large zones (DMZ, internal, database, admin) with firewalls controlling traffic between zones. Microsegmentation divides the network into small zones around individual applications or workloads, with strict access policies at the application level. For example, traditional segmentation might separate all databases into one zone; microsegmentation would isolate each database and specify exactly which applications can connect to it. Microsegmentation is more granular and powerful but operationally complex; it's typically implemented using software-defined networking, application-centric security, or zero-trust architectures.

How do we implement segmentation in cloud environments?

Cloud segmentation uses cloud-native security groups (AWS Security Groups, Azure Network Security Groups) and network access control lists (NACLs). Security groups attach to instances, network interfaces or (in Azure) subnets and are stateful allow-lists: a rule names a source (a CIDR or, better, another security group) plus protocol and port, and anything not listed is dropped. NACLs attach to subnets, are stateless, and support explicit deny rules, so they work as a coarse backstop rather than the primary control. For microsegmentation in the cloud, use application-layer controls (API gateways, service meshes like Istio, container network policies) and identity-based access (IAM policies). Hybrid environments (on-premises plus cloud) require careful planning to extend segmentation policies consistently across both. Cloud-native segmentation is more flexible than on-premises segmentation but requires different tools and expertise.
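An audit of the cloud-native mechanism described above, written for this entry as an added example rather than taken from Hard2bit or AWS documentation. It works on the IpPermissions structure that the EC2 DescribeSecurityGroups API returns, but the groups, IDs and CIDRs are constructed, the public-port allow-list is an assumption, and the "restricted" set stands in for whatever tagging the operator uses to mark crown-jewel groups. What it shows beyond the paragraph is why security-group references beat CIDRs for microsegmentation: the database group trusts the app group's identity, so a workstation in the office range reaches the app tier but not the database.

```python
"""Audit EC2 security-group ingress for segmentation failures.

Added illustration for this glossary entry, not Hard2bit's code. The input
mirrors the IpPermissions structure returned by the EC2 DescribeSecurityGroups
API, but every group below is constructed; to audit a real account, replace
SECURITY_GROUPS with boto3.client("ec2").describe_security_groups()["SecurityGroups"].
Prefix-list sources are not handled (assumption: none are in use).
"""
from ipaddress import ip_address, ip_network

INTERNET = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}   # assumption: the only ports a DMZ group may expose to the internet

# Constructed groups: web tier open on 443, app tier reachable from the office
# range, database tier reachable only by reference to the app group.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web-dmz", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.2.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c3", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]}]},
]

# Constructed counter-examples: a flat legacy group and a database group that
# trusts the whole office CIDR instead of the app tier.
BAD_GROUPS = [
    {"GroupId": "sg-0d4", "GroupName": "flat-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0e5", "GroupName": "database-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.2.0.0/16"}], "UserIdGroupPairs": []}]},
]


def _port_range(perm):
    """IpProtocol '-1' means all traffic and carries no FromPort/ToPort."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def can_reach(groups, dst_sg, port, src_sg=None, src_ip=None):
    """True if a host in src_sg, or at src_ip, may open `port` on a host in dst_sg.

    Security groups are stateful allow-lists with no deny rules, so one matching
    ingress permission is enough.
    """
    by_id = {g["GroupId"]: g for g in groups}
    for perm in by_id[dst_sg]["IpPermissions"]:
        lo, hi = _port_range(perm)
        if not lo <= port <= hi:
            continue
        if src_sg and any(p["GroupId"] == src_sg for p in perm.get("UserIdGroupPairs", [])):
            return True
        if src_ip and any(ip_address(src_ip) in ip_network(c) for c in _cidrs(perm)):
            return True
    return False


def audit(groups, restricted):
    """Return (GroupId, reason) findings. `restricted` names groups that must only
    accept ingress by security-group reference, never by CIDR (assumption: the
    operator tags crown-jewel groups this way)."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = _port_range(perm)
            cidrs = _cidrs(perm)
            for cidr in cidrs:
                if cidr in INTERNET and not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((g["GroupId"], f"internet-open ingress on {lo}-{hi}"))
                elif perm["IpProtocol"] == "-1" and ip_network(cidr).prefixlen <= 16:
                    findings.append((g["GroupId"], f"any-to-any ingress from {cidr}"))
            if g["GroupId"] in restricted and cidrs:
                findings.append((g["GroupId"], "restricted group accepts CIDR ingress"))
    return findings
```

The two checks map onto the mistakes in this entry: a `-1` protocol rule from a /16 or wider is the cloud form of "any to any", and a database group that lists a CIDR instead of the app tier's group ID lets every workstation in that range open the database port directly.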

Does segmentation prevent ransomware?

Segmentation significantly reduces ransomware impact by containing spread to a single segment. If ransomware compromises a workstation in the internal zone, network segmentation prevents spread to file servers or domain controllers in restricted zones. However, segmentation doesn't prevent the initial compromise or encryption of files within the compromised segment. True ransomware defense combines segmentation with immutable backups, rapid detection and response, and endpoint protection. Segmentation buys time and contains damage, but it's one component of comprehensive ransomware defense.

How do we balance segmentation security with operational convenience?

Segmentation security and operational convenience are often in tension. Overly restrictive policies reduce functionality; overly permissive policies negate security. Best practice: define segmentation based on business context (what data is sensitive, what systems are critical), implement firewall rules that enforce those policies, document all rules, regularly audit policies for unnecessary permissions, and use automation to manage policies at scale. Security awareness training helps teams understand why segmentation exists and reduces ad-hoc requests to bypass controls. Tools like network access control (NAC) and zero-trust access can improve both security and usability.