VLAN-based segmentation divides networks at Layer 2 into logical broadcast domains; VLANs are inexpensive but security depends on proper configuration and VLAN hopping prevention.
What is network segmentation
Network segmentation is the practice of dividing a network into logical zones or segments (subnets, VLANs, security groups) with restricted communication between segments. Access between segments is controlled by firewalls that enforce policies defining which traffic is allowed. Segmentation limits lateral movement—if an attacker compromises one segment, they cannot freely access other segments. Microsegmentation is a more granular version that creates security zones around individual applications or workloads.
Why it matters
Most enterprise breaches involve lateral movement after initial compromise. An attacker gains access to a workstation through phishing, then moves laterally to domain controllers, databases, and sensitive servers. Without segmentation, a single compromised system grants access to the entire network. With segmentation, the attacker must overcome additional firewalls and access controls, slowing them down and creating detection opportunities. For CISOs, network segmentation is foundational to defense in depth. It protects crown jewels (databases, file servers, authentication systems) by isolating them in restricted segments. Segmentation also simplifies compliance—regulatory frameworks (PCI DSS, HIPAA, NIS2) require network isolation for sensitive data. Modern segmentation must account for hybrid architectures (on-premises, cloud, containers), not just traditional VLANs. Zero Trust architecture extends segmentation principles to application-level access controls.
Key points
Firewall-based segmentation uses dedicated firewalls to control traffic between zones (DMZ, internal, restricted); stronger control, higher operational complexity.
Microsegmentation applies policies at application or workload level, creating zero-trust zones where systems in the same broader segment still require explicit access approval.
Database segmentation isolates databases in restricted zones accessible only by approved applications; prevents direct database access from workstations or unauthorised systems.
Segmentation is the natural substrate for Zero Trust: without separating what matters first, verifying every access request becomes operationally unrealistic.
Segmentation policies must be documented, tested and monitored; permissive 'any to any' rules inside segments quietly negate the benefits of the design.
Segmentation containing a breach
A financial services company segments its network into DMZ (public-facing web servers), internal zone (office workstations), database zone (isolated) and admin zone (domain controllers). An attacker sends a phishing email to an accountant whose workstation sits in the internal zone. The accountant clicks a link and the attacker gains code execution. They attempt to move laterally to the database zone to reach customer financial records.
The firewall between internal and database zones denies the connection—microsegmentation restricts database access to a short list of approved application servers. The attacker cannot reach the admin zone either; domain controllers sit behind another firewall requiring specific credentials and MFA. The attempt is blocked, detected and reported, and containment takes minutes. Without segmentation, the same initial compromise would have cascaded through the environment, exposing compromised credentials and enabling exfiltration long before detection.
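As an added example (not code from the original page), the four-zone design in the scenario above expressed as a default-deny inter-zone rule table with a per-host database allow list, plus the audit check for 'any to any' rules from the key points. Zone address ranges and the approved application server address are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address plan for the four zones in the scenario (constructed values).
ZONES = {
    "dmz": ip_network("10.1.0.0/24"),
    "internal": ip_network("10.2.0.0/24"),
    "database": ip_network("10.3.0.0/24"),
    "admin": ip_network("10.4.0.0/24"),
}
# Microsegmentation: the only hosts allowed to open database connections (assumed).
APPROVED_APP_SERVERS = {ip_address("10.1.0.10")}

@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

# Inter-zone policy: first match wins, the final rule is the default deny.
RULES = [
    Rule("internal", "dmz", 443, "allow"),   # workstations reach the web tier
    Rule("dmz", "database", 5432, "allow"),  # web tier reaches PostgreSQL
    Rule("any", "any", None, "deny"),
]

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")

def evaluate(src_ip: str, dst_ip: str, port: int, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a flow; unmatched traffic is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src in (src_zone, "any") and r.dst in (dst_zone, "any") \
                and r.port in (port, None):
            # Even an allowed zone pair must pass the per-host database allow list.
            if r.action == "allow" and dst_zone == "database" \
                    and ip_address(src_ip) not in APPROVED_APP_SERVERS:
                return "deny"
            return r.action
    return "deny"

def permissive_rules(rules=RULES):
    """Audit helper: 'any to any allow' rules that silently undo the design."""
    return [r for r in rules if r.action == "allow" and (r.src, r.dst) == ("any", "any")]
```

Running the phishing scenario through it: the accountant's workstation in the internal zone is denied on 5432 to the database zone and on 445 to the admin zone, while the approved DMZ application server is allowed.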
Common mistakes
- Treating segmentation as network-only: application-level access controls (database authentication, API authorization) are equally important; a compromised user with high database privileges negates network segmentation.
- Creating overly complex segmentation policies that are not documented or monitored: security teams then craft permissive temporary rules to reduce friction, gradually degrading effectiveness.
- Segmenting only production: development and staging environments need similar segmentation to prevent lateral movement if development systems are compromised.
- Forgetting east-west traffic: many organisations harden the perimeter but leave internal server-to-server communication wide open—exactly where modern attackers operate.
- Rolling out without a rollback plan: aggressive policies applied in one cut can break critical services; iterate by zone with controlled windows and monitor blocked traffic before enforcing.
Frequently asked questions
What is the difference between network segmentation and microsegmentation?
Network segmentation divides a network into large zones (DMZ, internal, database, admin) with firewalls controlling traffic between zones. Microsegmentation divides the network into small zones around individual applications or workloads, with strict access policies at the application level. For example, traditional segmentation might separate all databases into one zone; microsegmentation would isolate each database and specify exactly which applications can connect to it. Microsegmentation is more granular and powerful but operationally complex; it's typically implemented using software-defined networking, application-centric security, or zero-trust architectures.
How do we implement segmentation in cloud environments?
Cloud segmentation uses cloud-native security groups and network access control lists (NACLs). Cloud providers offer subnet-level isolation and fine-grained firewall rules based on source/destination IP, ports, and protocols. For microsegmentation in cloud, use application-layer controls (API gateways, service meshes) and identity-based access (IAM policies). Hybrid environments (on-premises + cloud) require careful planning to extend segmentation policies across infrastructure. Cloud-native segmentation is more flexible than on-premises but requires different tools and expertise.
Does segmentation prevent ransomware?
Segmentation significantly reduces ransomware impact by containing spread to a single segment. If ransomware compromises a workstation in the internal zone, network segmentation prevents spread to file servers or domain controllers in restricted zones. However, segmentation doesn't prevent the initial compromise or encryption of files within the compromised segment. True ransomware defense combines segmentation with immutable backups, rapid detection and response, and endpoint protection. Segmentation buys time and contains damage, but it's one component of comprehensive ransomware defense.
How do we balance segmentation security with operational convenience?
Segmentation security and operational convenience are often in tension. Overly restrictive policies reduce functionality; overly permissive policies negate security. Best practice: define segmentation based on business context (what data is sensitive, what systems are critical), implement firewall rules that enforce those policies, document all rules, regularly audit policies for unnecessary permissions, and use automation to manage policies at scale. Security awareness training helps teams understand why segmentation exists and reduces ad-hoc requests to bypass controls. Tools like network access control (NAC) and zero-trust access can improve both security and usability.