Network Segmentation

Network segmentation divides a network into isolated zones so that an attacker who compromises one segment cannot automatically move freely to other parts of the network. It is a central defence-in-depth measure that significantly reduces the blast radius of an attack.

    Why network segmentation?

    A flat, unsegmented network gives an attacker who has compromised one system free movement to all other systems on the network (lateral movement). Ransomware exploits precisely this to spread rapidly and encrypt all accessible resources.

    Network segmentation limits this movement by establishing controlled boundaries that traffic must cross and where it is inspected and filtered. It reduces the attack surface and minimises the scope of damage in the event of a breach.

    VLANs and physical segmentation

    VLAN (Virtual Local Area Network) is the most widely used segmentation technique. It divides a physical network into logical network segments, where traffic between segments is controlled by routers and firewalls. Typical segments include: user networks, server networks, guest networks, IoT/OT networks and management networks.

    DMZ

    A DMZ (Demilitarised Zone) is a network segment that hosts internet-facing services (web servers, email servers, VPN concentrators). The DMZ is isolated from the internal network, so a compromised internet-facing system cannot directly attack internal resources.

    Segment by risk and criticality

    The most effective segmentation strategy is based on data classification and system criticality. Systems with sensitive data or critical functions are isolated in separate segments with stricter access rules.
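    The following is an added worked example, not part of the original dictionary entry: a small default-deny inter-segment policy over the segment types named above (user, server, guest, IoT/OT, management, DMZ, internet), with a function that computes the "blast radius" of a compromised segment as the set of segments reachable through permitted flows, and a flat-network rule set for comparison. The zones, ports and rules are constructed for illustration and assume nothing about any real deployment.

```python
from collections import deque

# Constructed example policy (hypothetical zones and ports, not from any real network).
# A rule is (source_zone, destination_zone, destination_port); "any" matches every port.
# Anything not listed is denied at the segment boundary (default deny).
SEGMENTS = ["internet", "dmz", "users", "servers", "iot", "guest", "mgmt"]

RULES = {
    ("internet", "dmz", 443),   # public web front end in the DMZ
    ("dmz", "servers", 5432),   # web tier may reach only the database port
    ("users", "servers", 443),  # staff reach internal applications
    ("users", "dmz", 443),
    ("guest", "internet", 443), # guests get internet only
    ("mgmt", "servers", 22),    # administration happens from the management segment
    ("mgmt", "dmz", 22),
    ("mgmt", "iot", 22),
}

def is_allowed(src, dst, port, rules=RULES):
    """Default-deny decision for one flow crossing a segment boundary."""
    if src == dst:
        return True  # traffic inside one segment never crosses the boundary
    return (src, dst, port) in rules or (src, dst, "any") in rules

def blast_radius(compromised, rules=RULES):
    """Segments an attacker could reach, transitively, from a compromised segment
    by following only flows the policy permits. The start segment is excluded."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for src, dst, _port in rules:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return seen

def flat_network(segments=SEGMENTS):
    """Rule set for an unsegmented network: every segment reaches every other on any port."""
    return {(s, d, "any") for s in segments for d in segments if s != d}

if __name__ == "__main__":
    for zone in SEGMENTS:
        print(f"{zone:9s} segmented: {sorted(blast_radius(zone))}"
              f"  flat: {len(blast_radius(zone, flat_network()))} segments")
```

Running it shows that a compromised DMZ host reaches only the database port on the server segment, a compromised IoT device reaches nothing, while the management segment, as expected, has the widest reach and therefore deserves the strictest access rules.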

    Micro-segmentation

    Micro-segmentation is a more granular approach, typically implemented in cloud and virtualisation environments. Rather than relying on network boundaries, traffic is controlled at the individual application or workload level. It is a central component of Zero Trust architecture and works alongside logging and access control to provide comprehensive protection.

    Frequently Asked Questions about Network Segmentation

    What is network segmentation?

    Network segmentation is the practice of dividing a network into isolated zones or segments to limit an attacker's ability to move laterally and to reduce the blast radius of a security breach.

    What is a VLAN?

    A VLAN (Virtual Local Area Network) divides a physical network into logical segments. Traffic between VLANs is controlled by routers and firewalls, enabling segmentation without separate physical infrastructure.

    What is a DMZ?

    A DMZ (Demilitarised Zone) is a network segment that hosts internet-facing services, isolated from the internal network so that a compromised public-facing system cannot directly reach internal resources.

    What is micro-segmentation?

    Micro-segmentation is a granular segmentation approach that controls traffic at the individual application or workload level, typically in cloud and virtualisation environments. It is a key component of Zero Trust architecture.

    Why does network segmentation matter for compliance?

    Network segmentation is referenced in ISO 27001, NIS2 and CIS Controls as a key security measure. It limits the spread of attacks, protects sensitive data and supports the principle of least privilege at the network level.
