A flat network is an all-you-can-eat buffet for anyone who gets past the perimeter. One compromised workstation, and the attacker can reach the domain controller, the database server, the backup system, and the CEO’s file share — all without crossing a single firewall. Lateral movement is the technique that turns a minor foothold into a catastrophic breach, and flat networks hand it to attackers for free.
Network segmentation is the architectural answer. Divide the network into trust zones. Put firewalls between them. Enforce rules about what can talk to what. When a workstation gets compromised — and eventually one will — segmentation is the difference between losing one machine and losing the entire environment. It’s not glamorous. It’s plumbing. But it’s plumbing that stops floods.
DO / DON’T
DO:
- Segment by function and trust level — Workstations, servers, management interfaces, IoT devices, and guest networks should live in separate segments.
- Firewall between segments — Segmentation without enforcement is just VLANs with extra steps. Put a firewall (or ACL at minimum) between every segment.
- Document your network topology — If you can’t draw it, you can’t secure it. Maintain current diagrams.
- Monitor east-west traffic — Most monitoring watches north-south (in/out). Attackers move east-west (internal). Watch both.
- Start with your most critical assets — Isolate crown jewels first, then expand segmentation outward.
- Test segmentation regularly — Verify that segments are actually enforced. Scan from one segment to confirm you can’t reach what you shouldn’t.
DON’T:
- Don’t operate a flat network — Every device on one subnet with no internal firewalling is one of the most common architectural failures found in breached organizations.
- Don’t put management interfaces on the production network — iLO, iDRAC, switch management, hypervisor management — these belong on an isolated management VLAN.
- Don’t allow unrestricted outbound traffic — Egress filtering catches command-and-control traffic, data exfiltration, and reverse shells.
- Don’t rely on VLANs alone for security — VLANs provide logical separation, not security enforcement. Without ACLs or firewalls between them, VLANs are a speed bump, not a wall.
- Don’t forget about DNS — DNS is a common covert channel for command-and-control and exfiltration because it is almost always allowed out. Monitor and filter DNS traffic, and pay attention to servers that should have no reason to resolve external names.
Trust Zone Design
Defining Trust Zones
A trust zone is a group of systems with similar security requirements and trust levels. Traffic within a zone flows relatively freely; traffic between zones passes through an enforcement point.
Common trust zones for most organizations:
| Zone | Contents | Trust Level |
|---|---|---|
| DMZ | Public-facing web servers, load balancers, reverse proxies | Low — internet-facing, assume compromised |
| Application | Application servers, middleware, APIs | Medium — processes requests from DMZ |
| Data | Databases, file servers, data warehouses | High — stores sensitive data |
| Management | Admin interfaces, jump boxes, monitoring, SIEM | Highest — controls everything else |
| Workstation | Employee desktops, laptops | Medium-Low — most common initial compromise vector |
| IoT/OT | Printers, cameras, HVAC, industrial control systems | Lowest — unpatched, unmanaged, often insecure by design |
| Guest | Guest Wi-Fi, contractor devices | Untrusted — internet access only, no internal access |
The principle: higher-trust zones should never be directly reachable from lower-trust zones without passing through an inspection point. A workstation should never connect directly to a database. It connects to an application in the application zone, which connects to the database on its behalf.
VLAN Implementation
VLAN Design
VLANs (Virtual LANs) provide the logical separation layer. Each trust zone maps to one or more VLANs with distinct IP subnets.
Subnet planning:
- Use RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Assign each VLAN a distinct subnet that’s easy to identify in firewall rules and logs
- Example scheme: 10.1.x.x for servers, 10.2.x.x for workstations, 10.3.x.x for management, 10.4.x.x for IoT, 10.5.x.x for DMZ
- Size subnets appropriately — don’t put 10 devices on a /16
VLAN configuration best practices:
- Disable unused ports — An enabled but unused switch port is an open invitation to anyone who can plug into it. Shut unused ports down and park them in an otherwise unused VLAN.
- Disable VLAN trunking on access ports — A port that still negotiates DTP (Dynamic Trunking Protocol) can be talked into becoming a trunk, which enables VLAN hopping. Set access ports to `switchport mode access` and `switchport nonegotiate` explicitly.
- Use a dedicated native VLAN — Don’t use VLAN 1 as the native VLAN. Create a dedicated, otherwise unused VLAN as the native VLAN on trunk ports, so an attacker on an access port is never in the native VLAN and double-tagging attacks fail. The CIS Benchmarks for network devices (for example, the Cisco IOS benchmark) cover these configurations.
- Prune VLANs on trunks — Only allow VLANs that need to traverse each trunk link. Don’t trunk all VLANs everywhere.
Inter-VLAN Routing and Firewalling
The enforcement happens at the routing layer. Options:
- Layer 3 switch ACLs — Access control lists on the routing interface between VLANs. Good for basic segmentation (allow/deny by IP and port). Limited inspection capability.
- Internal firewall — A next-generation firewall between segments provides deep packet inspection, application-layer filtering, and logging. More overhead, more visibility.
- Microsegmentation — Software-defined networking tools (VMware NSX, Cisco ACI, Illumio) enforce policies at the individual workload level, not just the subnet level. Powerful but complex to implement.
At minimum, every inter-VLAN path should have an ACL that enforces default deny with explicit allow rules for documented traffic flows. This alone stops the majority of lateral movement.
Firewall Placement and Rules
Internal Firewall Architecture
Don’t just put a firewall at the internet edge. Internal firewalls between trust zones are where segmentation becomes security.
Placement:
- Between DMZ and internal networks (mandatory)
- Between workstation segments and server segments
- Between application and data tiers
- Between management networks and everything else
- Between IoT/OT and corporate networks
Rule Design
- Default deny — Start with deny all, then add explicit allow rules for each documented traffic flow.
- Least privilege — Allow only the specific ports and protocols needed. “Allow TCP 5432 from app-server-01 to db-server-01” is a rule. “Allow any from 10.1.0.0/16 to 10.2.0.0/16” is a liability.
- Rule documentation — Every rule should have a comment explaining why it exists, who requested it, and when it was last reviewed.
- Regular review — Audit firewall rules quarterly. Remove rules for decommissioned services. Tighten rules that are broader than necessary. NIST SP 800-41 Rev. 1 provides firewall policy guidance.
- Log denied traffic — Denied connection attempts are intelligence. They reveal misconfigured applications (legitimate traffic hitting deny rules) and attacker reconnaissance (scanning and probing).
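The default-deny ACL described above, the rule hygiene in this list, and the “scan from one segment to confirm you can’t reach what you shouldn’t” check from the DO list can all be driven from the same policy model. The following Python is an added example, not code from the original article. It follows the article’s 10.1/10.2/10.3/10.4/10.5 subnet scheme; the split of the server range into an app tier (10.1.10.0/24) and a data tier (10.1.20.0/24), the host addresses, the rule owners, review dates and the audit date are assumptions made for illustration.

```python
"""Segmentation policy as code: default-deny inter-zone rules, a linter for
overbroad or stale rules, and a probe-driven check that the live network
matches the policy. Added example, not from the original article; the zone
layout, hosts, owners and dates are assumed for illustration."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Trust zones mapped to subnets (assumed layout following the article's scheme).
ZONES = {
    "app":  ip_network("10.1.10.0/24"),   # application tier (servers)
    "data": ip_network("10.1.20.0/24"),   # database tier (servers)
    "wks":  ip_network("10.2.0.0/16"),    # workstations
    "mgmt": ip_network("10.3.0.0/24"),    # jump boxes, admin interfaces
    "iot":  ip_network("10.4.0.0/16"),    # printers, cameras, HVAC
    "dmz":  ip_network("10.5.0.0/24"),    # public-facing proxies
}
TODAY = date(2024, 5, 1)                  # assumed audit date for the review check

@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    reason: str          # why the rule exists
    owner: str           # who requested it
    reviewed: date       # last review date

# Explicit allows. Anything not listed here is denied.
RULES = [
    Rule("wks", "app", "tcp", 443, "Users reach the web front end", "app-team", date(2024, 3, 1)),
    Rule("app", "data", "tcp", 5432, "App servers query PostgreSQL", "app-team", date(2024, 3, 1)),
    Rule("dmz", "app", "tcp", 8443, "Reverse proxy forwards to app tier", "netops", date(2024, 3, 1)),
    Rule("mgmt", "data", "tcp", 22, "Admins SSH to DB hosts from jump box", "dba", date(2024, 3, 1)),
    Rule("wks", "iot", "any", None, "Legacy: print and camera access", "helpdesk", date(2022, 1, 15)),
]

def zone_of(ip: str) -> Optional[str]:
    """Zone name for an address, or None if it is outside every known zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[bool, Optional[Rule]]:
    """Default deny: return (True, rule) on the first matching explicit allow."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src, r.dst) == (s, d) and r.proto in ("any", proto) and r.port in (None, port):
            return True, r
    return False, None

def lint_rules(rules: List[Rule], today: date, max_age_days: int = 90) -> List[str]:
    """Flag rules broader than least privilege or overdue for quarterly review."""
    findings = []
    for r in rules:
        if r.proto == "any" or r.port is None:
            what = "protocol" if r.proto == "any" else "port"
            findings.append(f"{r.src}->{r.dst}: allows any {what}; scope it to specific services")
        if (today - r.reviewed).days > max_age_days:
            findings.append(f"{r.src}->{r.dst}: last reviewed {r.reviewed}, overdue (owner: {r.owner})")
    return findings

def verify_segmentation(probes, connect: Callable[[str, str, str, int], bool]) -> List[str]:
    """Compare live reachability with policy. probes: (src_ip, dst_ip, proto, port);
    connect(...) returns True if the attempt succeeded. In practice connect wraps a
    TCP/UDP probe run from a host in the source segment (e.g. a scanner per zone)."""
    gaps = []
    for src, dst, proto, port in probes:
        expected, _ = allowed(src, dst, proto, port)
        observed = connect(src, dst, proto, port)
        if observed and not expected:
            gaps.append(f"GAP: {src} reached {dst} {proto}/{port} but policy denies it")
        elif expected and not observed:
            gaps.append(f"BROKEN: {src} cannot reach {dst} {proto}/{port} but policy allows it")
    return gaps

if __name__ == "__main__":
    print("workstation -> DB:", allowed("10.2.5.17", "10.1.20.5", "tcp", 5432)[0])  # denied
    print("app tier -> DB:  ", allowed("10.1.10.5", "10.1.20.5", "tcp", 5432)[0])  # allowed
    for finding in lint_rules(RULES, TODAY):
        print("LINT:", finding)
    # Constructed probe results standing in for real connection attempts.
    observed = {("10.2.5.17", "10.1.20.5", "tcp", 5432): True}
    for gap in verify_segmentation(list(observed), lambda s, d, p, port: observed.get((s, d, p, port), False)):
        print(gap)
```

The policy is the single source of truth: the same `allowed()` decides what the ACL should permit, what the linter audits, and what the segment-to-segment scan is expected to see, so a probe that succeeds where policy says deny is reported as a segmentation gap rather than silently passing.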
Monitoring East-West Traffic
Most organizations have solid north-south monitoring — firewalls, IDS/IPS, and web application firewalls inspect traffic entering and leaving the network. East-west traffic — traffic moving laterally between internal systems — is where attackers live after initial compromise, and it’s where most organizations are blind.
How to Monitor East-West Traffic
- Network flow data — NetFlow, sFlow, or IPFIX from switches and routers provides metadata about internal traffic patterns (source, destination, port, volume) without full packet capture overhead. Export flow data to your SIEM.
- Internal IDS/IPS — Deploy intrusion detection sensors on inter-VLAN trunk links, fed by SPAN/mirror ports or network TAPs, to inspect traffic between segments.
- NDR (Network Detection and Response) — Open-source network security monitoring tools such as Zeek (formerly Bro) and Suricata, or commercial NDR platforms, analyze network traffic for anomalous patterns: unusual protocols, unexpected connections between systems, DNS tunneling, and data exfiltration indicators.
- DNS monitoring — Monitor internal DNS queries. An internal server making DNS queries for domains associated with command-and-control infrastructure is a red flag. CISA’s DNS security guidance covers protective DNS configuration.
What to Alert On
- Workstations connecting directly to database ports
- Management protocol traffic (SSH, RDP, WinRM) originating from non-management VLANs
- Large data transfers between segments during off-hours
- SMB traffic crossing segment boundaries (ransomware lateral movement signature)
- DNS queries to newly registered domains or known malicious domains
- Any traffic from the IoT/OT zone attempting to reach internal servers
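Most of the alerts in this list can be evaluated directly against flow records once each address is mapped to its zone. The Python below is an added example, not code from the original article: it runs five of the alert conditions over NetFlow/IPFIX-style records. The zone subnets, port lists, the 100 MB threshold, the 07:00 to 18:59 business-hours window and the sample flow lines are all constructed for illustration. The DNS conditions are omitted because they need resolver query logs rather than flow data.

```python
"""East-west flow triage: run the article's alert list over flow records.
Added example, not from the original article; zones, ports, thresholds and
the sample flows are constructed for illustration."""
from datetime import datetime
from ipaddress import ip_address, ip_network

ZONES = {  # assumed layout following the article's subnet scheme
    "app":  ip_network("10.1.10.0/24"), "data": ip_network("10.1.20.0/24"),
    "wks":  ip_network("10.2.0.0/16"),  "mgmt": ip_network("10.3.0.0/24"),
    "iot":  ip_network("10.4.0.0/16"),  "dmz":  ip_network("10.5.0.0/24"),
}
SERVER_ZONES = {"app", "data", "mgmt"}
DB_PORTS = {1433, 1521, 3306, 5432}          # MSSQL, Oracle, MySQL, PostgreSQL
ADMIN_PORTS = {22, 3389, 5985, 5986}         # SSH, RDP, WinRM
SMB_PORT = 445
LARGE_BYTES = 100_000_000                    # 100 MB between segments (assumed threshold)
BUSINESS_HOURS = range(7, 19)                # 07:00-18:59 UTC (assumed)

SAMPLE_FLOWS = [  # constructed records: ts,src,dst,proto,dport,bytes
    "2024-05-01T09:12:03Z,10.2.5.17,10.1.20.5,tcp,5432,2048",       # workstation straight to a DB
    "2024-05-01T09:13:10Z,10.1.10.5,10.1.20.5,tcp,5432,8192",       # app tier to DB: expected
    "2024-05-01T09:20:44Z,10.2.5.17,10.1.10.6,tcp,3389,512",        # RDP from a workstation
    "2024-05-01T09:21:00Z,10.3.0.10,10.1.20.5,tcp,22,900",          # SSH from the jump box: expected
    "2024-05-01T02:30:00Z,10.2.7.21,10.1.10.6,tcp,445,1500000000",  # 1.5 GB of SMB across zones at 02:30
    "2024-05-01T10:02:00Z,10.4.3.9,10.1.20.5,tcp,443,400",          # camera talking to a DB host
    "2024-05-01T10:05:00Z,10.4.3.9,8.8.8.8,udp,53,120",             # IoT DNS to the internet: outside known zones
]

def zone_of(ip):
    """Zone name for an address; None means outside every known zone (e.g. internet)."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def parse_flow(line):
    """Parse one collector record into a dict with source/destination zones attached."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes": int(nbytes),
            "sz": zone_of(src), "dz": zone_of(dst)}

def triage(flow):
    """Return the alert names one flow triggers; a single flow may trigger several."""
    alerts = []
    sz, dz, port = flow["sz"], flow["dz"], flow["dport"]
    internal = sz is not None and dz is not None
    if sz == "wks" and dz == "data" and port in DB_PORTS:
        alerts.append("workstation-to-database")
    if internal and port in ADMIN_PORTS and sz != "mgmt":
        alerts.append("admin-protocol-from-non-mgmt")
    if internal and port == SMB_PORT and sz != dz:
        alerts.append("smb-crossing-segments")
    if internal and sz != dz and flow["bytes"] >= LARGE_BYTES and flow["ts"].hour not in BUSINESS_HOURS:
        alerts.append("large-offhours-transfer")
    if sz == "iot" and dz in SERVER_ZONES:
        alerts.append("iot-to-internal-server")
    return alerts

def run(lines):
    """(src, dst, dport, alert) for every alert raised over the given records."""
    return [(f["src"], f["dst"], f["dport"], a) for f in map(parse_flow, lines) for a in triage(f)]

if __name__ == "__main__":
    for src, dst, dport, alert in run(SAMPLE_FLOWS):
        print(f"{alert:30} {src} -> {dst}:{dport}")
```

Expect alerts on the first, third, fifth (twice) and sixth records and none on the expected app-to-database, jump-box SSH, or IoT-to-internet flows. Thresholds and hours are environment-specific: a site with a nightly ETL job between the app and data tiers would need an allowlist for that flow rather than a global off-hours rule.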
Network Documentation
What to Document
You can’t defend what you can’t see, and you can’t troubleshoot what you can’t draw. Maintain these documents:
- Network topology diagram — Physical and logical. Every switch, router, firewall, and their interconnections. Label VLANs, subnets, and trust zones.
- IP address management (IPAM) — Every assigned IP, its purpose, and its owner. Spreadsheets work for small networks; dedicated IPAM tools (NetBox, phpIPAM) for larger ones.
- Firewall rule documentation — Every rule with its justification, requester, and review date.
- Data flow diagrams — How data moves between systems and zones. Critical for both security and compliance.
- Change log — Every network change, who made it, when, and why.
Review and update documentation with every change. A network diagram from last year is a historical document, not a security tool. NIST SP 800-53 Rev. 5 control SC-7 (Boundary Protection) requires monitoring and controlling communications at external and key internal boundaries; you cannot demonstrate that without a current picture of where those boundaries are and what is allowed to cross them.
If It Already Happened
If an attacker has already moved laterally through your network during a breach:
- Contain first — Isolate compromised segments from the rest of the network. Pull the trunk links if you have to. Containment stops the bleeding.
- Map the lateral movement path — Use logs, flow data, and forensic artifacts to trace every system the attacker touched. Every hop is a segmentation failure that needs to be fixed.
- Rebuild segmentation around the breach path — The attacker just showed you where your architecture fails. Build firewalls and ACLs along every path they traversed.
- Assume persistence — Attackers who move laterally often plant backdoors on multiple systems. Scan every system in the compromised path.
- Report through CISA and relevant regulatory channels. The lateral movement evidence informs your remediation plan and regulatory response.
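Tracing the path from a known-compromised host is mechanical once flow data is available. The Python below is an added example, not code from the original article: starting from one confirmed host, it walks flow records forward in time over the protocols attackers use to hop between machines (RPC, SMB, RDP, SSH, WinRM) and returns every host reached, with the hop that reached it. The addresses, the hop-protocol port list and the sample flow lines are constructed for illustration; real investigations should also pull in authentication logs, since a flow only shows that a connection happened, not that it succeeded.

```python
"""Map a lateral-movement path from flow records, starting at a known
compromised host. Added example, not from the original article; ports and
sample flows are constructed for illustration."""
from datetime import datetime

# Ports attackers commonly use to move between hosts (assumed list).
HOP_PORTS = {135: "rpc", 445: "smb", 3389: "rdp", 22: "ssh", 5985: "winrm", 5986: "winrm"}

SAMPLE_FLOWS = [  # constructed records: ts,src,dst,proto,dport,bytes
    "2024-05-01T09:00:00Z,10.2.5.17,10.1.10.6,tcp,443,4000",     # web access: not a hop protocol
    "2024-05-01T09:30:00Z,10.2.5.17,10.2.9.40,tcp,445,90000",    # patient zero -> workstation over SMB
    "2024-05-01T09:45:00Z,10.2.9.40,10.1.10.6,tcp,3389,700000",  # that workstation -> app server over RDP
    "2024-05-01T09:50:00Z,10.1.10.6,10.1.20.5,tcp,22,3000",      # app server -> DB host over SSH
    "2024-05-01T08:00:00Z,10.1.20.5,10.3.0.10,tcp,22,2000",      # DB -> jump box, but BEFORE the DB was reached
    "2024-05-01T10:00:00Z,10.2.8.8,10.1.20.5,tcp,445,500",       # unrelated workstation; never compromised
]

def parse(line):
    """(timestamp, src, dst, dport) from one collector record."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport))

def map_lateral_movement(lines, patient_zero):
    """Return {host: (first_seen, from_host, protocol)} for every host reachable
    from patient_zero through a time-consistent chain of hop-protocol flows.
    Flows are processed in time order, so a flow out of a host that was not yet
    compromised at that moment is not attributed to the attacker."""
    flows = sorted(map(parse, lines))
    compromised = {patient_zero: (None, None, "initial")}
    for ts, src, dst, port in flows:
        if port not in HOP_PORTS or src not in compromised or dst in compromised:
            continue
        compromised[dst] = (ts, src, HOP_PORTS[port])
    return compromised

def path_to(compromised, host):
    """Hop-by-hop chain from patient zero to the given host."""
    path = []
    while host is not None:
        path.append(host)
        host = compromised[host][1]
    return path[::-1]

if __name__ == "__main__":
    result = map_lateral_movement(SAMPLE_FLOWS, "10.2.5.17")
    for host, (first_seen, via, proto) in result.items():
        print(f"{host:12} first seen {first_seen} via {via} ({proto})")
    print("path to DB:", " -> ".join(path_to(result, "10.1.20.5")))
```

Every edge in the returned chain is a segment boundary the attacker crossed without being stopped; those are the exact paths to put rules on first. Note what the time ordering excludes: the 08:00 SSH session from the database host to the jump box predates the attacker reaching that host, so it is not attributed, and the unrelated workstation that later touched the database over SMB never appears because it was never reached from patient zero.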
Network segmentation is infrastructure work. It’s thankless, it’s tedious, and it’s the single most effective architectural control against lateral movement. Start by drawing your current network. Identify what’s flat. Pick your most critical asset — the database, the domain controller, the backup server — and isolate it into its own segment with firewall rules. That’s your first win. Then do the next one.