One compromised machine. That’s all it takes on a flat network. One phished employee, one unpatched workstation, one rogue device on the WiFi — and the attacker is inside, with a direct path to every other system on the network. No firewalls between them. No access controls. No chokepoints. Just one big, flat highway from the receptionist’s laptop to the domain controller to the database server to the backup tapes. That’s not a network. That’s a gift-wrapped buffet for the usual suspects.

The TLDR

Network segmentation divides a network into isolated zones, each with its own access controls and security policies. The goal: limit what an attacker can reach after the initial compromise. VLANs, firewalls, DMZs, and micro-segmentation create boundaries that force lateral movement through controlled chokepoints. The Target breach (2013) is the textbook case: credentials stolen from an HVAC vendor gave attackers a path from a vendor-facing portal to the point-of-sale network because the network was functionally flat. Segmentation wouldn’t have prevented the initial compromise. It would have prevented the roughly $300 million aftermath.

The Reality

Most networks are flatter than they should be. Not because architects don’t know better, but because segmentation is operationally expensive. Every boundary you create is a rule you have to maintain, a potential troubleshooting headache, and a change request someone will eventually push to remove “because it’s blocking something.” So the default becomes “everything can talk to everything,” and the security team gets told to make it work with monitoring alone.

The Target breach is the case study that should be tattooed on every network engineer’s forearm. Attackers compromised Fazio Mechanical, a third-party HVAC vendor, stole the credentials it used for Target’s vendor portal, and logged in with them. From there, they moved laterally — from the vendor portal to the corporate network to the point-of-sale systems — because there were no meaningful segmentation boundaries between those environments. 40 million credit card numbers and 70 million customer records later, Target reported $292 million in breach-related costs and settlements.

MITRE ATT&CK TA0008 (Lateral Movement) documents the techniques attackers use to move through a network after initial access: pass-the-hash, remote services, internal spearphishing, exploitation of remote services. Every one of these techniques is easier on a flat network and harder when the attacker has to cross segmentation boundaries with different credentials, protocols, and monitoring at each crossing.

How It Works

VLANs — The Starting Point

Virtual LANs (VLANs) are the most basic segmentation unit. A VLAN is a logical broadcast domain — devices on the same VLAN can communicate directly, but traffic between VLANs must pass through a router or Layer 3 switch. This is where you apply access control lists (ACLs) and firewall rules.

A typical VLAN architecture might look like:

VLAN 10  — Workstations
VLAN 20  — Servers
VLAN 30  — VoIP
VLAN 40  — Guest WiFi
VLAN 50  — IoT / Building Systems
VLAN 100 — Management

Each VLAN is isolated at Layer 2. Inter-VLAN traffic passes through a firewall or router where rules determine what can talk to what. Workstations can reach application servers but not database servers directly. Guest WiFi can reach the internet but nothing internal. IoT devices are isolated from everything except their management interface.

The critical mistake: creating VLANs but allowing all inter-VLAN traffic. A VLAN without access controls is just an organizational label, not a security boundary. The ACLs between VLANs are where the actual security happens.

Firewall Zones and DMZs

Firewalls enforce the boundaries between network zones. The classic architecture defines three zones:

Untrusted — the internet and anything else outside your control
DMZ       — internet-facing services such as web servers
Internal  — the trusted network: application and database servers, domain controllers, file shares, workstations

The DMZ is a buffer zone. Web servers in the DMZ can receive traffic from the internet but can only make specific, controlled connections to internal application servers. If a web server is compromised, the attacker is stuck in the DMZ — they can’t directly reach the database server, the Active Directory domain controller, or the file shares. They have to find another way through, and that takes time, creates noise, and gives defenders a chance to detect and respond.

Modern architectures add more zones: a management zone for infrastructure devices, a data zone for databases, a development zone isolated from production. Each additional zone reduces the blast radius of a compromise.

North-South vs East-West Traffic

Traditional security focused on north-south traffic — traffic entering and leaving the network through the perimeter firewall. That made sense when the perimeter was the primary boundary. But most modern attacks don’t come through the front door — they come through phishing, supply chain compromise, or VPN credential theft. Once inside, the attacker moves east-west — laterally between systems within the network.

This is the fundamental problem with perimeter-only security. All the investment in the front door means nothing if the interior is wide open. CISA’s network segmentation guidance emphasizes that internal segmentation — controlling east-west traffic — is where the real defensive value lives.

Micro-Segmentation

Micro-segmentation takes the concept to its logical extreme: every workload, every container, every virtual machine gets its own security policy. Instead of segmenting by network zone, you segment by identity and function.

In a micro-segmented environment, a web server can talk to its specific application server on its specific port, and nothing else. Even if the web server and a database server are on the same VLAN, the micro-segmentation policy prevents communication between them unless explicitly allowed.

NIST SP 800-125B covers secure virtual network configuration, and micro-segmentation is the practical realization of those principles. Software-defined networking (SDN) and tools like VMware NSX, Cisco ACI, and cloud-native security groups make micro-segmentation operationally feasible in ways that weren’t possible with physical firewalls alone.
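As an added example (not code from the page or from any of the products named above), here is a small evaluator for label-based ingress policy, with semantics modelled on Kubernetes NetworkPolicy: a workload is identified by its labels rather than its subnet, rules are additive, a selected workload defaults to deny, and, the edge case worth knowing, a workload that no policy selects is wide open. The workloads, labels and policies are constructed for the example.

```python
"""Label-based ingress policy, modelled on Kubernetes NetworkPolicy semantics
(an assumption: the page names no specific product). Workloads are identified
by labels rather than by VLAN or subnet, so two workloads on the same VLAN are
still isolated unless a policy allows the flow. Edge case worth knowing: a
workload that no policy selects is not protected at all (allow-all)."""

# Constructed inventory: workload name -> labels.
WORKLOADS = {
    "gw-1":     {"role": "ingress-gateway"},
    "web-1":    {"tier": "web"},
    "app-1":    {"tier": "app"},
    "db-1":     {"tier": "db"},
    "legacy-1": {"tier": "legacy"},     # nobody ever wrote a policy for this one
}

# Constructed policies: 'selector' picks the destination workloads the policy
# protects; each ingress rule names allowed source labels and destination ports.
POLICIES = [
    {"name": "web-ingress", "selector": {"tier": "web"},
     "ingress": [{"from": {"role": "ingress-gateway"}, "ports": [443]}]},
    {"name": "app-ingress", "selector": {"tier": "app"},
     "ingress": [{"from": {"tier": "web"}, "ports": [8080]}]},
    {"name": "db-ingress", "selector": {"tier": "db"},
     "ingress": [{"from": {"tier": "app"}, "ports": [5432]}]},
]


def matches(selector, labels):
    """A selector matches when every key/value it names is present in the
    labels; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(policies, src_labels, dst_labels, port):
    """True if traffic from a workload with src_labels may reach dst_labels:port."""
    selecting = [p for p in policies if matches(p["selector"], dst_labels)]
    if not selecting:
        return True              # unselected workload: no policy applies, allow-all
    for policy in selecting:     # rules are additive: any matching rule permits
        for rule in policy["ingress"]:
            if matches(rule["from"], src_labels) and port in rule["ports"]:
                return True
    return False                 # selected, nothing matched: default deny


def unprotected_workloads(policies, workloads):
    """Workloads no policy selects, i.e. silently allow-all. Audit this list."""
    return sorted(name for name, labels in workloads.items()
                  if not any(matches(p["selector"], labels) for p in policies))


def default_deny_policy():
    """Empty selector plus no ingress rules: selects every workload and permits
    nothing, so each allowed flow must come from another policy."""
    return {"name": "default-deny", "selector": {}, "ingress": []}


if __name__ == "__main__":
    w = WORKLOADS
    print(ingress_allowed(POLICIES, w["web-1"], w["app-1"], 8080))   # True
    print(ingress_allowed(POLICIES, w["web-1"], w["db-1"], 5432))    # False
    print(ingress_allowed(POLICIES, w["web-1"], w["legacy-1"], 22))  # True: unprotected
    print(unprotected_workloads(POLICIES, w))                        # ['gw-1', 'legacy-1']
    hardened = POLICIES + [default_deny_policy()]
    print(ingress_allowed(hardened, w["web-1"], w["legacy-1"], 22))  # False
```

The `unprotected_workloads` check is the one to run against a real environment: micro-segmentation is only default-deny for workloads that some policy selects, which is why a catch-all like `default_deny_policy()` belongs in place before the per-tier allow rules, and why the gateway then needs its own explicit ingress rule.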

Software-Defined Networking (SDN)

SDN separates the network control plane (the decision-making about where traffic goes) from the data plane (the actual forwarding of packets). This means segmentation policies can be defined centrally and pushed to every switch, router, and hypervisor in the environment simultaneously.

The advantage: consistency and agility. When security policy changes, it changes everywhere at once. The disadvantage: the SDN controller becomes a high-value target. Compromise the controller, and you can rewrite the segmentation rules for the entire network.

How It Gets Exploited

VLAN Hopping

Attackers can escape a VLAN through two techniques: switch spoofing (the attacker’s device speaks DTP, the Dynamic Trunking Protocol, and negotiates a trunk link that carries every VLAN) and double tagging (a frame carries two 802.1Q tags; the switch strips the outer tag because it matches the trunk’s native VLAN and forwards the frame into the VLAN named by the inner tag). Double tagging only works when the attacker’s access VLAN is the native VLAN of the trunk, and it is one-way, since replies come back on the target VLAN. Mitigations: disable DTP on every access port (switchport mode access plus switchport nonegotiate), set the native VLAN on trunks to an otherwise unused VLAN, and configure trunk ports explicitly rather than letting them negotiate.
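To turn those mitigations into a check, the following added example (not from the page) audits a Cisco IOS-style switch configuration for ports that can still negotiate a trunk, access ports that still speak DTP, and trunk-capable ports whose native VLAN is VLAN 1 or one of the VLANs carrying user traffic. The configuration text is constructed, the parser only understands the `switchport` commands it looks for, and the in-use VLAN set is the layout from this page.

```python
"""Audit a Cisco IOS-style switch configuration for the VLAN-hopping
mitigations: no negotiable trunking, no DTP on access ports, and no trunk
whose native VLAN carries user traffic. Constructed config; the parser only
understands the 'switchport' commands it looks for, not full IOS syntax."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user desk (hardened)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description printer (mode never set, DTP left at its default)
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description conference room (access mode, but still speaking DTP)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 description uplink (explicit trunk, native VLAN moved to unused 999)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink (negotiated trunk, native VLAN left at 1)
 switchport mode dynamic desirable
!
"""

IN_USE_VLANS = {10, 20, 30, 40, 50, 100}   # the VLAN layout from this page


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from a running-config fragment."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def audit_vlan_hopping(config, in_use_vlans=IN_USE_VLANS):
    """Return (interface, severity, finding) tuples."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[2] for c in cmds
                     if c.startswith("switchport mode ")), None)
        native = next((int(c.split()[-1]) for c in cmds
                       if c.startswith("switchport trunk native vlan ")), 1)  # IOS default
        nonegotiate = "switchport nonegotiate" in cmds
        if mode is None or mode == "dynamic":
            findings.append((name, "high",
                             "trunking mode not fixed: DTP can negotiate this port into a trunk"))
        if mode == "access" and not nonegotiate:
            findings.append((name, "medium",
                             "access port still sends DTP; add 'switchport nonegotiate'"))
        if mode != "access" and (native == 1 or native in in_use_vlans):
            findings.append((name, "high",
                             f"native VLAN {native} carries user traffic; double tagging "
                             "possible, move the native VLAN to an unused one"))
    return findings


if __name__ == "__main__":
    for iface, sev, msg in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{sev:6} {iface}: {msg}")
```

Run it against a `show running-config` export; the two hardened ports (Gi1/0/1 and Gi1/0/23) produce nothing, while the port with no mode set at all gets the highest-severity findings, because a default-configured IOS port will happily negotiate a trunk with whatever is plugged into it.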

Lateral Movement After Initial Access

Once inside any network segment, attackers use techniques documented in MITRE ATT&CK TA0008 to move laterally: pass-the-hash and pass-the-ticket for credential reuse, Remote Desktop Protocol, SSH, WMI, PowerShell remoting, and exploitation of internal services. Each segmentation boundary they hit requires new credentials, new techniques, and generates new detection opportunities.

Firewall Rule Creep

Over time, “temporary” firewall rules accumulate. A developer needs access to a production database for debugging — the rule is added and never removed. An application needs a wide port range — the rule allows all ports. Eventually, the segmentation exists in name only, riddled with exceptions that provide the paths attackers need. Regular firewall rule audits aren’t optional — they’re how you maintain the integrity of your segmentation.
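One block serves both the point about VLAN ACLs above (a VLAN without access controls is a label) and rule creep here. It is an added example, not code from the page: it parses a Cisco-style extended ACL, evaluates a flow the way the Layer 3 switch would (first match wins, implicit deny at the end), and audits the list for the permits that hollow it out. It handles the address forms any, host and wildcard mask, the port forms eq and range, and assumes contiguous wildcard masks; the subnets (VLAN 10 workstations in 10.10.0.0/16, app servers 10.20.1.0/24, database servers 10.20.2.0/24, management 10.100.0.0/24) and the three ACLs are constructed.

```python
"""Parse a Cisco-style extended ACL, evaluate flows the way the Layer 3 switch
does (first match wins, implicit deny at the end), and audit it for rule creep.
Handles any / host / wildcard-mask addresses and eq / range ports; assumes
contiguous wildcard masks. The subnets and the three ACLs are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                 # (low, high) or None for any port
    remark: str                  # preceding 'remark' line, if any

def _addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))  # invert wildcard
    return ipaddress.IPv4Network((tokens[0], netmask), strict=False), tokens[2:]

def parse_acl(text):
    aces, remark = [], ""
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny", "remark"):
            continue                        # blank line or 'ip access-list' header
        if t[0] == "remark":
            remark = " ".join(t[1:])
            continue
        src, rest = _addr(t[2:])
        dst, rest = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = (int(rest[1]), int(rest[1]))
        elif rest[:1] == ["range"]:
            dport = (int(rest[1]), int(rest[2]))
        aces.append(Ace(t[0], t[1], src, dst, dport, remark))
        remark = ""                         # a remark documents the next ACE only
    return aces

def evaluate(aces, src_ip, dst_ip, proto, dport):
    """Return 'permit' or 'deny' for one flow."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.dport and not (a.dport[0] <= dport <= a.dport[1]):
            continue
        return a.action
    return "deny"                           # implicit deny at the end of every ACL

def audit(aces, wide_range=1000):
    """Flag permits that turn the boundary back into a label: (line number, reason)."""
    findings = []
    for n, a in enumerate(aces, 1):
        if a.action != "permit":
            continue
        if a.src.prefixlen == 0 and a.dst.prefixlen == 0:
            findings.append((n, "permit any -> any: the VLAN boundary is a label only"))
        if a.dport and a.dport[1] - a.dport[0] + 1 > wide_range:
            findings.append((n, f"port range {a.dport[0]}-{a.dport[1]} wider than {wide_range} ports"))
        if "temp" in a.remark.lower():
            findings.append((n, f"'temporary' rule still in place: {a.remark}"))
    return findings

# Constructed layout, ACL applied inbound on the VLAN 10 interface: workstations
# 10.10.0.0/16, app servers 10.20.1.0/24, database servers 10.20.2.0/24,
# resolver 10.20.0.53, management 10.100.0.0/24.
LABEL_ONLY = parse_acl("""
ip access-list extended VLAN10-IN
 permit ip any any
""")

ENFORCED = parse_acl("""
ip access-list extended VLAN10-IN
 remark workstations reach the app tier over HTTPS and the resolver over DNS
 permit tcp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 remark every other internal destination (db, voip, iot, management) is blocked
 deny ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark internet egress; spoofed sources fall through to the implicit deny
 permit ip 10.10.0.0 0.0.255.255 any
""")

CREPT = parse_acl("""
 permit tcp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 eq 443
 remark TEMP dev debugging against prod db, remove after the sprint
 permit tcp host 10.10.5.5 10.20.2.0 0.0.0.255 eq 1433
 remark vendor says the app needs a wide port range
 permit tcp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 range 1024 65535
 deny ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.255.255 any
""")
```

`evaluate(ENFORCED, "10.10.5.5", "10.20.2.10", "tcp", 1433)` returns `deny` and the same call against `CREPT` returns `permit`: the two "temporary" lines in `CREPT` are exactly the paths an attacker on a workstation needs, and `audit(CREPT)` flags both of them while `audit(ENFORCED)` is clean. The order of the deny-internal line before the egress permit matters; swap them and every internal host becomes reachable on every port.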

Pivoting Through Dual-Homed Systems

A system with network interfaces in two zones (dual-homed) can serve as a bridge. If an attacker compromises it, they can route traffic between zones that the firewall was supposed to keep separate. Dual-homed systems should be eliminated where possible, and where they’re necessary, they should be hardened, monitored, and treated as high-value targets.

What You Can Do

Start with an asset inventory and data flow map. You can’t segment what you don’t understand. Identify where your critical data lives, what systems access it, and what communication paths are required. Everything else should be blocked.

Implement VLANs with ACLs as the baseline. Even basic VLAN segmentation with inter-VLAN firewall rules dramatically reduces the blast radius. Separate workstations from servers, IoT from everything, guest networks from production, and management interfaces from all of the above.

Isolate your management plane. Network management interfaces (switch consoles, firewall admin panels, hypervisor management, IPMI/iDRAC/iLO) should be on a dedicated management VLAN accessible only from specific jump boxes. If an attacker reaches your management plane, they own your infrastructure.

Audit firewall rules quarterly. Review every allow rule. Remove anything that’s no longer needed. Challenge anything that’s overly broad. Document the business justification for every rule. This is tedious work that prevents catastrophic breaches.

Monitor east-west traffic. Deploy network detection tools that can see internal traffic patterns. Sudden spikes in SMB, RDP, or SSH connections between systems that don’t normally communicate are indicators of lateral movement. CISA recommends internal network monitoring as a core defensive capability.
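As an added example of what east-west monitoring looks for (not code from the page or from any particular detection product), this script builds a baseline of which hosts talk to which over admin and file-sharing ports, then flags connections outside that baseline and, more loudly, a single source fanning out to several new hosts in a short window. The flow records are constructed, using Zeek conn.log field names; the port list, window and fan-out threshold are assumptions to tune for your environment.

```python
"""Baseline-and-deviation detection for lateral movement in east-west flow
records: connections on admin/file-sharing ports between hosts that never
spoke during a known-good window, and one source fanning out to several such
hosts in a short time. Records are constructed (Zeek conn.log field names);
ports, window and threshold are assumptions to tune per environment."""
import csv
from collections import defaultdict
from io import StringIO

LATERAL_PORTS = {22: "ssh", 135: "rpc", 445: "smb", 3389: "rdp", 5985: "winrm"}


def tsv(rows):
    return "\n".join("\t".join(map(str, r)) for r in rows) + "\n"


HEADER = ("ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto")

# Constructed known-good week: workstations use the app tier over HTTPS,
# the admin jump host RDPs to workstations, the app tier talks to the database.
BASELINE_TSV = tsv([HEADER,
    (1700000000, "10.10.5.5", "10.20.1.10", 443, "tcp"),
    (1700000005, "10.10.5.7", "10.20.1.10", 443, "tcp"),
    (1700000010, "10.100.0.5", "10.10.5.5", 3389, "tcp"),
    (1700000015, "10.100.0.5", "10.10.5.7", 3389, "tcp"),
    (1700000020, "10.20.1.10", "10.20.2.10", 1433, "tcp"),
])

# Constructed later window: 10.10.5.5 starts probing its neighbours over SMB
# and then RDPs to an app server; the admin host reaches one new workstation.
ACTIVITY_TSV = tsv([HEADER,
    (1700003600, "10.10.5.5", "10.20.1.10", 443, "tcp"),
    (1700003610, "10.10.5.5", "10.10.5.20", 445, "tcp"),
    (1700003640, "10.10.5.5", "10.10.5.21", 445, "tcp"),
    (1700003670, "10.10.5.5", "10.10.5.22", 445, "tcp"),
    (1700003700, "10.10.5.5", "10.20.1.10", 3389, "tcp"),
    (1700003720, "10.100.0.5", "10.10.5.7", 3389, "tcp"),
    (1700003730, "10.100.0.5", "10.10.5.9", 3389, "tcp"),
])


def parse_flows(text):
    """Return (ts, src, dst, dport) tuples from a TSV with Zeek conn.log field names."""
    rows = csv.DictReader(StringIO(text), delimiter="\t")
    return [(float(r["ts"]), r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
            for r in rows]


def build_baseline(flows):
    """Set of (src, dst, port) pairs observed during the known-good window."""
    return {(s, d, p) for _, s, d, p in flows}


def detect_lateral_movement(baseline, flows, window=300, fanout=3):
    """Low-severity alert per new lateral-port pair; high-severity alert when a
    source reaches >= fanout distinct new hosts within `window` seconds."""
    alerts, new_by_src = [], defaultdict(list)
    for ts, s, d, p in sorted(flows):
        if p in LATERAL_PORTS and (s, d, p) not in baseline:
            alerts.append({"severity": "low", "type": "new_path", "src": s,
                           "dst": d, "service": LATERAL_PORTS[p]})
            new_by_src[s].append((ts, d))
    for s, hits in new_by_src.items():
        # sliding window over the source's new destinations, counting distinct hosts
        peak = max(len({d for t, d in hits[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(hits))
        if peak >= fanout:
            alerts.append({"severity": "high", "type": "fan_out", "src": s,
                           "hosts": peak, "window_s": window})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_TSV))
    for alert in detect_lateral_movement(baseline, parse_flows(ACTIVITY_TSV)):
        print(alert)
```

The single new RDP session from the jump host produces only a low-severity note, which is the right outcome for an admin doing something slightly unusual; the workstation touching four new hosts on SMB and RDP inside 90 seconds is the fan-out pattern worth paging on. In practice the baseline comes from weeks of flow data rather than five records, and the SMB threshold needs to account for backup and patch-management servers that legitimately fan out.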

Sources & Further Reading