Network segmentation is the practice of splitting a single network into multiple isolated sub-networks (segments or zones). Each segment has its own access controls, and traffic between segments is explicitly permitted or denied by firewalls, routers, or access control lists (ACLs). The goal is to limit the blast radius of a security incident.

Why Segmentation Matters

Without segmentation, a flat network allows any compromised device to communicate freely with every other device. A ransomware infection on one workstation can spread laterally to file servers, domain controllers, and critical infrastructure within minutes, because nothing in the network path is positioned to stop it. Segmentation forces attackers to break through an additional, monitored barrier for every lateral move. The barrier is only as good as the rules on it: two VLANs joined by a router that forwards everything, or a firewall with an "any to any" rule between zones, provide no more protection than a flat network.

Common Segmentation Approaches

For each method: how it works, and what it is best suited to.

  • VLANs: logically separate traffic on the same physical switch. Best for office LANs and for keeping IoT devices off the corporate segment. A VLAN is only a security boundary if inter-VLAN routing passes through a firewall or ACL; switches and routers that forward freely between VLANs isolate nothing.
  • Subnets: assign a different IP range to each zone and route between them through a device that enforces rules. Best for Layer 3 separation with firewall rules at the routing point.
  • DMZ: public-facing servers in a zone between two firewalls, or on a dedicated interface of a single firewall (the "three-legged" design). Best for web servers, mail servers, and public APIs.
  • Zero Trust: verify every request on identity and device posture regardless of network location. This is an access model rather than a network construct, usually layered on top of segmentation rather than replacing it. Best for cloud environments and remote workforces.
  • Microsegmentation: per-workload policies enforced on the host, hypervisor, or software-defined network rather than at a subnet boundary (host firewalls, SDN, Kubernetes NetworkPolicy). Best for data centers and Kubernetes clusters, where most traffic never crosses a subnet boundary at all.

Typical Segments in an Enterprise Network

  • Corporate LAN — employee workstations and internal tools
  • Server zone — internal servers with stricter access controls
  • DMZ — internet-facing services (web, email, VPN gateway)
  • IoT zone — smart devices that need internet access but not access to corporate resources
  • Guest Wi-Fi — internet-only access, no LAN access
  • Management network — out-of-band access to switches, routers, and server management interfaces

Segmentation and Compliance

Network segmentation is required or strongly recommended by major security frameworks. PCI DSS requires network security controls that restrict traffic between the cardholder data environment and all other networks to what is necessary; segmentation itself is not mandated, but without it the entire network is in scope for assessment, so it is the standard way to shrink the audited environment. HIPAA's Security Rule requires safeguards against unauthorized access to health data without prescribing a network design, and segmentation is a common way to meet that obligation. NIST SP 800-53 covers it under SC-7 (Boundary Protection), which calls for controlling communications at managed interfaces and placing publicly accessible components in separate subnetworks. Proper segmentation significantly reduces the scope of compliance audits.

People Also Ask

What is a DMZ in networking?
A DMZ (demilitarized zone) is a network segment that sits between the public internet and the internal network. In the classic design it is protected by firewalls on both sides; the same effect is achieved with a single firewall that has a dedicated DMZ interface, as long as the rules from the DMZ into the internal network are as strict as those from the internet. Public-facing servers (web, email, VPN) are placed in the DMZ so that if one is compromised, the attacker still faces a second set of rules before reaching the internal network. Those rules should allow DMZ hosts to initiate only the specific inbound connections they need (for example, a web server to its database port) and nothing else. The term is borrowed from the military concept of a buffer zone between opposing forces.
How does segmentation stop ransomware?
Ransomware spreads by moving laterally through the network over file sharing (SMB), remote desktop (RDP), and remote administration protocols such as WinRM, RPC, and SSH, typically with credentials stolen from the first compromised host. Segmentation blocks this lateral movement: a device in the workstation zone cannot reach the backup server zone unless a rule explicitly allows it. It contains rather than cures an infection, and the paths that are allowed (workstations to file servers over SMB, for instance) are exactly the ones ransomware will use, so the allow-list between zones should be as narrow as the business permits and backups should be reachable only from the systems that write to them. Network monitoring at segment boundaries also makes lateral movement visible to defenders much sooner than in a flat network, because a denied connection attempt from a workstation to the backup zone is a strong signal on its own.
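The script below is an added example, not code from the original page. It models the segments listed under "Typical Segments in an Enterprise Network" as an address plan with a default-deny allow-list between zones, then runs constructed flow records through that policy to show what a boundary firewall would block, what it would allow, and what it never sees (same-segment traffic, the gap microsegmentation exists to close). The zone names, CIDRs, ports (including the 10000/tcp backup-agent port), and the flow log are all assumptions made for the example.

```python
"""Segment-aware flow audit (added example; addresses, zones, ports and log
lines are constructed for illustration and are not from the original page)."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Address plan assumed for the example: one routed subnet per segment.
ZONES = {
    "corp_lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers":  ipaddress.ip_network("10.20.0.0/16"),
    "backup":   ipaddress.ip_network("10.30.0.0/24"),
    "dmz":      ipaddress.ip_network("192.168.100.0/24"),
    "iot":      ipaddress.ip_network("10.40.0.0/16"),
    "mgmt":     ipaddress.ip_network("10.250.0.0/24"),
}

# Inter-zone allow-list: (src_zone, dst_zone) -> permitted TCP destination ports.
# Any pair or port not listed is denied. That default-deny is what gives the
# boundary its value; an "any/any" rule between two VLANs is not segmentation.
ALLOW = {
    ("corp_lan", "servers"): {88, 389, 443, 445},   # Kerberos, LDAP, HTTPS, SMB to file servers
    ("corp_lan", "dmz"):     {443},
    ("dmz", "servers"):      {5432},                # web tier to its database only
    ("servers", "backup"):   {10000},               # hypothetical backup-agent port
    ("mgmt", "servers"):     {22, 443},
    ("mgmt", "backup"):      {22},
}

# Ports ransomware and hands-on-keyboard intruders lean on for lateral movement.
LATERAL_PORTS = {135, 445, 3389, 5985, 5986, 22}


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str):
    """Map an address to its segment name, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide what the inter-segment firewall would do with one flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"          # unknown address space never gets an implicit allow
    if src == dst:
        return "intra"         # same segment: the boundary firewall never sees it
    return "allow" if dport in ALLOW.get((src, dst), set()) else "deny"


def parse_flows(text: str):
    """Parse 'timestamp src dst dport proto' records, one per line."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def audit(flows):
    """Bucket flows by verdict and pull out the two things a defender wants:
    blocked lateral-movement attempts at a boundary, and lateral-movement
    traffic inside a segment that only microsegmentation could police."""
    by_verdict = defaultdict(list)
    for f in flows:
        by_verdict[evaluate(f.src, f.dst, f.dport)].append(f)
    return {
        "allowed": by_verdict["allow"],
        "denied": by_verdict["deny"],
        "blocked_lateral": [f for f in by_verdict["deny"] if f.dport in LATERAL_PORTS],
        "intra_zone_lateral": [f for f in by_verdict["intra"] if f.dport in LATERAL_PORTS],
    }


# Constructed flow log: a corporate workstation (10.10.5.23) that begins
# probing the backup and management segments over SMB, RDP and SSH.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.10.5.23 10.20.1.10 443 tcp
2024-05-01T10:00:02Z 10.10.5.23 10.20.1.10 445 tcp
2024-05-01T10:00:05Z 10.10.5.23 10.10.5.40 445 tcp
2024-05-01T10:00:09Z 10.10.5.23 10.30.0.5 445 tcp
2024-05-01T10:00:10Z 10.10.5.23 10.30.0.5 3389 tcp
2024-05-01T10:00:12Z 10.10.5.23 10.250.0.2 22 tcp
2024-05-01T10:00:15Z 10.40.3.8 10.20.1.10 443 tcp
2024-05-01T10:00:20Z 10.20.1.10 10.30.0.5 10000 tcp
"""

if __name__ == "__main__":
    report = audit(parse_flows(SAMPLE_FLOWS))
    for bucket, matched in report.items():
        print(f"{bucket}: {len(matched)}")
        for f in matched:
            print(f"  {f.ts} {zone_of(f.src)}->{zone_of(f.dst)} {f.src}->{f.dst}:{f.dport}")
```

On the constructed log the workstation's SMB to the file server is allowed (it is on the allow-list), its SMB, RDP and SSH attempts against the backup and management zones are denied and surface as blocked lateral movement, the IoT device's attempt to reach the server zone is denied, and the SMB connection to a neighbouring workstation lands in the "intra_zone_lateral" bucket: correct by the policy, but invisible at the boundary, which is the case for host-level enforcement in the segments where it matters.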
