Secure Network Design – Network Segmentation

Network Segmentation — NAXS Labs

Network Segmentation

The goal of segmentation is to make things harder for an attacker. Limit what they can reach, limit what they can see, and force them to cross boundaries you control at every step.

A flat network, one where every device can reach every other device, is an attacker’s ideal environment. Once they’re in, they’re everywhere. Segmentation changes that. It breaks the network into zones with controlled boundaries, so that compromising one part doesn’t automatically mean compromising the rest.

Segmentation is also about least privilege — not just for users, but for machines and network traffic. A workstation doesn’t need to communicate with a database server. A web server doesn’t need to receive routing protocol messages. Restricting what can talk to what is the same principle applied at the network layer.

Why It Matters Beyond the Obvious

Most people understand segmentation as a way to isolate sensitive data — put the database on a separate network, restrict who can reach it. That’s correct, but segmentation protects more than data. It protects the infrastructure itself.

Routing protocols like OSPF and BGP are the mechanisms routers use to learn about the network and exchange path information. If an attacker can reach the segment where routing protocol messages traverse, they can attempt to poison the routing table — injecting false routes, redirecting traffic, or forming unauthorized adjacencies with your routers. Separating the management and control plane traffic from user traffic is segmentation applied to the infrastructure layer.

Similarly, protocols like CDP (Cisco Discovery Protocol) disclose information about neighboring devices — device type, software version, interface details. That’s useful for network management and useful for an attacker mapping your environment. Segmentation limits which systems can see that traffic at all.

Least privilege for machines

The principle of least privilege applies to network traffic the same way it applies to user accounts. A system should only be able to communicate with what it needs to function. Everything else should be denied by default. ACLs and firewall rules are the enforcement mechanism — segmentation is the design that makes them meaningful.

How to Segment

VLANs

Virtual LANs are the most common on-premises segmentation mechanism. A VLAN logically separates traffic on a shared physical infrastructure — devices on VLAN 10 can’t communicate with devices on VLAN 20 unless traffic is explicitly routed between them, typically through a firewall or router where ACLs can be applied. VLANs are fast to implement and widely supported, but they require discipline — misconfigured trunk ports or missing ACLs can collapse the separation entirely.

IPsec

IPsec creates encrypted tunnels between endpoints or networks, separating traffic at the cryptographic layer rather than the physical or logical one. A site-to-site IPsec VPN between two offices creates a private logical segment over a public network — traffic inside the tunnel is isolated from everything outside it. IPsec can also be used within a network to protect sensitive traffic flows, ensuring that even if an attacker gains access to the same physical segment, they can’t read the traffic traversing the tunnel.

SDN and Microsegmentation

Software-defined networking and microsegmentation take the concept further by applying policy at the workload level rather than the network level. Instead of segmenting by subnet or VLAN, policies are attached to individual workloads — a specific server, container, or virtual machine. Traffic between two systems in the same subnet can be controlled and filtered. This is particularly relevant in virtualized and cloud environments where the traditional network boundary doesn’t map cleanly to the infrastructure.

Defense in Depth — The Trust Gradient

Segmentation is most effective when it reflects a model of trust: the further from the internet an asset sits, the more trusted it is, and the more restricted the access to it should be. Risk decreases as you move inward. Controls should increase correspondingly.

[Figure: defense-in-depth trust gradient. From the Internet inward: PUBLIC tier (web / load balancer, internet-facing) → ACL/FW → DMZ tier (app / API servers, semi-trusted) → ACL/FW → MIDDLE tier (proxy / auth gateway, DMZ separator) → ACL/FW → PRIVATE tier (database, internal, highest trust). HIGH RISK at the edge, LOW RISK at the core: risk decreases inward, trust increases inward.]
Defense in depth — traffic moving inward must traverse each boundary. Each boundary is an opportunity to inspect, filter, and control. Risk decreases as trust increases toward the private tier.

A system in the DMZ that needs to query a database in the private tier doesn’t connect directly. It must traverse the middle tier — a proxy, authentication gateway, or application layer — where the request can be inspected and controlled before being permitted onward. This forces every cross-boundary communication through a chokepoint you control, limiting what an attacker who compromises the DMZ can reach.
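The chokepoint rule above, as an added example that is not part of the original post: a Python checker that maps addresses to tiers and rejects any new connection that skips a boundary, is initiated outward, or has no explicit allow rule at the boundary it crosses. The subnets, ports and the inward-only policy are assumptions, not the author's.

```python
import ipaddress

# Tiers ordered from least trusted (outermost) to most trusted (innermost).
TIERS = ["public", "dmz", "middle", "private"]

# Constructed address plan (assumption): anything outside these ranges is "public".
TIER_SUBNETS = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),      # web / load balancer
    "middle": ipaddress.ip_network("10.2.0.0/24"),   # proxy / auth gateway
    "private": ipaddress.ip_network("10.3.0.0/24"),  # database
}

# Explicit allow list per boundary: (src_tier, dst_tier, dst_port).
# Anything not listed is denied; the ACL is what turns a zone into a control.
ALLOWED = {
    ("public", "dmz", 443),       # internet -> web tier
    ("dmz", "middle", 8443),      # app servers -> auth gateway / proxy
    ("middle", "private", 5432),  # gateway -> database
}

def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in TIER_SUBNETS.items():
        if addr in net:
            return name
    return "public"

def check_flow(src_ip, dst_ip, dst_port):
    """Return (allowed, reason) for a connection initiated by src_ip to dst_ip."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    hops = TIERS.index(dst) - TIERS.index(src)
    if src == dst:
        return True, f"{src}: same tier, not a boundary crossing"
    if hops < 0:
        # Assumed policy: more-trusted tiers never initiate toward less-trusted ones.
        return False, f"{src} -> {dst}: connections must be initiated inward"
    if hops > 1:
        skipped = TIERS[TIERS.index(src) + 1]
        return False, f"{src} -> {dst}: skips the {skipped} tier"
    if (src, dst, dst_port) not in ALLOWED:
        return False, f"{src} -> {dst}: no rule permits port {dst_port}"
    return True, f"{src} -> {dst}: permitted on port {dst_port}"

def path_via_middle(src_ip, gateway_ip, dst_ip, gw_port, dst_port):
    """A proxied request is two legs, each checked at its own boundary."""
    legs = [(src_ip, gateway_ip, gw_port), (gateway_ip, dst_ip, dst_port)]
    return all(check_flow(a, b, p)[0] for a, b, p in legs)
```

A DMZ host asking the database directly fails the "skips the middle tier" check, while the same request routed through the gateway passes both legs.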

Segmentation in the Cloud

Cloud environments don’t have physical network boundaries, but the principles translate directly. The mechanisms are different — the architecture is the same.

Separate VPCs for Separation of Duties

In AWS, separate VPCs for different functions — production, development, shared services — enforce separation of duties at the network level. Combined with AWS Organizations and Service Control Policies (SCPs), you can restrict what services can be used in each account entirely, preventing a compromised development environment from being used to access production resources. SCPs function similarly to Group Policy Objects in Active Directory — they can be applied at the root or organizational unit level to restrict what accounts within that scope can do, regardless of what IAM policies say.

Security Groups and Network Firewalls

Security groups function as instance-level firewalls, controlling inbound and outbound traffic per resource. The key distinction from traditional ACLs is that security groups are stateful — return traffic is automatically permitted. Referencing a security group as a source rather than a CIDR range enforces identity-based access: only resources holding that group membership can communicate, regardless of IP address. AWS Network Firewall adds a layer above security groups for deep packet inspection and more granular traffic filtering across a VPC.

VPNs in the Cloud

Site-to-site VPNs between on-premises environments and cloud VPCs extend the segmentation model across the hybrid boundary. Traffic between the two environments traverses an encrypted tunnel, logically separated from public internet traffic. The cloud VPC becomes an extension of the internal network, subject to the same segmentation controls — which is also why it’s important to design the cloud network architecture deliberately rather than treating it as a flat extension of the corporate network.

ACLs are required

Segmentation creates zones. ACLs and firewall rules are what enforce the boundaries between them. A VLAN without an ACL at the boundary is a label, not a control. A VPC without security group rules is a container with open walls. Segmentation and access control are inseparable — one without the other is incomplete.

Segmentation is a preventive control, and a preventive control alone is only one third of a complete control. Wherever you place a segment boundary, you also want detective controls: logging traffic flows, capturing denied connections, monitoring for anomalous lateral movement. And corrective controls: automated responses through API triggers, security orchestration tools, or runbooks that isolate a compromised segment when something is detected. Segmentation without visibility is a wall with no cameras. Segmentation without a response plan is a wall with no door to close.
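The detective side of that boundary, as an added example that is not part of the original post: a Python pass over constructed VPC-flow-log-style records (version-2 field order: version, account, interface, src, dst, srcport, dstport, protocol, packets, bytes, start, end, action, status) that reports rejected cross-boundary connections and a single source fanning out across the private tier. The tier subnets, the fan-out threshold and the sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan (assumption): anything outside these ranges is "public".
TIER_SUBNETS = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "middle": ipaddress.ip_network("10.2.0.0/24"),
    "private": ipaddress.ip_network("10.3.0.0/24"),
}
LATERAL_FANOUT = 3  # distinct private hosts one outside source may touch before alerting

def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in TIER_SUBNETS.items() if addr in net), "public")

def parse(line):
    """Pull the fields we need from a whitespace-separated version-2 flow record."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "dport": int(f[6]), "action": f[12]}

def analyze(lines):
    """Return findings: rejects at a boundary, and fan-out into the private tier."""
    findings = []
    touched = defaultdict(set)  # source address -> private destinations it reached for
    for rec in map(parse, lines):
        src_t, dst_t = tier_of(rec["src"]), tier_of(rec["dst"])
        if rec["action"] == "REJECT" and src_t != dst_t:
            findings.append(f"boundary-reject {src_t}->{dst_t} "
                            f"{rec['src']} -> {rec['dst']}:{rec['dport']}")
        if dst_t == "private" and src_t != "private":
            touched[rec["src"]].add(rec["dst"])  # counted whether accepted or rejected
    for src, dsts in touched.items():
        if len(dsts) >= LATERAL_FANOUT:
            findings.append(f"lateral-fanout {tier_of(src)} {src} "
                            f"reached {len(dsts)} private hosts")
    return findings

# Constructed sample records: a DMZ web server sweeping the private tier after
# one legitimate gateway-to-database flow and one legitimate inbound web flow.
SAMPLE = [
    "2 123456789012 eni-0a1b 10.2.0.5 10.3.0.20 41000 5432 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.1.0.10 10.3.0.20 52001 5432 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b 10.1.0.10 10.3.0.21 52002 22 6 1 60 1700000001 1700000061 REJECT OK",
    "2 123456789012 eni-0a1b 10.1.0.10 10.3.0.22 52003 445 6 1 60 1700000002 1700000062 REJECT OK",
    "2 123456789012 eni-0a1b 203.0.113.5 10.1.0.10 40000 443 6 20 3000 1700000003 1700000063 ACCEPT OK",
]
```

The three rejects are the ACL doing its job; the fan-out finding is the signal that the DMZ host itself should be isolated, which is where the corrective runbook takes over.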

The goal is not to prevent a breach. You will be breached. The goal is to ensure that when it happens, it doesn’t become a catastrophe.
