What Is Network Segmentation?
Network segmentation is the practice of dividing a computer network into smaller, isolated subnetworks (called segments or zones) so that traffic between them is controlled, restricted, or blocked entirely. Each segment operates as a contained environment: devices within a segment can communicate freely with each other, but traffic crossing segment boundaries must pass through an enforcing control point such as a firewall, access control list (ACL), or policy engine.
The security value is straightforward: if an attacker compromises one segment, they cannot freely move to others. The breach is contained to its point of origin, buying defenders time to detect and respond before critical systems are reached.
Why Segmentation Matters: Lateral Movement and Blast Radius
Most damaging cyberattacks, including ransomware outbreaks, advanced persistent threat (APT) campaigns, and insider incidents, rely on lateral movement: once an initial foothold is established (typically through phishing or exploiting a perimeter vulnerability), the attacker moves through the internal network toward high-value targets such as domain controllers, databases, and backup systems.
On a flat network, one where all devices can communicate with all other devices, lateral movement is trivially easy. An attacker who compromises a single workstation can scan the entire internal address space, exploit unpatched services, and reach financial systems or industrial controls without crossing any enforcement boundary.
Segmentation limits the blast radius: the maximum damage an attacker can cause from any given starting point. Ransomware that lands in an isolated guest wireless segment cannot encrypt servers in a segmented production environment if no route exists between them.
Flat Network vs. Segmented Network
A flat network places all devices (workstations, servers, printers, IP cameras, HVAC controllers, and everything else) on a single broadcast domain or a small number of subnets with no filtering between them. Flat networks are operationally simple but create an enormous attack surface.
A segmented network places device groups into separate zones based on function, trust level, data sensitivity, or regulatory requirement. Traffic between zones is explicitly permitted or denied based on policy. The default is deny: if there is no business justification for two zones to communicate, they do not.
Key Segmentation Techniques
VLANs (Virtual LANs)
VLANs provide logical separation at Layer 2 of the OSI model. Managed switches assign ports or tagged frames to specific VLANs, creating separate broadcast domains on the same physical infrastructure. VLANs are inexpensive and widely supported, making them the most common first step in segmentation. However, VLANs alone do not enforce security: a misconfigured trunk port or a VLAN hopping attack can bypass them. VLANs must be combined with Layer 3 firewall enforcement between VLANs to provide meaningful security segmentation.
Subnetting
Subnetting divides an IP address space into smaller ranges, creating IP-level isolation. Routers only forward traffic between subnets, so subnet boundaries are natural points to apply firewall rules and ACLs. Subnetting and VLANs are complementary: VLANs create Layer 2 domains, subnets create Layer 3 routing domains, and firewalls enforce policy at the boundary between them.
Firewalls and ACLs
Firewalls and access control lists are the enforcement mechanism that makes segmentation meaningful. A stateful firewall between network zones inspects traffic, enforces allow/deny rules, and logs inter-zone communications. ACLs on routers and Layer 3 switches provide lightweight packet filtering based on source/destination IP and port. Without firewall enforcement, VLANs and subnets are administrative conveniences, not security controls.
DMZ (Demilitarized Zone)
A DMZ is a dedicated network segment for internet-facing services (web servers, email gateways, DNS resolvers, API endpoints) that must be accessible from the public internet but should not have direct access to internal systems. The DMZ sits between two firewall interfaces: the outer interface facing the internet permits inbound traffic to DMZ services; the inner interface to the internal LAN permits only specific, necessary traffic from DMZ to internal systems (such as database queries). Compromising a DMZ server does not grant access to the internal network because the inner firewall enforces that boundary.
Microsegmentation
Microsegmentation extends segmentation to the workload level, controlling east-west traffic (server-to-server, container-to-container) within the data center or cloud environment. Traditional segmentation controls north-south traffic (into and out of a segment); microsegmentation adds granular control within segments. Platforms such as VMware NSX and Illumio apply policy based on workload identity rather than IP address, so policy follows workloads as they move between hosts or cloud regions. Microsegmentation is a foundational component of zero trust network architecture.
Common Segmentation Zones
Most organizations structure their network into several standard zones, each with defined trust levels and inter-zone policies:
- User network: Employee workstations and personal devices. High-risk zone due to phishing exposure and removable media.
- Server network: Internal application servers, file shares, and directory services. Should be accessible from user network only for specific services (e.g., file server on port 445), not via broad access.
- DMZ: Internet-facing services as described above.
- Guest WiFi: Isolated segment for visitor devices with internet access only; no route to internal networks.
- Management / Out-of-Band network: Dedicated segment for administrative access to network devices, servers, and security tools. Strictly controlled; no user workstations.
- OT/ICS network: Industrial control systems, PLCs, DCS, and SCADA systems. Should be air-gapped or minimally connected with a data diode or unidirectional gateway.
- PCI DSS Cardholder Data Environment (CDE): Systems that store, process, or transmit payment card data. Strictly segmented and subject to PCI DSS controls.
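As an added example (not code from the original article), the following Python model shows the default-deny inter-zone policy the zones above imply: the zone CIDRs, the allow list and the flows are constructed sample values, and intra-zone traffic is permitted to mirror the traditional segmentation assumption.

```python
"""Default-deny inter-zone policy check. Illustrative example: zone CIDRs,
rules and flows are constructed sample values, not a vendor's syntax."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone address plan; a real one comes from the IPAM.
ZONES = {
    "user":   ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "dmz":    ipaddress.ip_network("192.168.100.0/24"),
    "guest":  ipaddress.ip_network("172.16.0.0/16"),
    "mgmt":   ipaddress.ip_network("10.99.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port

# Explicit inter-zone allow list. Anything not listed is denied, so the
# guest zone, which has no entry, cannot reach any internal zone.
ALLOW = [
    Rule("user", "server", "tcp", 445),   # file shares only, not broad access
    Rule("user", "dmz", "tcp", 443),      # users reach the internal web tier
    Rule("dmz", "server", "tcp", 5432),   # web tier to database, nothing else
    Rule("mgmt", "server", "tcp", 22),    # SSH only from the out-of-band zone
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means outside the address plan."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: an inter-zone flow passes only if an allow rule matches.
    Destinations outside the plan (e.g. the internet) are out of scope here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True          # traditional segmentation trusts intra-zone traffic
    return Rule(src, dst, proto.lower(), port) in ALLOW
```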
OT/IT Segmentation and the Purdue Model
Operational Technology (OT) environments, such as power generation, manufacturing, and water treatment, require particularly strict segmentation from corporate IT networks. The Purdue Enterprise Reference Architecture provides a hierarchical model with defined levels:
- Level 0: Physical process (sensors, actuators).
- Level 1: Intelligent devices (PLCs, RTUs).
- Level 2: Control systems (DCS, HMI).
- Level 3: Operations management (historians, batch management).
- Level 3.5: Industrial DMZ, the critical boundary between OT and IT.
- Level 4-5: Enterprise IT network and internet.
Traffic should flow upward through defined interfaces only; direct connections between Level 2 and the corporate IT network (Level 4) violate the model and create dangerous attack paths.
Segmentation for Compliance
Several major compliance frameworks explicitly require or reward network segmentation:
- PCI DSS Requirement 1: Mandates firewall controls between the CDE and other networks. Proper segmentation can dramatically reduce PCI DSS scope by excluding systems that have no connectivity to the CDE.
- HIPAA: While not prescriptive about segmentation, the Security Rule requires access controls and audit logging for ePHI systems. Segmentation is the practical mechanism for limiting access to systems containing patient data.
- NIST SP 800-53 SC-7 (Boundary Protection): Requires managed interfaces at external network boundaries and between internal network components with different security requirements.
Testing Your Segmentation
Segmentation that has not been verified should not be trusted. Testing approaches include:
- Firewall rule review: Audit all inter-zone firewall rules annually. Remove rules that no longer have a documented business justification. Look for any-to-any rules, overly broad source ranges, and rules permitting management protocols (SSH, RDP) from non-management networks.
- Penetration testing: A segmentation-focused penetration test attempts to move between zones using misconfigurations, VLAN hopping, misconfigured ACLs, and dual-homed hosts. This should be performed at least annually and after significant network changes.
- Automated segmentation verification: Tools such as Tufin, FireMon, and AlgoSec continuously analyze firewall policy and flag violations of defined segmentation policy.
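The rule-review findings listed above can be scripted. The following Python audit is an added example, not the article's or any vendor's tool: the rule format, the management network and the sample rules are constructed, and the "overly broad" threshold is an assumption to be tuned per environment.

```python
"""Audit an inter-zone allow list for any-to-any rules, overly broad sources,
management protocols from non-management networks and missing justification.
Illustrative example; rule format and sample rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # constructed OOB network
BROAD_PREFIX = 16   # assumption: a source wider than /16 is overly broad

@dataclass
class FwRule:
    name: str
    src: str        # CIDR, or "any" for 0.0.0.0/0
    dst: str
    port: str       # numeric destination port, or "any"
    action: str     # "allow" or "deny"
    justification: str = ""

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def audit(rules: List[FwRule]) -> List[str]:
    """Return one finding per problem; an empty list means no findings."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # only permits widen the blast radius
        src = _net(r.src)
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append(f"{r.name}: any-to-any rule")
        elif src.prefixlen < BROAD_PREFIX:
            findings.append(f"{r.name}: overly broad source {src}")
        if r.port != "any" and int(r.port) in MGMT_PORTS \
                and not src.subnet_of(MGMT_NET):
            findings.append(f"{r.name}: {MGMT_PORTS[int(r.port)]} allowed "
                            f"from non-management source {src}")
        if not r.justification.strip():
            findings.append(f"{r.name}: no documented business justification")
    return findings

# Constructed sample rule set exercising each finding type.
SAMPLE_RULES = [
    FwRule("user-to-fileshare", "10.10.0.0/16", "10.20.1.10/32", "445", "allow", "file server access"),
    FwRule("legacy-any", "any", "any", "any", "allow", "unknown"),
    FwRule("user-rdp-servers", "10.10.0.0/16", "10.20.0.0/16", "3389", "allow", "helpdesk"),
    FwRule("oob-ssh", "10.99.0.0/24", "10.20.0.0/16", "22", "allow", "admin access"),
    FwRule("corp-wide-web", "10.0.0.0/8", "192.168.100.0/24", "443", "allow", ""),
    FwRule("default-deny", "any", "any", "any", "deny", "baseline"),
]
```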
Common Segmentation Mistakes
- VLANs without firewall enforcement: Treating VLAN membership as a security boundary without adding inter-VLAN firewall rules. A compromised host with a VLAN-aware NIC or a misconfigured trunk port can reach other VLANs.
- Misconfigured ACLs: ACL rules that are overly permissive, in the wrong direction, or applied to the wrong interface provide false confidence without real protection.
- Dual-homed hosts: Servers or workstations with interfaces on multiple network segments bypass segmentation entirely. Inventory and eliminate dual-homed hosts except where operationally required and explicitly secured.
- Flat OT networks: The most dangerous configuration in industrial environments. A flat OT network means ransomware that reaches any OT-connected system can spread to PLCs and engineering workstations.
- No east-west controls: Segmenting north-south (perimeter) traffic but ignoring east-west (internal) traffic. Most breach damage happens east-west after the perimeter is crossed.
Zero Trust as the Evolution Beyond Segmentation
Traditional segmentation assumes that devices within a trusted zone can communicate freely with each other โ only zone-crossing traffic is scrutinized. Zero trust eliminates this assumption entirely. Under a zero trust model, every communication request โ regardless of source network โ is authenticated, authorized, and logged. Microsegmentation is the network control layer within a zero trust architecture, but zero trust adds identity verification, device health checks, and continuous monitoring that pure network segmentation cannot provide. Organizations should view segmentation as a foundational step toward zero trust, not a destination in itself.