Network segmentation: reducing your attack surface
The danger of flat networks
A flat network is one where every device can communicate with every other device. The receptionist’s laptop can reach the database server. The guest Wi-Fi sits on the same subnet as the finance system. A compromised printer becomes a stepping stone to the domain controller.
This architecture was common when networks were simpler and threats were less sophisticated. Today, it’s an invitation for lateral movement - the technique attackers use to expand their foothold after an initial compromise.
Once inside a flat network, an attacker can scan for open ports, discover vulnerable services, and move from one system to another until they reach something valuable. The average dwell time - the period between initial compromise and detection - is still measured in weeks for many South African businesses. On a flat network, that’s more than enough time to reach critical assets.
Network segmentation breaks this chain by dividing the network into isolated zones with controlled traffic flows between them.
What network segmentation is
Segmentation is the practice of partitioning a network into smaller, discrete segments, each with its own security policies and access controls. Traffic between segments passes through a firewall, router, or other enforcement point that inspects and permits or denies the communication.
Think of it like compartments in a ship. If one compartment floods, the bulkheads prevent the water from sinking the entire vessel. Segmentation works the same way: if one zone is compromised, the damage is contained.
Types of segmentation
VLAN-based segmentation
Virtual LANs (VLANs) are the most common starting point. VLANs separate broadcast domains at Layer 2, allowing you to group devices logically rather than physically. A typical setup might include:
- Corporate VLAN - workstations and laptops for general staff
- Server VLAN - production servers and databases
- Management VLAN - switches, routers, and other infrastructure devices
- Guest VLAN - Wi-Fi for visitors, completely isolated from internal resources
- VoIP VLAN - IP phones, prioritised for quality of service
VLANs alone don’t provide security - a VLAN is a separation mechanism, not an enforcement point. They need to be combined with inter-VLAN routing policies and access control lists (ACLs) at the Layer 3 boundary that define what traffic is permitted between zones. The Layer 2 boundary also has to be configured to hold: disable dynamic trunk negotiation on access ports and keep the native VLAN on trunk links unused, otherwise a host can place tagged frames into a VLAN it was never assigned to.
Firewall zone segmentation
Next-generation firewalls can enforce segmentation at Layer 3 and above, inspecting traffic content and applying policies based on application, user identity, and threat signatures. This is more granular than VLAN ACLs and provides deeper visibility into what’s crossing zone boundaries.
Common firewall zones include:
- Trust zone - internal corporate network
- Untrust zone - the internet
- DMZ - public-facing services (web servers, email gateways) that need internet exposure but should not have direct access to internal resources
- Restricted zone - high-security systems (financial databases, HR records, backup infrastructure)
Micro-segmentation
Micro-segmentation takes the concept further by applying policies at the workload or application level, often using software-defined networking (SDN) or host-based firewalls. Instead of segmenting by network zone, you segment by individual service.
For example, a micro-segmentation policy might allow the web server to communicate with the application server on port 8080, but deny all other traffic - even from systems on the same VLAN.
Micro-segmentation is particularly valuable in cloud and virtualised environments where traditional network boundaries are blurred.
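The policy described above, written out as a host-based ruleset. This is an added illustration in Python, not code from the original page or from ITHQ; the table name, addresses and ports are assumptions. `render_nft` turns a short allow-list for the application server into an nftables input chain that drops by default, and `would_accept` simulates that chain for a new inbound connection, which shows that a second host on the web server’s own VLAN is still denied:

```python
# Added example (not from the original page): compile a workload-level
# allow-list into a host-based nftables ruleset that denies by default.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allow:
    src: str       # host address or CIDR permitted to open connections to this workload
    proto: str     # "tcp" or "udp"
    port: int      # destination port on this workload
    comment: str   # why the rule exists; ends up in the ruleset


# Constructed policy for the application server (addresses are assumptions):
# only the web server may reach the API on 8080, only the management VLAN may reach SSH.
APP_SERVER_POLICY = [
    Allow("10.10.20.11", "tcp", 8080, "web-01 -> app API"),
    Allow("10.10.99.0/24", "tcp", 22, "management VLAN -> ssh"),
]


def render_nft(policy, table="microseg"):
    """Render an nftables input chain: loopback and reply traffic pass,
    each allow-list entry gets one rule, everything else is logged and dropped."""
    lines = [
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    icmp type echo-request limit rate 5/second accept",
    ]
    for r in policy:
        lines.append(
            f'    ip saddr {r.src} {r.proto} dport {r.port} ct state new accept comment "{r.comment}"'
        )
    lines += ['    log prefix "microseg-drop: " counter', "  }", "}"]
    return "\n".join(lines) + "\n"


def would_accept(policy, src_ip, proto, port):
    """Simulate the chain for a new inbound connection: accepted only if an
    allow-list entry covers the source address, protocol and port."""
    src = ipaddress.ip_address(src_ip)
    return any(
        src in ipaddress.ip_network(r.src, strict=False) and r.proto == proto and r.port == port
        for r in policy
    )


if __name__ == "__main__":
    print(render_nft(APP_SERVER_POLICY))
    # A second host on the web server's VLAN is not the web server: denied.
    print("web-02 -> app:8080 ", would_accept(APP_SERVER_POLICY, "10.10.20.12", "tcp", 8080))
```

On a real host the rendered text would be loaded with `nft -f`, and the `microseg-drop:` log lines watched for a while before trusting that the allow-list is complete.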
Planning your segmentation architecture
Segmentation is not something you bolt on overnight. A structured approach prevents disruption and ensures that the architecture supports business requirements.
Step 1: Inventory and classify assets
You can’t segment what you can’t see. Start with a comprehensive inventory of devices, applications, and data stores. Classify them by:
- Sensitivity - does this system hold personal data, financial records, or intellectual property?
- Criticality - what is the business impact if this system is unavailable?
- Exposure - is this system internet-facing, used by third parties, or accessed remotely?
Step 2: Map traffic flows
Before defining policies, understand how traffic actually flows today. Which systems talk to each other, on which ports, and how frequently? Network monitoring tools and flow analysis will reveal dependencies that nobody documented.
This step often surfaces surprises: legacy applications communicating over unexpected ports, development systems with production database access, or monitoring tools with broad network reach.
Step 3: Define zones and policies
Based on your asset classification and traffic analysis, define logical zones and the rules governing traffic between them. The principle is simple: deny by default, permit by exception. Only allow the specific communication that is required for business operations.
Step 4: Implement incrementally
Start with the highest-risk boundaries - isolating the server environment from the user network, or separating guest Wi-Fi from internal resources. Then progressively tighten controls as you gain confidence and visibility.
Monitoring is essential during implementation. Where the enforcement point supports it, deploy new deny rules in log-only or alert mode first, so that traffic which would have been dropped is recorded without anything breaking, and switch to enforcement once that log has gone quiet. Watch for broken applications, failed connections, and user complaints. Each one indicates a traffic flow that needs to be explicitly permitted or an application that needs reconfiguration; a flow that nobody can explain should be investigated before it is permitted.
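The four steps as one small tool, added here as an example in Python (not the page’s or ITHQ’s code). The inventory, the flow export and the policy are constructed for illustration, and a real run would read flow records from a NetFlow or IPFIX collector instead of the embedded CSV. It assigns each host to a zone, evaluates every observed flow against a deny-by-default zone policy, and produces the review list for the incremental rollout: flows the policy would block, busiest first, since those are the undocumented dependencies most likely to break something, plus a hint when a blocked flow uses a service the policy reserves for a different zone pair (a workstation talking to the database the way only the application server should):

```python
# Added example (not from the original page): simulate a deny-by-default
# zone policy against observed flows before enforcing it.
import csv
import io
from collections import Counter

# Step 1 - constructed asset inventory: IP -> zone (addresses are assumptions).
ZONES = {
    "10.10.10.23": "corporate",   # staff laptop
    "10.10.10.88": "corporate",   # developer workstation
    "10.10.20.11": "dmz",         # public web server
    "10.10.30.5": "server",       # application server
    "10.10.30.9": "server",       # database
    "10.10.30.50": "server",      # monitoring host
    "10.10.40.2": "guest",        # guest Wi-Fi client
    "10.10.99.1": "management",   # core switch
}

# Step 2 - constructed flow export, in the shape a collector might summarise it.
FLOWS_CSV = """src,dst,proto,dport,packets
10.10.20.11,10.10.30.5,tcp,8080,5120
10.10.30.5,10.10.30.9,tcp,5432,9800
10.10.10.23,10.10.30.5,tcp,443,300
10.10.10.88,10.10.30.9,tcp,5432,42
10.10.30.50,10.10.10.23,tcp,22,7
10.10.40.2,10.10.30.9,tcp,5432,3
10.10.10.23,10.10.99.1,tcp,22,2
"""

# Step 3 - zone policy, deny by default: (src_zone, dst_zone) -> allowed (proto, port).
# An entry whose two zones are the same is a micro-segmentation rule inside that zone.
POLICY = {
    ("dmz", "server"): {("tcp", 8080)},        # web tier -> application API
    ("server", "server"): {("tcp", 5432)},     # application -> database
    ("corporate", "server"): {("tcp", 443)},   # staff -> internal web apps
    ("management", "server"): {("tcp", 22)},   # admins -> server SSH
    ("management", "corporate"): {("tcp", 22)},
}


def parse_flows(text):
    """Parse a CSV flow export into (src, dst, proto, dport, packets) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["src"], r["dst"], r["proto"], int(r["dport"]), int(r["packets"])) for r in rows]


def zone_of(ip):
    # Anything missing from the inventory lands in 'unknown', which no policy entry permits.
    return ZONES.get(ip, "unknown")


def evaluate(flows, policy):
    """Return one (src, dst, proto, dport, packets, zone_pair, verdict) tuple per flow."""
    verdicts = []
    for src, dst, proto, dport, packets in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair in policy:
            allowed = (proto, dport) in policy[pair]
        else:
            # No enforcement point sits inside a zone unless it is micro-segmented,
            # so intra-zone traffic passes; crossing zones without a rule is denied.
            allowed = pair[0] == pair[1]
        verdicts.append((src, dst, proto, dport, packets, pair, "permit" if allowed else "deny"))
    return verdicts


def denied_by_zone_pair(verdicts):
    """Count denied flows per zone pair: the boundaries that need attention first."""
    return Counter(pair for *_, pair, verdict in verdicts if verdict == "deny")


def review_queue(verdicts):
    """Denied flows, busiest first: likely undocumented dependencies to permit or fix."""
    return sorted((v for v in verdicts if v[-1] == "deny"), key=lambda v: v[4], reverse=True)


def same_service_permitted_for(verdict, policy):
    """Zone pairs where this denied flow's service is already allowed. A host using a
    service the policy reserves for another zone is worth investigating, not permitting."""
    _, _, proto, dport, _, pair, _ = verdict
    return [p for p, services in policy.items() if p != pair and (proto, dport) in services]


if __name__ == "__main__":
    results = evaluate(parse_flows(FLOWS_CSV), POLICY)
    for src, dst, proto, dport, packets, pair, verdict in results:
        print(f"{verdict:6} {pair[0]:>10} -> {pair[1]:<10} {src} -> {dst} {proto}/{dport} ({packets} pkts)")
    print("denied per zone pair:", dict(denied_by_zone_pair(results)))
    for v in review_queue(results):
        print("review:", v[0], "->", v[1], f"{v[2]}/{v[3]}", "also allowed for", same_service_permitted_for(v, POLICY))
```

In the constructed data the busiest denied flow is the developer workstation reaching the database on 5432, a service the policy only allows from the application server; that is the kind of surprise Step 2 tends to surface, and the right response is to move the developer to a non-production database rather than to add a permit rule.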
Zero trust and segmentation
Network segmentation is a foundational component of a zero trust architecture. Zero trust assumes that no device or user should be inherently trusted, regardless of their network location. Segmentation enforces this by ensuring that network position alone doesn’t grant access to resources.
In a zero trust model, segmentation works alongside identity verification, device health checks, and continuous monitoring to create layered defences. Even if an attacker compromises a device on the corporate VLAN, segmentation and access policies prevent them from reaching the server VLAN without additional authentication and authorisation.
Impact on compliance
For South African businesses subject to POPIA, network segmentation supports section 19, which requires a responsible party to secure personal information through appropriate, reasonable technical and organisational measures. By isolating systems that process personal data, you reduce the attack surface and can demonstrate to the Information Regulator that access to that data is controlled.
Segmentation also aligns with industry frameworks:
- ISO 27001 - Annex A of ISO/IEC 27001:2022 includes control 8.22, Segregation of networks, alongside the network security and access control controls; all of them map directly to segmentation practices.
- PCI DSS - does not mandate segmentation, but it is the accepted way to reduce the scope of the cardholder data environment. Where segmentation is relied on for scope reduction, the controls must be verified, including penetration testing that confirms the segmentation actually isolates the cardholder data environment.
- CIS Controls - Control 12 (Network Infrastructure Management) calls for a secure network architecture, and Control 13 (Network Monitoring and Defense) includes filtering traffic between network segments, both of which limit the impact of security incidents.
Common segmentation architectures
Small business (20–50 users)
- Three VLANs: corporate, server, guest
- A single next-generation firewall managing inter-VLAN routing and internet access
- Separate Wi-Fi SSIDs mapped to appropriate VLANs
Mid-market (50–500 users)
- Five or more VLANs: corporate, server, management, guest, VoIP, DMZ
- Firewall-based zone segmentation with application-level inspection
- Dedicated management network for infrastructure devices
- Network access control (NAC) to enforce device compliance before granting VLAN access
Enterprise or high-security
- Micro-segmentation using SDN or host-based policies
- Zero trust network access (ZTNA) replacing traditional VPN
- Continuous traffic analysis and anomaly detection
- Automated policy enforcement based on identity and device posture
Getting started
If your network is currently flat, the first step is visibility. Understand what you have, how it communicates, and where the highest-risk boundaries lie. From there, a phased segmentation plan will dramatically reduce your attack surface without disrupting operations.
ITHQ designs and implements segmentation architectures for South African businesses of all sizes. Our network engineering and connectivity team works alongside cybersecurity operations and infrastructure specialists to ensure that your network is both performant and defensible.
Contact us to assess your current network architecture and plan a segmentation strategy.