Module 02 · Lesson 01

Network segmentation in practice

The perimeter is dead. But the principles that built it — segmentation, monitoring, defense in depth — are more important than ever. Here's how they apply now.

Defense in Depth

No single control is enough

Layer 1 (Perimeter): Firewalls, WAF, DDoS protection. First line but not the last.
Layer 2 (Network): Segmentation, micro-segmentation. Limit lateral movement.
Layer 3 (Host): Endpoint protection, host firewalls. Device-level defense.
Layer 4 (Application): AuthN/AuthZ, input validation. Business logic protection.
Layer 5 (Data): Encryption at rest and in transit. Last line of defense.
Layer 6 (Monitoring): Logging, alerting, detection across all layers.

An attacker who bypasses one layer hits another. That's the entire point.

Segmentation Types

Four ways to divide a network

VLANs (Layer 2): Separate departments on the same physical network. HR can't see Engineering traffic.
Subnets + ACLs (Layer 3): Isolate environments: dev, staging, production. Router-enforced rules.
Firewalls (Stateful): DMZ for public servers. Explicit allow rules between zones. OT/IT separation.
Micro-seg (Software): Per-workload policies via SDN or host agents. Cloud and container environments.

Traditional segmentation stops lateral movement between zones. Micro-segmentation stops it between individual workloads.

Zone Architecture

A typical segmented network

Internet (Untrusted): All external traffic
DMZ (Semi-trusted): Public web, APIs, email gateway
Corporate (Internal): Employee workstations, internal apps
Production (Restricted): Databases, payment systems, crown jewels
Management (Isolated): Admin jump boxes, security tools, backups

Traffic between zones flows through firewalls with explicit allow rules. Default deny everything else.
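As an added illustration (not part of the lesson), a small Python model of the zone policy just described: each address is mapped to one of the five zones, an inter-zone flow is checked against an explicit allow list, and everything else is denied. The address ranges, ports and rules below are constructed assumptions, not a real network plan.

```python
import ipaddress

# Constructed address plan for the lesson's five zones (assumption, not from the lesson).
# "internet" is the catch-all; the internal ranges are more specific and win on overlap.
ZONES = {
    "internet":   ipaddress.ip_network("0.0.0.0/0"),
    "dmz":        ipaddress.ip_network("203.0.113.0/24"),
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Explicit allow rules as (source zone, destination zone, destination port).
# Anything not listed here is denied: this is the "default deny everything else".
ALLOW = {
    ("internet", "dmz", 443),          # public web and APIs
    ("corporate", "dmz", 443),         # employees reach internal apps published in the DMZ
    ("dmz", "production", 5432),       # DMZ app tier to the production database
    ("management", "corporate", 22),   # admin jump boxes manage workstations
    ("management", "production", 22),  # admin jump boxes manage production
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix match)."""
    addr = ipaddress.ip_address(ip)
    matches = [name for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda name: ZONES[name].prefixlen)


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Zone-firewall decision for one flow; intra-zone traffic never crosses the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # traditional segmentation does not police traffic inside a zone
    return (src, dst, dst_port) in ALLOW


def evaluate(flows):
    """Label each (src, dst, port) flow ALLOW or DENY together with the zones involved."""
    return [
        (f"{zone_of(s)}->{zone_of(d)}:{p}", "ALLOW" if is_allowed(s, d, p) else "DENY")
        for s, d, p in flows
    ]
```

A corporate host reaching for the production database, the shape of the pivot in the Target breach below, comes back as DENY because no rule grants it; note also that rules are directional, so management reaching production on 22 is allowed while the reverse is not.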

Key Controls

Five network security controls a CISO must know

NGFW (Next-Gen Firewalls): Application awareness, user identity, SSL inspection, threat intel. Palo Alto, Fortinet, Check Point.
IDS/IPS (Intrusion Detection/Prevention): Pattern matching on traffic. IDS alerts, IPS blocks. Increasingly integrated into NGFW.
DNS (DNS Security): Common C2 and exfiltration channel. DNS filtering blocks malicious domains. Monitoring detects anomalous queries.
NAC (Network Access Control): Verify device health before granting access. Critical for BYOD and IoT environments.
DDoS (DDoS Protection): Volumetric mitigation at the edge. Cloud-based: Cloudflare, AWS Shield, Akamai.

What Happens Without Segmentation

The Target breach

Step 1 (HVAC vendor): Credentials stolen from third-party HVAC contractor
Step 2 (Vendor network): Attacker accesses vendor-facing network segment
Step 3 (Lateral move): No segmentation → pivots directly to payment processing
Step 4 (POS systems): Malware installed on point-of-sale terminals
Result: 40M cards, $162 million in total costs

The HVAC system and POS terminals were on the same flat network. Segmentation would have stopped it at Step 3.

Key Takeaway

Segmentation is not optional

Remember this

Defense in depth: layer controls so no single failure is catastrophic.

Segment by trust level. Production and corporate on the same flat network is a ticking time bomb.

Micro-segmentation is the future — per-workload policies, not just per-zone.

Every breach story has a moment where segmentation would have stopped the attacker. Don't be that story.