Flat networks are a liability. If an attacker compromises a single endpoint on a flat network, they have unimpeded line-of-sight to every server, database, and domain controller. Segmentation is the primary mechanism for blast radius containment.
By dividing the network into logical zones (VLANs, VRFs), you force lateral traffic through a firewall or ACL. This allows you to inspect and block unauthorized east-west movement, stopping ransomware from spreading beyond the initial infection.
💡 Pro-tip: Segment by data classification, not just by department. Put all PCI-regulated payment systems in a highly restricted zone, regardless of which physical office they reside in.
```
! Conceptual ACL blocking lateral SMB traffic
access-list 110 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 445
access-list 110 permit ip any any
```

This ACL prevents the User VLAN (192.168.10.0/24) from initiating SMB (TCP 445) connections to the Server VLAN (192.168.20.0/24), neutralizing a primary ransomware propagation vector.
Segmentation reduces broadcast domains, improving network performance. More importantly, it is a strict requirement for compliance frameworks like PCI-DSS and HIPAA, which mandate the isolation of sensitive data environments.
⚠️ Segmentation without strict inter-VLAN routing rules is useless. If you allow 'ANY to ANY' between your segments, you have a flat network with extra administrative overhead.
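To make the ACL above and the 'ANY to ANY' warning concrete, here is an added Python model (not part of the original page or any vendor tool) that parses Cisco-style numbered ACL lines with wildcard masks and evaluates candidate flows against them using first-match semantics and the implicit trailing deny. The ACL text and the flows are constructed from the page's own addresses.

```python
import ipaddress

# Constructed from the page: deny User VLAN -> Server VLAN SMB, permit everything else.
SEGMENTED_ACL = """
access-list 110 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 445
access-list 110 permit ip any any
"""

# The anti-pattern from the warning: 'ANY to ANY' between segments (constructed).
FLAT_ACL = "access-list 120 permit ip any any"


def _wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted subnet masks: 0.0.0.255 -> /24."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{32 - host_bits}", strict=False)


def _parse_addr(tok, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port) tuples in ACL order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        # tok: access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """First matching rule wins; a Cisco ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, rproto, src, dst, port in rules:
        if rproto != "ip" and rproto != proto:
            continue          # protocol-specific rule does not apply to this flow
        if s not in src or d not in dst:
            continue          # source/destination outside the rule's networks
        if port is not None and port != dst_port:
            continue          # rule is scoped to a single destination port
        return action
    return "deny"
```

Note that the page's ACL is unidirectional and TCP-only: SMB from the Server VLAN back toward the User VLAN, or UDP to port 445, still matches `permit ip any any`, which is exactly the kind of gap the warning about loose inter-VLAN rules is pointing at.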
| Benefit | Mechanism | Outcome |
|---|---|---|
| Containment | Inter-VLAN ACLs | Stops lateral movement |
| Performance | Smaller broadcast domains | Reduces noise/overhead |
| Compliance | CDE Isolation | Meets PCI-DSS reqs |