100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Python

Network Segmentation

How dividing a network into isolated zones, such as VLANs or subnets, limits lateral movement when a segment is compromised.

Network Security BasicsBeginner9 min readJul 8, 2026
Analogies

Introduction

Network segmentation is the practice of dividing a single, larger network into smaller, isolated zones, so that traffic between zones is controlled and restricted rather than flowing freely. The goal is to limit how far an attacker (or malware) can travel once they gain a foothold anywhere on the network, rather than assuming every device can be equally trusted.

🏏

Cricket analogy: Network segmentation is like separating the players' dressing room from the media zone and public stands, so a pitch invader in the stands can't simply walk into where the team keeps its gear.

Explanation

Without segmentation, a 'flat' network allows any device to potentially communicate with any other device. If an attacker compromises a single low-value machine, such as a printer or an employee's personal phone on a guest network, they may be able to freely scan and attack far more sensitive systems like file servers or databases, a technique known as lateral movement. Segmentation breaks this flat structure into distinct zones, commonly implemented using VLANs (Virtual Local Area Networks) at the switching layer or subnets combined with routing/firewall rules at the network layer. Traffic that wants to cross from one zone to another must pass through a controlled chokepoint, typically a firewall or router enforcing an access control policy, where it can be inspected, logged, and restricted based on need. A classic example is isolating a guest Wi-Fi network from internal servers: guests need internet access but have no legitimate reason to reach payroll systems, internal file shares, or databases, so the network is designed such that guest traffic can only exit to the internet and is explicitly denied any path to internal server zones.

🏏

Cricket analogy: In a 'flat' cricket ground with no barriers, a fan who sneaks past one gate could wander straight to the team bus; VLANs are like separate fenced zones, guest parking versus player parking, where crossing requires a checked gate, exactly how guest Wi-Fi is denied any path to payroll servers.

Example

text
Flat network (no segmentation):
[Guest laptop] --- [Printer] --- [File Server] --- [Database] --- [Payroll System]
(All devices on the same broadcast domain; compromise anywhere = access everywhere)

Segmented network:
VLAN 10 (Guest Wi-Fi)     -- internet only, denied to VLAN 20/30
VLAN 20 (Employee LAN)    -- limited access to VLAN 30 (specific ports only)
VLAN 30 (Servers/DB)      -- accessible only from VLAN 20 on required ports, never from VLAN 10

Firewall/ACL rule:
DENY  VLAN10 -> VLAN30  any
ALLOW VLAN20 -> VLAN30  tcp/443, tcp/3306 (only required app/db ports)

Analysis

In the flat network example, a compromised guest laptop sits on the same logical network as the payroll system, so nothing but luck (or the attacker's own limited knowledge) stands between initial compromise and access to the most sensitive data. In the segmented network, that same compromised guest laptop is explicitly denied any path to VLAN 30, so even a fully compromised device on the guest Wi-Fi cannot directly reach the database or payroll system; the attacker would need to find and exploit an additional flaw in the segmentation boundary itself, which is a much higher bar. Segmentation does not make a network unbreakable, but it converts a single compromise into a contained incident rather than a network-wide breach, buying defenders time to detect and respond via the monitoring layers (like IDS/IPS) discussed earlier in this module.

🏏

Cricket analogy: In the flat setup, a compromised scoreboard tablet sits on the same network as ticket revenue systems, easy prey; in the segmented setup, that tablet is explicitly denied any path to the finance VLAN, forcing an attacker to breach an additional boundary, buying stewards time to notice and respond.

Key Takeaways

  • Network segmentation divides a network into isolated zones to limit lateral movement after a compromise.
  • VLANs and subnets, enforced by firewall/router ACLs, are common ways to implement segmentation.
  • Traffic crossing between zones must pass a controlled chokepoint where it can be restricted and logged.
  • A guest Wi-Fi network should be isolated from internal servers, since guests have no legitimate need to reach them.
  • Segmentation contains breaches rather than preventing all attacks, reducing the overall blast radius.

Practice what you learned

Was this page helpful?

Topics covered

#Python#CyberSecurityFundamentalsStudyNotes#CyberSecurity#NetworkSegmentation#Network#Segmentation#Explanation#Example#Networking#StudyNotes#SkillVeris