Network Segmentation Failures That Hand Attackers the Keys to Everything

by Uneeb Khan

Network segmentation sounds straightforward in theory. Separate critical systems from general user traffic. Isolate production from development. Keep guest Wi-Fi away from corporate resources. In practice, most organisations have flat or poorly segmented networks that allow unrestricted lateral movement once an attacker gains any foothold.

A flat network means that a compromised workstation in marketing can communicate directly with database servers, domain controllers, and backup infrastructure. The attacker needs only one entry point. From there, they scan the entire network, identify high-value targets, and move laterally without crossing a single security boundary.

Common Segmentation Failures

VLANs without access control lists provide separation at layer 2 but no actual security enforcement. Traffic between VLANs routes through a switch or firewall that permits all connections by default. The segmentation exists on paper but provides no defensive value.

Firewall rules accumulate over years without review. Temporary exceptions made for a specific project remain active long after the project ends. The resulting rule base allows far more traffic between segments than anyone intended, effectively negating the segmentation design.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “In nine out of ten internal penetration tests, we achieve lateral movement from a standard user workstation to domain administrator within hours. The path almost always crosses network segments that should be restricted. Organisations invest in firewalls and network design but rarely verify that their segmentation actually blocks the attack paths that matter.”

Testing Your Segmentation

Effective internal network penetration testing specifically evaluates whether segmentation controls prevent lateral movement. Testers attempt to reach sensitive systems from various network positions, following the same paths a real attacker would take. The results show exactly where segmentation works and where it fails.

Complement internal testing with external network penetration testing to assess whether internet-facing systems provide a pivot point into internal network segments. Compromised DMZ servers that can reach internal networks bypass perimeter segmentation entirely.

Getting Segmentation Right

Start with your most critical assets. Identify your domain controllers, database servers, backup infrastructure, and management interfaces. Place them in dedicated segments with explicit allow-list firewall rules. Block all traffic that is not specifically required.

Review firewall rules at least annually and remove anything that cannot be justified. Implement micro-segmentation where possible, particularly around high-value assets. Monitor east-west traffic for anomalies that indicate lateral movement, such as a user workstation initiating connections to server, database or management segments it has no business reaching.
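A small segmentation audit in Python, added here as a worked example (not code from the article or from Aardwolf Security): it evaluates a constructed first-match rule base against the flows the design says should and should not be reachable, so both a stale project exception and a default-permit inter-VLAN router (VLANs without ACLs) show up as concrete violations. The segments, addresses, rule names and ports are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"

def first_match(rules: List[Rule], src: str, dst: str, port: int, default: str) -> Tuple[str, str]:
    """First-match evaluation as a firewall/ACL does it; `default` applies when no rule matches."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action, r.name
    return default, "<default policy>"

def audit(rules: List[Rule], probes, default: str = "deny"):
    """Probes are (src, dst, port, expected). Returns every probe whose real outcome
    differs from the segmentation design, naming the rule (or default) responsible."""
    failures = []
    for src, dst, port, expected in probes:
        action, name = first_match(rules, src, dst, port, default)
        if action != expected:
            failures.append((src, dst, port, expected, action, name))
    return failures

# Constructed rule base: a stale project exception survives next to the cleanup deny.
RULES = [
    Rule("users-to-dc-kerberos", "10.10.0.0/16",  "10.20.0.0/24", 88,   "allow"),
    Rule("stale-project-2019",   "10.10.0.0/16",  "10.30.0.0/24", None, "allow"),
    Rule("jump-host-to-mgmt",    "10.20.0.50/32", "10.99.0.0/24", 22,   "allow"),
    Rule("cleanup-deny-all",     "0.0.0.0/0",     "0.0.0.0/0",    None, "deny"),
]

# Constructed segments: users 10.10/16, DCs 10.20/24, databases 10.30/24, management 10.99/24; each probe carries the intended outcome.
PROBES = [
    ("10.10.5.23", "10.20.0.10", 88,   "allow"),  # Kerberos to a DC is required
    ("10.10.5.23", "10.20.0.10", 445,  "deny"),   # SMB to a DC from the user VLAN is not
    ("10.10.5.23", "10.30.0.5",  1433, "deny"),   # user VLAN must not reach databases
    ("10.10.5.23", "10.99.0.1",  22,   "deny"),   # nor the management network
    ("10.20.0.50", "10.99.0.1",  22,   "allow"),  # only the jump host may
]

if __name__ == "__main__":
    print(audit(RULES, PROBES))
    flat = audit([r for r in RULES if r.name != "cleanup-deny-all"], PROBES, default="allow")  # no cleanup rule, default-permit
    print(len(flat), "violations on a default-permit network")
```

With the cleanup rule in place the only violation is the stale 2019 exception; drop that rule and let the inter-VLAN device default to permit, and three of the five probes succeed, which is what "segmentation on paper" looks like in practice.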

Management interfaces present a particularly acute risk. If administrators manage firewalls, switches, and servers from the same network segment as general users, a compromised workstation provides direct access to the infrastructure that controls segmentation itself. Dedicated management networks with strict access controls prevent this scenario from occurring.

Consider implementing network access control that verifies device health before granting network access. A device that fails compliance checks for missing patches, disabled endpoint protection, or unauthorised software should be quarantined rather than granted full network access that your segmentation was specifically designed to restrict.

Segmentation is only as good as its enforcement. Design it carefully, implement it properly, and test it regularly. The alternative is a network where one compromised device gives an attacker access to everything.
