A flat network — one where every device can communicate freely with every other device — is a significant security liability. An attacker who compromises a single endpoint on a flat network can reach every other system from it: servers, network-attached storage, management interfaces, CCTV systems, and printers. Segmentation limits that reach, so that a compromised workstation, guest device or camera can only talk to the systems it has a business reason to talk to.
The Business Case for Segmentation
Network segmentation directly addresses the lateral movement stage of a cyber attack. An attacker who cannot reach high-value systems from the compromised device is constrained. Segmentation is the control that most directly limits the blast radius of a successful initial compromise.
Practical Segmentation for an SMB
For most small businesses, meaningful segmentation is achievable with managed switches and a business-grade firewall/router that supports VLANs. Core segments to create: corporate workstations and servers; guest and uncontrolled Wi-Fi; IoT and physical security devices (CCTV, access control); and a management network for infrastructure administration (switch, firewall, hypervisor and NVR admin interfaces). A VLAN on its own only separates broadcast domains; the isolation comes from routing all inter-VLAN traffic through the firewall rather than letting a layer-3 switch forward between VLANs unfiltered.
Firewall Rules Between Segments
Segmentation is only effective with appropriate firewall rules controlling inter-segment traffic. Start from a default-deny policy between segments and allow only the specific traffic (source segment, destination segment, protocol and port) required for legitimate business functions. Log and alert on traffic that violates those rules: a camera attempting to reach a file server, or a guest device probing the firewall's admin interface, is exactly the lateral movement segmentation exists to expose. Review firewall rules regularly, because rule bloat over time (broad "temporary" allows that are never removed) often reintroduces the flat network problem at the firewall level.
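The segment plan and inter-segment rules described in the two sections above, modelled as an added example (not code from the original article): a small first-match policy evaluator that classifies constructed sample flows, produces the deny log lines worth alerting on, and flags allow rules broad enough to recreate a flat network. The VLAN numbers, subnets, ports and flows are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment plan: VLAN IDs and subnets are assumptions, not from the article.
SEGMENTS = {
    "corp":  ipaddress.ip_network("10.10.0.0/24"),  # VLAN 10: workstations and servers
    "guest": ipaddress.ip_network("10.20.0.0/24"),  # VLAN 20: guest / uncontrolled Wi-Fi
    "iot":   ipaddress.ip_network("10.30.0.0/24"),  # VLAN 30: CCTV, access control
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),  # VLAN 99: infrastructure administration
}

ANY_PORT = frozenset()  # empty destination-port set means "any port"


@dataclass(frozen=True)
class Rule:
    src: str           # segment name, or "any"
    dst: str           # segment name, or "any"
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # destination ports; ANY_PORT matches all
    action: str        # "allow" or "deny"
    comment: str = ""


# Ordered inter-segment policy: first match wins, implicit deny at the end.
RULES = [
    Rule("mgmt", "any", "tcp", frozenset({22, 443}), "allow", "admin jump host to device management"),
    Rule("any", "mgmt", "any", ANY_PORT, "deny", "nothing else reaches the management VLAN"),
    Rule("corp", "iot", "tcp", frozenset({443, 554}), "allow", "NVR web UI and RTSP streams from corp"),
    Rule("iot", "corp", "udp", frozenset({123}), "allow", "cameras sync time from the corp NTP server"),
]

# Constructed sample flows (src_ip, dst_ip, proto, dst_port) as a firewall would see them.
SAMPLE_FLOWS = [
    ("10.10.0.25", "10.30.0.40", "tcp", 554),  # corp workstation viewing a camera stream
    ("10.30.0.40", "10.10.0.5", "udp", 123),   # camera to corp NTP server
    ("10.30.0.40", "10.10.0.10", "tcp", 445),  # camera reaching for the file server: lateral movement
    ("10.20.0.7", "10.99.0.1", "tcp", 443),    # guest device probing the firewall admin UI
    ("10.99.0.9", "10.30.0.40", "tcp", 22),    # admin jump host to camera SSH
    ("10.10.0.25", "10.99.0.1", "tcp", 443),   # corp workstation to firewall admin UI: must be blocked
]


def segment_of(ip):
    """Map an address to its segment name, or None if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def _matches(rule, src_seg, dst_seg, proto, dport):
    return (rule.src in ("any", src_seg)
            and rule.dst in ("any", dst_seg)
            and rule.proto in ("any", proto)
            and (rule.dports == ANY_PORT or dport in rule.dports))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, matching_rule); unmatched traffic hits the implicit deny (rule None)."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny", None           # unknown address space: treat as hostile
    if src_seg == dst_seg:
        return "allow", None          # same VLAN: switched locally, never crosses the firewall
    for rule in rules:
        if _matches(rule, src_seg, dst_seg, proto, dport):
            return rule.action, rule
    return "deny", None


def audit_flows(rules, flows):
    """Return one log line per denied flow; these are the events to alert on and review."""
    alerts = []
    for src_ip, dst_ip, proto, dport in flows:
        action, rule = evaluate(rules, src_ip, dst_ip, proto, dport)
        if action == "deny":
            reason = rule.comment if rule else "implicit deny"
            alerts.append(f"DENY {segment_of(src_ip)}({src_ip}) -> "
                          f"{segment_of(dst_ip)}({dst_ip}) {proto}/{dport}: {reason}")
    return alerts


def find_bloat(rules):
    """Flag allow rules with no port restriction, or with 'any' on both ends: the rule-bloat
    that quietly turns a segmented network back into a flat one at the firewall."""
    return [r for r in rules
            if r.action == "allow"
            and (r.dports == ANY_PORT or (r.src == "any" and r.dst == "any"))]


if __name__ == "__main__":
    for line in audit_flows(RULES, SAMPLE_FLOWS):
        print(line)
    print("bloated rules:", find_bloat(RULES))
```

Running the block prints three deny lines (camera to SMB, guest to the admin UI, corp workstation to the admin UI) and an empty bloat list; appending a rule such as Rule("corp", "iot", "any", ANY_PORT, "allow", "temporary") makes find_bloat report it, which is the kind of entry a periodic rule review should catch.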
Cloud and Hybrid Environments
Segmentation extends to cloud environments. Azure virtual networks and subnets, network security groups, and private endpoints provide equivalent segmentation capability for cloud resources, and the same default-deny, least-access discipline applies to NSG rules. Hybrid environments, where on-premises and cloud systems communicate over a site-to-site VPN or similar link, require particular attention: a tunnel that routes the whole on-premises address space into the virtual network bypasses the cloud boundaries, so the on-premises-to-cloud path should be restricted to the specific segments, systems and ports that genuinely need it.
Does network segmentation count toward Essential Eight?
Network segmentation is not one of the eight mitigation strategies, but it is referenced in the Essential Eight guidance as a supporting control. It is specifically recommended in the context of limiting the impact of incidents and supporting incident response. It is also assessed under the ACSC's Information Security Manual (ISM), which matters for organisations whose regulatory requirements go beyond the Essential Eight.