Network segmentation is the practice of dividing a network into smaller, isolated sections to limit the lateral movement of attackers, contain breaches, and enforce security policies. The CISSP exam tests segmentation at the conceptual and design level: understanding the mechanisms available (physical, logical, and software-defined), their security properties, their limitations, and when each is appropriate.
The Purpose of Network Segmentation
In a flat, unsegmented network, a single compromised endpoint can communicate freely with every other device on the network. An attacker who compromises a receptionist's workstation can immediately probe the CFO's computer, the database server, the backup system, and the building management system. There are no internal barriers.
Network segmentation creates barriers that an attacker must breach to reach additional resources. Even if a segment is compromised, the attacker cannot automatically access resources in other segments. Each segment boundary represents an opportunity for detection and an obstacle to further compromise.
Segmentation also supports the principle of least privilege at the network level: a workstation that only needs to access specific application servers should not have network access to the HR database or the executive file shares.
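The contrast between the flat network described above and a segmented one can be made concrete with a small exposure model. The following Python is an added example, not part of the original text: the hosts, segments and allow-list are constructed here, and the script reports, for a compromised starting host, how many hosts an attacker would have to pivot through to reach each other host under each design.

```python
from collections import deque

# Constructed example: which segment each host sits in (not from the page).
SEGMENTS = {
    "reception-ws": "user-lan",
    "colleague-ws": "user-lan",
    "cfo-laptop": "exec-lan",
    "app-server": "app-tier",
    "hr-db": "data-tier",
    "backup": "backup-tier",
    "bms": "ot-lan",
}

# Constructed allow-list of permitted (source segment, destination segment)
# flows. Anything not listed is blocked at the segment boundary.
SEGMENT_POLICY = {
    ("user-lan", "app-tier"),
    ("exec-lan", "app-tier"),
    ("app-tier", "data-tier"),
    ("backup-tier", "data-tier"),
    ("backup-tier", "app-tier"),
}

def flow_allowed(policy, src_host, dst_host):
    """True if src_host may open a connection to dst_host. Hosts sharing a
    segment have no boundary between them; policy=None models a flat network."""
    src_seg, dst_seg = SEGMENTS[src_host], SEGMENTS[dst_host]
    if policy is None or src_seg == dst_seg:
        return True
    return (src_seg, dst_seg) in policy

def exposure(policy, compromised_host):
    """For every other host, the number of hosts an attacker starting on
    compromised_host must compromise in sequence to reach it (1 = directly
    reachable), or None if no chain of permitted flows exists. Breadth-first
    search over the allow-list models lateral movement one pivot at a time."""
    depth = {compromised_host: 0}
    queue = deque([compromised_host])
    while queue:
        cur = queue.popleft()
        for host in SEGMENTS:
            if host not in depth and flow_allowed(policy, cur, host):
                depth[host] = depth[cur] + 1
                queue.append(host)
    return {h: depth.get(h) for h in SEGMENTS if h != compromised_host}

if __name__ == "__main__":
    for label, policy in (("flat", None), ("segmented", SEGMENT_POLICY)):
        print(label, exposure(policy, "reception-ws"))
```

Note that the peer workstation in the same segment stays directly reachable: segmentation limits movement across boundaries, not within a segment.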
Physical Segmentation: Air Gaps and Out-of-Band Management
Physical segmentation is the most absolute form of network separation: the networks have no physical connection between them. An air gap is a complete physical separation where no cable, fibre, or wireless connection links two networks.
Air gaps are used for the most sensitive systems: control systems for nuclear power plants, classified government networks, and some high-security financial systems. Air gaps eliminate network-based attacks but create operational challenges: data cannot flow electronically between the networks, requiring physical media transfer (a process that itself creates risks, as demonstrated by Stuxnet, which propagated via USB drives to breach an air-gapped Iranian nuclear facility).