What is network segmentation?
Answer
Network segmentation divides a network into smaller subnetworks (segments) and controls which traffic may cross between them, limiting the lateral movement of an attacker who gains a foothold in one segment. On a flat network, an attacker who compromises a public-facing web server can reach every other host directly; on a segmented network, they reach only what the inter-segment policy explicitly permits.

Common forms of segmentation:
- DMZ (demilitarized zone): public-facing servers (web, mail) sit in their own segment, isolated from the internal network, so a compromised web server cannot talk to internal hosts unless a rule allows it.
- VLANs: logically separate segments on the same physical switching infrastructure. A VLAN on its own only separates broadcast domains; it becomes a security boundary only when a firewall or router ACL between VLANs enforces default deny with explicit allow rules.
- Zero Trust micro-segmentation: the segment shrinks to the individual workload, and even traffic between hosts in the same subnet must be explicitly allowed.

Practical applications: separating development, staging, and production environments; isolating point-of-sale (POS) systems from the corporate network (the 2013 Target breach, in which access obtained through a third-party HVAC vendor's credentials led to the POS environment, is the standard example of the cost of a flat network); and keeping IoT devices (cameras, building controls) away from critical systems.

Combined with firewalls between segments that enforce a default-deny, explicit-allow policy, segmentation is a containment control: it does not stop the initial compromise, but it bounds the blast radius. The control is only as good as its enforcement, so verify it rather than assume it: from a host in each segment, scan the other segments and confirm that only the intended ports answer, and review the inter-segment rules for any broad "any/any" allow that quietly flattens the network again.
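The following is an added example, not part of the original answer, that models the difference between a flat network and a segmented one with a default-deny policy between segments. The segment names, CIDR ranges and allow rules are constructed for illustration. It answers two questions a practitioner asks when reviewing a design: "is this specific flow allowed?" and "if this segment is compromised, what can the attacker reach?" The second is computed as reachability over the allow rules (each permitted flow is treated as an edge the attacker could traverse by compromising the destination service), which is the blast radius the text describes.

```python
"""Constructed model of inter-segment policy and attacker blast radius.

Segments, addresses and allow rules below are illustrative assumptions,
not a description of any real network.
"""
import ipaddress
from collections import deque

# Constructed example segments (CIDRs are assumptions for the demo).
SEGMENTS = {
    "dmz":  ipaddress.ip_network("10.1.0.0/24"),   # public-facing web/mail
    "corp": ipaddress.ip_network("10.2.0.0/24"),   # staff workstations
    "pos":  ipaddress.ip_network("10.3.0.0/24"),   # point-of-sale terminals
    "iot":  ipaddress.ip_network("10.4.0.0/24"),   # cameras, HVAC controllers
    "db":   ipaddress.ip_network("10.5.0.0/24"),   # application database
}

# Explicit allow-list of inter-segment flows as (src, dst, dst_port).
# Anything not listed is denied by the firewall between segments.
ALLOW_RULES = [
    ("dmz",  "db",  5432),   # web tier may query the database
    ("corp", "dmz", 443),    # staff may use the web application
    ("corp", "db",  5432),   # admins may reach the database
    ("pos",  "db",  8443),   # POS posts transactions to a backend API
]


def segment_of(ip):
    """Return the name of the segment containing `ip`."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known segment")


def is_allowed(src_ip, dst_ip, dst_port, rules=ALLOW_RULES, microsegmented=False):
    """Decide whether a flow is permitted under default deny.

    With VLAN-style segmentation, hosts inside one segment talk freely and
    only cross-segment traffic needs a rule. With zero-trust micro-
    segmentation (microsegmented=True), intra-segment traffic also needs
    an explicit rule.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and not microsegmented:
        return True
    return any(s == src and d == dst and p == dst_port for s, d, p in rules)


def reachable_segments(start, rules=ALLOW_RULES):
    """Segments an attacker can reach, transitively, from a foothold in `start`.

    Every allowed flow is an edge: if A may talk to B, an attacker on A can
    attack the exposed service on B and, on success, continue from B.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for s, d, _port in rules:
            if s == cur and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def flat_network_reach(start):
    """On a flat network every segment is one hop away."""
    return set(SEGMENTS)


if __name__ == "__main__":
    foothold = "10.1.0.10"  # assumed compromised web server in the DMZ
    seg = segment_of(foothold)
    print(f"foothold {foothold} is in segment '{seg}'")
    print("flat network reach:     ", sorted(flat_network_reach(seg)))
    print("segmented network reach:", sorted(reachable_segments(seg)))
    print("dmz -> pos:445 allowed? ", is_allowed(foothold, "10.3.0.5", 445))
    print("dmz -> db:5432 allowed? ", is_allowed(foothold, "10.5.0.5", 5432))
```

Running it shows the DMZ foothold reaching only the database segment rather than all five, and that POS and IoT stay out of reach from both the DMZ and the corporate network because no rule connects them. The same reachability check is a cheap way to audit a real rule set: export the firewall's inter-segment allow rules, load them as `(src, dst, port)` tuples, and look for any starting segment whose reachable set is the whole network.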