What is Network Segmentation?
Network segmentation divides networks into isolated zones to contain attackers and limit lateral movement. Learn how segmentation works, why it fails, and what microsegmentation offers.
What Network Segmentation Is and How It Works
Network segmentation divides a network into multiple isolated zones — segments — where systems within a segment can communicate with each other but communication between segments is controlled and restricted. The boundary between segments is enforced by firewalls, access control lists, VLANs, or software-defined networking controls that apply rules governing what traffic can pass between zones.
A segmented network might separate: corporate user workstations from servers, production systems from development environments, finance systems from general corporate systems, OT/ICS environments from IT environments, and guest wireless from corporate wireless. Each boundary represents a barrier that an attacker must cross to reach the next zone — requiring different credentials, exploiting different vulnerabilities, and generating detectable traffic anomalies at each crossing attempt.
VLANs and Firewall-Based Segmentation
VLAN-based segmentation uses network switch configuration to create logically separate broadcast domains at Layer 2. VLANs alone do not provide security — inter-VLAN routing without firewall controls allows unrestricted traffic between segments. Effective network segmentation requires firewall enforcement at segment boundaries: all traffic between segments passes through a firewall that applies access control rules governing what communications are permitted.
Why Network Segmentation Fails in Practice
Network segmentation is one of the most frequently cited security controls and one of the most inconsistently implemented. The gap between the stated segmentation architecture and the actual access permissions enforced is a consistent finding in enterprise security assessments.
Segmentation implementations drift over time as business requirements create pressure for exceptions — an application that needs to access systems in multiple segments, a vendor that needs temporary access that becomes permanent, a legacy system that cannot be moved without breaking dependencies. Each exception is individually justified; the cumulative effect is a segmentation architecture that exists on paper but does not meaningfully restrict lateral movement in practice.
Flat network architectures — environments where all systems can communicate with all other systems without restriction — remain common in mid-market organizations because they are operationally easier to manage than segmented environments and because the security investment in implementing segmentation is difficult to justify without a concrete incident to point to. The business case for segmentation is made most powerfully after a ransomware event that propagates across a flat network in minutes.
Microsegmentation and Zero Trust Networks
Microsegmentation extends network segmentation to the individual workload level — rather than creating zones of systems that can communicate freely, microsegmentation applies granular controls at the individual server, container, or application level. A web server in a microsegmented environment can only communicate with the specific database servers it needs to function, on the specific ports required, and nothing else. This dramatically limits an attacker's ability to move laterally even after compromising a system, because the compromised system has minimal network access to other systems.
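To make the boundary rules concrete, here is a small policy evaluator written for this page (it is an added example, not code from any vendor or project): a constructed set of segments and firewall rules with deny-by-default between zones, a check for whether a given flow would pass, a "blast radius" view of what a compromised host can reach, and an audit that flags the kind of wide-open exception described above as the source of segmentation drift. Segment names, subnets, ports and rules are all assumed sample values.

```python
"""Segment-boundary policy evaluator with a drift audit (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed zones; in a real deployment each maps to a VLAN/subnet.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "web": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
    "ot": ip_network("10.40.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str                          # source segment name
    dst: str                          # destination segment name
    ports: Optional[FrozenSet[int]]   # allowed TCP ports; None means any port

# Constructed rule base: only cross-segment flows need a rule (default deny).
RULES = [
    Rule("workstations", "web", frozenset({443})),
    Rule("web", "db", frozenset({5432})),
    Rule("workstations", "db", None),   # "temporary" vendor exception that stuck
]

def segment_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def is_allowed(src_ip: str, dst_ip: str, port: int, rules=RULES) -> bool:
    s, d = segment_of(src_ip), segment_of(dst_ip)
    if s is None or d is None:
        return False                  # unknown address: fail closed
    if s == d:
        return True                   # VLAN-only model: intra-segment is unrestricted
    return any(r.src == s and r.dst == d and (r.ports is None or port in r.ports)
               for r in rules)

def reachable_segments(src_ip: str, rules=RULES) -> set:
    """Segments a compromised host could reach directly: its lateral blast radius."""
    s = segment_of(src_ip)
    return set() if s is None else {s} | {r.dst for r in rules if r.src == s}

def audit_drift(rules=RULES) -> list:
    """Flag rules that open a boundary wider than a single service port."""
    return [r for r in rules if r.ports is None or len(r.ports) > 1]
```

Running `audit_drift()` against a real rule export is the quick way to measure the gap between the segmentation diagram and what the firewall actually enforces.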
Zero trust network access (ZTNA) replaces traditional VPN-based remote access with a model where every access request — regardless of where it originates — is authenticated, authorized, and continuously validated. Rather than granting network-level access to a remote user and trusting them to access only what they should, ZTNA grants access to specific applications based on identity and device posture, with no network-level visibility or access to systems the user has no reason to reach.
Real-World Example: Colonial Pipeline — IT/OT Segmentation Failure
The 2021 Colonial Pipeline ransomware attack prompted the company to proactively shut down pipeline operations — not because operational technology (OT) systems were compromised, but because the inadequacy of IT/OT segmentation created uncertainty about whether the ransomware could spread from IT systems to OT systems. Colonial could not confirm that the ransomware was contained to IT. The uncertainty about segmentation effectiveness — not confirmed OT compromise — caused the shutdown that disrupted fuel supplies across the eastern US and triggered a national emergency declaration. Effective IT/OT segmentation would have provided confidence that the OT environment was unaffected, potentially avoiding the operational shutdown entirely.
Ransomware attacks that achieve enterprise-wide encryption do so by propagating from the initial compromised system to every accessible system on the network. Network segmentation is the primary control that prevents this propagation.