
Network Segmentation

Definition

Network segmentation divides a computer network into smaller, isolated subnets. It limits damage from a breach: if an attacker penetrates one segment, they don't have direct access to the rest of the network.

Network segmentation divides a computer network into smaller, controlled subnets to strengthen security and limit the impact of security incidents. According to the IBM Cost of Data Breach Report 2024, organisations with effective network segmentation save an average of $1.3 million per incident.

How does network segmentation work?

Network segmentation divides the network into zones with controlled access points between them. Traffic between zones passes through firewalls or access control lists that determine which communication is allowed. Only necessary traffic between zones is permitted, hindering lateral movement.

Types of network segmentation

VLAN segmentation divides the network into logical segments at Layer 2. Firewall-based segmentation places firewalls between segments. A DMZ isolates public-facing services from the internal network. Microsegmentation is the most advanced form: each individual workload has its own security perimeter, regardless of its network location. This is a core Zero Trust principle.

Impact on organisations

Without segmentation, a flat network gives attackers free rein after initial compromise. Worms like WannaCry spread rapidly through unsegmented networks. NIS2 requires adequate network segmentation. ISO 27001 sets network access control requirements. DORA requires segmentation of critical financial systems.

Protection

At a minimum, place office, servers, OT, guests and management in separate zones. Apply least privilege at the network level. Monitor inter-segment traffic. Consider microsegmentation for critical workloads.
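The following is an added example, not DEFION's own tooling or code from this page. It models the zone policy described above (office, servers, OT, guests and management as separate zones with a default-deny allow-list between them), computes which zones an intruder in one zone could reach over permitted flows, and checks constructed flow-log lines for accepted inter-zone traffic that the policy does not permit. The address plan, allow-list entries and log lines are all constructed for illustration.

```python
"""Zone-based segmentation policy: default-deny allow-list, blast-radius check and flow-log audit."""
import ipaddress
from collections import deque

# Constructed address plan: one /16 per zone (assumption, not from the page).
ZONES = {
    "office":     ipaddress.ip_network("10.10.0.0/16"),
    "servers":    ipaddress.ip_network("10.20.0.0/16"),
    "ot":         ipaddress.ip_network("10.30.0.0/16"),
    "guest":      ipaddress.ip_network("10.40.0.0/16"),
    "management": ipaddress.ip_network("10.50.0.0/16"),
}

# Allow-list of inter-zone flows as (src zone, dst zone, protocol, dst port).
# Anything not listed is denied: least privilege at the network level.
ALLOWED_FLOWS = {
    ("office", "servers", "tcp", 443),     # users reach internal web applications
    ("office", "servers", "tcp", 445),     # users reach file shares
    ("management", "servers", "tcp", 22),  # admins manage servers from the management zone
    ("management", "ot", "tcp", 22),       # admins manage OT devices from the management zone
}


def zone_of(ip):
    """Return the zone name an address belongs to, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Decide a flow the way a firewall or ACL between zones would: default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # addresses outside the address plan are not trusted
    if src == dst:
        return True  # traffic inside one zone is not filtered by the zone boundary
    return (src, dst, proto, port) in ALLOWED_FLOWS


def reachable_zones(start):
    """Zones a compromised host in `start` could connect to, following only permitted flows
    and assuming each reached zone can in turn be used as a pivot (a blast-radius estimate).
    In a flat network this set would be every other zone."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _proto, _port in ALLOWED_FLOWS:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


# Constructed flow-log lines in the form "src dst proto dport action" (not real logs).
FLOW_LOG = """\
10.10.4.21 10.20.1.10 tcp 443 ACCEPT
10.10.4.21 10.20.1.10 tcp 445 ACCEPT
10.40.7.3 10.20.1.10 tcp 445 ACCEPT
10.10.4.21 10.30.2.5 tcp 502 ACCEPT
10.40.7.3 10.20.1.10 tcp 22 DROP
10.20.1.10 10.50.0.9 tcp 22 ACCEPT
"""


def audit_flow_log(text):
    """Return inter-zone flows that were accepted although the policy denies them.
    Each finding is (src zone, dst zone, proto, port, src ip, dst ip); such flows point
    to a missing or misconfigured rule on the enforcement point between the zones."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, action = line.split()
        port = int(port)
        if action != "ACCEPT":
            continue  # dropped traffic was handled as intended
        if not is_allowed(src, dst, proto, port):
            findings.append((zone_of(src), zone_of(dst), proto, port, src, dst))
    return findings


if __name__ == "__main__":
    for zone in ZONES:
        print(f"compromise in {zone:<11} can reach: {sorted(reachable_zones(zone)) or 'nothing'}")
    for finding in audit_flow_log(FLOW_LOG):
        print("policy gap:", finding)
```

The audit deliberately looks only at accepted flows: a DROP for a denied flow is the boundary doing its job, while an ACCEPT for a flow absent from the allow-list means the configured rules and the intended policy have drifted apart and the rule base should be reviewed.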

How DEFION helps

DEFION evaluates network segmentation as part of Security Assessments and pentests. Internal pentests test whether lateral movement between segments is possible.

Related terms

Zero Trust
Firewall
Lateral Movement