⚡ Quick Answer
Network segmentation divides a network into separate zones so that traffic between zones must pass through a security control (firewall, ACL, router). The purpose is containment — if an attacker compromises one zone, they cannot freely move to others. The main techniques are VLANs (logical separation on a switch), DMZ / screened subnet (isolating public-facing servers), subnetting (IP-layer separation), air gaps (physical separation), and microsegmentation (granular east-west traffic control in modern/cloud environments).

Why Segmentation Matters

An unsegmented "flat" network treats every device as equally trusted — if ransomware infects a workstation, it can scan and spread to every other device on the same network. Segmentation creates blast radius containment: the attacker who compromises a guest Wi-Fi device cannot reach the finance server because they are on separate segments with a firewall between them.

This concept connects directly to Zero Trust (never trust, always verify) and defence in depth (multiple layers of controls). Network segmentation is the architectural implementation of the principle that internal traffic should be as untrusted as external traffic.

The Main Segmentation Techniques

🔀
VLANs
Virtual Local Area Networks
Logical separation at Layer 2 (Data Link). A switch can carry multiple VLANs over the same physical cable — each VLAN is a separate broadcast domain. Devices on VLAN 10 cannot communicate with VLAN 20 without going through a router or Layer 3 switch. VLANs are the most common segmentation method in enterprise networks.
🛡️
DMZ / Screened Subnet
Demilitarised Zone
A separate network zone that sits between the internet and the internal network, used to host public-facing servers (web servers, email servers, DNS). If an attacker compromises a server in the DMZ, they still face a firewall before reaching the internal network. CompTIA now prefers the term "screened subnet" for the same concept.
📐
Subnetting
IP-Layer Separation
Dividing an IP address space into smaller networks. Subnetting separates hosts at Layer 3 — traffic between subnets must pass through a router, where ACLs can filter it. Often combined with VLANs: each VLAN gets its own subnet. Subnetting alone doesn't enforce security — a misconfigured router can allow all inter-subnet traffic.
✂️
Air Gap
Physical Isolation
The strongest form of segmentation: no physical or logical connection between networks. Used for classified systems, industrial control systems (ICS/SCADA), and some payment systems. An air-gapped network cannot be reached over any network path, so data transfer requires physical media (USB, optical disk). This removes the remote attack surface but not the whole attack surface: removable media and maintenance laptops still cross the gap, so an air gap only holds if media controls and device hardening go with it.
🔬
Microsegmentation
Granular East-West Control
Fine-grained segmentation that controls traffic between individual workloads, not just network zones. Key in cloud, virtualised, and Zero Trust environments. Instead of trusting all traffic inside a network segment, microsegmentation applies policy to every communication pair. Controls east-west traffic (server to server) that traditional firewalls don't inspect.
📱
Guest Network Isolation
Wireless Segmentation
Placing guest Wi-Fi users on a separate VLAN and network segment so they can access the internet but cannot reach corporate resources. Common in offices, retail, and hospitality. A guest VLAN typically has internet access only, with firewall rules blocking any route to the internal VLAN. IoT devices are often placed on a similar isolated segment.

DMZ Architecture — How It Works

Three-Zone Network with DMZ (Screened Subnet)
🌐 Internet (Untrusted)
External users, attackers, partners — all untrusted traffic originates here
↓ Outer Firewall / Border Router ↓
🟠 DMZ / Screened Subnet (Semi-Trusted)
Web servers · Email servers (MX) · Public DNS · Reverse proxies · Load balancers
Accessible from internet — isolated from internal network
↓ Inner Firewall ↓
🟢 Internal Network (Trusted)
Workstations · File servers · Print servers · Internal applications · Active Directory
↓ Additional Segmentation ↓
🔵 Secure / Restricted Zone (Highly Trusted)
Finance systems · HR database · PII · Executive endpoints · ICS/SCADA systems

🎯 DMZ vs Screened Subnet — Exam Language

CompTIA Security+ SY0-701 uses the term "screened subnet" rather than "DMZ" — they describe the same concept. Both refer to a network zone between the internet and the internal network where public-facing servers are placed. If you see "screened subnet" on the exam, think DMZ.

A dual-firewall DMZ (two separate firewalls, outer and inner) is considered more secure than a single firewall with three interfaces: if the outer firewall is compromised or misconfigured, the inner firewall still stands between the DMZ and the internal network. Organisations that take this further use firewalls from two different vendors so that a single product vulnerability does not defeat both layers. This distinction may appear on Security+ scenario questions.

VLANs in Detail

VLANs are the primary tool for segmenting a switched network. They operate at Layer 2 and divide a physical switch into multiple logical switches. Key concepts:

VLAN Concept | What It Means | Exam Relevance
Access Port | A switch port that belongs to a single VLAN. End devices (workstations, printers) connect to access ports. The device doesn't know it's on a VLAN; the switch handles it transparently. | Network+, A+
Trunk Port | A switch port that carries traffic for multiple VLANs simultaneously. Uses 802.1Q tagging to identify which VLAN each frame belongs to. Connects switches to each other or to routers. | Network+
802.1Q Tagging | The IEEE standard for VLAN tagging on trunk links. Inserts a 4-byte tag into the Ethernet frame (after the source MAC) carrying a 12-bit VLAN ID; IDs 1 to 4094 are usable, 0 and 4095 are reserved. Also called "dot1q." | Network+
Native VLAN | The VLAN for untagged traffic on a trunk port. If a frame arrives on a trunk without a tag, it is placed in the native VLAN, and the switch sends native-VLAN traffic out untagged. Leaving the native VLAN at its default (VLAN 1) or sharing it with access ports enables VLAN hopping. | Network+, Security+
Inter-VLAN Routing | For devices on different VLANs to communicate, traffic must pass through a Layer 3 device (router or Layer 3 switch). "Router on a stick" uses a single physical trunk link with a subinterface for each VLAN. This Layer 3 hop is where ACLs or a firewall enforce the segmentation. | Network+
VLAN Hopping | An attack that lets a device on one VLAN inject frames into another. Two forms: switch spoofing, where the attacker negotiates a trunk with DTP and can then tag frames for any VLAN; and double tagging, where an attacker on the native VLAN sends a frame with two 802.1Q tags, the first switch strips the outer (native) tag on the trunk, and the next switch forwards the frame on the inner tag (one-way only). Prevented by disabling DTP and hard-coding ports as access or trunk (switchport nonegotiate on Cisco), using an otherwise unused VLAN as the trunk native VLAN and tagging it, and shutting down unused ports or parking them in an unused VLAN. | Security+
Voice VLAN | A dedicated VLAN for VoIP phones, separate from data traffic. Ensures voice traffic gets QoS priority and is isolated from user data traffic. IP phones often tag themselves to the voice VLAN automatically. | Network+
Management VLAN | A dedicated VLAN for network device management (SSH to switches/routers). Separating management traffic prevents a compromised user VLAN from reaching switch management interfaces. | Network+, Security+
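To make the tagging and native-VLAN rows concrete, here is an added example in Python (not code from the original article). It builds and parses 802.1Q tags, models the double-tagging hop across a trunk between two switches, and encodes the hardening checks from the table as a small audit function. The MAC addresses, VLAN numbers and the two-switch model are constructed for illustration; a real switch has more cases than this model (QinQ, PVLANs), but the native-VLAN stripping behaviour shown is the one the attack depends on.

```python
"""Added example, not from the original article: IEEE 802.1Q tag handling and a
model of the double-tagging VLAN hopping attack. VLAN numbers, MAC addresses
and the two-switch trunk model are constructed for illustration."""
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tag(vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID (0x8100) then TCI = PCP:3 | DEI:1 | VID:12."""
    if not 1 <= vlan_id <= 4094:        # VIDs 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst: bytes, src: bytes, vlan_ids, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked tags, outermost first."""
    tags = b"".join(build_tag(v) for v in vlan_ids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes):
    """Return (VLAN IDs outermost-first, inner EtherType, payload)."""
    offset, vids = 12, []                # tags sit right after the two MACs
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return vids, ethertype, frame[offset + 2:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (bytes 12..15) from a tagged frame."""
    return frame[:12] + frame[16:]


def vlan_after_hop(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool):
    """Model two switches joined by an 802.1Q trunk. The sender sits on an access
    port in `access_vlan` of switch A; the trunk's native VLAN is `native_vlan`.
    Returns the VLAN switch B places the frame in, or None if switch A drops it."""
    vids, _, _ = parse_frame(frame)
    outer = vids[0] if vids else access_vlan
    if outer != access_vlan:             # access port: foreign tags are dropped
        return None
    if not vids:
        # Switch A tags the frame for the trunk, unless it is native and untagged
        if access_vlan != native_vlan or tag_native:
            frame = frame[:12] + build_tag(access_vlan) + frame[12:]
    elif outer == native_vlan and not tag_native:
        frame = strip_outer_tag(frame)   # native VLAN leaves the trunk untagged
    vids_b, _, _ = parse_frame(frame)    # switch B: untagged -> native, else outer tag
    return vids_b[0] if vids_b else native_vlan


def audit_trunk(native_vlan: int, access_vlans, tag_native: bool) -> list:
    """Checks matching the hardening advice: native VLAN unused by access ports,
    not the default VLAN 1, and tagged on the trunk."""
    findings = []
    if native_vlan in access_vlans:
        findings.append(f"native VLAN {native_vlan} is also used by access ports")
    if native_vlan == 1:
        findings.append("native VLAN is the default VLAN 1")
    if not tag_native:
        findings.append("native VLAN is sent untagged on the trunk")
    return findings


if __name__ == "__main__":
    attacker_mac = bytes.fromhex("0a0a0a0a0a0a")          # constructed MAC
    frame = build_frame(b"\xff" * 6, attacker_mac, [1, 20], b"probe")
    for native, tagged in ((1, False), (999, False), (1, True)):
        landed = vlan_after_hop(frame, 1, native, tagged)
        print(f"native={native} tag_native={tagged}: frame lands in VLAN {landed}")
    print(audit_trunk(1, {1, 10, 20}, False))
```

With the default configuration (native VLAN 1, untagged, attacker on VLAN 1) the double-tagged frame lands in VLAN 20; moving the native VLAN to an unused ID or tagging it keeps the frame in VLAN 1, which is the whole mitigation.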

Microsegmentation and East-West Traffic

Traditional firewalls focus on north-south traffic, the traffic entering and leaving the network perimeter. But once an attacker has a foothold, the rest of the intrusion is lateral movement through east-west traffic: server to server, workload to workload, often inside the same network segment where no firewall sits in the path.

East-West vs North-South Traffic

North-South traffic crosses the network perimeter — a user requesting a website, a remote employee connecting via VPN, an attacker probing from the internet. Traditional firewalls inspect this.

East-West traffic moves laterally within a network — a compromised web server talking to a database, ransomware spreading from workstation to workstation, an attacker moving through the network after initial compromise. Traditional perimeter firewalls typically do not inspect this traffic.

Microsegmentation applies policy to east-west traffic. Even if an attacker breaches one workload, they cannot communicate with adjacent workloads unless explicitly permitted by policy.

Segmentation Techniques Compared

Technique | Layer | Separation Type | Use Case | Exam
VLAN | Layer 2 | Logical | Separating departments, guest vs corporate, voice vs data | Network+, Security+
Subnet | Layer 3 | Logical | IP-level isolation, routing control, ACL enforcement points | Network+, A+
DMZ / Screened Subnet | Layer 3–7 | Logical + firewall | Hosting public-facing servers safely between two firewalls | Network+, Security+
Air Gap | Physical | Physical | ICS/SCADA, classified systems, payment processing isolation | Security+
Microsegmentation | Layer 3–7 | Logical (software-defined) | Cloud workloads, Zero Trust, east-west traffic control | Security+
Jump Server / Bastion Host | Layer 7 | Access control | Secure admin access to restricted segments; all admin traffic goes through the jump server | Network+, Security+

Jump Server / Bastion Host

A jump server (also called a bastion host or jump box) is a hardened server that acts as the only access point for administrators to reach a restricted network segment. Instead of allowing direct SSH or RDP into production servers, admins connect to the jump server first, then connect onward from there.

This creates a single audited chokepoint for all administrative traffic: MFA, session logging and recording are enforced in one place, and the production hosts accept SSH or RDP only from the jump server's address. Because every admin path runs through it, the jump server is also the obvious pivot if it is ever compromised, so it must be hardened: minimal services, prompt patching, no stored or cached credentials, and separate credentials for the onward hop so that owning the jump host alone does not grant production access. Jump servers are tested on both Network+ (remote access) and Security+ (access control).

Exam Scenarios

💬 "A company wants to host a public web server that can be reached from the internet while keeping internal workstations protected. Which network design should the administrator implement?" → Place the web server in a DMZ (screened subnet) — a network zone separated from the internal network by a firewall. Internet users can reach the web server, but a second firewall prevents DMZ traffic from reaching the internal network. If the web server is compromised, the attacker faces another firewall before reaching internal systems.
💬 "After a ransomware infection on a workstation, the malware spread to 30 other workstations on the same floor before being detected. Which network control would have most limited the spread?" → VLAN segmentation — placing workstations in separate VLANs with inter-VLAN routing controlled by a firewall would have contained lateral movement. Without segmentation, ransomware can spread freely across a flat Layer 2 network. With VLANs, the firewall can block or limit SMB traffic between segments.
💬 "A security analyst wants to ensure that even if an attacker compromises one cloud workload, they cannot communicate with adjacent workloads without explicit policy permission. What should be implemented?" → Microsegmentation — applying identity and policy-based controls to east-west traffic between individual workloads. Unlike traditional VLANs (which segment at a network level), microsegmentation enforces policy at the workload level and is a core component of Zero Trust architecture.
💬 "An attacker on the guest Wi-Fi network is able to access the company's internal file server. What misconfiguration allowed this?" → Improper VLAN isolation — the guest wireless network should be on a separate VLAN with firewall rules blocking access to internal VLANs. If guest traffic is on the same VLAN as corporate resources, or if inter-VLAN routing permits guest-to-internal traffic, a guest user can reach internal systems.
💬 "A company uses a management VLAN for all switch and router management access. Why is this a security best practice?" → Separating management traffic onto a dedicated VLAN means that even if a user VLAN is compromised, the attacker cannot directly reach network device management interfaces (SSH, HTTPS management). Management traffic is isolated and only reachable from authorised devices on the management VLAN — reducing the attack surface for network infrastructure.
💬 "An industrial facility needs to connect a SCADA system to a monitoring workstation but must ensure the SCADA network is completely isolated from the corporate network. Which control provides the strongest isolation?" → Air gap — physical separation with no network connection between the SCADA network and the corporate network. An air-gapped network cannot be reached over any network path, eliminating remote attack vectors. Data transfer requires physical media. For ICS/SCADA environments where availability is critical and remote access is unnecessary, an air gap is the strongest control.
