Traditional network security assumes that everything inside the perimeter can be trusted. Once an attacker is inside, whether through phishing, stolen credentials or a compromised vendor, that assumption fails completely. Network segmentation and Zero Trust architecture address this by dividing networks into controlled zones and verifying every access request, regardless of where it comes from.
A flat network has no internal boundaries: once an attacker gains access to any device, they can reach any other device directly:
```
Flat Network:
┌─────────────────────────────────────────────┐
│   Server A  ←──── Attacker ────→  Server B  │
│                      │                      │
│                      ▼                      │
│               Database Server               │
│                (no barriers)                │
└─────────────────────────────────────────────┘
```
Lateral movement — the ability to move from one compromised system to another — is how attackers escalate from initial access to full compromise. Segmentation is the primary network-level defence: it turns one flat network into several boundaries, and each boundary is a control point the attacker has to get through.
Network segmentation divides a network into smaller, isolated zones. Traffic between zones must pass through a security control point (a firewall, a router ACL, or a policy engine) where it can be inspected, allowed or dropped; traffic that stays inside a zone never reaches that control point.
| Method | Description | Granularity |
|---|---|---|
| VLANs (Virtual LANs) | Logically separate broadcast domains on one or more switches (carried between switches over 802.1Q trunks) | Moderate |
| Subnets | IP-based separation with routing controls between segments | Moderate |
| Firewall zones | Physical or virtual firewalls between network segments, with stateful policy per zone pair | High |
| Software-Defined Networking (SDN) | Programmatic control of network flows from a central controller | High |
| Micro-segmentation | Per-workload isolation using host-based, hypervisor or SDN-enforced policies | Very high |
Typical zones in a segmented enterprise network:
| Zone | Purpose | Example Systems |
|---|---|---|
| DMZ | Public-facing services | Web servers, mail relay |
| Internal / Corporate | Employee workstations and services | Desktops, printers, file shares |
| Server / Data Centre | Application and database servers | App servers, databases, APIs |
| Management | Network device management interfaces | Switch consoles, firewall admin |
| IoT / OT | Internet of Things and operational technology | CCTV, HVAC, SCADA |
| Guest | Visitor network with internet-only access | Guest Wi-Fi |
```
                Internet
                   │
            ┌──────┴───────┐
            │   Firewall   │
            └──┬────┬────┬─┘
               │    │    │
         ┌─────┘    │    └─────┐
         ▼          ▼          ▼
      ┌─────┐   ┌──────┐  ┌─────────┐
      │ DMZ │   │ Corp │  │ Servers │
      └─────┘   └──────┘  └────┬────┘
                               │
                          ┌────┴─────┐
                          │ Database │
                          └──────────┘
```
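The zone model above comes down to a default-deny matrix between zones with a short list of explicit allows. The following is an added example, not code from the lesson: a small policy evaluator in Python that maps addresses to zones with the standard `ipaddress` module, decides each flow, and renders the same allow list as an nftables forward chain. The address plan (one /24 per zone), the ports and the allow list are assumptions chosen for illustration. The interesting sample flow is a compromised DMZ web server trying to reach the database directly, which the default deny stops even though both hosts are "inside".

```python
"""Zone-to-zone segmentation policy with default deny.

Added example (not code from the lesson). The address plan, ports and allow
list below are assumed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed address plan: one /24 per zone. Anything outside these is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "corp": ipaddress.ip_network("10.2.0.0/24"),
    "servers": ipaddress.ip_network("10.3.0.0/24"),
    "database": ipaddress.ip_network("10.4.0.0/24"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}

# Explicit allows as (src_zone, dst_zone, proto, dport). "*" matches any zone.
# Everything not listed is dropped at the zone firewall.
ALLOW = [
    ("internet", "dmz", "tcp", 443),       # public web traffic
    ("dmz", "servers", "tcp", 8443),       # web tier -> app tier only
    ("servers", "database", "tcp", 5432),  # app tier -> DB only
    ("corp", "dmz", "tcp", 443),           # staff use the app like the public
    ("mgmt", "*", "tcp", 22),              # admin jump host reaches every zone
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a flow seen by the zone firewall."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Traffic that never leaves the zone is not seen by the zone firewall;
        # only host-based micro-segmentation controls it.
        return "allow", f"intra-zone ({src_zone}), not policed here"
    for s, d, proto, port in ALLOW:
        if s in (src_zone, "*") and d in (dst_zone, "*") \
                and proto == flow.proto and port == flow.dport:
            return "allow", f"{src_zone}->{dst_zone} {proto}/{port} explicitly allowed"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in allow list (default deny)"


def nft_rules() -> str:
    """Render ALLOW as an nftables forward chain whose policy is drop."""
    lines = [
        "table inet zones {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for s, d, proto, port in ALLOW:
        match = []
        if s != "*":  # "internet" = anything outside the assumed 10/8 plan
            match.append(f"ip saddr {ZONES[s]}" if s in ZONES else "ip saddr != 10.0.0.0/8")
        if d in ZONES:
            match.append(f"ip daddr {ZONES[d]}")
        match.append(f"{proto} dport {port} accept")
        lines.append("    " + " ".join(match))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows; the third one is the lateral-movement attempt.
    samples = [
        Flow("203.0.113.7", "10.1.0.10", "tcp", 443),
        Flow("10.1.0.10", "10.3.0.20", "tcp", 8443),
        Flow("10.1.0.10", "10.4.0.5", "tcp", 5432),
        Flow("10.2.0.33", "10.9.0.1", "tcp", 22),
        Flow("10.9.0.1", "10.4.0.5", "tcp", 22),
    ]
    for f in samples:
        print(f"{f.src:>13} -> {f.dst:<11} {f.proto}/{f.dport}: {evaluate(f)}")
    print(nft_rules())
```

Two design points worth noting: the allow list is written in terms of zones, not hosts, so adding a server to a zone needs no rule change; and the intra-zone branch makes explicit that a perimeter-style zone firewall says nothing about two hosts in the same zone, which is exactly the gap micro-segmentation closes.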
VLANs separate traffic at Layer 2. To communicate between VLANs, traffic must be routed through a Layer 3 device (a router or Layer 3 switch), which is where ACLs and firewall rules can be applied. That control only holds if the Layer 2 boundary itself cannot be bypassed, so VLAN-specific risks need their own mitigations:
| Risk | Description | Mitigation |
|---|---|---|
| VLAN hopping (double tagging) | Attacker on an access port in the trunk's native VLAN sends a frame with two 802.1Q tags; the first switch strips the outer (native) tag on the trunk and the second switch delivers the frame into the inner tag's VLAN | Set every trunk's native VLAN to an unused VLAN with no access ports in it, tag the native VLAN on trunks (`vlan dot1q tag native` on Cisco IOS), never use VLAN 1 for user traffic |
| Switch spoofing | Attacker negotiates a trunk from an access port (DTP), then has access to every VLAN carried on it | Disable DTP and force access mode (`switchport mode access`, `switchport nonegotiate`), shut down unused ports, enforce port security |
| Broadcast storms | Excessive broadcast traffic within a VLAN, usually from a loop or a faulty host, starves the whole segment | Spanning Tree Protocol with BPDU guard on access ports, storm control thresholds |
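Double tagging is easiest to understand on the wire. The following is an added example, not the lesson's code: it builds an Ethernet frame with two 802.1Q tags in raw bytes and runs it through a simplified model of two switches joined by a trunk, then repeats the run with each mitigation from the table. The two-switch topology and the switch behaviour modelled (a tag matching the access port's VLAN is accepted and stripped, native-VLAN traffic leaves the trunk untagged unless native tagging is on) are assumptions chosen to show why the native VLAN setting matters; real switches differ in details.

```python
"""Double-tagging VLAN hop, simulated on raw 802.1Q frame bytes.

Added example, not the lesson's code. The two-switch topology and the switch
behaviour modelled below are assumptions chosen to show why the native VLAN
setting matters; real switches differ in details.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI with PCP/DEI 0) after the two MACs."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> tuple:
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def build_frame(dst: bytes, src: bytes, vids, payload: bytes) -> bytes:
    """Ethernet frame with IPv4 ethertype; vids are listed outermost first."""
    frame = dst + src + struct.pack("!H", 0x0800) + payload
    for vid in reversed(vids):
        frame = push_tag(frame, vid)
    return frame


def switch1_forward(frame, access_vlan, native_vlan, tag_native):
    """Switch 1: access-port ingress, trunk egress (modelled behaviour, see above)."""
    vid, inner = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None                      # tagged for a foreign VLAN: dropped
    if access_vlan == native_vlan and not tag_native:
        return inner                     # native VLAN leaves untagged: outer tag gone
    return push_tag(inner, access_vlan)  # otherwise re-tagged with the access VLAN


def switch2_classify(frame, native_vlan):
    """Switch 2 trunk ingress: tagged frames follow their VID, untagged go to native."""
    vid, _ = pop_tag(frame)
    return native_vlan if vid is None else vid


def delivered_vlan(access_vlan, native_vlan, tag_native, outer_vid, inner_vid):
    """VLAN in which switch 2 delivers the attacker's frame (None = dropped)."""
    attacker = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                           [outer_vid, inner_vid], b"hop")  # constructed frame
    on_trunk = switch1_forward(attacker, access_vlan, native_vlan, tag_native)
    return None if on_trunk is None else switch2_classify(on_trunk, native_vlan)


if __name__ == "__main__":
    # Attacker sits on an access port in VLAN 1; outer tag 1, inner tag 20.
    print("native VLAN 1, untagged: ", delivered_vlan(1, 1, False, 1, 20))     # 20: hopped
    print("native VLAN 999 (unused):", delivered_vlan(1, 999, False, 1, 20))   # 1: contained
    print("native VLAN 1, tagged:   ", delivered_vlan(1, 1, True, 1, 20))      # 1: contained
    print("outer tag forged as 999: ", delivered_vlan(1, 999, False, 999, 20)) # None: dropped
```

The last run shows why the native VLAN has to be an *unused* one: if the attacker's port were itself in the native VLAN, forging the outer tag to match would work again. Note also that the hop is one-way; replies from VLAN 20 are switched within VLAN 20 and never come back to the attacker, which is why the technique is mostly used for blind injection rather than interactive access.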
Zero Trust is a security model based on the principle "never trust, always verify": no request is granted access because of where it comes from, only because of what can be verified about it.
| Principle | Description |
|---|---|
| Verify explicitly | Authenticate and authorise every access request based on all available signals (identity, device health, location, the resource and action requested), never on network location alone |
| Least privilege access | Grant the minimum permissions needed, using just-in-time (time-limited) and just-enough (scoped to specific resources and actions) access |
| Assume breach | Design as if the network is already compromised; segment, log and monitor so that one compromised host or account has a minimal blast radius |
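Put together, the three principles describe a per-request decision. The following is an added example, not the lesson's code: a small Python policy function that applies them to a request carrying identity and device signals, checks it against just-in-time grants scoped to one resource and a set of actions, and records the source network without ever using it as a trust input. The signal names, the grant model and the fixture timestamps are assumptions for illustration.

```python
"""Per-request Zero Trust access decision.

Added example, not code from the lesson. The request signals, the grant
model and the sample timestamps are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa: bool                # strong authentication completed for this session
    device_compliant: bool   # endpoint posture (patched, disk encrypted, EDR up)
    source_network: str      # logged for context only; never a trust input
    at: datetime


@dataclass(frozen=True)
class Grant:
    """Just-in-time, just-enough access: one resource, named actions, expiry."""
    user: str
    resource: str
    actions: frozenset[str]
    expires: datetime


def decide(req: Request, grants: list[Grant]) -> tuple[bool, str]:
    """Evaluate one request against the three principles; returns (allowed, reason)."""
    # Verify explicitly: identity and device signals are required on every
    # request, whether it arrives from the office LAN or a coffee shop.
    if not req.mfa:
        return False, "MFA not completed"
    if not req.device_compliant:
        return False, "device failed posture check"

    # Least privilege: the user needs a grant for this exact resource that is
    # still inside its window and that names the requested action.
    matching = [g for g in grants if g.user == req.user and g.resource == req.resource]
    active = [g for g in matching if req.at < g.expires]
    if not matching:
        # Assume breach: being inside the network earns nothing by itself.
        return False, f"no grant for {req.resource} (source {req.source_network} is not a trust signal)"
    if not active:
        return False, f"grant for {req.resource} expired; request a new JIT window"
    permitted = frozenset().union(*(g.actions for g in active))
    if req.action not in permitted:
        return False, f"action {req.action!r} not in grant {sorted(permitted)}"
    latest = max(g.expires for g in active)
    return True, f"{req.action} on {req.resource} permitted until {latest.isoformat()}"


# Constructed fixture: one user with a one-hour JIT read grant on a payroll DB.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "db/payroll", frozenset({"read"}), NOW + timedelta(hours=1))]


def sample_requests() -> list[Request]:
    """Constructed requests covering each branch of decide()."""
    return [
        Request("alice", "db/payroll", "read", mfa=False, device_compliant=True,
                source_network="corp-lan", at=NOW),
        Request("alice", "db/payroll", "read", mfa=True, device_compliant=True,
                source_network="cafe-wifi", at=NOW),
        Request("alice", "db/payroll", "write", mfa=True, device_compliant=True,
                source_network="cafe-wifi", at=NOW),
        Request("alice", "db/payroll", "read", mfa=True, device_compliant=True,
                source_network="corp-lan", at=NOW + timedelta(hours=2)),
        Request("bob", "db/payroll", "read", mfa=True, device_compliant=True,
                source_network="corp-lan", at=NOW),
    ]


if __name__ == "__main__":
    for r in sample_requests():
        print(f"{r.user:5} {r.action:5} {r.resource} from {r.source_network:9} -> {decide(r, GRANTS)}")
```

The first and second requests are the point of the model: the same user asking for the same thing is refused from the corporate LAN without MFA and allowed from a café with MFA and a compliant device. In a real deployment `decide()` sits in front of every resource (a proxy, an identity-aware gateway or the application itself), and the grants come from an access-request workflow with short expiries rather than from a static list.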