Network segmentation is surprisingly less about keeping bad guys out and more about controlling the blast radius if they get in.

Let’s say you have a typical web application. It has a frontend web server, an application server, and a database.

+--------------+     +-----------------+     +-------------+
| Web Server   | --> | App Server      | --> | Database    |
| (e.g., Nginx)|     | (e.g., Python)  |     | (e.g., PG)  |
+--------------+     +-----------------+     +-------------+

Without segmentation, if your web server gets compromised, the attacker can directly pivot to your application server, and then to your database. All traffic between these components is wide open on your internal network.

Now, let’s introduce segmentation using VLANs and firewall rules.

+-----------------+       +-----------------+       +-----------------+
| VLAN 10 (Web)   | ----> | VLAN 20 (App)   | ----> | VLAN 30 (DB)    |
| Firewall rules: |       | Firewall rules: |       | Firewall rules: |
| Allow 80/443 in |       | Allow app port  |       | Allow DB port   |
| Allow app port  |       | from VLAN 10    |       | from VLAN 20    |
| to VLAN 20      |       | only            |       | only            |
+-----------------+       +-----------------+       +-----------------+

Here’s how it looks in practice. We’re using VLANs (Virtual Local Area Networks) to logically separate traffic on the same physical network infrastructure.

On your network switch (like a Cisco Catalyst or a Juniper EX), you’d configure VLANs:

Switch(config)# vlan 10
Switch(config-vlan)# name WEB
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name APP
Switch(config-vlan)# exit
Switch(config)# vlan 30
Switch(config-vlan)# name DB
Switch(config-vlan)# exit

Then, you’d assign ports to these VLANs. Ports connected to your web servers go into VLAN 10, app servers into VLAN 20, and databases into VLAN 30.

Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet1/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# exit

Next, you need a router or a Layer 3 switch to act as the gateway for each VLAN and enforce the segmentation rules. This is where the firewall rules come into play.

Let’s say your router has IP addresses on each VLAN:

  • VLAN 10 Gateway: 192.168.10.1/24
  • VLAN 20 Gateway: 192.168.20.1/24
  • VLAN 30 Gateway: 192.168.30.1/24

On the router (e.g., a Cisco ISR or a Juniper SRX), you’d configure access control lists (ACLs) or firewall policies.

For example, to allow traffic from the Web VLAN to the App VLAN on port 5000 (the app server’s port):

Router(config)# ip access-list extended WEB_TO_APP
Router(config-ext-nacl)# remark Web tier may open only TCP/5000 to the app tier
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 5000
Router(config-ext-nacl)# remark ACLs are stateless: allow the web servers' replies to their HTTP/HTTPS clients
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 eq 80 any established
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 eq 443 any established
Router(config-ext-nacl)# remark Deny everything else and log it
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit

Router(config)# interface Vlan10
Router(config-if)# ! Filter packets entering the router from VLAN 10, i.e. traffic leaving the web tier
Router(config-if)# ip access-group WEB_TO_APP in
Router(config-if)# exit

Similarly, for traffic from App to DB on port 5432 (PostgreSQL):

Router(config)# ip access-list extended APP_TO_DB
Router(config-ext-nacl)# remark App tier may open only TCP/5432 to the database tier
Router(config-ext-nacl)# permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 5432
Router(config-ext-nacl)# remark Replies from the app servers (TCP/5000) back to the web tier
Router(config-ext-nacl)# permit tcp 192.168.20.0 0.0.0.255 eq 5000 192.168.10.0 0.0.0.255 established
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit

Router(config)# interface Vlan20
Router(config-if)# ! Filter packets entering the router from VLAN 20, i.e. traffic leaving the app tier
Router(config-if)# ip access-group APP_TO_DB in
Router(config-if)# exit

The crucial part is that traffic between these VLANs must pass through the router/firewall. If the web server is compromised, the attacker can only reach the app server on port 5000. They can’t scan the entire internal network or directly attack the database. The firewall rules prevent lateral movement.
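To see what these rules do to an individual flow, here is an added Python example (not code from the original post, and not a Cisco tool): it parses ACL entries written in the syntax above and evaluates sample flows with the same first-match, implicit-deny semantics the router applies. The ACL bodies and flows are constructed for the example; they mirror the post's WEB_TO_APP and APP_TO_DB policies, plus an `established` entry that lets the app tier's replies back to the web tier through, which shows why a bare stateless ACL would silently break the web-to-app connection it was meant to permit.

```python
"""IOS-style extended ACL evaluator (added example, not from the original post).

Handles the subset of the grammar used on this page: protocol (ip/tcp/udp),
`any` / `host A` / `A wildcard` addresses, optional `eq <port>` on source or
destination, and the `established` and `log` keywords.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol
    src: Tuple[int, int]     # (address, wildcard mask) as ints
    src_port: Optional[int]
    dst: Tuple[int, int]
    dst_port: Optional[int]
    established: bool        # matches only TCP packets of an already-open session
    log: bool

@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack_set: bool = False    # True for reply packets (ACK set), False for a new SYN

def _parse_addr(t, i):
    """Consume one address spec at t[i]; return ((address, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _parse_port(t, i):
    """Consume an optional `eq <port>`; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_acl(text: str) -> List[Ace]:
    """Turn ACL body lines into ordered entries; `remark` and `!` lines are ignored."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] == "remark" or t[0].startswith("!"):
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        flags = set(t[i:])
        aces.append(Ace(t[0], t[1], src, sport, dst, dport,
                        "established" in flags, "log" in flags))
    return aces

def _addr_match(spec, ip):
    """Wildcard-mask compare: a set bit in the mask means 'don't care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, int]:
    """First matching entry wins; returns (action, index). Index -1 is the implicit deny."""
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_addr_match(ace.src, flow.src_ip) and _addr_match(ace.dst, flow.dst_ip)):
            continue
        if ace.src_port is not None and ace.src_port != flow.src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        if ace.established and not (flow.proto == "tcp" and flow.ack_set):
            continue
        return ace.action, idx
    return "deny", -1

def reachable(aces, src_ip, targets):
    """(host, TCP port) pairs a host behind this ACL can open: its blast radius."""
    return [(ip, port) for ip, port in targets
            if evaluate(aces, Flow("tcp", src_ip, 40000, ip, port))[0] == "permit"]

def stateless_variant(aces):
    """The same ACL without its `established` entries, to show what a bare stateless ACL drops."""
    return [a for a in aces if not a.established]

# Constructed ACL bodies mirroring the post's WEB_TO_APP and APP_TO_DB policies.
WEB_TO_APP = """
permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 5000
deny ip any any log
"""
APP_TO_DB = """
permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 5432
permit tcp 192.168.20.0 0.0.0.255 eq 5000 192.168.10.0 0.0.0.255 established
deny ip any any log
"""
```

Calling `reachable(parse_acl(WEB_TO_APP), "192.168.10.5", [...])` over a list of candidate (host, port) targets returns only the app server on port 5000, which is the containment the post describes. Evaluating an app-tier reply packet (`Flow("tcp", "192.168.20.5", 5000, "192.168.10.5", 40000, ack_set=True)`) against `stateless_variant(parse_acl(APP_TO_DB))` hits the final deny, while the full `APP_TO_DB` permits it: with stateless ACLs, every permitted flow needs its return path permitted too, or the filtering should be moved to a stateful firewall.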

The most surprising thing about network segmentation is that its primary benefit isn’t about blocking external threats, but about containing internal breaches. When a system is compromised, segmentation limits the attacker’s ability to move freely across your network, significantly reducing the impact of a breach. It turns a potential total compromise into a localized incident.

The common misconception is that segmentation is solely about creating strict "inbound" and "outbound" rules for your network perimeter. While that’s a part of it, the real power comes from defining granular "east-west" traffic flows between internal segments, treating each segment as if it were a separate, untrusted network.

This is the idea behind Zero Trust networking: trust is never assumed, even for internal communication.

The next step in hardening is often microsegmentation, where you segment down to individual workloads or even application processes, rather than just VLANs.
