- A flat network allows attackers free movement (lateral movement) to all systems after the initial breach, including the domain controller, backups, and production.
- Meaningful segmentation divides the network into zones: DMZ, servers, clients, production/OT, guest Wi-Fi, and IoT. Each zone gets its own VLAN.
- Firewall rules regulate traffic between zones based on the principle: everything is denied unless explicitly allowed.
- Implementation proceeds step by step: inventory, zone model, VLAN configuration, firewall rules, testing, and documentation.
- ISO 27001 (Annex A.8.22) and NIS2 require network segmentation as a technical risk mitigation measure.
Why a flat network is a security risk
Most networks in small and mid-market companies have grown organically. At some point, a switch was set up, a few cables were run, the provider's router was connected, and since then workstations, servers, printers, the phone system, guest Wi-Fi, and perhaps a few IoT sensors all share one and the same network. Everything is in the same subnet, everything can communicate with everything. It works, after all.
Until it doesn't.
The problem with a flat network is not day-to-day operations. In normal business, nobody notices that the accounting workstation could theoretically communicate directly with the backup server. Or that the smart thermostat in the conference room sits in the same network segment as the domain controller. As long as nobody exploits these connections, it goes unnoticed.
But that is precisely where the risk lies. When an attacker compromises a single workstation -- through a phishing email with malware or an unpatched vulnerability -- they instantly have access to the entire network in a flat setup. They can move freely, scan systems, find vulnerabilities, exfiltrate data, and work their way toward the truly valuable targets: the domain controller, the ERP system, the backups. This is called lateral movement, and it is the reason why a compromised workstation can escalate to a full network takeover within hours. A functioning incident response plan can limit the damage, but without segmentation, the time window is extremely short.
The numbers are sobering. In most ransomware attacks, only a few days -- sometimes only hours -- elapse between initial access and encryption of the entire network. Attackers use this time to move through the network, escalate privileges, and destroy backups before they strike. In a segmented network, this path would be blocked or at least significantly hindered.
What network segmentation means
Network segmentation is the principle of dividing a network into multiple separated areas. Each area, also called a zone, contains only systems with similar security and communication requirements. Traffic between zones is controlled by firewalls or access control lists and restricted to what is necessary.
The concept is not new. In the physical world, it corresponds to fire doors in a building. A fire in one room should not be able to spread uncontrolled throughout the entire building. Each fire door limits the damage to the affected area and gives first responders time to react. Network segmentation does exactly the same for your IT network.
ISO 27001 addresses network segmentation in Annex A.8.22 (Segregation of Networks). The requirement states that groups of information services, users, and information systems in networks should be segregated. NIS2 goes a step further and explicitly demands network security measures among its minimum requirements, which undoubtedly includes segmentation. The BSI also recommends network zoning and segmentation in its IT-Grundschutz framework (NET.1.1) as a fundamental security measure.
The six zones: How to partition your network
Before you start configuring VLANs, you need a well-thought-out zone model. The following six zones form a sensible framework for most SMEs. Depending on your organization, you may merge zones or add others, but this model covers typical requirements.
Zone 1: DMZ (Demilitarized Zone)
The DMZ is the zone between the internet and your internal network. It hosts all systems that must be reachable from the internet: the web server, the mail server, the VPN gateway, possibly a reverse proxy. These systems are exposed by definition and therefore carry higher risk. The DMZ ensures that a compromised web server has no direct access to the internal network.
Communication between DMZ and internet is restricted to necessary ports (HTTP/HTTPS, SMTP, VPN). Communication between DMZ and internal network is strictly regulated: the mail server may forward emails to the internal mail relay, but it may not access the file server or domain controller. The fundamental rule is: no connection may ever be initiated from the DMZ to the internal network unless there is an explicit, documented exception.
Zone 2: Server zone
The server zone houses your internal servers: domain controller, file server, ERP system, database server, monitoring, internal mail server. These systems are the backbone of your IT and contain the most valuable data. The server zone has the strictest access rules.
Client workstations may access server services only through defined ports. A workstation may establish an HTTPS connection to the ERP system but may not access the server directly via RDP or SSH. Administrative access to servers occurs exclusively from a separate management network or through a jump host solution. This prevents a compromised client from gaining direct administrative access to servers.
Zone 3: Client zone
The client zone encompasses all employee workstations and notebooks. This zone has the highest compromise risk because it is where interaction with emails, websites, and external files takes place. The client zone may access server services, but communication between clients should be restricted as much as possible.
Why? Because lateral movement typically occurs from client to client. A compromised workstation attempts to scan and attack other machines in the same segment. If clients cannot communicate with each other, this attack vector is eliminated. In practice, this can be implemented through private VLANs or micro-segmentation, but even a simple separation of clients and servers into different VLANs is an enormous improvement over a flat network.
Zone 4: Production and OT zone
If your organization operates production facilities, control systems, or other operational technology, these need their own zone. OT systems have special requirements: they often run outdated software, cannot be easily patched, and have long lifecycles. A compromised OT system can cause physical damage, from production interruptions to safety risks for employees.
The OT zone must be strictly separated from the IT network. If data must be exchanged between IT and OT -- such as production orders from the ERP -- it occurs through defined interfaces and controlled data flows. A data diode or an application-level gateway can be useful here. Under no circumstances should an office workstation be able to directly access a control system.
Zone 5: Guest Wi-Fi
The guest Wi-Fi is conceptually the simplest zone: it provides internet access for visitors, contractors, and personal devices. Period. No access to internal resources, no access to other zones. The guest Wi-Fi is completely isolated and has only an outbound connection to the internet.
In practice, guest Wi-Fi is frequently neglected. Sometimes it shares a subnet with the internal Wi-Fi, sometimes there is no separate guest network at all, and visitors get the internal Wi-Fi password. This is a risk that can be eliminated with minimal effort. Any reasonably modern access point can provide a separate guest network with its own VLAN.
Zone 6: IoT zone
An increasing number of devices on the network are not traditional computers: IP cameras, access control systems, smart thermostats, multifunction printers, digital door signs, elevator controls. These devices often have minimal security features, are rarely updated, and are a popular entry point for attackers.
IoT devices belong in their own VLAN with heavily restricted communication. An IP camera may need to send its video stream to the NVR (Network Video Recorder) but does not need access to the internet or the rest of the network. A printer must receive print jobs from clients but does not need access to the domain controller. The more restrictive the rules for the IoT zone, the better.
VLANs in practice: The technical implementation
The technical foundation for network segmentation is VLANs (Virtual Local Area Networks). A VLAN is a logically separated network on the same physical infrastructure. Instead of running separate switches and cables for each zone, you configure the separation on existing switches via software. This saves hardware and makes segmentation flexible.
How VLANs work
Each VLAN receives a unique ID (VLAN tag) per the IEEE 802.1Q standard. Switch ports are assigned to a VLAN: a port assigned to VLAN 10 can only communicate with other ports in VLAN 10. Packets between VLANs must be routed through a router or Layer 3 firewall, where they can be inspected and filtered.
There are two types of switch ports: access ports and trunk ports. Access ports belong to exactly one VLAN and are typically used for end devices. Trunk ports carry traffic from multiple VLANs simultaneously and are used for connections between switches or between a switch and a firewall. The VLAN tag in the Ethernet frame identifies which VLAN a packet belongs to.
A typical VLAN scheme
For an SME with the six zones described, the VLAN scheme might look like this:
VLAN 10 -- Management: Switches, access points, firewall management interfaces. Only accessible by administrators.
VLAN 20 -- DMZ: Web server, mail server, VPN gateway. Reachable from the internet on defined ports.
VLAN 30 -- Servers: Domain controller, file server, ERP, databases. Reachable from the client zone via application protocols.
VLAN 40 -- Clients: Workstations and notebooks. Internet access and access to server services.
VLAN 50 -- Production/OT: Control systems, production facilities. Strictly isolated, controlled data exchange with the server zone.
VLAN 60 -- Guests: Guest Wi-Fi. Internet access only, no internal resources.
VLAN 70 -- IoT: Cameras, sensors, access control. Restricted communication with specific target servers.
IP addressing follows the VLAN scheme: VLAN 10 gets 10.10.10.0/24, VLAN 20 gets 10.10.20.0/24, and so on. This convention makes the assignment intuitive and simplifies firewall configuration.
DHCP and DNS in segmented networks
Each VLAN needs its own DHCP scope. The DHCP server typically resides in the server zone and serves all VLANs via DHCP relay (ip helper-address on the router/Layer 3 switch). This way, you need only one centrally managed DHCP server.
DNS works similarly: an internal DNS server in the server zone answers queries from all zones. Firewall rules must allow DNS traffic (port 53) from all internal zones to the DNS server. Guest Wi-Fi can alternatively use an external DNS server so that guests cannot resolve internal DNS entries.
Firewall rules between zones
VLANs alone do not provide security. Without firewall rules controlling traffic between VLANs, segmentation is merely a logical separation without protective effect. The firewall is the heart of segmentation.
The fundamental principle: Default Deny
Every firewall rule configuration starts with a single rule: everything is denied. Deny Any Any. From this baseline, you selectively open only the communication paths that are actually needed. This is the principle of least privilege applied to network communication.
In practice, this means: you sit down with the business departments and document which systems need to communicate with which other systems over which protocols. Each communication relationship becomes a firewall rule. What is not documented and approved remains blocked.
Example ruleset for the six zones
The following rules are a starting point. In practice, you will adapt them to your specific systems and requirements.
Clients -> Servers (VLAN 40 -> VLAN 30): Permitted are the application protocols employees need for their work: HTTPS (443) to the ERP and intranet, SMB (445) to the file server, LDAP/Kerberos (389/88) to the domain controller, DNS (53), NTP (123). Not permitted: RDP, SSH, direct database access, ICMP (or only for admins).
Clients -> Internet (VLAN 40 -> WAN): Permitted: HTTP/HTTPS through the proxy or firewall. Depending on requirements, additional protocols for specific applications. Web traffic should flow through a proxy or next-generation firewall with URL filtering.
Servers -> Internet (VLAN 30 -> WAN): Only for defined purposes: Windows Update, antivirus updates, cloud services. Each server that needs internet access gets an explicit rule. Servers without a need stay offline.
DMZ -> Servers (VLAN 20 -> VLAN 30): Only for specific, documented data flows. The mail server in the DMZ may forward emails to the internal mail server (SMTP, port 25). The reverse proxy may forward requests to internal web applications. Nothing else.
DMZ -> Clients: Denied. No exceptions.
Guests -> anything but internet: Denied. Guest Wi-Fi has internet access exclusively.
IoT -> Servers (VLAN 70 -> VLAN 30): Only for specific devices and target servers. The camera may send its stream to the NVR. The access control system may communicate with its management server. Everything else is blocked.
IoT -> Internet: Denied by default. If an IoT device requires cloud connectivity, this is configured as an exception with a specific destination IP and port.
Production/OT -> IT network: Denied by default. Data exchange only through defined interfaces in the server zone.
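The ruleset above as an executable default-deny policy check, an added example that is not part of the original article: zones are the article's VLAN subnets, allow rules match first-hit, and any flow no rule covers falls through to Deny Any Any. The host addresses (mail relay, patch server, camera, NVR) and the RTSP port 554 for the camera stream are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# VLAN scheme from the article: VLAN n uses 10.10.n.0/24. A publicly routable
# address outside every zone subnet counts as "wan", i.e. the internet.
ZONES = {
    "management": ipaddress.ip_network("10.10.10.0/24"),
    "dmz": ipaddress.ip_network("10.10.20.0/24"),
    "servers": ipaddress.ip_network("10.10.30.0/24"),
    "clients": ipaddress.ip_network("10.10.40.0/24"),
    "ot": ipaddress.ip_network("10.10.50.0/24"),
    "guests": ipaddress.ip_network("10.10.60.0/24"),
    "iot": ipaddress.ip_network("10.10.70.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan" if addr.is_global else "unknown"


@dataclass(frozen=True)
class Rule:
    src: str                        # source zone
    dst: str                        # destination zone
    proto: str                      # "tcp", "udp" or "any"
    ports: frozenset                # allowed destination ports; empty means any port
    rationale: str                  # documented reason, as the communication matrix requires
    src_host: Optional[str] = None  # pin an exception to one device (DMZ/IoT rules)
    dst_host: Optional[str] = None


# Zone pairs and ports follow the article's ruleset; the host addresses (mail relay,
# patch server, camera, NVR) and the RTSP port 554 for the camera stream are assumed.
RULES = [
    Rule("clients", "servers", "tcp", frozenset({443, 445, 389, 88}), "ERP/intranet, file server, AD"),
    Rule("clients", "servers", "udp", frozenset({53, 88, 123}), "DNS, Kerberos, NTP"),
    Rule("clients", "wan", "tcp", frozenset({80, 443}), "web access via proxy"),
    Rule("servers", "wan", "tcp", frozenset({80, 443}), "Windows Update", src_host="10.10.30.5"),
    Rule("dmz", "servers", "tcp", frozenset({25}), "mail relay to internal mail server",
         src_host="10.10.20.25", dst_host="10.10.30.25"),
    Rule("iot", "servers", "tcp", frozenset({554}), "camera stream to NVR",
         src_host="10.10.70.11", dst_host="10.10.30.40"),
    Rule("guests", "wan", "any", frozenset(), "guest Wi-Fi: internet only"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[bool, str]:
    """First matching allow rule wins; no match falls through to the implicit Deny Any Any."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src, r.dst) != (src_zone, dst_zone):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports and dport not in r.ports:
            continue
        if r.src_host and r.src_host != src_ip:
            continue
        if r.dst_host and r.dst_host != dst_ip:
            continue
        return True, r.rationale
    return False, f"default deny ({src_zone} -> {dst_zone})"


if __name__ == "__main__":
    for flow in [("10.10.40.15", "10.10.30.5", "tcp", 443),      # client -> ERP: allowed
                 ("10.10.40.15", "10.10.30.5", "tcp", 3389),     # client -> server RDP: denied
                 ("10.10.20.25", "10.10.30.5", "tcp", 445),      # DMZ relay -> file server: denied
                 ("10.10.70.11", "93.184.216.34", "tcp", 443)]:  # camera -> internet: denied
        print(flow, evaluate(*flow))
```

Because the firewall is stateful, only the initiating direction needs a rule; the reply traffic of a permitted connection is not a separate allow.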
Logging and monitoring
Every firewall rule should have logging enabled, at a minimum for denied connections (deny log). This helps you detect when systems attempt to communicate across zone boundaries in ways that are not intended. Such attempts can indicate a misconfiguration or an attack, which is why a well-designed logging and monitoring strategy is essential here. A SIEM system, or at least a central syslog server, collects these logs and enables analysis.
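Deny-log analysis as an added example, not from the article: a constructed syslog-like deny line format is parsed, each source is mapped to its VLAN zone, and the patterns the text warns about are flagged, namely one host being denied to many others behind a zone boundary, and zones that must never initiate inward connections (DMZ, guests, IoT, OT) trying to. The log format, the sample lines and the scan threshold are assumptions for this example.

```python
import re
import ipaddress
from collections import defaultdict

# Same VLAN-to-subnet scheme as the article (VLAN n -> 10.10.n.0/24).
ZONES = {name: ipaddress.ip_network(net) for name, net in {
    "management": "10.10.10.0/24", "dmz": "10.10.20.0/24", "servers": "10.10.30.0/24",
    "clients": "10.10.40.0/24", "ot": "10.10.50.0/24", "guests": "10.10.60.0/24",
    "iot": "10.10.70.0/24"}.items()}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan" if addr.is_global else "unknown"


# Constructed deny-log format for this example (real firewalls differ; adapt the regex):
# <timestamp> <firewall> deny <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(r"^(\S+) (\S+) deny (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, _fw, proto, src, _sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}


def analyze(lines, scan_threshold: int = 5):
    """Group denies per source and flag the patterns the article warns about."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, events in by_src.items():
        src_zone = zone_of(src)
        dst_hosts = {e["dst"] for e in events}
        dst_zones = {zone_of(e["dst"]) for e in events}
        internal = dst_zones - {"wan", "unknown"}
        # One source denied to many hosts across the boundary looks like a scan.
        if len(dst_hosts) >= scan_threshold:
            findings.append((src, "possible-scan",
                             f"{src_zone} host denied to {len(dst_hosts)} hosts in {sorted(dst_zones)}"))
        # Zones that must never initiate connections inward (DMZ, guests, IoT, OT).
        if src_zone in ("dmz", "guests", "iot", "ot") and internal:
            findings.append((src, "inbound-from-restricted-zone", f"{src_zone} -> {sorted(internal)}"))
        # IoT devices trying to reach the internet: often a misconfiguration, still worth a look.
        if src_zone == "iot" and "wan" in dst_zones:
            findings.append((src, "iot-internet-attempt", f"{len(events)} denied connections"))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real logs
    *[f"2024-05-03T09:12:{i:02d} fw01 deny tcp 10.10.40.15:51{i:03d} -> 10.10.30.{i}:445" for i in range(1, 9)],
    "2024-05-03T09:15:02 fw01 deny tcp 10.10.40.22:50233 -> 10.10.30.5:3389",
    "2024-05-03T09:16:10 fw01 deny tcp 10.10.60.7:43210 -> 10.10.30.5:445",
    "2024-05-03T09:17:44 fw01 deny tcp 10.10.70.12:39999 -> 93.184.216.34:443",
    "2024-05-03T09:17:45 fw01 deny tcp 10.10.70.12:40000 -> 93.184.216.34:443",
    "2024-05-03T09:18:01 fw01 deny tcp 10.10.20.25:44000 -> 10.10.30.5:445",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

A single denied RDP attempt from one client (10.10.40.22 above) produces no finding on its own; it is the aggregation per source that separates noise from a pattern.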
Practical example: A company with 100 employees
To make the theory tangible, here is a concrete example. Mueller Machine Building GmbH has 100 employees, one location, its own production facility, and a typical IT landscape.
Starting situation
The network has grown organically. All devices are on the subnet 192.168.1.0/24. A single switch connects everything: 80 workstations, 5 servers, 3 printers, 10 IP cameras, a PLC controller in the production hall, 4 access points, and the guest Wi-Fi. The provider's router does NAT and has a simple firewall that blocks inbound traffic, but there is no internal control.
The problem
After a penetration test, the external service provider finds that a compromised workstation could reach the domain controller within minutes, scan all network shares, and access the PLC controller in production. The pentest report includes the recommendation: introduce network segmentation.
The solution
The IT department plans the segmentation together with an external service provider. The existing managed switches support VLANs, and the existing firewall can handle inter-VLAN routing with rulesets. No new hardware is needed -- only configuration.
The zone model is defined:
Accounting, the sales team, and engineering go into the client VLAN. The five servers (domain controller, file server, ERP, database, backup) go into the server VLAN. The PLC controller and HMI terminal get their own production VLAN. Cameras and the access control system are moved to the IoT VLAN. Guest Wi-Fi gets an isolated VLAN. The externally reachable VPN concentrator goes into the DMZ.
Firewall rules are built using the default deny principle. For each communication relationship, there is a documented rule with source zone, destination zone, protocol, port, and rationale. The IT department maintains these rules in a table that also serves as evidence of controls in the ISMS. Tools like ISMS Lite allow you to link the zone model and firewall rules directly as control evidence in risk treatment.
The result
After the transition, a compromised workstation can no longer reach the PLC controller. It cannot directly access the backup server. It cannot even scan other workstations because the firewall also blocks intra-VLAN traffic for unnecessary protocols. The attack surface has shrunk dramatically. The second penetration test three months later confirms: lateral movement is significantly restricted.
Step-by-step implementation
Want to segment your own network? Here is the concrete roadmap.
Step 1: Inventory
Before you segment, you need to know what you have. Create a complete inventory of all devices on the network: servers, clients, printers, phones, cameras, IoT devices, network components. Use network scanners like Nmap or the inventory function of your management system. Document the current IP address, location, purpose, and communication relationships for each device.
This step is the most time-consuming and the most important. If you don't know which devices are on your network and how they communicate, you cannot segment meaningfully. The IT asset inventory from your ISMS is the foundation here.
Step 2: Define the zone model
Assign each device to a zone. Use the six-zone model as a starting point and adapt it to your organization. Perhaps you don't need an OT zone because you have no production. Perhaps you need an additional zone for a separate development network. The zone model must fit your organization, not the other way around.
Create a network diagram showing the zones and planned communication paths. This diagram becomes the central planning document and later the documentation in the ISMS.
Step 3: Create the communication matrix
For each zone, document which other zones it needs to communicate with, over which protocols and ports. This matrix will become the basis for your firewall ruleset. Discuss the matrix with the business departments -- they know best which applications they use and which connections they need.
A simple table suffices: source zone, destination zone, protocol, port, purpose, responsible party. This table becomes a living document that is updated with every change.
Step 4: VLAN configuration
Configure the VLANs on your switches. Assign each VLAN an ID and an IP subnet. Configure access ports for end devices and trunk ports for connections between switches and to the firewall. Set up DHCP scopes for each VLAN.
Important: don't change everything at once. Start with one zone, such as guest Wi-Fi, and test the configuration thoroughly before moving to the next zone. A phased approach significantly reduces the risk of production outages.
Step 5: Implement firewall rules
Translate the communication matrix into firewall rules. Start with default deny and then selectively open the documented communication paths. Enable logging for all rules, especially deny rules. Test each rule after implementation.
Plan sufficient time for testing. Communication relationships will surface that are missing from the matrix because nobody had them on their radar: an application that suddenly stops working because its port is blocked, an update mechanism that can no longer get through. This is normal and part of the process, and it is why a phased rollout is so important.
Step 6: Documentation and review
Document the entire segmentation concept: zone model, VLAN scheme, IP addressing plan, communication matrix, firewall ruleset, network diagram. This documentation is part of your ISMS and will be reviewed during audits.
Schedule regular reviews: at least annually, preferably semi-annually. At each review, check whether firewall rules are still current, whether new systems have been correctly assigned, and whether the segmentation still matches the current threat landscape. Firewall rulesets tend to weaken over time as exceptions are added but never removed. You must actively counteract this.
Common mistakes and how to avoid them
The following mistakes appear time and again in practice. If you know them, you can avoid them from the start.
Too many exceptions
Every exception in the firewall is a hole in the segmentation. If you create a new allow rule for every employee complaint, after a year you have a ruleset with hundreds of entries and no effective segmentation. Every exception needs a documented rationale, an approval, and an expiration date. Temporary rules created for a migration or a test must be removed once the work is complete.
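The Step 6 review and the exception hygiene described here as an added example, not from the article: each rule row carries the communication-matrix columns (source, destination, protocol, port, purpose, responsible party) plus approval and expiry, and the check flags expired temporary rules, rules without rationale or approval, any/any rules, and rules between zone pairs the zone model never permits. The sample rows are constructed for this example.

```python
from datetime import date

ZONE_NAMES = ["management", "dmz", "servers", "clients", "ot", "guests", "iot"]

# Zone pairs the article rules out entirely: DMZ -> clients, and guests -> anything internal.
FORBIDDEN_PAIRS = {("dmz", "clients")} | {("guests", z) for z in ZONE_NAMES if z != "guests"}

# One row per firewall rule with the communication-matrix columns plus approval and
# expiry. Constructed sample data; rules 3 to 5 show the mistakes the text describes.
RULESET = [
    {"id": 1, "src": "clients", "dst": "servers", "proto": "tcp", "port": "443",
     "purpose": "ERP/intranet", "owner": "IT", "approved_by": "CISO", "expires": None},
    {"id": 2, "src": "dmz", "dst": "servers", "proto": "tcp", "port": "25",
     "purpose": "mail relay", "owner": "IT", "approved_by": "CISO", "expires": None},
    {"id": 3, "src": "clients", "dst": "servers", "proto": "tcp", "port": "3389",
     "purpose": "file server migration", "owner": "IT", "approved_by": "CISO",
     "expires": date(2024, 3, 31)},                                  # temporary, never removed
    {"id": 4, "src": "clients", "dst": "servers", "proto": "any", "port": "any",
     "purpose": "", "owner": "", "approved_by": "", "expires": None},  # "just make it work"
    {"id": 5, "src": "dmz", "dst": "clients", "proto": "tcp", "port": "445",
     "purpose": "scanner uploads", "owner": "Office", "approved_by": "IT", "expires": None},
]


def review(ruleset, today: date):
    """Return (rule id, problem) pairs for the review meeting; an empty list means clean."""
    problems = []
    for r in ruleset:
        if r["expires"] and r["expires"] < today:
            problems.append((r["id"], f"expired on {r['expires']} but still active"))
        if not (r["purpose"] and r["owner"] and r["approved_by"]):
            problems.append((r["id"], "missing rationale, responsible party or approval"))
        if r["proto"] == "any" and r["port"] == "any":
            problems.append((r["id"], f"any/any rule defeats segmentation {r['src']} -> {r['dst']}"))
        if (r["src"], r["dst"]) in FORBIDDEN_PAIRS:
            problems.append((r["id"], f"{r['src']} -> {r['dst']} is never permitted by the zone model"))
    return problems


if __name__ == "__main__":
    for rule_id, problem in review(RULESET, date.today()):
        print(f"rule {rule_id}: {problem}")
```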
No monitoring after introduction
Segmentation is not a one-time project. Without continuous monitoring of firewall logs, you don't know whether the rules are effective, whether anomalies exist, or whether communication patterns have changed. Set up alerts for unusual deny patterns and regularly review whether each allow rule is still needed.
Management access not secured
The management interfaces of switches, firewalls, and access points must reside in their own management VLAN, accessible only by administrators. If management access runs over the same VLAN as the clients, a compromised client can attack the network infrastructure and undermine the segmentation.
Forgotten legacy systems
During migration to a segmented network, individual devices are frequently forgotten: an old printer still in the server VLAN, a test server that was never moved to the correct VLAN. These legacy systems are potential bridges between zones. Regular network scans uncover such remnants.
Micro-segmentation: The next step
Classic network segmentation via VLANs and firewalls is a good first step. For organizations with higher security requirements, there is the concept of micro-segmentation. Here, control is enforced not just between zones but between individual workloads or even individual applications.
Micro-segmentation is typically implemented through software-defined networking (SDN) or host-based firewalls. Products like VMware NSX, Cisco ACI, or even the Windows Firewall with Group Policies allow communication rules to be enforced at the level of individual virtual machines or containers. The result is even finer-grained control: even if two servers are in the same VLAN, micro-segmentation can ensure they communicate only over permitted protocols.
For most SMEs, classic VLAN-based segmentation is the right starting point. Micro-segmentation pays off when you have already segmented and want to further increase security, for example for particularly sensitive systems like databases with personal data or systems in PCI DSS scope.
Segmentation as the foundation for Zero Trust
Network segmentation is also the cornerstone of a Zero Trust architecture. The Zero Trust model assumes that no device and no user is inherently trustworthy -- not even within your own network. Every access is authenticated, authorized, and continuously verified.
In a segmented network, you have the infrastructure to implement Zero Trust: the firewall between zones can check not just ports and protocols but also user identities and device states. A next-generation firewall can define rules like: "Only users in the Finance group may access the ERP server via HTTPS, and only from devices running a current endpoint protection agent."
That is of course more ambitious than basic zoning. But it shows where the journey is headed and why segmenting your network is not an optional nice-to-have but the foundation for a modern security architecture.
Network segmentation is essential, not optional
Segmenting your network is one of the most effective measures you can take for your organization's information security. It requires no exotic hardware and no massive budget. What it requires is a well-thought-out concept, careful planning, and the discipline to maintain the rules even after implementation.
The effort is worth it. A segmented network limits damage during a security incident, hinders lateral movement, protects critical systems, and meets the requirements of ISO 27001, NIS2, and BSI IT-Grundschutz. It does not make your organization invulnerable, but it makes a successful attack significantly harder and the potential damage significantly smaller.
Start with the inventory. Draw your zone model. Put the guest Wi-Fi in its own VLAN. And then work your way zone by zone until your network is no longer an open field but a series of enclosed rooms with controlled access points.
Start with guest Wi-Fi -- it is the zone with the lowest risk of production outages and the greatest learning effect for your team. Once it is in place and working cleanly, take on the next zone.
