Network segmentation

Last updated September 05, 2025

Network segmentation in computer networking is the act or practice of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security.

Advantages

Reduced congestion: On a segmented network, there are fewer hosts per subnetwork and the traffic and thus congestion per segment is reduced
Improved security:
- Broadcasts will be contained to local network. Internal network structure will not be visible from outside.
- There is a reduced attack surface available to pivot in if one of the hosts on the network segment is compromised. Common attack vectors such as LLMNR and NetBIOS poisoning can be partially alleviated by proper network segmentation as they only work on the local network. For this reason it is recommended to segment the various areas of a network by usage. A basic example would be to split up web servers, databases servers and standard user machines each into their own segment.
- By creating network segments containing only the resources specific to the consumers that you authorise access to, you are creating an environment of least privilege^[1]^[2]
Containing network problems: Limiting the effect of local failures on other parts of network
Controlling visitor access: Visitor access to the network can be controlled by implementing VLANs to segregate the network

Improved security

When a cyber-criminal gains unauthorized access to a network, segmentation or “zoning” can provide effective controls to limit further movement across the network.^[3] PCI-DSS (Payment Card Industry Data Security Standard), and similar standards, provide guidance on creating clear separation of data within the network, for example separating the network for Payment Card authorizations from those for Point-of-Service (till) or customer Wi-Fi traffic. A sound security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.^[4]

Controlling visitor access

Finance and Human Resources typically need access via their own VLAN to their application servers because of the confidential nature of the information they process and store. Other groups of personnel may require their own segregated networks, such as server administrators, security administration, managers and executives.^[5]

Third parties are usually required to have their own segments, with different administration passwords to the main network, to avoid attacks via a compromised, less well protected, third party site.^[6]^[7]

Means of segregation

Segregation is typically achieved by a combination of firewalls and VLANs (virtual local area networks). Software-defined networking (SDN) can allow the creation and management of micro-segmented networks.

References

↑ Carter, Kim (2019). "Network: Identify Risks". Holistic Info-Sec for Web Developers. Leanpub. Archived from the original on September 26, 2018. Retrieved April 11, 2019.
↑ Carter, Kim (2019). "Network: Lack of Segmentation". Holistic Info-Sec for Web Developers. Leanpub. Archived from the original on September 26, 2018. Retrieved April 11, 2019.
↑ Reichenberg, Nimmy (March 20, 2014). "Improving Security via Proper Network Segmentation". Security Week. Archived from the original on March 8, 2016. Retrieved March 15, 2016.
↑ Barker, Ian (August 21, 2017). "How network segmentation can help contain cyber attacks". betanews.com. Archived from the original on August 21, 2017. Retrieved April 11, 2019.
↑ Reichenberg, Nimmy; Wolfgang, Mark (24 November 2014). "Segmenting for security: Five steps to protect your network". Network World . Retrieved April 11, 2019.
↑ Krebs, Brian (February 5, 2014). "Target Hackers Broke in Via HVAC Company". KrebsonSecurity.com. Archived from the original on May 26, 2016. Retrieved March 15, 2016.
↑ Fazio, Ross E. "Statement on Target data breach" (PDF). faziomechanical.com. Fazio Mechanical Services. Archived from the original (PDF) on February 28, 2014. Retrieved April 11, 2019.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Carter, Kim (2019). "Network: Identify Risks". Holistic Info-Sec for Web Developers. Leanpub. Archived from the original on September 26, 2018. Retrieved April 11, 2019.

[2] Carter, Kim (2019). "Network: Lack of Segmentation". Holistic Info-Sec for Web Developers. Leanpub. Archived from the original on September 26, 2018. Retrieved April 11, 2019.

[3] Reichenberg, Nimmy (March 20, 2014). "Improving Security via Proper Network Segmentation". Security Week. Archived from the original on March 8, 2016. Retrieved March 15, 2016.

[4] Barker, Ian (August 21, 2017). "How network segmentation can help contain cyber attacks". betanews.com. Archived from the original on August 21, 2017. Retrieved April 11, 2019.

[5] Reichenberg, Nimmy; Wolfgang, Mark (24 November 2014). "Segmenting for security: Five steps to protect your network". Network World . Retrieved April 11, 2019.

[6] Krebs, Brian (February 5, 2014). "Target Hackers Broke in Via HVAC Company". KrebsonSecurity.com. Archived from the original on May 26, 2016. Retrieved March 15, 2016.

[7] Fazio, Ross E. "Statement on Target data breach" (PDF). faziomechanical.com. Fazio Mechanical Services. Archived from the original (PDF) on February 28, 2014. Retrieved April 11, 2019.

[1]

[2]

[3]

[4]

[5]

[6]

[7]