Network Segmentation: Shrinking the Blast Radius
Why a flat network is a ransomware accelerant
Most breaches do not fail at the front door. An attacker phishes one user, lands on one laptop, and then the real damage depends on a single question: how far can they reach from there? On a flat network, the answer is "everywhere." File shares, domain controllers, backup servers, the finance database, and the badge-reader appliance all sit in the same broadcast domain with unrestricted east-west traffic between them. That is exactly the topology ransomware is built to exploit.
The Verizon Data Breach Investigations Report consistently shows that lateral movement, not initial access, is where a nuisance becomes a crisis. Encrypt one workstation and you have an insurance claim. Reach the hypervisor and the backup repository and you have a company-ending event. Segmentation is the control that decides which of those two outcomes you get. It will not stop the initial compromise — that is the job of controls covered in our network security practice — but it caps the maximum damage any single foothold can cause. Think of it as the fire doors in a building: you still want smoke detectors, but when something ignites, the doors are what keep one room from becoming the whole floor.
Macro-segmentation versus micro-segmentation
Segmentation lives on a spectrum, and conflating the two ends is where most projects go wrong.
- Macro-segmentation carves the network into a handful of large zones — user workstations, servers, guest, management, OT — with firewall policy governing traffic between them. It is coarse, well understood, and delivers the biggest risk reduction for the least effort. If a company has done nothing, this is where the first 70 percent of the benefit comes from.
- Micro-segmentation pushes policy down to the individual workload. Each server or application tier gets its own allow-list of who may talk to it, on which ports, regardless of which subnet it sits in. This is what finally kills server-to-server lateral movement inside a data center or cloud VPC — the flat space that macro zones still leave wide open.
You do not choose one; you sequence them. Macro zones first to contain the obvious blast radius, then micro-segmentation on the crown-jewel systems where a breach would be catastrophic. Trying to micro-segment an entire estate on day one is how programs stall for eighteen months and deliver nothing.
VLANs, firewalls, or identity — pick the right tool per boundary
Three mechanisms enforce segmentation, and they are not interchangeable.
- VLANs separate broadcast domains at layer 2. They are cheap and native to every managed switch, but a VLAN alone is not a security boundary — it is an organizational one. Traffic still routes freely between VLANs unless something inspects it. VLANs are the plumbing; they are not the valve.
- Firewalls — physical, virtual, or the policy engine in a next-generation platform — are the valve. Inter-VLAN and inter-zone traffic should be forced through a firewall that default-denies and logs. This is where your allow-lists actually live and where east-west inspection happens.
- Identity-based segmentation decouples policy from IP addresses entirely. Access is granted based on who the user is, what device they are on, and its posture — not what subnet they landed in. This is the model behind zero trust implementation, and it is the only approach that holds up when users are remote, workloads are ephemeral, and IP addresses change hourly in a cloud environment.
The practical answer is layered: VLANs and firewalls for the physical and OT world, identity-based policy for users and cloud workloads. IP-based rules age badly; identity-based rules follow the workload.
The zones most people forget: IoT, OT, and guest
The devices that cause the worst incidents are rarely the ones IT thinks about daily.
- IoT and building systems — cameras, badge readers, HVAC controllers, smart TVs, printers — ship with weak firmware, hardcoded credentials, and no ability to run an endpoint agent. They belong in a tightly restricted VLAN that can reach the internet only through a filtered path and cannot initiate connections to your server or user zones at all. The 2013 Target breach began at an HVAC vendor's network access; that lesson is over a decade old and still routinely ignored.
- OT and industrial systems demand even stricter isolation. Use the Purdue model as a reference: production control networks should be separated from IT by a demilitarized zone, with data flowing out through brokers rather than direct connections in. Never let a business-side compromise have a routable path to a PLC or SCADA host.
- Guest Wi-Fi should be a completely separate context — internet-only, with client isolation on, no route to any internal resource. It is astonishing how often a "guest" network still resolves internal DNS or reaches a file server.
East-west traffic inspection
Perimeter firewalls inspect north-south traffic — in and out of the organization. The traffic that matters during a ransomware event is east-west: server to server, workstation to workstation, inside the walls. Historically that traffic was invisible because it never crossed a chokepoint. Segmentation creates the chokepoints, and inspection is what makes them useful.
Once inter-zone traffic is forced through a policy engine, you can log every flow, alert on anomalies, and feed that telemetry into monitoring. A workstation suddenly scanning SMB across a /24, or a database reaching outward to a host it has never contacted, is a textbook lateral-movement signature — but only if something is watching the internal flows. Segmentation without inspection is a locked door with no camera on it. Pairing the two turns your network fabric into a detection sensor and gives your response team the visibility to isolate a compromised segment in minutes rather than discovering the spread days later.
A phased rollout that does not break your applications
The reason segmentation projects fail is not technology — it is undocumented dependencies. Enforce a default-deny policy before you understand real traffic and you will take down a business-critical integration nobody remembered existed. Run it in this order instead.
- Discover and map. Deploy flow monitoring and watch actual east-west traffic for two to four weeks. You will find dependencies no diagram shows.
- Design zones around blast radius. Group assets by sensitivity and by what a compromise of each would cost — not by org chart or physical location.
- Build in monitor-only mode. Apply the intended policy but log violations instead of blocking. This surfaces the flows you missed without an outage.
- Enforce incrementally. Flip one boundary to default-deny at a time, starting with the lowest-risk zones, and confirm nothing broke before moving on.
- Micro-segment the crown jewels. Once macro zones are stable, tighten workload-level policy around domain controllers, backup infrastructure, and sensitive data stores.
- Review continuously. New applications and access requests erode segmentation the way access sprawl erodes least privilege. Schedule policy reviews.
Across a distributed footprint, this same discipline extends over the wide-area network. Consistent segmentation policy across sites and clouds is far easier to enforce when the underlying fabric supports it, which is one reason we build it into how we design global networks for clients rather than bolting it on afterward.
Where to start
If your network is flat today, do not aim for perfect micro-segmentation this quarter. Isolate three things first: your backup infrastructure, your IoT and OT devices, and your guest network. Those three moves alone eliminate the most common paths a ransomware actor uses to turn one compromised laptop into an enterprise-wide outage.
Segmentation is a program, not a project — and getting it wrong causes the exact outage everyone fears. intSignal designs and rolls out segmentation the way it should be done: discovery first, monitor-only before enforcement, and policy tied to your real dependencies instead of a vendor template. If you want a candid assessment of how far an attacker could move inside your network today, talk to our team.