Think of a network like a big office building. If every room shared one giant open floor, anyone who got inside could wander anywhere. But if you add walls, locked doors, and keycard zones, a single intruder gets stuck in one area. That's the idea behind network segmentation: splitting a network into smaller pieces so that problems in one piece don't spread to the rest.
What Network Segmentation Is
Network segmentation is the process of dividing a network into smaller, isolated segments called subnetworks (or subnets). Instead of one flat network where every device can freely talk to every other device, you carve the network into chunks. Each chunk has its own boundary, and traffic between chunks gets controlled.
Why bother? Three big reasons:
- Traffic isolation. Devices in one subnet don't see traffic from another subnet. That keeps things tidy and limits what an attacker can snoop on.
- Breach containment. If malware infects a laptop in the marketing subnet, segmentation can stop it from spreading to the finance servers in a different subnet.
- Custom security policies. You can lock down sensitive segments way harder than less-sensitive ones. A subnet holding patient records can have strict rules, while the guest Wi-Fi subnet can be more relaxed.
This last point introduces the idea of higher security zones and lower security zones. A higher security zone gets tighter firewall rules, stricter access controls, and more monitoring. A lower security zone is more open because the stuff inside it is less sensitive (or already meant to be public).

Screened Subnets (DMZs)
Some servers need to be reachable from the public internet. Think of a company's website, email server, or a web app that customers log into. You can't hide those behind a wall, because customers need to reach them. But you also don't want random people on the internet getting anywhere near your internal files.
The solution is a screened subnet, also called a demilitarized zone (DMZ). It's a network segment that sits between the public internet and the private internal network, created using firewall zones and rules.
Here's the layout:
```text
Internet → [Firewall 1] → Screened Subnet (DMZ) → [Firewall 2] → Internal LAN
                          (web servers, email,                    (employee computers,
                           public-facing apps)                     file servers, databases)
```
The screened subnet is a lower security zone. It holds the organization's publicly facing resources, like web servers. The first firewall lets internet traffic reach those servers but blocks everything else. The second firewall is much stricter and protects the internal LAN, which is a higher security zone.
So if an attacker manages to compromise a web server in the DMZ, they're still stuck. The second firewall stops them from jumping into the internal network where the real sensitive data lives. The DMZ acts like a buffer.
A quick way to remember it: the DMZ is the lobby of the building. Visitors can come in, but they can't get past the security desk into the actual offices.
Subnetting Based on IP Addressing
Subnetting is one way to actually build those segments. It uses IP addressing to split a larger network into smaller logical pieces.
For example, a company might use the IP range 10.0.0.0/16 for its whole network, then divide it like this:
- 10.0.1.0/24 for the finance department
- 10.0.2.0/24 for engineering
- 10.0.3.0/24 for guest Wi-Fi
- 10.0.4.0/24 for servers
Each /24 is its own subnet with up to 254 usable addresses. Routers and firewalls sit between these subnets and control which ones can talk to which.
The security payoff: if an adversary compromises a device on the guest Wi-Fi subnet (10.0.3.0/24), the breach is contained to that subnet. The attacker can't automatically reach finance machines on 10.0.1.0/24 because the firewall rules between those subnets won't let them through. You've reduced the number of exposed devices dramatically.
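To make the zone boundaries in the DMZ layout and the subnet plan concrete, here is a small policy evaluator (added here as an illustration, not code from the original page). It uses the four /24 subnets above plus an assumed DMZ range of 10.0.5.0/24, and applies an ordered, first-match, default-deny rule list the way a firewall between the segments would.

```python
import ipaddress

# Zones from the article, plus an assumed DMZ range (not given on the page).
ZONES = {
    "finance":     ipaddress.ip_network("10.0.1.0/24"),
    "engineering": ipaddress.ip_network("10.0.2.0/24"),
    "guest":       ipaddress.ip_network("10.0.3.0/24"),
    "servers":     ipaddress.ip_network("10.0.4.0/24"),
    "dmz":         ipaddress.ip_network("10.0.5.0/24"),  # assumed for illustration
}

# Inter-zone rules, evaluated top to bottom; the first match wins and the last
# rule denies everything else. None means "any" for that field.
# (src_zone, dst_zone, dst_port, action)
RULES = [
    ("internet",    "dmz",      443,  "allow"),  # firewall 1: public web server
    ("internet",    "dmz",      25,   "allow"),  # firewall 1: mail server
    ("dmz",         "servers",  5432, "allow"),  # firewall 2: web app to its database only
    ("dmz",         None,       None, "deny"),   # a compromised DMZ host goes nowhere else
    ("guest",       "internet", None, "allow"),  # guests get out, nowhere inside
    ("guest",       None,       None, "deny"),
    ("engineering", "servers",  443,  "allow"),
    ("finance",     "servers",  443,  "allow"),
    (None,          None,       None, "deny"),   # default deny
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the listed ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a connection attempt between two addresses."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_port, action in RULES:
        if r_src in (None, src) and r_dst in (None, dst) and r_port in (None, dst_port):
            return action
    return "deny"
```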
VLANs and Switches
Sometimes you want to separate devices logically even if they're plugged into the same physical hardware. That's where VLANs (Virtual Local Area Networks) come in.
A switch is the device that connects computers, printers, and other gear together inside a building using cables. Normally, every device plugged into a switch can talk to every other device on that switch. VLANs change that by grouping ports into separate virtual networks.
Picture a single 24-port switch in an office. Without VLANs, all 24 ports share one network. With VLANs, you can configure it like this:
- Ports 1 to 8: VLAN 10 (Finance)
- Ports 9 to 16: VLAN 20 (Engineering)
- Ports 17 to 24: VLAN 30 (Guest)
Even though all those computers are wired into the same physical switch, the switch treats them as if they were on three completely separate networks. A finance computer on port 3 can't directly talk to a guest laptop on port 20 without going through a router or firewall that allows it.
VLANs are super useful because you don't need to buy separate switches for each department. One switch, logically separated. That saves money and makes the network easier to reconfigure when people move desks.
Port Security and MAC Flooding
Switches keep a table that maps MAC addresses (unique hardware IDs on every network device) to the physical port they're connected to. That's how the switch knows where to send traffic.
But this table has a limited size. In a MAC flooding attack, an adversary sends a huge flood of frames with fake source MAC addresses into a switch port. The table fills up, and the switch can no longer learn where new hosts are. Not knowing which port a destination sits on, it falls back to flooding those frames out every port, kind of like a desperate mailman shouting every letter to the whole street. Now the attacker can sniff traffic they shouldn't be able to see.
Port security is a switch feature that prevents this. You configure each port to only allow a limited number of MAC addresses, often just one or two. If the port sees more MACs than allowed, it can shut down or ignore the extra addresses.
For example, a port security rule might say:
```text
interface FastEthernet0/5
 ! port security can only be enabled on a static access port
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
```
That tells the switch: this port allows a maximum of 2 MAC addresses, and if more show up, shut the port down. MAC flooding attack stopped before it starts.
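The VLAN layout and the port-security behaviour described above can be modelled in a few dozen lines. This is an added illustration, not code from the original page: a toy switch with the article's 24-port VLAN map, a deliberately tiny MAC table, and an optional per-port MAC limit with violation shutdown, so you can see why frames stay inside their VLAN and why the limit stops the table from being filled.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Minimal switch model: per-port VLAN membership, a bounded MAC table, and
    optional port security (max MACs per port; a violation shuts the port down)."""
    vlan_of_port: dict                             # port number -> VLAN id
    table_capacity: int = 8                        # tiny on purpose; real tables hold thousands
    max_macs: dict = field(default_factory=dict)   # port -> port-security limit (absent = none)
    mac_table: dict = field(default_factory=dict)  # learned MAC -> port
    shutdown: set = field(default_factory=set)     # ports closed by a violation

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Handle one frame arriving on in_port; return the ports it is forwarded to."""
        if in_port in self.shutdown:
            return []
        vlan = self.vlan_of_port[in_port]
        new_mac = src_mac not in self.mac_table
        # Port security: refuse a new MAC once the port has reached its limit.
        if new_mac and in_port in self.max_macs:
            learned = sum(1 for p in self.mac_table.values() if p == in_port)
            if learned >= self.max_macs[in_port]:
                self.shutdown.add(in_port)         # "violation shutdown"
                return []
        # Learn the source if the table has room. A full table learns nothing, so
        # frames to hosts it never learned keep being flooded (the MAC flooding effect).
        if new_mac and len(self.mac_table) < self.table_capacity:
            self.mac_table[src_mac] = in_port
        # Forward: known destination in the same VLAN -> that port; otherwise flood the VLAN.
        out = self.mac_table.get(dst_mac)
        if out is not None and out != in_port and self.vlan_of_port[out] == vlan:
            return [out]
        return [p for p, v in self.vlan_of_port.items()
                if v == vlan and p != in_port and p not in self.shutdown]

def article_switch(port_security_max=None) -> Switch:
    """The 24-port layout from the article: 1-8 VLAN 10, 9-16 VLAN 20, 17-24 VLAN 30."""
    vlans = {p: 10 if p <= 8 else 20 if p <= 16 else 30 for p in range(1, 25)}
    limits = {p: port_security_max for p in vlans} if port_security_max else {}
    return Switch(vlan_of_port=vlans, max_macs=limits)
```

Constructed MAC strings such as "aa:03" stand in for real addresses; the model never touches a network.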
Putting It All Together
Network segmentation isn't just one technique. It's a layered approach:
- Screened subnets (DMZs) separate public-facing servers from your internal network using firewalls and zones.
- Subnetting uses IP addressing to divide the network into logical groups that firewalls can control.
- VLANs logically separate devices on the same physical switch.
- Port security locks down individual switch ports to prevent specific attacks like MAC flooding.
Each layer reduces the blast radius of an attack. If something does go wrong, you want the damage to stay contained. A flat network is one big problem waiting to happen. A segmented network gives defenders time to spot the breach, isolate it, and clean it up before it spreads.
The key thing to remember: segmentation is about giving different parts of the network different levels of trust and different rules, then enforcing those boundaries with firewalls, routers, switches, and IP design.
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

| Term | Definition |
|---|---|
demilitarized zone | A network segment (also called a screened subnet) that is behind a firewall but still externally accessible, typically containing servers that host web applications or websites. |
firewall rules | Specific configurations that define which network traffic should be allowed or denied based on criteria such as source, destination, port, protocol, or application. |
firewall zones | Distinct network areas created and controlled by firewalls to separate different levels of trust and security within a network. |
MAC flooding attack | An attack where an adversary sends many Ethernet frames with different MAC addresses to a switch, potentially forcing it into broadcast mode to allow eavesdropping. |
network segmentation | The practice of dividing a network into separate segments or zones to improve security and contain potential breaches. |
network traffic | The flow of data packets between devices on a network, including both inbound and outbound communications. |
port security | A network security feature that controls which devices can connect to specific switch ports by limiting the number of MAC addresses allowed on a port. |
screened subnet | A network segment that sits between public external networks and internal private networks, typically holding an organization's publicly facing resources while maintaining lower security than internal networks. |
security policies | Rules and controls that define how security is managed and enforced on network segments. |
security zones | Network segments designated with different levels of security controls, ranging from higher security to lower security areas. |
subnet | A smaller network segment created through subnetting that can be isolated to contain security breaches and reduce the number of exposed devices. |
subnetting | The technique of dividing a network into smaller subnets based on IP addressing to contain security breaches and limit exposure of devices. |
virtual local area network | A network configuration that logically separates devices physically connected to central switches without requiring separate physical hardware. |