How to implement network segmentation for security
Category: Cybersecurity
Short answer
Network segmentation divides a network into smaller, isolated zones so that if one segment is compromised, the attacker cannot easily move to others. Each segment has its own access controls, and traffic between segments passes through firewalls. This limits the blast radius of breaches and enforces the principle of least privilege. For a related concept, see how to configure VLANs.
How it works
Without segmentation, every device can reach every other device — a compromised laptop can pivot to the database server. With segmentation:
- Public-facing servers sit in a DMZ, isolated from the internal network
- Application servers are in their own segment, accessible only from the DMZ
- Database servers are in a protected segment, accessible only from application servers
- Management networks are completely isolated, accessible only via VPN
Implementation approaches
- VLAN-based segmentation: Use switches to create virtual LANs. Simple and cost-effective. See how to configure VLANs for setup details.
- Firewall-based segmentation: Place firewalls between network zones. More granular control over traffic rules.
- Micro-segmentation: Software-defined policies at the workload level (e.g., each container has its own firewall rules). Used in cloud and container environments.
- Zero trust: Assume no segment is trusted. Every request is authenticated regardless of network location.
Tips
- Start with three zones: DMZ, application, database — then refine
- Deny all traffic by default, then allow only what's needed
- For firewall configuration, see how to configure networking with iptables and UFW
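To make the zone model from "How it works" and the deny-by-default tip concrete, here is an added example (not code from the original page): a small Python policy checker that maps addresses to zones, allows only the explicitly listed flows (internet to DMZ, DMZ to app, app to DB, VPN to management) and renders that allow-list as iptables FORWARD rules with a DROP default. The subnets and ports are constructed sample values for the demo, not a recommendation for any real network.

```python
"""Default-deny zone policy for a DMZ / app / DB / management layout."""
import ipaddress

# Constructed sample subnets, one per zone (assumption for this demo).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # fallback for unknown addresses
    "corp": ipaddress.ip_network("10.0.0.0/24"),     # user laptops
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "vpn": ipaddress.ip_network("10.8.0.0/24"),      # VPN client pool
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}

# Allow-list: (source zone, destination zone) -> permitted TCP ports.
# Any pair missing from this table is denied (deny by default).
ALLOWED = {
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8080},
    ("app", "db"): {5432},
    ("vpn", "mgmt"): {22},
}


def zone_of(ip):
    """Return the most specific zone containing ip; 0.0.0.0/0 catches the rest."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, port):
    """True only when an explicit allow rule covers this zone pair and port."""
    return port in ALLOWED.get((zone_of(src_ip), zone_of(dst_ip)), set())


def iptables_rules():
    """Render the allow-list as iptables FORWARD rules with a DROP default policy."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (src, dst), ports in ALLOWED.items():
        for port in sorted(ports):
            lines.append(f"iptables -A FORWARD -s {ZONES[src]} -d {ZONES[dst]} "
                         f"-p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return lines


if __name__ == "__main__":
    # A corp laptop may not reach the database, but an app server may.
    print(is_allowed("10.0.0.7", "10.3.0.10", 5432), is_allowed("10.2.0.5", "10.3.0.10", 5432))
    print("\n".join(iptables_rules()))
```

The rendered rules are printed, not applied, so the script can be reviewed before anything touches a live firewall.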