The 2017 NotPetya outbreak provided the clearest possible demonstration of what a flat network costs in practice. Maersk, one of the world's largest shipping companies, lost an estimated $300 million and rebuilt its entire network infrastructure — 45,000 PCs, 4,000 servers, 2,500 applications — after the malware propagated freely across an insufficiently segmented network. The initial infection point was a single accounting software update. The blast radius was global because there was nothing to contain it.
Network segmentation is the foundational technical control that limits what an attacker can do after they gain initial access. It does not prevent initial compromise — no single control does. But it determines the difference between a contained incident and a catastrophic business disruption. This guide covers segmentation architecture from VLANs through micro-segmentation, with specific attention to PCI DSS CDE isolation requirements and the practical design decisions that determine whether segmentation provides real security or merely nominal compliance.
Why Flat Networks Are Catastrophic
A flat network — one where all or most hosts can communicate with each other via direct routing — provides an attacker who has compromised any single endpoint with immediate network-layer access to every other reachable system. The attacker does not need to defeat any additional controls between the initial workstation and the database server containing customer data. They simply make a direct TCP connection.
In practice, flat network architectures are more common than security professionals acknowledge. Organizations that have nominally implemented VLANs often have permissive inter-VLAN routing rules, a single firewall with a default "LAN to LAN allow" policy, or switch configurations that allow inter-VLAN communication at Layer 2 without traversing a firewall. None of these constitute effective segmentation.
VLANs: Network Segmentation, Not Security Segmentation
VLANs (Virtual Local Area Networks) divide a physical network into logical segments, creating separate broadcast domains. A host in VLAN 10 cannot send Layer 2 frames directly to a host in VLAN 20. This limits broadcast traffic and provides logical network organization.
VLANs are not a security control on their own. Inter-VLAN routing — the process of forwarding traffic between VLANs — typically occurs either through a Layer 3 switch with a "router-on-a-stick" configuration or through a firewall. If inter-VLAN routing is handled by a Layer 3 switch with a permit-all routing policy, the VLAN boundary provides no security enforcement. Traffic moves freely between VLANs at wire speed, with no inspection, logging, or policy enforcement.
Security segmentation requires that inter-VLAN traffic traverse a stateful firewall or security policy enforcement point. The firewall policy must be explicit and least-privilege: define exactly which source VLAN, source IP range, and source port may communicate with which destination VLAN, destination IP range, and destination port. Everything else is denied, and denies are logged.
Firewall Policy Design for Segmented Networks
A segmented network architecture typically defines several security zones with different trust levels and communication patterns:
- DMZ (Demilitarized Zone): Internet-facing services — web servers, mail relays, VPN concentrators. No inbound access to internal zones from DMZ; only permitted outbound connections (database calls to specific backend servers on defined ports) are allowed.
- User workstation zone: Employee endpoints. Outbound internet access through web proxy; access to specific application servers on defined ports; no direct access to server or database zones.
- Server zone: Application servers, file servers, Active Directory. Receives connections from workstation zone on defined application ports; access to database zone on defined ports only.
- Database zone: Database servers. Receives connections from server zone on database ports only; no direct access from workstation zone; no outbound internet access.
- Management zone: Jump servers, monitoring systems, network management infrastructure. Inbound from dedicated management workstations only; outbound management protocols (SSH, SNMP, RDP) to all zones for legitimate management.
East-west traffic — lateral movement between systems in the same zone — is the movement pattern that traditional perimeter-focused segmentation does not address. A compromised server in the server zone can move to other servers in the same zone if intra-zone traffic is unrestricted. This is the problem that micro-segmentation solves.
SDN-Based Micro-Segmentation
Micro-segmentation enforces firewall policy at the workload level — each virtual machine, container, or application instance has its own policy that governs exactly which other workloads it may communicate with. Software-defined networking platforms provide the enforcement infrastructure:
VMware NSX
NSX deploys a distributed firewall on the hypervisor that inspects and enforces policy on every packet leaving or entering each virtual machine. Policy is expressed in terms of NSX groups (logical collections of VMs, tags, or attributes) rather than IP addresses, enabling dynamic policy that automatically applies to new workloads that meet group criteria. A policy that says "web tier may not initiate connections to the database tier except on TCP 5432 from tagged application servers" applies to every VM tagged as a web tier workload, regardless of IP address.
Cisco ACI
Application Centric Infrastructure expresses network policy in terms of application endpoints and contracts. Endpoints in the same Endpoint Group (EPG) may communicate freely; endpoints in different EPGs require a contract explicitly permitting the communication. The default-deny posture between EPGs provides micro-segmentation enforcement without explicit deny rules for every possible unauthorized flow.
PCI DSS CDE Isolation Requirements
PCI DSS defines the Cardholder Data Environment (CDE) as all system components that store, process, or transmit cardholder data, plus all components that could impact the security of those systems. Any system with network reachability to a CDE system is considered connected to the CDE and may fall within scope.
Effective CDE segmentation requires that no system outside the CDE can directly communicate with any system inside the CDE except through defined, controlled pathways (application-layer proxies, jump servers, specific firewall rules). Critically, PCI DSS requires that segmentation controls be validated through penetration testing — an active attempt to traverse the segmentation boundary from an out-of-scope network. A penetration tester who can reach CDE systems from an out-of-scope VLAN has proven the segmentation is inadequate, regardless of what the firewall rules say on paper.
The segmentation penetration test should attempt: direct IP routing from out-of-scope VLANs to CDE IP ranges, exploitation of firewall policy gaps, VLAN hopping attacks against misconfigured trunks, and application-layer pivoting through permitted application pathways. This testing should be part of your annual network penetration testing engagement for any organization with PCI DSS obligations.
For mid-market organizations in NYC designing or auditing their segmentation architecture, Fortress MSSP provides network architecture design and security validation services — including penetration testing of segmentation controls. Contact us to discuss your segmentation posture and compliance requirements.