Securing my network
Changing default credentials and applying firmware updates are critical first steps — but they only harden individual devices. Firewalls and network segmentation are the technical controls that shape how traffic flows between devices and what each part of the network can and cannot access. Together, they transform a flat, fully open network into one with zones of trust and explicit access rules.
What this topic covers
- 2.6.A — How firewalls and network segmentation limit unauthorized access and reduce the risk of lateral movement
- 2.6.B — Strategies for grouping devices into network segments based on role, risk level, performance needs, and user type
The problem with flat networks
On a flat network, every connected device can communicate with every other device without restriction. A guest's laptop can talk to the file server. A compromised smart camera can probe executive laptops. A gaming console can reach the network printer. This unrestricted communication is convenient until one device is compromised — at which point the entire network is exposed. Segmentation puts explicit boundaries on who can talk to whom.
Firewalls and network segmentation
Firewalls and segmentation are both technical controls used to restrict traffic flow. They work at different layers and are often used together to create a defense-in-depth approach to SOHO network security.
Firewalls
A firewall is a device or software component that evaluates network traffic against a set of rules and allows or blocks that traffic based on the rules' outcome. Firewalls inspect packets and make decisions based on one or more of:
- IP address: Is this traffic from a known or allowed source? Is it going to a permitted destination?
- Port number: Is this traffic using an allowed port? (e.g., port 80 for HTTP, port 443 for HTTPS)
- Protocol: Is this TCP, UDP, ICMP, or another protocol, and is it permitted?
By filtering traffic before it can reach its destination, firewalls reduce the exposure of devices and services to unauthorized connections. A rule denying all inbound connections to a media server's management port, for example, prevents anyone outside the LAN from reaching that interface.
Example firewall rules

```text
Allow: LAN → internet (TCP/UDP, any port)
Allow: LAN → printer (TCP port 9100)
Deny: guest network → main LAN (all traffic)
Deny: IoT segment → main LAN (all traffic)
Allow: IoT segment → internet (TCP/UDP)
```
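To make the evaluation order concrete, here is an added example (not code from the page) that models the rule list above as an ordered, first-match rule set with an assumed default-deny policy. Zone names such as `lan`, `iot`, `guest`, `printer` and `internet`, and the sample packets, are constructed values; the `shadowed()` audit helper is an addition that flags rules an earlier rule makes unreachable.

```python
"""Added example (not from the page): a first-match firewall rule evaluator.

The ordered rule list reproduces the example rules above; the policy when
no rule matches is assumed to be deny. Zone names and the sample packets
are constructed values.
"""
from dataclasses import dataclass
from typing import Tuple, Union

ANY = "any"
Protos = Union[str, Tuple[str, ...]]   # ANY or a tuple such as ("tcp", "udp")
Port = Union[str, int]                 # ANY or a port number


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source zone
    dst: str         # destination zone
    proto: Protos    # permitted protocols, or ANY
    dport: Port      # destination port, or ANY

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """True if this rule applies to a packet with these attributes."""
        return (self.src == src and self.dst == dst
                and (self.proto == ANY or proto in self.proto)
                and (self.dport == ANY or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match, this rule matches too."""
        proto_ok = self.proto == ANY or (
            other.proto != ANY and set(other.proto) <= set(self.proto))
        port_ok = self.dport == ANY or self.dport == other.dport
        return (self.src == other.src and self.dst == other.dst
                and proto_ok and port_ok)


# The page's example rule set, in evaluation order.
RULES = [
    Rule("allow", "lan",   "internet", ("tcp", "udp"), ANY),
    Rule("allow", "lan",   "printer",  ("tcp",),       9100),
    Rule("deny",  "guest", "lan",      ANY,            ANY),
    Rule("deny",  "iot",   "lan",      ANY,            ANY),
    Rule("allow", "iot",   "internet", ("tcp", "udp"), ANY),
]


def evaluate(rules, src, dst, proto, dport=0):
    """Return (action, rule) for the first rule that matches the packet.

    With no match the result is ("deny", None): default deny, the assumed
    policy of the firewall modelled here.
    """
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule
    return "deny", None


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers everything they would match (a common rule-base audit finding)."""
    hidden = []
    for i, later in enumerate(rules):
        if any(earlier.covers(later) for earlier in rules[:i]):
            hidden.append(i)
    return hidden


if __name__ == "__main__":
    samples = [
        ("lan",   "printer",  "tcp", 9100),   # print job: allowed by rule 2
        ("lan",   "printer",  "tcp", 80),     # printer web UI: no rule -> deny
        ("guest", "lan",      "tcp", 445),    # guest reaching for SMB: denied
        ("iot",   "lan",      "tcp", 22),     # IoT device reaching for SSH: denied
        ("iot",   "internet", "udp", 53),     # IoT DNS lookup: allowed
        ("guest", "internet", "tcp", 443),    # guest browsing: no rule -> deny!
    ]
    for pkt in samples:
        action, rule = evaluate(RULES, *pkt)
        print(f"{pkt}: {action}" + (f"  (rule: {rule})" if rule else "  (default)"))
    # An allow appended after the guest -> LAN deny can never take effect:
    print("shadowed:", shadowed(RULES + [Rule("allow", "guest", "lan", ("tcp",), 443)]))
```

Two things worth noticing when you run it: under default deny, the rule list on the page does not contain a `guest → internet` allow, so guests get no internet access until one is added explicitly; and because matching is first-match, a later `Allow: guest → LAN` rule is silently shadowed by the earlier `Deny: guest → LAN (all traffic)`, which is exactly the kind of mistake a rule-base audit should catch.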
Network segmentation
Network segmentation divides one large network into multiple smaller, isolated segments. Devices within a segment can communicate with each other, but traffic between segments is controlled — usually by a router or firewall applying rules between the segments. This prevents a problem in one segment from spreading to others.
Segmentation creates distinct security zones within the network:
- Internal/main LAN: Trusted computers, servers, storage devices
- IoT segment: Smart home or office devices — isolated to limit lateral movement if compromised
- Guest segment: Visitor and contractor devices — internet access only, no LAN access
Segmentation is often implemented using VLANs (Virtual Local Area Networks) on managed switches or using separate physical networks and access points. Consumer routers increasingly support this through guest network features and VLAN tagging.
How they work together
Segmentation creates the zones. Firewalls enforce the rules between them. A guest network segment isolates guest devices at the network level (a separate VLAN or physical network), and firewall rules ensure that even if something in the guest segment tries to route traffic to the main LAN, the firewall blocks it before it arrives. Together, they create a layered boundary that is much harder to cross than either control alone.
Defense benefit: limiting lateral movement
If a compromised IoT camera on the IoT segment attempts to probe computers on the main LAN segment, the firewall rules between segments deny this traffic entirely. The attacker is contained within the IoT zone and cannot reach the higher-value targets on the main network — even with full control of the camera.
Device grouping strategies for segmentation
Deciding which segment each device belongs to requires a plan. Four primary strategies guide device grouping: by role, by risk level, by performance need, and by user type. Real networks may use a combination of these strategies.
Group by role
Grouping by functional role places devices that share a primary function together in a segment. This makes it straightforward to apply appropriate rules for how each function group interacts with the rest of the network.
Security camera systems
IP cameras, NVRs, and video monitoring equipment isolated together. Only the active monitoring workstation needs access to this segment; no other devices should reach it.
Media devices
Game consoles, streaming sticks, media players, and smart TVs grouped together. These devices typically need internet access and access to a media server but not to office computers or file servers.
User devices
Laptops, desktops, tablets, and smartphones used for work or family tasks. These typically need access to shared resources (printers, file servers, internet) and represent the core user segment.
Group by risk level
Grouping by risk level places devices with similar security postures together and separates high-risk devices from high-value targets. This ensures that compromising the most vulnerable device category (IoT) does not provide access to the most sensitive resources.
High-security segment: office computers and servers
Managed, regularly patched workstations and servers housing sensitive business data. Highest trust level; most restricted inbound access from other segments.
Medium-risk segment: IoT devices
Thermostats, smart bulbs, speakers, smart TVs — often infrequently updated, sometimes never patched. Isolated to prevent lateral movement if any device is compromised.
Low-trust segment: guest devices
Unmanaged visitor and contractor devices. Separated on a dedicated wireless segment with internet-only access; no routing to internal resources.
Group by performance need
Grouping by performance need places bandwidth-intensive devices together and applies quality-of-service (QoS) rules to prioritize their traffic. This prevents high-bandwidth applications from degrading the performance of other segments.
Gaming and real-time applications
Online gaming consoles and gaming PCs require low latency and consistent throughput. Prioritizing their traffic ensures game sessions are not affected by background downloads or media streaming.
Media streaming
Media servers and streaming devices require high and consistent bandwidth for 4K video. Grouping them together enables effective QoS prioritization for streaming traffic.
High-demand workstations
Video editing, 3D rendering, and other bandwidth-intensive tasks. These devices benefit from dedicated bandwidth that is not shared with lower-priority endpoints.
Group by user type
Grouping by user type places devices used by the same category of user together, enabling access control policies that match the access levels those users are authorized to have.
Office department segments
In a small business, separating sales, accounting, and operations devices ensures that each department can access the resources it needs without having access to other departments' sensitive data (e.g., accounting data should not be reachable from the sales floor).
Education environments
Teachers, students, and IT technicians each have different access requirements. Teacher devices may access grade management systems; student devices should not. Technician devices may access infrastructure management interfaces that are blocked for all other users.
Putting it all together: a segmented SOHO network
A well-segmented SOHO network explicitly defines what each group of devices can do and what it can reach. Here is an example structure that groups primarily by risk level, with a role-based media segment added:
| Segment | Devices | Allowed access | Blocked from |
|---|---|---|---|
| Main LAN | Computers, servers, NAS | Internet, internal resources | Initiated traffic from IoT or guest |
| IoT segment | Smart devices, cameras, thermostats | Internet (for cloud functions) | Main LAN, guest segment |
| Guest network | Visitor phones, contractor laptops | Internet only | Main LAN, IoT segment |
| Media segment | Game consoles, smart TVs, media players | Internet, media server | Office computers, file servers |
Firewalls enforce the inter-segment rules. Segmentation creates the zones. The combination limits lateral movement, protects high-value resources, and contains the impact of any single device compromise.
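The "blocked from initiated traffic" column in the table only works if the firewall is stateful: a LAN workstation must be able to open a connection to a camera and receive the replies, while the camera must not be able to open anything toward the LAN. The following added example (not code from the page) models that with a zone policy taken from the table plus a small connection-tracking table. The subnets, addresses and ports are constructed sample values, and the assumption that the LAN may initiate connections into the IoT and media segments (for the monitoring workstation and media server use cases described earlier) is mine, not the page's.

```python
"""Added example (not from the page): a stateful zone firewall.

Zone-to-zone policy follows the segmentation table above; a connection
tracking table lets replies to LAN-initiated connections back in while
blocking connections *initiated* from IoT or guest. Subnets, addresses
and ports are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Which zone each subnet belongs to (constructed RFC 1918 sample values).
ZONES = {
    "lan":   ip_network("192.168.10.0/24"),
    "iot":   ip_network("192.168.20.0/24"),
    "guest": ip_network("192.168.30.0/24"),
    "media": ip_network("192.168.40.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the local subnets is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Zones each source zone may open NEW connections to, from the table.
# lan -> iot and lan -> media are assumptions (monitoring workstation,
# media server); the page's table says only "internal resources".
NEW_CONNECTION_POLICY = {
    "lan":   {"internet", "iot", "media"},
    "iot":   {"internet"},            # cloud functions only
    "guest": {"internet"},            # internet only
    "media": {"internet"},            # the media server is assumed to sit in this zone
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class StatefulFirewall:
    def __init__(self, policy=NEW_CONNECTION_POLICY):
        self.policy = policy
        self.flows = set()   # accepted flows, stored as 5-tuples in both directions

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return 'allow' or 'deny' for one packet."""
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        # 1. Packets belonging to an already accepted flow (replies included)
        #    are allowed regardless of direction.
        if self._key(p) in self.flows:
            return "allow"
        # 2. Traffic that stays inside one zone never crosses the firewall.
        if src_zone == dst_zone:
            return "allow"
        # 3. Anything else is a NEW connection: consult the zone policy and,
        #    if accepted, remember the flow so its replies get through.
        if dst_zone in self.policy.get(src_zone, set()):
            self.flows.add(self._key(p))
            self.flows.add(self._reverse(p))
            return "allow"
        return "deny"


def lateral_movement_demo():
    """Replay the page's camera scenario and return the verdicts in order."""
    fw = StatefulFirewall()
    workstation, camera = "192.168.10.5", "192.168.20.7"
    results = []
    # Monitoring workstation on the LAN opens the camera's RTSP port (554).
    results.append(fw.filter(Packet(workstation, camera, "tcp", 51000, 554)))
    # The camera's reply packet belongs to the accepted flow.
    results.append(fw.filter(Packet(camera, workstation, "tcp", 554, 51000)))
    # A compromised camera tries to open SMB (445) on the workstation: a NEW
    # connection from IoT into the LAN, denied by policy.
    results.append(fw.filter(Packet(camera, workstation, "tcp", 40000, 445)))
    # Guest laptop browsing the internet: allowed. Guest laptop to the NAS: denied.
    results.append(fw.filter(Packet("192.168.30.9", "203.0.113.10", "tcp", 42000, 443)))
    results.append(fw.filter(Packet("192.168.30.9", "192.168.10.20", "tcp", 42001, 445)))
    return results   # ['allow', 'allow', 'deny', 'allow', 'deny']


if __name__ == "__main__":
    for verdict in lateral_movement_demo():
        print(verdict)
```

The design point is the lookup order in `filter()`: state first, then zone policy. Because a packet from the camera is only let through when it matches a flow the LAN side opened, a device in the IoT zone that simply sends a packet from port 554 without that prior connection is still treated as a new connection and denied. On real SOHO gear this is the "established/related" behaviour of a stateful firewall; the zone policy is what you configure, the flow table is what the device maintains for you.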