AP Networking

Building the boundaries: segmentation security

Segmenting a network into separate zones creates the foundation for security — but the boundaries only hold when the right controls are in place. Weak wireless encryption, missing firewall rules, and unverified devices can all undermine a segmented design. This topic covers how to identify these vulnerabilities and apply the controls that protect each zone.

What this topic covers

  • 3.4.A — Identifying the impacts of common vulnerabilities in a segmented LAN
  • 3.4.B — Security controls that limit the impact of those vulnerabilities
  • 3.4.C — Configuring subnetting to segment and isolate a network by IP address range

Principle of least privilege

All security controls in a segmented LAN should be designed around the principle of least privilege: every user, device, and process should have only the minimum access necessary to perform its specific function. This principle drives decisions about subnetting, firewall rules, DHCP configuration, and port management.

Threats in a segmented LAN (3.4.A)

Even a well-designed segmented network has specific vulnerabilities that attackers can exploit if security controls are insufficient.

Insufficient access controls

When user groups, devices, or resources are not properly separated, users may access data or systems outside their authorized role. One compromised account can lead to unauthorized access across the entire network if access controls are not enforced between segments.

Weak wireless security

Networks using weak or outdated encryption (WEP), simple passwords, or no encryption are vulnerable to interception by attackers within signal range. WEP is cryptographically broken and should never be used. Only WPA2 or WPA3 provides adequate wireless security.

Unknown or unverified devices

Allowing any device to connect to the network without verification creates significant risk. An unknown device could intercept traffic, spread malware, or bypass internal security controls. This is especially concerning on networks with multiple user types and sensitive segments.

Lateral movement via weak firewall rules

When firewall rules between segments are weak or misconfigured, an attacker who compromises one device can move laterally to other segments. A deny-by-default policy with only explicitly allowed traffic permitted is essential to contain any compromise within its original segment.

Security controls (3.4.B)

Each category of vulnerability has specific technical controls that reduce its impact.

  • Unauthorized access: isolated guest wireless network; separate IP ranges/DHCP pools per segment; physical segmentation for sensitive zones
  • Weak wireless security: unique SSID; strong password; WPA2 or WPA3 encryption (never WEP)
  • Unknown devices: MAC address filtering (approved MACs only); set unused switch ports to down; DHCP reservations for known devices
  • Lateral movement: allow only essential services across segments; deny-by-default ACL between subnets
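To make the deny-by-default ACL from the lateral movement paragraph and the controls list concrete, here is an added Python model (not code from the page) of an inter-subnet ACL: the segments, the allowed flows and the sample flows are constructed for this example, and the choice to leave intra-segment traffic unfiltered is an assumption.

```python
import ipaddress

# Constructed segments for this example; not taken from the page.
SEGMENTS = {
    "guest":   ipaddress.ip_network("192.168.1.0/25"),
    "staff":   ipaddress.ip_network("192.168.1.128/25"),
    "servers": ipaddress.ip_network("10.0.0.0/27"),
}

# The ACL lists only permitted flows: (src segment, dst segment, proto, dst port).
# Anything not listed is denied, which is the deny-by-default policy.
ALLOW_RULES = {
    ("staff", "servers", "tcp", 443),   # staff may reach the HTTPS service
    ("guest", "servers", "udp", 53),    # guests get internal DNS and nothing else
}


def segment_of(ip: str):
    """Name of the segment whose address range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def is_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Evaluate one flow against the inter-subnet ACL."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                     # address outside any known segment: deny
    if src == dst:
        return True                      # assumption: the ACL filters only between subnets
    return (src, dst, proto.lower(), dst_port) in ALLOW_RULES


def blocked_flows(flows):
    """Return the flows the ACL denies, e.g. to confirm that a compromised
    guest host cannot reach the staff or server segments."""
    return [f for f in flows if not is_allowed(*f)]


if __name__ == "__main__":
    sample = [                                          # constructed flows
        ("192.168.1.130", "10.0.0.5", "tcp", 443),      # staff -> HTTPS server
        ("192.168.1.10", "192.168.1.130", "tcp", 445),  # guest -> staff host
        ("192.168.1.10", "10.0.0.5", "udp", 53),        # guest -> internal DNS
        ("192.168.1.10", "10.0.0.5", "tcp", 22),        # guest -> server admin port
    ]
    for flow in blocked_flows(sample):
        print("denied:", flow)
```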

Configuring subnets (3.4.C)

Subnetting divides a large network into smaller sections called subnets, providing better congestion management, improved security, and easier administration. Host bits are reassigned as network bits, reducing the host address range and creating distinct subnet blocks.

Key subnet concepts

  • Network address: The first address in a subnet — identifies the subnet itself. Cannot be assigned to a host.
  • Broadcast address: The last address in a subnet — used to send messages to all devices in that subnet. Cannot be assigned to a host.
  • Usable host range: All addresses between the network and broadcast addresses. Formula: 2^n − 2, where n = number of host bits.

Common subnet sizes

CIDR  Host bits  Total  Usable
/24   8          256    254
/25   7          128    126
/26   6          64     62
/27   5          32     30
/28   4          16     14

Choosing the right subnet size

An appropriate subnet size is the smallest possible network that still accommodates the required number of hosts. Choose the smallest block where total addresses ≥ hosts needed + 2 (for network and broadcast addresses).

Example: sizing two subnets

Subnet A: 27 hosts needed

27 + 2 = 29 addresses → next power of 2 is 32 → /27 (5 host bits)

Subnet B: 12 hosts needed

12 + 2 = 14 addresses → next power of 2 is 16 → /28 (4 host bits)

Example: splitting 192.168.1.0/24 into two subnets

Change mask from /24 to /25 (255.255.255.128) — one more network bit, one fewer host bit:

Subnet 1: 192.168.1.0 – 192.168.1.127

Subnet 2: 192.168.1.128 – 192.168.1.255

After subnetting: assigning and verifying

Once subnets are created, each is assigned to a VLAN or segment with a non-overlapping IP address range and subnet mask. Subnet blocks are configured on routers or switches via the CLI or network settings. After assignment, verify that devices on the same subnet can communicate — this confirms the configuration is correct before applying inter-segment security rules.
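The sizing rule, the /24 split and the same-subnet check above, carried out in an added Python example that is not part of the original page; it uses the standard library ipaddress module, and the host counts and addresses are the ones from the examples above.

```python
import ipaddress
import math


def prefix_for_hosts(hosts_needed: int) -> int:
    """Smallest block (largest prefix length) that holds hosts_needed usable
    addresses plus the network and broadcast addresses."""
    total = hosts_needed + 2                           # +2: network, broadcast
    host_bits = max(2, math.ceil(math.log2(total)))    # round up to a power of 2
    return 32 - host_bits


def describe(cidr: str) -> dict:
    """Network address, broadcast address and usable host range of a block."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())                          # excludes network/broadcast
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),                          # equals 2^n - 2
    }


def split(cidr: str, new_prefix: int) -> list:
    """Split a block into equal subnets, e.g. a /24 into two /25s."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts fall in the same subnet under mask, given either
    dotted (255.255.255.128) or as a prefix length (25)."""
    return (ipaddress.ip_interface(f"{ip_a}/{mask}").network
            == ipaddress.ip_interface(f"{ip_b}/{mask}").network)


if __name__ == "__main__":
    for hosts in (27, 12):                             # Subnet A and Subnet B above
        print(f"{hosts} hosts -> /{prefix_for_hosts(hosts)}")
    for block in split("192.168.1.0/24", 25):
        print(block, describe(block))
    # two hosts that should NOT be able to talk directly after the split
    print(same_subnet("192.168.1.10", "192.168.1.200", "255.255.255.128"))
```

A False result from same_subnet for two devices that are meant to share a segment points at a wrong mask or address assignment, which is the kind of error the verification step is meant to catch before inter-segment rules are applied.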