Why Network Segmentation Still Fails to Stop Attackers

Network segmentation has been good security practice for thirty years. The principle is simple. Break the network into zones with controlled paths between them, so a compromise in one zone does not automatically reach another. The principle is sound. The implementations in production networks tend to leak, sometimes badly, in ways that only become visible when someone actually tests the boundaries.

Flat Networks Hide Inside Segmented Ones

Most organisations claim to have a segmented network. Many of those organisations have a segmented edge with a flat interior, which means the firewall rules apply where the network meets the internet but not between the workloads inside. An attacker who reaches the interior, whether through phishing or a compromised supplier, finds a network that behaves much like the flat ones of fifteen years ago. A focused internal network pen testing engagement should map the actual reachability between zones rather than the reachability the network diagram suggests.

East-West Traffic Is Rarely Inspected

Even where firewalls exist between segments, the policies tend to allow far more than they prevent. Internal services need to reach other internal services, and the path of least resistance is to permit broad ranges of ports and protocols between segments. The result is policies that look like firewall rules but function more like minor inconveniences. Tighten the policies based on what the workloads actually need, not on what the team might want in the future.
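The two gaps above, reachability that differs from the diagram and rules far broader than the workloads need, can be checked with the same audit: take the intended zone-to-zone policy, take observed flows, and report where they disagree. The script below is an added example, not code from the original post or from Aardwolf Security; the zone ranges, the intended policy and the flow records are all constructed sample data, and the flow format (src dst port proto count) is an assumption standing in for whatever a flow collector exports.

```python
"""Audit an intended zone policy against observed flows (constructed sample data)."""
import ipaddress
from collections import defaultdict

ANY = "any"  # marker for a broad rule that permits every port between two zones

# Hypothetical zones as they appear on the network diagram (constructed)
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}

# Intended policy: (src_zone, dst_zone) -> set of allowed destination ports, or ANY
INTENDED = {
    ("dmz", "app"): {8443},
    ("app", "db"): {5432},
    ("corp", "app"): ANY,      # a broad rule that "grew organically"
    ("corp", "dmz"): {443},    # a rule nobody actually exercises
}

# Observed flows: src dst dst_port proto packet_count (constructed, assumed export format)
FLOWS = """\
10.1.0.5 10.2.0.10 8443 tcp 120
10.2.0.10 10.3.0.7 5432 tcp 4000
10.10.4.21 10.2.0.10 443 tcp 300
10.10.4.21 10.2.0.10 22 tcp 3
10.10.4.21 10.3.0.7 5432 tcp 2
10.1.0.5 10.3.0.7 22 tcp 1
10.2.0.11 10.2.0.10 8080 tcp 50
"""


def zone_of(ip, zones=ZONES):
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return None


def parse_flows(text):
    """Parse the assumed whitespace-separated flow export into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, count = line.split()
        flows.append((src, dst, int(port), proto, int(count)))
    return flows


def audit(flows, intended=INTENDED, zones=ZONES):
    """Compare observed cross-zone flows with the intended policy.

    violations:   flows crossing zones with no rule, or on a port the rule forbids
    unused_rules: intended rules that no observed flow exercised (candidates to drop)
    tighten:      broad ANY rules with the ports actually seen (candidates to narrow)
    """
    violations = []
    observed = defaultdict(set)  # (src_zone, dst_zone) -> ports seen
    intra_zone = unzoned = 0
    for src, dst, port, _proto, count in flows:
        sz, dz = zone_of(src, zones), zone_of(dst, zones)
        if sz is None or dz is None:
            unzoned += 1          # traffic the diagram does not account for at all
            continue
        if sz == dz:
            intra_zone += 1       # inside one zone: the policy says nothing about it
            continue
        observed[(sz, dz)].add(port)
        allowed = intended.get((sz, dz))
        if allowed is None or (allowed != ANY and port not in allowed):
            violations.append((sz, dz, port, count))
    unused = sorted(pair for pair in intended if pair not in observed)
    tighten = {pair: sorted(observed[pair])
               for pair, allowed in intended.items()
               if allowed == ANY and pair in observed}
    return {"violations": violations, "unused_rules": unused, "tighten": tighten,
            "intra_zone_flows": intra_zone, "unzoned_flows": unzoned}


if __name__ == "__main__":
    for key, value in audit(parse_flows(FLOWS)).items():
        print(f"{key}: {value}")
```

On the sample data the audit reports two cross-zone paths the diagram does not show (corp to db and dmz to db), one rule that no flow ever uses, and one broad corp-to-app rule that only two ports would satisfy. Run against a real flow export it gives the team the observed-traffic starting point from which the policy can be rebuilt.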

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

A pattern I see often is a beautifully diagrammed segmentation plan that does not match the live configuration. The diagram shows three zones. The reality has dozens of micro-zones with inconsistent policies that grew organically. The fix is to start from observed traffic and work backward to the policy, not the other way around.

Software Defined Networking Changes The Game

Software defined networking and micro-segmentation tools have made meaningful segmentation feasible at a level of detail that traditional firewalls could not match. The technology is no longer the limit. The limit is the operational discipline to define, deploy and maintain segmentation policies that actually reflect business requirements. Pick a platform, commit to it, train the team properly and treat segmentation as ongoing operational work rather than a one-off project. It is worth combining segmentation with strong identity management. The two together produce a far better posture than either alone. Identity tells you who is asking. Segmentation tells you what they can reach. Both layers contribute to the overall defence.

Identity Aware Segmentation Goes Further

Network level segmentation buys real value but stops at the network boundary. Identity aware controls add a second dimension by asking who is trying to reach what, regardless of where the request originates. The combination is significantly stronger than network controls alone. Validate the combined posture with a pen testing company that explicitly tests cross zone access from multiple identity contexts.

Segmentation works when it is verified, and verified continuously. Without verification it is an idea on a diagram, and the diagram and the live configuration drift apart over time, sometimes considerably. Network security has changed a great deal over the last decade, and the principles that survived the change tend to be the ones worth investing in. The fundamentals remain valuable even as the implementation details evolve around them.
