Network Segmentation

Dividing a network into zones so a single breach cannot reach everything.


Containing the Blast Radius

A flat network lets any compromised host reach every other host. Network segmentation divides the network into separate zones, with controlled gateways between them, so a breach in one zone cannot freely spread.

Common zones include a public-facing tier, an application tier, and a sensitive data tier. Traffic between zones passes through firewalls that allow only the specific flows each tier needs, with everything else denied by default.

Principles That Make It Work

  • Apply least privilege to traffic, allowing only required connections between zones.
  • Place the most sensitive systems, such as databases, in the most restricted zone.
  • Use microsegmentation to isolate workloads even within a zone.
  • Assume any single zone may fall, and design so the damage stops at its boundary.

Segmentation pairs naturally with a zero trust posture, where crossing a boundary always requires authentication rather than mere network location.
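To make the least-privilege rule concrete, here is an added example (not part of this lesson) that models the three tiers as a default-deny allow-list and compares the direct blast radius of a compromised host under a flat network with that under a segmented one. The zone names follow the lesson; the port numbers and the policy itself are constructed assumptions.

```python
from itertools import product

# Zones from the lesson; the ports are constructed examples, not a real deployment.
ZONES = ("public", "app", "data")
PORTS = (22, 443, 5432)

# Segmented policy: default deny, listing only the cross-zone flows each tier needs.
SEGMENTED = frozenset({
    ("public", "app", 443),   # web tier calls the application API over TLS
    ("app", "data", 5432),    # application tier talks to the database
})

# Flat network modelled as an allow-all policy: every cross-zone flow on every port.
FLAT = frozenset((s, d, p) for s, d, p in product(ZONES, ZONES, PORTS) if s != d)


def allowed(policy, src, dst, port):
    """Traffic inside a zone is unrestricted; crossing a boundary needs an explicit rule."""
    return src == dst or (src, dst, port) in policy


def direct_reach(policy, compromised):
    """(zone, port) pairs a host in `compromised` can reach in other zones: its blast radius."""
    return {(dst, p) for dst in ZONES for p in PORTS
            if dst != compromised and allowed(policy, compromised, dst, p)}


def boundary_violations(policy):
    """Rules that skip a tier (public -> data) or let the data tier initiate outbound flows."""
    return {rule for rule in policy
            if (rule[0], rule[1]) == ("public", "data") or rule[0] == "data"}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name}: public host reaches {sorted(direct_reach(policy, 'public'))}")
        print(f"{name}: data host reaches   {sorted(direct_reach(policy, 'data'))}")
        print(f"{name}: boundary violations  {len(boundary_violations(policy))}")
```

Running it shows that a compromised public-tier host on the flat network can reach every port in both other zones, while on the segmented network it reaches only the application API, and a compromised database host reaches nothing at all.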

Key idea

Network segmentation splits a network into zones with controlled gateways, applying least privilege to cross-zone traffic so that a breach in one zone is contained rather than spreading to the whole system.

Check yourself


1. What is the main security benefit of segmentation?

2. Which principle governs traffic between zones?