Network Segmentation
Network segmentation is a security infrastructure technique that divides a computer network into separate logical or physical sub-networks, or segments. Each segment operates with restricted communication pathways to other segments, typically controlled by firewalls or similar access control mechanisms. This isolation limits the lateral movement of threats within a network, meaning that a compromise in one segment cannot automatically grant an attacker access to other segments.
Implementation Methods
Network segmentation can be achieved through physical separation, where distinct networks operate on different hardware and infrastructure, or through logical segmentation, which uses virtual networks and software controls to partition a single physical network. Physical air gaps represent the most extreme form of segmentation, isolating critical systems entirely from external networks. Logical segmentation is more flexible and cost-effective, using VLANs, subnets, and firewall rules to enforce boundaries between network zones.
Security Applications
Organizations typically implement network segmentation to protect critical infrastructure and sensitive systems. In military and government facilities such as air force bases, segmentation separates operational technology networks from administrative networks, isolates classified systems from unclassified ones, and ensures that compromised perimeter defenses do not expose internal systems. This approach reduces the attack surface and contains potential breaches within limited operational zones.