Network segmentation is the practice of dividing systems, users, and services into distinct network zones with controlled communication paths between them. Rather than permitting broad internal access by default, segmentation enforces boundaries so that a compromise in one area does not automatically expose everything else.
In practice, network segmentation is implemented through a combination of VLANs, internal firewalls, routing controls, and access control lists, and sometimes extended with identity-aware or zero-trust policies. VLANs alone provide logical separation but require firewall enforcement to be meaningful as a security control.
The goal of segmentation is to define which systems may communicate with which others, over which ports, and for what purpose. A finance workstation, a development server, a domain controller, and a cardholder data environment should each sit behind boundaries that reflect their sensitivity and trust level.
If an attacker gains a foothold through a phishing email or a vulnerable internet-facing service, then effective segmentation should make it materially harder to reach sensitive databases, management interfaces, or critical infrastructure. Without it, internal networks offer little resistance to lateral movement and a single compromised workstation can become the starting point for a domain-wide incident.
Segmentation also serves a direct compliance function: under PCI DSS, for example, network boundaries should define and limit the scope of the cardholder data environment. A flat network increases both the impact radius of a breach and the cost of demonstrating compliance.
Internal penetration testing is one method to validate whether segmentation is genuinely enforced rather than merely documented. Controls that appear robust on network diagrams frequently prove bypassable in practice through misconfigured trust relationships, overly permissive firewall rules, or unaccounted administrative pathways between zones.
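To make the "which systems, which ports, for what purpose" policy described above concrete, and to show the kind of check that validation compares enforcement against, here is an added example that is not part of the original article: a segmentation policy expressed as data (zones plus an allow-list of cross-zone flows, everything else implicitly denied) and a checker that flags flows the firewall accepted but the documented policy does not permit. The zone names, subnets, ports and log lines are constructed for illustration, and the log format is a simplified assumption rather than that of any particular firewall product.

```python
"""Segmentation policy as data, plus a checker that compares observed flows
against it. Added example, not from the original article. Zone names,
subnets, ports and log lines are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: CIDR -> zone name. A real deployment would load this
# from the IPAM or the firewall configuration.
ZONES = {
    "10.10.0.0/24": "finance-workstations",
    "10.20.0.0/24": "dev-servers",
    "10.30.0.0/24": "domain-controllers",
    "10.40.0.0/24": "cardholder-data-env",
    "10.50.0.0/24": "management",
}

# Allow-list of (source zone, destination zone, destination port, protocol).
# Anything not listed is implicitly denied: that default is what turns VLAN
# boundaries into a security control rather than just an addressing scheme.
ALLOWED_FLOWS = {
    ("finance-workstations", "domain-controllers", 88, "tcp"),   # Kerberos
    ("finance-workstations", "domain-controllers", 389, "tcp"),  # LDAP
    ("dev-servers", "domain-controllers", 88, "tcp"),
    ("management", "cardholder-data-env", 22, "tcp"),            # SSH from jump hosts only
    ("management", "domain-controllers", 3389, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone. Unknown addresses get their own label so
    they can never accidentally satisfy a same-zone or allow-list match."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def is_permitted(flow: Flow) -> bool:
    """Policy decision: traffic inside one known zone is permitted; traffic
    between zones only if the allow-list names the exact tuple."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d and s != "unknown":
        return True
    return (s, d, flow.dport, flow.proto) in ALLOWED_FLOWS


def parse_log_line(line: str) -> Flow:
    """Parse the constructed, simplified firewall log format:
    'ACCEPT src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def find_violations(log_lines):
    """Return (src zone, dst zone, port) for every flow the firewall accepted
    that the documented policy does not permit: the gap between the network
    diagram and what is actually enforced."""
    violations = []
    for line in log_lines:
        if not line.startswith("ACCEPT"):
            continue  # only accepted traffic can indicate a gap
        flow = parse_log_line(line)
        if not is_permitted(flow):
            violations.append((zone_of(flow.src), zone_of(flow.dst), flow.dport))
    return violations


# Constructed sample log: three sanctioned flows, two that should not have
# been reachable if segmentation were enforced as documented, and one drop.
SAMPLE_LOG = [
    "ACCEPT src=10.10.0.15 dst=10.30.0.5 dport=88 proto=tcp",
    "ACCEPT src=10.10.0.15 dst=10.10.0.22 dport=445 proto=tcp",
    "ACCEPT src=10.50.0.2 dst=10.40.0.9 dport=22 proto=tcp",
    "ACCEPT src=10.10.0.15 dst=10.40.0.9 dport=3306 proto=tcp",  # workstation -> CDE database
    "ACCEPT src=10.20.0.7 dst=10.50.0.2 dport=22 proto=tcp",     # dev server -> management
    "DROP src=10.20.0.7 dst=10.40.0.9 dport=1433 proto=tcp",
]

if __name__ == "__main__":
    for src_zone, dst_zone, port in find_violations(SAMPLE_LOG):
        print(f"policy violation: {src_zone} -> {dst_zone} on port {port}")
```

Running the block reports the two accepted flows that cross a boundary the policy does not open (a finance workstation reaching the cardholder data environment's database port, and a development server reaching the management zone over SSH). The same checker can be pointed at the flows an internal tester actually attempted and the firewall's corresponding log, which is how a documented policy is compared against what the network really enforces.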