Network segmentation, when a flat network becomes a liability
A practical view of network segmentation for small and mid-market firms, what it actually means at this scale, what it protects against and how to phase the implementation without disrupting operations.
Atticus Rowan
Most small and mid-market firms run a flat network by default. Every device, every server, every printer, every guest phone, every IoT thermostat sits on the same broadcast domain and can theoretically reach every other device. The setup works, the network is simple to manage and nobody thinks about it until something goes wrong.
What goes wrong is usually ransomware. Or a compromised office printer that becomes a lateral-movement foothold. Or a vendor laptop that joins the WiFi and scans the entire internal environment. Or a customer security questionnaire that asks “is your network segmented” and there is no credible way to answer “yes.”
Network segmentation is the discipline that converts a flat, permissive network into a set of controlled zones with documented traffic rules between them. At the enterprise level, segmentation is a major architectural project. At the small and mid-market level, it is more achievable than most firms assume — a sequence of practical moves that can be phased over quarters without disrupting operations.
Here is what network segmentation actually looks like at 20 to 500 employees, what it protects against and how to sequence the work.
What segmentation actually means at this scale
A segmented network at a mid-market firm is not a reference architecture with 30 zones and a dedicated firewall per boundary. It is a set of 4 to 8 zones with documented traffic rules, reviewed periodically, enforced by the firewall and switches already in place.
Typical mid-market zones:
- Corporate users. Workstations, laptops, printers, conference room equipment.
- Servers. Internal application servers, file servers, authentication servers.
- Production or operational technology. Shop floor, HVAC, physical security systems, medical devices, anything that cannot tolerate the patch cadence corporate IT runs.
- Guest or public WiFi. Visitors, contractor devices, personal phones.
- IoT and unmanaged devices. Smart TVs, building automation, cameras, door controllers, anything that cannot run an endpoint agent.
- Administrative and management. Jump hosts, administrative workstations, management interfaces of network gear.
- DMZ. Any externally facing services (usually empty at this scale because most services have moved to SaaS).
- Backup and recovery. Backup servers and their storage, deliberately isolated from production so a compromise of production cannot reach the backups.
Not every firm needs all 8. A 40-person professional services firm might run 4 zones (users, servers, guest, backup). A 300-person manufacturer might run 7. The principle is the same: groups of devices with similar trust levels and similar security needs, with controlled traffic between groups.
What segmentation actually protects against
Four threat classes, in descending frequency.
- Ransomware lateral movement. The ransomware operator lands on a workstation and needs to reach servers, file shares and backup systems to do real damage. A segmented network with firewall rules between user and server zones slows or stops this movement. Most ransomware incidents at mid-market firms are lateral-movement events that exploit flat-network assumptions.
- Vendor or third-party compromise. A vendor’s compromised laptop joins the corporate WiFi. On a flat network, that laptop can scan and attack every internal system. On a segmented network with guest isolation, it can reach the internet and nothing else.
- IoT and unmanaged device attack surface. A building automation system running firmware from 2016 cannot be patched. On a flat network, it is a foothold into the rest of the environment. On a segmented network, it can talk to its management server and nothing else.
- Insider risk. Disgruntled employees, curious employees, contractors doing more than their scope. Segmentation limits what any individual can reach, which reduces both the blast radius and the forensic investigation cost when something happens.
Firms that have been through a ransomware incident describe segmentation as the control they most regret not having in place. Firms that have segmentation in place describe ransomware incidents as operational problems instead of existential ones.
The practical implementation sequence
A realistic path for a 100- to 300-employee firm starting from a flat network.
Phase 1, discovery and design
The foundation that determines whether the rest of the work succeeds.
- Inventory. Every device on the network, ideally with make, model, operating system, firmware version and business function. Passive network discovery tools help (most firewalls can do this).
- Traffic analysis. What talks to what today. A week or two of NetFlow or equivalent reveals the real communication patterns, which are almost always different from the assumed ones.
- Zone design. Based on inventory and traffic, define the target zones and the rules between them.
- Business review. Walk the zone design past operations, finance, facilities and any other stakeholders whose systems are in scope. Catch missed dependencies before they become outage causes.
Estimated duration: 4 to 8 weeks.
Phase 2, infrastructure readiness
Making the network capable of enforcing segmentation.
- VLAN design. One VLAN per zone, at minimum. Sometimes two or more for sub-zoning within a large zone.
- Firewall placement. Usually the existing perimeter firewall does double duty. Larger firms may add internal segmentation firewalls.
- Addressing. IP subnetting per zone. Usually redoing the IP scheme rather than patching the existing one, because the existing scheme is almost never segmentation-ready.
- Switch configuration. VLAN assignment, trunk ports, access ports. Sometimes 802.1X for port-based device authentication if the environment supports it.
- Wireless. Separate SSIDs for corporate, guest and IoT. Dynamic VLAN assignment where possible.
Estimated duration: 4 to 12 weeks depending on network complexity.
Phase 3, phased migration
Moving devices into zones without breaking operations.
- Start with the easiest zones. Guest WiFi usually has no internal dependencies and can be segmented first with minimal risk.
- Backup isolation early. Moving backup systems into an isolated zone has outsized security value and minimal operational risk.
- IoT next. Building automation, cameras, smart devices usually have narrow, well-known traffic patterns.
- Servers and users last. These are the highest-risk migrations because any firewall-rule mistake causes visible outages. Do them with a documented rollback plan and during scheduled windows.
- OT last of all, with extreme caution. Manufacturing production environments require coordinated downtime windows and deep coordination with operations teams.
Estimated duration: 8 to 24 weeks depending on the number of zones and the complexity of the environment.
Phase 4, operational discipline
The segmented network stays segmented only if someone maintains it.
- Rule review. Quarterly review of firewall rules, removing any that are unused or overly permissive.
- New-device process. Any new device added to the network goes through a zone assignment. Add a step to the onboarding runbook.
- Change management. Any firewall rule change is documented with a business justification and an expiration date where feasible.
- Monitoring. Logs from the firewall and switch ports feed the SIEM or MDR, with alerts on anomalous cross-zone traffic.
Without operational discipline, segmented networks drift back toward flat over 12 to 24 months as ad-hoc rules accumulate.
Common failure modes
Predictable ways segmentation projects go sideways at the mid-market level.
- Missed dependencies. A legacy application that nobody documented quietly depends on cross-zone traffic that the new firewall rules block. First business day of the new zone, the application breaks. Discovery and traffic-analysis work reduces this risk but never eliminates it.
- Overly permissive rules that defeat the point. A rule that says “allow corporate users to reach anything in the servers zone on any port” satisfies the business request but neutralizes segmentation. Rules need to be as narrow as operations will tolerate.
- Printer traffic. Printers in a separate zone from users generate a surprising number of support tickets because discovery protocols stop working. Usually solved with specific allow rules, but often a frustrating surprise.
- Conference room and AV systems. Meeting-room hardware often assumes broadcast discovery. Modern conferencing tools usually work fine across zones but legacy systems sometimes don’t.
- Vendor remote access. Vendor access tools that tunnel through the firewall in unexpected ways often bypass segmentation entirely. Inventory these explicitly and route them through controlled mechanisms.
Every segmentation project produces some post-go-live tickets. The goal is to minimize them, not eliminate them.
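The two Phase 4 checks above (quarterly rule review and alerting on cross-zone traffic) and the "any port" failure mode come down to one question: does each observed cross-zone flow match a narrow, intended rule? The following example is added here and is not Atticus Rowan's tooling; the zone subnets, rule set and NetFlow-style records are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Zones and subnets are constructed for this example, not taken from the article.
ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "backup":  ipaddress.ip_network("10.30.0.0/24"),
    "guest":   ipaddress.ip_network("192.168.100.0/24"),
    "iot":     ipaddress.ip_network("10.40.0.0/16"),
}

# A rule allows src zone -> dst zone on a set of ports; None means any port.
Rule = namedtuple("Rule", "src dst ports")
RULES = [
    Rule("users", "servers", {445, 443}),  # SMB file shares, internal web apps
    Rule("iot", "servers", {8883}),        # building automation -> its MQTT manager
    Rule("users", "servers", None),        # the "anything on any port" rule from the text
]

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.10.5.20", "10.20.1.10", 445),      # user to file server: allowed
    ("10.40.2.7", "10.20.1.50", 8883),      # IoT device to its management server: allowed
    ("192.168.100.9", "10.20.1.10", 445),   # guest laptop reaching a server: anomalous
    ("10.10.5.20", "10.30.0.5", 22),        # workstation reaching backup: anomalous
    ("10.10.5.20", "10.10.5.21", 3389),     # intra-zone, not a segmentation question
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def permissive_rules(rules):
    """Quarterly rule review: any-port rules between zones neutralize segmentation."""
    return [r for r in rules if r.ports is None]

def allowed(src_zone, dst_zone, port, rules):
    return any(r.src == src_zone and r.dst == dst_zone
               and (r.ports is None or port in r.ports) for r in rules)

def anomalous_flows(flows, rules):
    """Monitoring: cross-zone flows that no narrow rule permits (SIEM/MDR alert candidates)."""
    reviewed = [r for r in rules if r.ports is not None]  # the rule set after review
    hits = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone and not allowed(src_zone, dst_zone, port, reviewed):
            hits.append((src_zone, dst_zone, port))
    return hits
```

Running `permissive_rules(RULES)` flags the any-port rule for removal, and `anomalous_flows(FLOWS, RULES)` reports the guest-to-servers and users-to-backup flows that the intended policy does not cover.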
Where we fit
Atticus Rowan approaches segmentation as a phased operational project rather than a single architectural overhaul. For most mid-market clients, the work runs 3 to 9 months from discovery through full operation, with business impact minimized by sequencing the easy zones first and the risky zones during scheduled windows.
The segmentation posture also becomes evidence for several other efforts. Cyber insurance renewal applications now ask specific segmentation questions. Customer security questionnaires often ask for a network diagram. SOC 2 readiness assessments look for segmentation between production and corporate environments. A documented, operating segmentation program answers all three.
If your firm is running a flat network and you want a practical read on where the highest-risk gaps are and how to phase a segmentation project without disrupting operations, schedule a discovery call. We can walk through the current environment and scope the work.