
There’s a common misconception that network segmentation is only for large enterprises with complex infrastructures. In reality, organisations of every size benefit from keeping their critical systems separated from their general-purpose network. The ones that don’t learn this the hard way when an attacker moves from a compromised workstation to the domain controller in under ten minutes.

The Flat Network Problem

A flat network puts every device on the same broadcast domain. Workstations can reach servers directly. Printers sit alongside financial systems. Guest wireless clients share a network with domain controllers.

This architecture persists because it’s easy to manage. No firewall rules to maintain between segments. No routing complexity. No access control lists to troubleshoot when something stops working. But that simplicity comes at a catastrophic cost when an attacker gets inside.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Flat networks are the single biggest gift you can give an attacker. Once they compromise one workstation, they have line of sight to every server, every printer, and every domain controller on the network. Proper segmentation won’t prevent an initial compromise, but it dramatically limits what an attacker can do afterwards.”

Segmentation Mistakes Worth Avoiding

Even organisations that attempt segmentation frequently make errors that undermine the effort. Creating VLANs and then routing between them without any firewall rules provides no security benefit: traffic still flows freely from one segment to the next. You’ve added complexity without adding protection.

Another common mistake is segmenting the obvious assets but ignoring the supporting infrastructure. Your database servers sit behind a firewall, but the backup server that connects to every system in the environment sits on the flat management network. Attackers don’t attack what’s well-protected. They find the path of least resistance.

Getting Segmentation Right

Start with your crown jewels. Identify the systems and data that would cause the most damage if compromised. Domain controllers, financial systems, customer databases, and backup infrastructure should all sit in dedicated segments with strict access controls.

Regular internal network penetration testing validates whether your segmentation works in practice, not just on paper. A tester will attempt to move laterally between segments, test firewall rules for weaknesses, and identify trust relationships that bypass your controls.
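As an added example that is not from the article, the following Python model contrasts the two rule sets the sections above describe: VLANs with nothing filtering between them, and crown jewels in dedicated segments with only the required flows permitted, plus the kind of rule review a tester would do against the policy. The segment names, addressing and permitted ports are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segments with hypothetical addressing (not from the article).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.20.0.0/16"),
    "domain_controllers": ipaddress.ip_network("10.100.1.0/24"),
    "finance": ipaddress.ip_network("10.100.2.0/24"),
    "backup": ipaddress.ip_network("10.100.3.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    dport: Optional[int]  # None means every port
    action: str           # "allow" or "deny"
def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)
def is_allowed(rules, src_ip, dst_ip, dport) -> bool:
    """First-match evaluation of inter-segment traffic with an implicit final deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:  # same segment: hosts are adjacent, the firewall is not in the path
        return True
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.dport in (dport, None):
            return r.action == "allow"
    return False
def audit(rules) -> list:
    """Flag allow rules that undo segmentation: blanket allows, or every port into a crown-jewel segment."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.dport is None:
            if "any" in (r.src, r.dst):
                findings.append(f"blanket allow from {r.src} to {r.dst}")
            elif r.dst in {"domain_controllers", "finance", "backup"}:
                findings.append(f"all ports allowed from {r.src} to {r.dst}")
    return findings
# VLANs with no filtering between them behave like this single rule.
FLAT_RULES = [Rule("any", "any", None, "allow")]
# Dedicated segments with only the flows the business needs (ports are assumptions).
SEGMENTED_RULES = [
    Rule("workstations", "domain_controllers", 88, "allow"),   # Kerberos
    Rule("workstations", "domain_controllers", 389, "allow"),  # LDAP
    Rule("backup", "finance", 22, "allow"),                    # backup agent over SSH
    Rule("guest_wifi", "any", None, "deny"),                   # guests reach nothing internal
]
```

Running `audit` over a real rule export is the cheap check; `is_allowed` is the paper model that a hands-on test between segments should confirm.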

Testing and Maintaining Your Segmentation

Network segmentation isn’t a project you complete and forget. Firewall rules accumulate over time. Temporary exceptions become permanent. New systems get deployed in the wrong segment because the correct one required a change request that nobody wanted to wait for.

Periodic testing ensures your segmentation still provides the protection you intended. If you haven’t tested yours recently, getting a penetration test quote will help you understand where you stand and what needs attention. The investment in proper segmentation pays for itself the moment an attacker tries to move through your network and finds the door locked.

© 2024 All Right Reserved. Designed and Developed by Diousoft