Network Segmentation: Why Flat Networks Are a Security Disaster

Imagine a building where every room connects to every other room with no locks, no doors, and no access controls. If someone breaks into any room, they have immediate, unrestricted access to everything — the server room, the executive offices, the file room, the loading dock. That's the security model of a flat network.

Most small and medium-sized businesses are running exactly this architecture. All their devices — workstations, servers, printers, IP cameras, HVAC controllers, guest laptops, and personal smartphones — share the same network segment. They receive IP addresses from the same DHCP pool. They can communicate with each other directly with no controls in between.

When a ransomware attack hits one workstation on a flat network, that ransomware can immediately scan and reach every other device on the network. File servers, backup systems, accounting workstations, the point-of-sale terminal — all visible, all reachable. Segmentation is the architectural control that limits this. It doesn't prevent the initial compromise, but it contains what happens next.

What Lateral Movement Actually Looks Like

Security teams talk about "lateral movement" — the phase of an attack where an adversary who has compromised one system uses it as a foothold to move deeper into the network, compromising additional systems until they reach their objective. On a flat network, lateral movement is trivially easy. The attacker has immediate network access to every other device. All that's required is finding a vulnerability or credential that works on the next target.

The practical attack sequence on a flat network often looks like this: an employee opens a phishing email and their workstation is compromised. The attacker's code begins scanning the local subnet. It finds the file server, which is accessible because everything is on the same network. It finds the backup server. It finds other workstations with weak credentials or unpatched vulnerabilities. Within hours, attackers may have established persistence across multiple systems, exfiltrated sensitive data, and positioned ransomware for detonation. The initial compromise was one workstation. The blast radius was the entire company.

The VLAN answer to lateral movement: If the compromised workstation were on a workstation VLAN with firewall rules preventing it from initiating connections to the server VLAN, the ransomware's network scanning would be blocked at the VLAN boundary. The malware is still on that workstation — but it cannot reach anything else. Containment begins at the architectural layer, before detection even occurs.

VLANs: The Foundation of Network Segmentation

A Virtual Local Area Network (VLAN) is a logical grouping of network devices that are treated as if they were on a separate physical network, even though they share the same physical switches. VLANs are configured at the switch level by tagging traffic with a VLAN ID. Devices on VLAN 10 (the workstation VLAN) cannot directly communicate with devices on VLAN 20 (the server VLAN) without that traffic passing through a router or firewall — where access controls can be applied.

This is the core value proposition of VLANs: they create choke points. Instead of devices communicating freely across a flat layer-2 network, inter-VLAN traffic must traverse your firewall, where you control what is allowed. You can enforce the principle of least privilege at the network level — devices only have network access to what they legitimately need to communicate with.
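To make the tagging concrete, here is an added example (not code from the article or from IT Center) that parses the 802.1Q tag on an Ethernet frame and models how an access-port switch floods a broadcast only to ports in the matching VLAN. The port-to-VLAN map and the MAC addresses are constructed for the example.

```python
import struct
from typing import Optional

# EtherType value that announces an inserted 802.1Q tag (TPID = 0x8100).
TPID_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q VLAN fields and payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID.
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]  # the real EtherType follows the tag
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame; when vid is given, insert an 802.1Q tag after the source MAC."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed switch: port number -> access VLAN (10 workstations, 20 servers,
# 30 management, following the article's numbering). Assumption for this example.
ACCESS_VLAN = {1: 10, 2: 10, 3: 20, 4: 20, 5: 30}


def flood_ports(ingress_port: int, frame: bytes) -> list:
    """Ports a broadcast or unknown-unicast frame is flooded to.

    An untagged frame is assigned the ingress port's access VLAN; a tagged frame
    is discarded unless its VID matches that VLAN. Flooding never crosses VLANs,
    which is the layer-2 isolation the article describes.
    """
    vid = parse_frame(frame)["vid"]
    port_vlan = ACCESS_VLAN[ingress_port]
    if vid is not None and vid != port_vlan:
        return []  # tag mismatch on an access port: frame is dropped
    return sorted(p for p, v in ACCESS_VLAN.items() if v == port_vlan and p != ingress_port)


if __name__ == "__main__":
    arp_bcast = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28)
    print("untagged broadcast on port 1 reaches ports:", flood_ports(1, arp_bcast))
    print("same frame on port 3 reaches ports:", flood_ports(3, arp_bcast))
```

The point to notice is that a broadcast (an ARP request, for instance) entering a VLAN 10 port never reaches the VLAN 20 ports even though they sit on the same switch; the only path between them is the router or firewall that terminates both VLANs.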

Workstation VLAN

Employee workstations, laptops, and desktop computers belong here. These devices need access to specific servers (file, print, email, business applications) and to the internet. They do not need to communicate with each other in most business environments, and they absolutely should not be able to initiate connections to management interfaces, infrastructure systems, or other sensitive segments.

Server VLAN

File servers, application servers, database servers, and NAS devices belong in a dedicated server segment. Access from the workstation VLAN should be limited to specific services on specific ports — not open network access. Administrator access to manage servers should come from a separate management VLAN or via jump host, not from workstations directly.

Management VLAN

Switch management interfaces, firewall management, router interfaces, out-of-band management — these belong in a highly restricted VLAN accessible only to IT administrators, ideally only from specific workstations or via MFA-protected access. If management interfaces are accessible from the general workstation VLAN, compromising any workstation gives the attacker network-level access to all your infrastructure controls.

The DMZ: Where Internet-Facing Services Live

A demilitarized zone (DMZ) is a network segment positioned between the internet and the internal network, designed to host services that must be accessible from the outside — web servers, mail servers, VPN concentrators, DNS servers. The DMZ architecture uses two firewall boundaries: one between the internet and the DMZ, and one between the DMZ and the internal network.

The result: an attacker who compromises a web server in the DMZ cannot directly reach internal systems. They're trapped in the DMZ, blocked by firewall rules that prevent DMZ-to-internal traffic except for specific, explicitly permitted flows. This is the correct architecture for any service that must accept inbound connections from the internet. Running internet-facing services directly on your internal network — without a DMZ — is an architectural mistake that is unfortunately common.

Guest Network Isolation

Every business that offers guest Wi-Fi is operating a potential entry point for lateral movement if that guest network is not properly isolated. A guest who connects to your Wi-Fi and happens to have malware on their device — or who is deliberately probing your network — should have zero ability to reach anything on your internal network. They should reach only the internet.

True guest isolation requires the guest SSID to be on a separate VLAN, with firewall rules that block all traffic between the guest VLAN and any internal segment. Client isolation should also be enabled on the wireless controller so that guest devices cannot communicate with each other. A guest network that shares a VLAN with workstations, or that allows intra-VLAN traffic, provides essentially no isolation.

IoT Segmentation: The Most Overlooked Risk

Internet of Things (IoT) devices — IP cameras, smart thermostats, badge readers, building automation systems, network-connected printers, VoIP phones, industrial sensors — are ubiquitous in business environments. They are also frequently the least secure devices on the network: running embedded Linux with years of unpatched vulnerabilities, using default credentials, and rarely updated.

Placing IoT devices on the same network segment as workstations and servers is an invitation for compromise. An attacker who gains access to a poorly secured IP camera has a foothold on your internal network. From there, lateral movement to workstations and servers is limited only by what firewall rules (if any) exist between them. On a flat network, there are none.

IoT devices should be on a dedicated VLAN with strict outbound rules: allow only the specific traffic each device type legitimately requires (camera to NVR, VoIP to PBX, printer to print server), and block everything else. IoT devices have no business initiating connections to workstations, servers, or management interfaces.

Recommended VLAN Structure for SMBs

VLAN 10 — Corporate Workstations
VLAN 20 — Servers
VLAN 30 — Management / Infrastructure
VLAN 40 — Guest Wi-Fi
VLAN 50 — IoT / Building Systems
VLAN 60 — VoIP
VLAN 70 — DMZ (internet-facing)

What Inter-VLAN Firewall Rules Should Enforce

Workstations → Servers: allowed (specific services only)
Workstations → Management: blocked
IoT → Workstations: blocked
Guest → Internal (any): blocked
DMZ → Internal: blocked (except specific permitted flows)
Management: restricted to admin workstations
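As an added example (not the article's or IT Center's code), the following Python model encodes the rule table above as an ordered, default-deny policy and evaluates candidate flows against it. Checking a ruleset this way on paper, before it is pushed to the firewall, catches gaps such as a forgotten default deny. The subnet plan, the admin host addresses and the port numbers are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan: one /24 per VLAN in the article's numbering.
# The subnets are assumptions for this example, not from the article.
ZONES = {
    "workstations": ip_network("10.10.10.0/24"),  # VLAN 10
    "servers":      ip_network("10.10.20.0/24"),  # VLAN 20
    "management":   ip_network("10.10.30.0/24"),  # VLAN 30
    "guest":        ip_network("10.10.40.0/24"),  # VLAN 40
    "iot":          ip_network("10.10.50.0/24"),  # VLAN 50
    "voip":         ip_network("10.10.60.0/24"),  # VLAN 60
    "dmz":          ip_network("10.10.70.0/24"),  # VLAN 70
}
# Constructed: the only two workstations allowed to reach management interfaces.
ADMIN_HOSTS = {ip_address("10.10.10.250"), ip_address("10.10.10.251")}


def zones_of(ip) -> frozenset:
    """Every zone label an address belongs to; addresses outside the plan are 'internet'."""
    ip = ip_address(ip)
    zones = {name for name, net in ZONES.items() if ip in net}
    if ip in ADMIN_HOSTS:
        zones.add("admins")  # an admin host is both a workstation and an admin
    return frozenset(zones) if zones else frozenset({"internet"})


@dataclass(frozen=True)
class Rule:
    src: str            # zone label or "any"
    dst: str            # zone label, "internal" (any zone except internet) or "any"
    proto: str          # "tcp", "udp" or "any"
    ports: frozenset    # destination ports; empty means any port
    action: str         # "allow" or "deny"
    note: str = ""

    def matches(self, src_zones, dst_zones, proto, port) -> bool:
        src_ok = self.src == "any" or self.src in src_zones
        if self.dst == "internal":
            dst_ok = "internet" not in dst_zones
        else:
            dst_ok = self.dst == "any" or self.dst in dst_zones
        proto_ok = self.proto in ("any", proto)
        port_ok = not self.ports or port in self.ports
        return src_ok and dst_ok and proto_ok and port_ok


# Ordered ruleset, first match wins; anything unmatched falls to the default deny.
# Port numbers are constructed illustrations of "specific services only".
RULES = [
    Rule("admins", "management", "tcp", frozenset({22, 443}), "allow", "admin workstations to infrastructure UIs"),
    Rule("any", "management", "any", frozenset(), "deny", "nothing else reaches management"),
    Rule("workstations", "servers", "tcp", frozenset({445, 443}), "allow", "file shares and business apps only"),
    Rule("workstations", "internet", "any", frozenset(), "allow"),
    Rule("iot", "internal", "any", frozenset(), "deny", "IoT never initiates into internal segments"),
    Rule("iot", "internet", "tcp", frozenset({443}), "allow", "vendor cloud/update traffic"),
    Rule("guest", "internet", "any", frozenset(), "allow"),
    Rule("guest", "any", "any", frozenset(), "deny", "guest is internet-only"),
    Rule("dmz", "servers", "tcp", frozenset({5432}), "allow", "web tier to database: explicit, documented exception"),
    Rule("dmz", "internal", "any", frozenset(), "deny", "DMZ cannot reach inward"),
]


def evaluate(src_ip, dst_ip, proto, port):
    """Return (action, reason) for one flow; unmatched flows are denied by default."""
    src_zones, dst_zones = zones_of(src_ip), zones_of(dst_ip)
    for rule in RULES:
        if rule.matches(src_zones, dst_zones, proto, port):
            return rule.action, rule.note or f"{rule.src} -> {rule.dst} rule"
    return "deny", "default deny"


if __name__ == "__main__":
    # Constructed sample flows, one per row of the article's rule table.
    for flow in [("10.10.10.5", "10.10.20.5", "tcp", 445),     # workstation -> file server
                 ("10.10.10.5", "10.10.30.1", "tcp", 443),     # workstation -> switch UI
                 ("10.10.50.7", "10.10.10.5", "tcp", 445),     # camera -> workstation
                 ("10.10.40.3", "10.10.20.5", "tcp", 443),     # guest -> server
                 ("10.10.70.10", "10.10.20.5", "tcp", 22),     # DMZ web -> server SSH
                 ("10.10.10.250", "10.10.30.1", "tcp", 443)]:  # admin host -> switch UI
        print(flow, "->", evaluate(*flow))
```

Two design points carry over directly to a real firewall: the explicit "any to management: deny" sits above the workstation rules so that no later allow can accidentally open infrastructure, and the final default deny is what makes a flow nobody designed for (a workstation reaching the VoIP VLAN, say) fail closed rather than open.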

Practical Steps to Segment Your Network

Network segmentation requires managed switches that support 802.1Q VLAN tagging, a firewall capable of inter-VLAN routing with policy enforcement, and wireless access points that support multiple SSIDs mapped to separate VLANs. Consumer-grade equipment — the router/switch combo from a retail store — typically cannot do any of this correctly.

  • Audit your current network: Identify all device types and map them to logical groups. This is the foundation for designing your VLAN structure.
  • Upgrade infrastructure if needed: Managed switches (not unmanaged consumer switches) are required for VLAN tagging. A next-generation firewall is required for inter-VLAN policy enforcement.
  • Design before you deploy: Map out which VLANs need to communicate with which, and what services are permitted. Build the firewall ruleset from this map.
  • Configure wireless SSIDs: Map each SSID (corporate, guest, IoT) to the appropriate VLAN at the wireless controller level.
  • Test and verify: After deployment, verify that isolation works by attempting cross-VLAN connections that should be blocked. Don't assume the rules are correct without testing them.
  • Document and maintain: Document your VLAN design and firewall rule rationale. Network changes should be reviewed against the segmentation design, not made ad-hoc.
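For the "test and verify" step, here is an added example (not from the article or IT Center) of a small verification script: it carries a plan of cross-VLAN connections with the outcome the design expects, probes each one from the host it runs on, and reports every mismatch. The target addresses and ports are constructed; in practice the plan is run from a machine in each VLAN whose rules are being validated.

```python
import socket

# Constructed test plan: (description, target_ip, tcp_port, expected outcome).
# "open" = the policy should permit this flow from where the script runs;
# "blocked" = the segmentation must stop it. Addresses are assumptions.
TEST_PLAN = [
    ("workstation -> file server SMB",        "10.10.20.5",  445, "open"),
    ("workstation -> file server RDP",        "10.10.20.5", 3389, "blocked"),
    ("workstation -> switch management SSH",  "10.10.30.1",   22, "blocked"),
    ("workstation -> IP camera web UI",       "10.10.50.7",   80, "blocked"),
    ("workstation -> guest client",           "10.10.40.3",  445, "blocked"),
]


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> str:
    """'open' if a TCP handshake completes within the timeout, otherwise 'blocked'.

    A firewall that silently drops packets and a host that actively refuses both
    come back as 'blocked', so an unexpected 'blocked' on an expected-open flow
    needs a look at the service as well as at the firewall rule.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return "open" if s.connect_ex((ip, port)) == 0 else "blocked"


def run_plan(plan, probe=tcp_probe):
    """Probe each case; return mismatches as (description, ip, port, expected, observed)."""
    failures = []
    for desc, ip, port, expected in plan:
        observed = probe(ip, port)
        if observed != expected:
            failures.append((desc, ip, port, expected, observed))
    return failures


def summarize(plan, failures) -> str:
    """One-line verdict suitable for a change ticket or assessment note."""
    return f"{len(plan) - len(failures)}/{len(plan)} segmentation checks passed"


if __name__ == "__main__":
    results = run_plan(TEST_PLAN)
    for desc, ip, port, expected, observed in results:
        print(f"FAIL {desc}: {ip}:{port} expected {expected}, observed {observed}")
    print(summarize(TEST_PLAN, results))
```

The `probe` parameter exists so the plan can be exercised against recorded results (or a mock) without touching the network, which is also how the plan itself gets reviewed alongside the firewall change that it validates. Keep the plan under version control next to the VLAN design so that every rule change comes with an updated expectation.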

Flat Network Red Flags We Find in New Client Assessments

  • All devices on the same 192.168.1.x or 10.0.0.x subnet with no VLAN tags
  • IP cameras or badge readers accessible from workstation network
  • Guest Wi-Fi on the same VLAN as corporate devices
  • Servers accessible directly from workstations on all ports
  • Consumer-grade router/switch combo managing all traffic
  • No firewall rules between device categories — only external perimeter rules

Is Your Network Segmented Against Lateral Movement?

IT Center designs and implements network segmentation for Southern California businesses — from VLAN architecture to inter-VLAN firewall policy. We'll assess your current flat network and build a segmentation plan that stops attackers from moving freely once inside.
