In 2023, the average time for an attacker to move laterally after initial compromise dropped to just 62 minutes. If your network is flat, that's all the time needed to reach your crown jewels. The convergence of network segmentation and Zero Trust Architecture isn't just a buzzword pairing—it's the most effective strategy we have to ensure that a single compromised endpoint doesn't become a full-blown breach.
The Problem with Flat Networks
Most legacy enterprise networks were designed for convenience. A workstation in HR can ping the database server in finance. A compromised IoT device on the guest VLAN can reach your domain controllers. Once an attacker gains a foothold, there's nothing stopping east-west movement.
Network segmentation addresses this by dividing your network into isolated zones. Zero Trust takes it further: never trust, always verify—regardless of whether traffic originates inside or outside the perimeter.
Layered Segmentation: Start with VLANs, Then Go Deeper
The foundation begins with VLAN segmentation. Here's a practical Cisco IOS example creating isolated zones for different business functions:
```
! Create VLANs for segmentation
vlan 10
 name CORP_WORKSTATIONS
vlan 20
 name SERVERS_PRODUCTION
vlan 30
 name IOT_DEVICES
vlan 99
 name MANAGEMENT
!
! Define the ACL before applying it: an access-group that references an
! ACL which does not exist yet permits everything until the list is created.
ip access-list extended CORP_TO_SERVERS
 permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 eq 443
 permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 eq 88
 remark Kerberos clients that use UDP 88 need a matching permit udp line
 deny ip any any log
!
! Restrict inter-VLAN routing on the Layer 3 switch
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ! "in" filters packets entering the SVI from VLAN 10 hosts, i.e. routed traffic leaving the VLAN
 ip access-group CORP_TO_SERVERS in
 no ip proxy-arp
```

This ensures corporate workstations can only reach production servers on HTTPS and Kerberos—nothing else. Every denied packet gets logged for your SIEM. Note that the ACL is evaluated for routed traffic leaving VLAN 10; traffic between two hosts inside the same VLAN never passes the SVI and is not affected by it.
Microsegmentation: The Zero Trust Accelerator
VLANs segment at the network layer, but microsegmentation enforces policy at the workload level. If you're running Linux hosts, nftables gives you host-based firewall control that aligns with Zero Trust principles:
```
#!/usr/bin/nft -f
flush ruleset
# An inet table filters IPv4 and IPv6 alike; a host with IPv6 enabled
# additionally needs ICMPv6 neighbour discovery permitted (not shown here).
table inet zero_trust {
    chain input {
        type filter hook input priority 0; policy drop;
        # Loopback traffic is required by almost every local service
        iif lo accept
        # Allow established connections only
        ct state established,related accept
        ct state invalid drop
        # Allow SSH only from jump host
        ip saddr 10.99.1.50 tcp dport 22 accept
        # Allow HTTPS from application tier only
        ip saddr 10.20.20.0/24 tcp dport 443 accept
        # Log and drop everything else
        log prefix "ZT_DENIED: " counter drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Allow DNS and NTP to specific servers only
        ip daddr 10.99.1.10 udp dport 53 accept
        ip daddr 10.99.1.11 udp dport 123 accept
        log prefix "ZT_OUT_DENIED: " counter drop
    }
}
```

Notice the default-deny on both input and output. This is Zero Trust at the host level—every connection must be explicitly permitted. Even if an attacker compromises this server, outbound communication is restricted to known-good destinations, so any syslog forwarder, package mirror or monitoring agent the host legitimately needs must be added explicitly. Before loading the file, check it with nft -c -f <file>, which parses the ruleset without applying it.
Identity-Aware Access: The Missing Piece
Segmentation without identity verification is incomplete. Modern Zero Trust implementations tie network access to user and device identity. For example, a Palo Alto Networks security policy might look like:
```
Source Zone: CORP_WORKSTATIONS
Source User: domain\finance-group
Destination Zone: SERVERS_PRODUCTION
Application: oracle-db
Action: Allow (with TLS decryption and DLP profile)
```

Non-finance users hitting the same database from the same VLAN? Denied. The network segment gets you partway there; identity-aware policy closes the gap.
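Both the switch ACL and the identity-aware rule above are first-match policies with an implicit deny at the end, and the cheapest way to catch a rule that does not do what you intended is to evaluate the flows you mapped against the policy as data before pushing it to a device. The following is an added example, not code from the original post or from any vendor product: it models the CORP_TO_SERVERS ACL (including Cisco inverse-mask matching) and a rule in the shape of the finance-group policy, then checks constructed sample flows against them. The IOT_DEVICES subnet, the hr-group name and the sample flows are assumptions for illustration.

```python
# Regression check for segmentation policy before it is deployed.
# Added example: models the extended ACL and the identity-aware rule above
# as data and evaluates candidate flows; subnets, groups and flows that do
# not appear on the page (10.30.30.0/24, hr-group, sample addresses) are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # "address wildcard" in Cisco inverse-mask form, or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port


def wildcard_to_network(spec: str) -> ipaddress.IPv4Network:
    """Convert a Cisco 'address wildcard' pair (contiguous inverse mask) to a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = spec.split()
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def evaluate_acl(acl, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny.
    Models routed traffic entering the SVI only; same-VLAN traffic never hits it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in wildcard_to_network(e.src) or d not in wildcard_to_network(e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# The CORP_TO_SERVERS list from the switch config above, as data.
CORP_TO_SERVERS = [
    AclEntry("permit", "tcp", "10.10.10.0 0.0.0.255", "10.20.20.0 0.0.0.255", 443),
    AclEntry("permit", "tcp", "10.10.10.0 0.0.0.255", "10.20.20.0 0.0.0.255", 88),
    AclEntry("deny", "ip", "any", "any"),
]

# Constructed flows (src, dst, proto, dport) with the result each is expected to get.
EXPECTED_FLOWS = [
    ("10.10.10.25", "10.20.20.7", "tcp", 443, "permit"),
    ("10.10.10.25", "10.20.20.7", "tcp", 88, "permit"),
    ("10.10.10.25", "10.20.20.7", "tcp", 1521, "deny"),  # no direct DB access from the VLAN
    ("10.10.10.25", "10.20.20.7", "udp", 88, "deny"),    # only TCP 88 is listed
    ("10.10.10.25", "10.99.1.10", "udp", 53, "deny"),    # management net is not permitted
]


def check_flows(acl, flows):
    """Return the flows whose result differs from the expectation (empty list = policy OK)."""
    mismatches = []
    for src, dst, proto, dport, expected in flows:
        got = evaluate_acl(acl, src, dst, proto, dport)
        if got != expected:
            mismatches.append((src, dst, proto, dport, expected, got))
    return mismatches


@dataclass(frozen=True)
class IdentityRule:
    src_zone: str
    user_group: str   # "any" or a directory group name
    dst_zone: str
    app: str
    action: str


# Zone-to-subnet mapping; the IOT_DEVICES subnet is an assumption.
ZONES = {
    "CORP_WORKSTATIONS": ipaddress.IPv4Network("10.10.10.0/24"),
    "SERVERS_PRODUCTION": ipaddress.IPv4Network("10.20.20.0/24"),
    "IOT_DEVICES": ipaddress.IPv4Network("10.30.30.0/24"),
}
FINANCE_DB_POLICY = [
    IdentityRule("CORP_WORKSTATIONS", "finance-group", "SERVERS_PRODUCTION", "oracle-db", "allow"),
]


def zone_of(addr: str) -> Optional[str]:
    ip = ipaddress.IPv4Address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)


def evaluate_identity(rules, src: str, user_groups, dst: str, app: str) -> str:
    """Zone, user group and application must all match; no match means deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.app) != (sz, dz, app):
            continue
        if r.user_group != "any" and r.user_group not in user_groups:
            continue
        return r.action
    return "deny"


if __name__ == "__main__":
    print("ACL mismatches:", check_flows(CORP_TO_SERVERS, EXPECTED_FLOWS))
    for group in ("finance-group", "hr-group"):
        verdict = evaluate_identity(FINANCE_DB_POLICY, "10.10.10.25", {group}, "10.20.20.7", "oracle-db")
        print(f"{group} -> oracle-db: {verdict}")
```

The flow table is the "map your data flows" step turned into a test: every dependency you discover becomes an expected permit, every path you want closed becomes an expected deny, and a non-empty mismatch list means the rule set should not ship. The two policies are modelled independently because they sit at different enforcement points (the switch SVI and the firewall between zones); running the same flows through both is how you find a dependency that one layer allows and the other silently blocks.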
Monitoring: Trust but Verify Everything
Zero Trust demands continuous monitoring. Feed your segmentation logs into your SIEM and alert on anomalies:
```bash
# Quick check for denied cross-segment traffic (Linux journal).
# nft log rules write to the kernel log, so read it with -k and count the
# denied flows by source address and destination port. (The last field of a
# kernel log line is URGP=0, so counting $NF would tell you nothing; ICMP
# entries carry no DPT and are skipped by the sed filter.)
journalctl -k --grep="ZT_DENIED" --since="1 hour ago" --no-pager | \
  sed -n 's/.*SRC=\([0-9a-f.:]*\).*DPT=\([0-9]*\).*/\1 dpt=\2/p' | \
  sort | uniq -c | sort -rn | head -20
```

Spikes in denied traffic often reveal misconfigurations—or active reconnaissance.
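Telling those two causes apart is the real work once the logs reach the SIEM: a misconfigured client repeats the same blocked flow over and over, while reconnaissance from a foothold touches many distinct ports on the same target. The following is an added example, not code from the original post: it parses journal lines in the key=value format the kernel emits for the nftables log rule shown earlier, aggregates denied flows per source, and labels each source with that heuristic. All log lines in it are constructed sample data, and the thresholds are assumptions to tune against your own baseline.

```python
# Triage of nftables ZT_DENIED journal entries.
# Added example, not part of the original post. Sample log lines are
# constructed, not captured; thresholds are assumptions.
import re
from collections import defaultdict

TOKEN = re.compile(r"(\w+)=(\S*)")  # kernel log fields look like KEY=VALUE


def _line(src, dst, dport, spt):
    # Constructed sample line in the shape of 'journalctl -k' output for the nft log rule
    return (f"Mar 04 10:15:01 db01 kernel: ZT_DENIED: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT={spt} DPT={dport} WINDOW=64240 RES=0x00 SYN URGP=0")


SAMPLE_LOG = (
    # a workstation app pointed straight at the DB: one port, repeated hits
    [_line("10.10.10.25", "10.20.20.7", 1521, 51000 + i) for i in range(4)]
    # an IoT-segment host walking through common service ports: scan-like
    + [_line("10.30.30.40", "10.20.20.7", p, 40000 + i)
       for i, p in enumerate((22, 23, 80, 443, 445, 1521, 3389, 8080))]
    # a single stray hit
    + [_line("10.10.10.77", "10.20.20.7", 445, 52000)]
    # an unrelated journal line that must be ignored
    + ["Mar 04 10:16:00 db01 sshd[811]: Accepted publickey for ops from 10.99.1.50"]
)


def parse_line(line):
    """Return {src, dst, proto, dport} for a ZT_DENIED line, else None."""
    marker = "ZT_DENIED:"
    if marker not in line:
        return None
    fields = dict(TOKEN.findall(line.split(marker, 1)[1]))
    dport = fields.get("DPT")
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(dport) if dport and dport.isdigit() else None,  # ICMP has no DPT
    }


def summarize(lines):
    """Aggregate denied flows per source address: hit count, distinct ports, distinct targets."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "dsts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] is None:
            continue
        s = per_src[ev["src"]]
        s["count"] += 1
        s["dsts"].add(ev["dst"])
        if ev["dport"] is not None:
            s["ports"].add(ev["dport"])
    return dict(per_src)


def classify(summary, scan_ports=5, repeat_hits=3):
    """Label each source: 'scan-like' when it probes many distinct ports,
    'repeated-single-flow' when one blocked flow recurs (usually a misconfigured
    client or a missing allow rule), otherwise 'low-volume'. Thresholds are assumptions."""
    labels = {}
    for src, s in summary.items():
        if len(s["ports"]) >= scan_ports:
            labels[src] = "scan-like"
        elif s["count"] >= repeat_hits and len(s["ports"]) == 1:
            labels[src] = "repeated-single-flow"
        else:
            labels[src] = "low-volume"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, label in sorted(classify(summary).items()):
        s = summary[src]
        print(f"{src:<14} {label:<22} hits={s['count']} ports={sorted(s['ports'])}")
```

Feed it real lines with something like journalctl -k --grep=ZT_DENIED --since="1 hour ago" --no-pager piped into the script, and route "scan-like" sources to an alert while "repeated-single-flow" sources go to the list of rules to review during the audit period described below.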
Where to Start Tomorrow
- Map your data flows before creating rules. You can't segment what you don't understand.
- Start with your most critical assets—segment the database tier first, not the printer VLAN.
- Implement default-deny incrementally. Begin in audit mode, review logs for 30 days, then enforce.
- Automate policy management. Manual firewall rules don't scale across hundreds of microsegments.
Network segmentation and Zero Trust aren't projects with an end date—they're operational disciplines. Start small, measure your blast radius reduction, and iterate. Your future incident responders will thank you.
Have questions about network segmentation and zero trust architecture? I'm always happy to talk shop — reach out or connect with me on LinkedIn.