Network architecture

LAN network segmentation

An overview of how to set up network segmentation.

Focus: Segmentation & security
Audience: Network & security engineers
Format: Technical explainer

Overview

Network segmentation divides a flat network into smaller, logically separated segments, limiting the spread of attacks and improving visibility and control.

This redesigned page presents the original content in a cleaner structure while aligning visuals with the rest of the Fortnetworks site. The goal is to make the benefits of segmentation easier to scan and reference.

Why segment a LAN?

  • Limit the blast radius of compromises by preventing lateral movement across the entire flat network.
  • Apply more precise security controls and monitoring to high-value or high-risk segments.
  • Reduce noise in logging and detection tools by scoping traffic more tightly.
  • Support compliance requirements that mandate separation of duties or environments.

Segmentation approaches

  • VLAN-based segmentation to separate user groups, server zones and management networks.
  • Firewall or ACL enforcement between segments to control which services are reachable.
  • Dedicated management segments for infrastructure and security tooling.
  • DMZs and external-facing zones to contain exposure around internet-facing services.
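The approaches above, as an added worked example that is not code from the original page or from Fortnetworks: five VLAN segments (user, server, management, DMZ, IoT), a default-deny inter-segment policy with an explicit allow list, a check that decides whether a given flow is permitted, the segment-to-segment reachability matrix a reviewer would sign off on, and the same policy rendered as an nftables forward chain for a Linux inter-VLAN router. The segment names, VLAN IDs, address ranges, allowed services and the vlan<ID> interface names are all assumptions made for the example.

```python
"""Added example, not code from the Fortnetworks page: a segmented LAN modelled
as VLAN segments plus a default-deny inter-segment policy. Segment names, VLAN
IDs, address ranges and the allowed services below are constructed for
illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    cidr: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    src: str     # source segment name
    dst: str     # destination segment name
    proto: str   # "tcp" or "udp"
    port: int    # destination port
    note: str    # why this flow is allowed (ends up in the rule comment)


# Constructed topology: five VLANs routed by one layer-3 device.
SEGMENTS: Dict[str, Segment] = {s.name: s for s in [
    Segment("users",   10, ipaddress.ip_network("10.10.0.0/24")),
    Segment("servers", 20, ipaddress.ip_network("10.20.0.0/24")),
    Segment("mgmt",    30, ipaddress.ip_network("10.30.0.0/24")),
    Segment("dmz",     40, ipaddress.ip_network("10.40.0.0/24")),
    Segment("iot",     50, ipaddress.ip_network("10.50.0.0/24")),
]}

# The explicit allow list. Every inter-segment flow not listed here is denied,
# and nothing at all is allowed into the management segment.
RULES: List[Rule] = [
    Rule("users", "servers", "tcp", 445, "file shares"),
    Rule("users", "servers", "tcp", 443, "intranet web apps"),
    Rule("users", "dmz",     "tcp", 443, "reverse proxy"),
    Rule("iot",   "servers", "udp", 123, "NTP only"),
    Rule("mgmt",  "servers", "tcp", 22,  "admin SSH from jump host"),
    Rule("mgmt",  "dmz",     "tcp", 22,  "admin SSH from jump host"),
    Rule("mgmt",  "iot",     "tcp", 443, "device web UI"),
]


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS.values():
        if addr in seg.cidr:
            return seg.name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide a NEW connection. Return traffic is admitted by connection
    tracking on the router, not by this table."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # address outside any known segment: deny
    if src == dst:
        return True             # same VLAN: switched locally, never hits the router
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in RULES)


def reachability_matrix() -> Dict[str, Set[str]]:
    """Segment pairs with at least one allowed service: the artefact a reviewer
    signs off on, so that no routing between segments is implicit."""
    matrix: Dict[str, Set[str]] = {name: set() for name in SEGMENTS}
    for r in RULES:
        matrix[r.src].add(r.dst)
    return matrix


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain for a Linux router.
    Assumes (constructed) that its 802.1Q sub-interfaces are named vlan<ID>."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in RULES:
        s, d = SEGMENTS[r.src], SEGMENTS[r.dst]
        lines.append(
            f'    iifname "vlan{s.vlan}" oifname "vlan{d.vlan}" '
            f"ip saddr {s.cidr} ip daddr {d.cidr} {r.proto} dport {r.port} accept "
            f'comment "{r.src}->{r.dst}: {r.note}"'
        )
    # Log what the default deny drops so inter-segment denies are visible.
    lines += ['    log prefix "SEG-DENY " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    for src, dsts in reachability_matrix().items():
        print(f"{src:8} -> {sorted(dsts) or 'nothing'}")
```

The chain's `policy drop` plus the trailing `log ... drop` rule means every inter-segment connection not on the allow list is both blocked and recorded with the `SEG-DENY` prefix, and the `ct state established,related accept` line admits the return half of allowed flows so no reverse-direction rules are needed. Egress to the internet is outside the model and would need its own rules on the same chain.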

Practical controls

  • Use separate VLANs for user workstations, servers, OT/IoT devices, and management interfaces.
  • Apply default-deny ACLs between segments and explicitly allow only the protocols and ports each source segment needs on each destination segment; rely on stateful inspection for return traffic rather than opening the reverse direction.
  • Ensure routing between segments is deliberate and reviewed, not implicit: a layer-3 switch that routes every VLAN to every other VLAN with no ACLs is still a flat network, just with more labels.
  • Feed inter-segment traffic, including the flows the default deny drops, into IDS/IPS and logging for early detection of abnormal movement.
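The last control above, as an added example that is not code from the original page or from Fortnetworks: a default-deny router that logs its drops turns every blocked inter-segment connection into a record, and a spread of distinct denied targets from one host across a segment boundary is what a lateral-movement scan looks like in that record. The log lines below are constructed in the netfilter kernel log format (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) with an assumed "SEG-DENY " log prefix; the hosts, ports, interface names and the detection threshold are made up for the example.

```python
"""Added example, not code from the Fortnetworks page: spotting lateral-movement
attempts in the inter-segment denies that a default-deny router logs. The log
lines are constructed (abbreviated netfilter kernel log format with an assumed
"SEG-DENY " prefix); hosts, ports and interface names are made up."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Netfilter log lines carry IN= OUT= ... SRC= DST= ... PROTO= and, for TCP/UDP,
# SPT= DPT=. ICMP lines have no ports, hence the optional trailing group.
DENY_RE = re.compile(
    r"SEG-DENY IN=(?P<iif>\S*) OUT=(?P<oif>\S*) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)(?:.*?SPT=\d+ DPT=(?P<dport>\d+))?"
)

# Constructed log lines: workstation 10.10.0.15 probing several servers and
# ports in the server VLAN, workstation 10.10.0.40 with one stray connection
# (the usual misconfiguration noise), one retry, and one unrelated kernel line.
SAMPLE_LOG_LINES: List[str] = [
    "Mar 12 10:01:02 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Mar 12 10:01:02 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=3389 SYN",
    "Mar 12 10:01:03 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=5985 SYN",
    "Mar 12 10:01:03 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.6 LEN=60 TTL=63 PROTO=TCP SPT=51237 DPT=22 SYN",
    "Mar 12 10:01:04 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.6 LEN=60 TTL=63 PROTO=TCP SPT=51238 DPT=1433 SYN",
    "Mar 12 10:01:04 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.7 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 12 10:01:05 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.40 DST=10.20.0.5 LEN=60 TTL=63 PROTO=TCP SPT=40211 DPT=22 SYN",
    "Mar 12 10:01:06 gw kernel: SEG-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.15 DST=10.20.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Mar 12 10:01:09 gw kernel: eth0: link up",
]

Target = Tuple[str, str, str]   # (dst host, protocol, dst port or "-")


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Extract the fields of one logged deny, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = ev["dport"] or "-"      # ICMP and friends carry no port
    return ev


def lateral_movement_candidates(lines: List[str], threshold: int = 5) -> Dict[str, List[Target]]:
    """Group inter-segment denies by source host and return the hosts that hit
    at least `threshold` distinct (dst, proto, dport) targets. Repeats of the
    same target (retries) count once, so a single misconfigured client does not
    trip the threshold; a spread of distinct targets does."""
    targets: Dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse_deny(line)
        if ev is None or ev["iif"] == ev["oif"]:
            continue                       # only crossings between segments count
        targets[ev["src"]].add((ev["dst"], ev["proto"], ev["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for src, hit in lateral_movement_candidates(SAMPLE_LOG_LINES).items():
        print(f"{src}: {len(hit)} distinct denied targets across a segment boundary")
        for dst, proto, dport in hit:
            print(f"    {proto} {dst}:{dport}")
```

In production the grouping would be done per sliding time window (for example, distinct targets per source in the last five minutes) rather than over a whole file, and the threshold tuned against the baseline of denies the segment normally produces; the point is that the default deny gives the detection something to count that a flat network never produces.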

Summary

Segmentation does not eliminate risk, but it significantly improves an organisation’s ability to contain attacks and observe what is happening on the wire. The key is to design segments around business functions and apply clear, enforced controls between them.