Cybersecurity

Network Segmentation: The Control Mid-Market Companies Keep Skipping

Oct 11, 2025

Flat networks are a ransomware attacker's best friend. Segmentation is the control that limits how far a breach can travel — and it is more achievable than most IT teams think.

What Flat Networks Cost You

A flat network — where every device can communicate with every other device — means that a compromised endpoint can reach your domain controllers, your file servers, your production database, and your backup systems. This is the condition that turns a single infected endpoint into a company-wide ransomware event. In a properly segmented network, a compromised endpoint in a workstation VLAN cannot initiate connections to the server VLAN without passing through a firewall that blocks or inspects the traffic. Segmentation does not prevent compromise; it prevents the compromise from spreading.

The Minimum Effective Segmentation

The minimum segmentation that meaningfully reduces risk at most mid-market companies: a dedicated VLAN for servers, isolated from the workstation VLAN; a separate VLAN for management traffic (remote desktop, SSH, backup agents) accessible only from a jump host or privileged access workstation; a guest network for visitors and personal devices with no access to internal resources; and a separate IoT/OT VLAN if your environment includes printers, cameras, or operational technology. These four segments, combined with inter-VLAN firewall rules, address the majority of lateral movement risk.

The Firewall Rule Problem

Segmentation without maintained firewall rules decays into a false sense of security. Firewall rule sets at mid-market companies often accumulate 'temporary' exceptions that become permanent, and rules added for specific projects that are never removed. An annual firewall rule review — documenting the business justification for every permissive rule — is a control requirement under several compliance frameworks (PCI DSS, HIPAA) and a practical necessity for maintaining effective segmentation over time.
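The annual review described above is easier to keep honest when the checks are mechanical. The following is an added example (not VSERV's tooling or any firewall vendor's export format): it walks a constructed, vendor-neutral rule list and flags the conditions the paragraph names, allow rules with no recorded business justification, 'temporary' exceptions whose expiry date has passed, and rules that are any-to-any or permit all ports. The field names (src, dst, dport, justification, expires) are assumptions; a real rule export would need a small adapter into this shape.

```python
"""Firewall rule review helper.

Added example, not VSERV's or any vendor's tooling. The rule set below is
constructed, and its field names (src, dst, dport, justification, expires)
are assumptions; an export from a real firewall needs a small adapter to
this shape.
"""
from datetime import date

# Constructed sample rule set. Each allow rule is expected to carry a business
# justification, and any 'temporary' exception an expiry date.
RULES = [
    {"id": 10, "src": "vlan-workstations", "dst": "vlan-servers", "dport": "445",
     "action": "allow", "justification": "file shares", "expires": None},
    {"id": 20, "src": "vlan-workstations", "dst": "vlan-management", "dport": "any",
     "action": "allow", "justification": "ERP migration project", "expires": "2024-03-31"},
    {"id": 30, "src": "any", "dst": "any", "dport": "any",
     "action": "allow", "justification": "", "expires": None},
    {"id": 40, "src": "vlan-guest", "dst": "vlan-servers", "dport": "any",
     "action": "deny", "justification": "guest isolation", "expires": None},
    {"id": 50, "src": "vlan-jumphost", "dst": "vlan-management", "dport": "22,3389",
     "action": "allow", "justification": "admin access via jump host", "expires": None},
]


def review_rules(rules, today):
    """Return [(rule id, [issues])] for allow rules that fail the review checks."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules narrow exposure; the review targets permissive ones
        issues = []
        if not rule["justification"].strip():
            issues.append("missing business justification")
        if rule["expires"] and date.fromisoformat(rule["expires"]) < today:
            issues.append(f"temporary exception expired {rule['expires']}")
        if rule["src"] == "any" and rule["dst"] == "any":
            issues.append("any-to-any source/destination")
        if rule["dport"] == "any":
            issues.append("all ports permitted")
        if issues:
            findings.append((rule["id"], issues))
    return findings


if __name__ == "__main__":
    for rule_id, issues in review_rules(RULES, date.today()):
        print(f"rule {rule_id}: " + "; ".join(issues))
```

Run against the sample set, rule 10 and rule 50 pass, rule 20 is flagged as an expired project exception that also opens every port, and rule 30 is the classic any/any allow with no owner. Deny rules are skipped on purpose: the review is about what the rule set permits, and a reviewer wants the short list of rules that need a justification written down or a removal ticket opened.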

Where to Start If You Are Starting From Scratch

The most impactful first segmentation project is separating your critical servers from your workstation network. In most environments, this can be implemented over a maintenance weekend: create the server VLAN, migrate server interfaces, create inter-VLAN firewall rules based on documented communication requirements, and monitor for denied traffic for 30 days. The 30-day monitoring period reveals legitimate traffic that was not in your communication matrix and prevents production disruption from an overly aggressive initial rule set.
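The segments listed under "The Minimum Effective Segmentation" and the 30-day deny-monitoring step above come together in the following added example (not VSERV's tooling and not any firewall's native log format). It encodes the documented communication matrix for a constructed VLAN plan, maps the source and destination of each denied flow to its segment, aggregates the denies, and labels each flow: traffic that is in the matrix but still denied (the rule set does not implement what was documented), traffic from the guest or IoT segments (the isolation working as designed), and undocumented workstation-to-server traffic that needs a business owner's confirmation before a rule is added. The subnets, the matrix contents and the key=value log lines are constructed for illustration.

```python
"""Triage of inter-VLAN deny logs during the 30-day monitoring window.

Added example, not VSERV's tooling. Segment subnets, the communication matrix
and the log format are constructed for illustration; a real deployment would
map its own VLAN subnets and feed its firewall's actual deny log.
"""
import ipaddress
import re
from collections import Counter

# Constructed VLAN plan mirroring the segments described in the article.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.20.0/24"),
    "servers": ipaddress.ip_network("10.10.30.0/24"),
    "management": ipaddress.ip_network("10.10.40.0/24"),
    "guest": ipaddress.ip_network("10.10.50.0/24"),
    "iot": ipaddress.ip_network("10.10.60.0/24"),
}

# Documented communication matrix: (src segment, dst segment, proto, dport).
# Anything not listed is expected to be denied between segments.
MATRIX = {
    ("workstations", "servers", "tcp", 445),   # file shares
    ("workstations", "servers", "tcp", 443),   # intranet applications
    ("workstations", "servers", "udp", 53),    # DNS
    ("management", "servers", "tcp", 22),      # admin access via the management segment
}

# Constructed deny-log lines in a generic key=value layout (no vendor format).
SAMPLE_LOG = """\
2025-10-12T02:14:07Z DENY src=10.10.20.15 dst=10.10.30.5 proto=tcp dport=1433
2025-10-12T02:14:09Z DENY src=10.10.20.15 dst=10.10.30.5 proto=tcp dport=1433
2025-10-12T02:15:30Z DENY src=10.10.50.8 dst=10.10.30.5 proto=tcp dport=445
2025-10-12T02:16:02Z DENY src=10.10.20.21 dst=10.10.30.9 proto=tcp dport=445
2025-10-12T03:01:44Z DENY src=10.10.60.3 dst=10.10.40.2 proto=tcp dport=22
2025-10-12T03:05:10Z DENY src=10.10.20.33 dst=10.10.30.5 proto=tcp dport=1433
"""

LINE_RE = re.compile(
    r"DENY src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def triage_denies(log_text):
    """Aggregate denied flows per (src, dst, proto, dport) and label each one."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # ignore non-deny or malformed lines
        key = (segment_of(match["src"]), segment_of(match["dst"]),
               match["proto"], int(match["dport"]))
        counts[key] += 1

    report = []
    for key, hits in counts.most_common():
        if key in MATRIX:
            status = "documented-but-denied"  # rule set does not implement the matrix
        elif key[0] in ("guest", "iot"):
            status = "expected-deny"          # isolation working as designed
        else:
            status = "undocumented"           # confirm with the business owner first
        report.append((key, hits, status))
    return report


if __name__ == "__main__":
    for (src, dst, proto, dport), hits, status in triage_denies(SAMPLE_LOG):
        print(f"{src:>12} -> {dst:<12} {proto}/{dport:<5} {hits:>4}  {status}")
```

On the sample log the top entry is workstations to servers on tcp/1433, three hits and undocumented: exactly the kind of traffic the 30-day window exists to surface, and a rule should be added only once the application owner confirms it. The single workstations-to-servers tcp/445 deny is documented in the matrix, so it points at a gap in the rule set rather than in the matrix. The guest and IoT denies are the control doing its job and need no action beyond a note in the review.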

Ready to Put This Into Practice?

Talk to VSERV about network segmentation design, firewall rule review, and infrastructure security for your mid-market environment.