What Is Network Segmentation?

Network segmentation is the practice of dividing a computer network into separate subnetworks, each isolated from the others. Each segment acts as its own mini-network with its own access controls, security policies, and monitoring. The goal is that a compromise in one segment cannot automatically spread to others.

In WiFi security, segmentation is the difference between an attacker who cracks the guest WiFi password and immediately gains access to the file server, and one who is trapped in an isolated guest subnet with no path to corporate resources.

Effective segmentation uses multiple layers:

  • Layer 2 (Data Link): VLANs separate traffic at the switch level
  • Layer 3 (Network): Firewall rules between subnets enforce what traffic is allowed to cross
  • Layer 7 (Application): Identity-aware proxies and app-level access controls verify who can reach specific applications

A flat network is one where all devices — corporate laptops, IoT sensors, guest phones, industrial controllers — share the same broadcast domain and can reach each other directly. On a flat network, compromising a single device gives the attacker a window into everything else. Segmentation is the solution: if the IoT camera and the domain controller are on different VLANs, a compromised camera cannot directly reach the domain controller even if both are connected to the same switch.

VLANs Explained Simply

VLAN stands for Virtual Local Area Network. A VLAN is a logical grouping of devices that behave as if they are on the same physical network switch — even if they're spread across many different physical switches in different buildings.

Think of a VLAN like an apartment building's intercom system: each apartment has its own number, and visitors can only reach apartment 5 by dialing 5 — they can't just walk into the hallway and try every door. Without VLANs, it's like a building where every apartment door opens onto the same hallway: one broken lock exposes every unit.

How VLANs Work in Practice

When you configure a switch port as belonging to VLAN 10, any device plugged into that port can only communicate with other devices on VLAN 10. A device on VLAN 10 cannot send traffic directly to VLAN 20 without going through a router or firewall that sits between the two VLANs.

VLAN 10 — Corporate WiFi (10.10.10.0/24)
  ├── Corporate laptops (10.10.10.10–10.10.10.200)
  └── Printers, MFDs (10.10.10.201–10.10.10.254)

VLAN 20 — Guest WiFi (10.10.20.0/24)
  └── Guest devices (10.10.20.10–10.10.20.200)

VLAN 30 — IoT / Surveillance (10.10.30.0/24)
  └── IP Cameras, Sensors (10.10.30.10–10.10.30.50)

VLAN 99 — Management (10.10.99.0/24)
  └── Switches, Routers, APs (10.10.99.1–10.10.99.50)

[VLAN 20 (Guest) CANNOT reach VLAN 10 (Corporate) — enforced by firewall between VLANs]
[VLAN 30 (IoT) CAN reach VLAN 99 (Management) only via explicit allow rule]
[Compromised IoT camera is isolated from corporate laptops]
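To make the default-deny policy in the diagram concrete, the following is an added example (not code from the original article) that models the inter-VLAN firewall in Python: the four subnets are the ones shown above, while the allow rules, port numbers and function names are assumptions chosen for illustration.

```python
"""Model of the inter-VLAN firewall from the segmentation diagram.

Added example; the subnets come from the article, the allow rules and
helper names are assumptions. Anything not explicitly allowed is denied.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# VLAN id -> subnet, as laid out in the diagram.
VLANS: Dict[int, ipaddress.IPv4Network] = {
    10: ipaddress.ip_network("10.10.10.0/24"),  # Corporate WiFi
    20: ipaddress.ip_network("10.10.20.0/24"),  # Guest WiFi
    30: ipaddress.ip_network("10.10.30.0/24"),  # IoT / Surveillance
    99: ipaddress.ip_network("10.10.99.0/24"),  # Management
}

# Explicit allow rules as (src VLAN, dst VLAN, dst TCP port). These specific
# rules are constructed for the example (assumption); note there is no rule
# from VLAN 20 (Guest) to anything, and none from VLAN 30 to VLAN 10.
ALLOW: List[Tuple[int, int, int]] = [
    (10, 30, 554),  # corporate laptops may pull camera RTSP streams
    (30, 99, 443),  # cameras may talk to a controller on the management VLAN
    (99, 10, 22),   # admins on the management VLAN may SSH to corporate hosts
]


def vlan_of(ip: str) -> int:
    """Return the VLAN a host belongs to; unknown addresses are an error."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any defined VLAN")


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether a flow may cross the firewall between VLANs.

    Traffic inside one VLAN is switched directly and never reaches the
    firewall, so it is always permitted here; everything else needs a rule.
    """
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return True
    return (src, dst, dst_port) in ALLOW


def reachable_vlans(src_ip: str) -> Set[int]:
    """Other segments a host could reach at all: the blast radius of a
    compromise of that host, as seen from the inter-VLAN firewall."""
    src = vlan_of(src_ip)
    return {dst for (s, dst, _port) in ALLOW if s == src}
```

Running `reachable_vlans("10.10.30.12")` for a camera returns only `{99}`, which is exactly the isolation property the last bracketed line of the diagram claims.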