Module 20 of 21 · Practice-Strategy

How segmentation reduces blast radius


By the end of this module you will be able to:

  • Explain how VLANs and subnetting create segmentation boundaries and where their limits are
  • Describe the difference between north-south and east-west traffic and why each requires different controls
  • Explain the DMZ (demilitarised zone) pattern and which workload categories belong in which zone
  • State what PCI DSS v4.0 requires specifically regarding segmentation for systems that handle cardholder data
Container ship in port at dusk representing global shipping operations (photo by Vidar Nordli-Mathisen on Unsplash)

Real-world incident · June 2017

NotPetya at Maersk: 45,000 PCs lost in minutes on a flat network

On June 27, 2017, the NotPetya worm began propagating through corporate networks worldwide, seeded through a poisoned update to the Ukrainian accounting package M.E.Doc. At A.P. Moller-Maersk, then the world's largest container shipping company, the entry point was a machine in the company's office in Odessa, Ukraine, that ran M.E.Doc. From there the worm spread using a combination of the EternalBlue SMB (Server Message Block) exploit against unpatched hosts and credentials harvested by a Mimikatz-derived credential-dumping component, which it replayed against patched hosts through legitimate Windows administration tooling (PsExec and WMIC).

Because Maersk operated a largely flat network, with minimal internal segmentation between sites and business units, NotPetya spread laterally at machine speed. It needed no human operator: every newly infected host scanned the neighbours it could reach and infected them in turn, so a single foothold in Ukraine became a global outbreak. Within minutes, roughly 45,000 PCs and 4,000 servers were encrypted and unusable. Maersk's global operations halted. Ports could not process container manifests. Ships waited offshore.

Recovery took about ten days and required rebuilding the entire Active Directory domain from a single domain controller in the company's Ghana office, which had survived only because a power failure had taken it offline during the attack. Maersk put the cost at $250 million to $300 million. A segmented network would not have prevented the initial infection; it would have contained the propagation to a fraction of the estate. The blast radius is set by the topology before the attack happens, not after.

If a worm enters one computer in a global shipping company, what determines whether it infects one machine or 45,000?

20.1 What segmentation actually does

Module 19 covered how to use packet captures to observe traffic. Segmentation determines what traffic is possible in the first place. A segmented network does not stop every attack; it constrains what an attacker can reach once they have a foothold. The goal is to ensure that a breach of one workload does not automatically grant access to all others.

Blast radius is the set of systems an attacker can access from a given compromise point. In a flat network with no internal controls, the blast radius of any single compromised host is the entire network. In a segmented network with enforced policy between zones, the blast radius is the segment containing the compromised host plus whatever that segment is permitted to reach.

Segmentation is a pre-breach decision. It requires mapping workloads to zones before an incident, defining inter-zone policy, and enforcing it technically. Trying to segment retroactively during an active incident is like installing fire doors while the building is burning.

20.2 VLANs and subnetting as segmentation tools

A Virtual Local Area Network (VLAN), defined in IEEE 802.1Q, is a Layer 2 segmentation mechanism. Ports on a managed switch are assigned to a VLAN; broadcast traffic and Layer 2 frames are confined to that VLAN. Devices in different VLANs cannot communicate at Layer 2. They can only communicate by sending traffic through a Layer 3 device (a router or Layer 3 switch) that routes between VLANs.

Subnetting provides Layer 3 segmentation. Devices on different IP subnets cannot communicate without a router. Combining VLANs with subnets means that every inter-segment communication crosses a routing boundary where an ACL or firewall policy can be applied. This is the foundational design: VLAN boundaries aligned with subnet boundaries, with enforced policy at the Layer 3 gateway between them.

VLANs are a segmentation boundary, not a security boundary on their own. VLAN hopping attacks can bypass VLAN isolation when switch ports are misconfigured: double-tagging abuses a trunk whose native VLAN matches the attacker's access VLAN, and switch spoofing abuses ports left in DTP auto-negotiation mode so that the attacker's port becomes a trunk. The mitigations are switch hygiene (disable DTP on access ports, use an otherwise unused native VLAN on trunks, prune VLANs that a trunk does not need to carry). Even a perfectly configured VLAN only limits where frames go. The enforcement that makes segmentation a security control is the routing policy and firewall rules applied at the inter-VLAN gateway, not the VLAN tag itself.

A VLAN is a logical grouping of ports or MAC addresses that limits the broadcast domain. Inter-VLAN communication requires a Layer 3 routing function.

IEEE 802.1Q-2022, Bridges and Bridged Networks - Clause 5, VLAN Membership; Clause 9, VLAN Bridge Operation

IEEE 802.1Q is the normative standard for VLAN tagging. The key architectural implication is in Clause 5: a VLAN is a broadcast domain restriction, not a security enforcement point. Security enforcement requires routing policy applied at the Layer 3 boundary between VLANs.

20.3 Firewall zones, DMZ, and east-west versus north-south

A firewall zone is a named logical boundary with an associated policy. Classic zone models use three zones: untrusted (internet), trusted (internal), and demilitarised (DMZ). The DMZ, or demilitarised zone, sits between the two: it is reachable from the internet on the published service ports, and it may initiate only the specific connections its services need into the trusted zone (a web server to its application tier on one port, for example), never arbitrary traffic. Web servers, mail gateways, and API endpoints belong in the DMZ; databases and internal services belong in the trusted zone, where a compromise of the public-facing host does not by itself expose them.

North-south traffic crosses the network perimeter: inbound requests from the internet to the DMZ, or outbound requests from the trusted zone to the internet. Traditional firewalls are designed primarily for north-south enforcement. They inspect traffic as it crosses the perimeter boundary.

East-west traffic moves between systems within the same network: between a web server and a database server, between two microservices in the same data centre, between a workstation and a file share. Most traditional firewall designs do not inspect east-west traffic at all because the systems are "inside" the perimeter. NotPetya propagated entirely over east-west paths.

Modern segmentation design must account for both traffic directions. Perimeter controls address north-south. Internal segmentation, host-based firewalls, and microsegmentation address east-west. An organisation that has only invested in north-south controls has no defence against lateral movement once the perimeter is breached.
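The designs discussed in 20.1 to 20.3 (a flat network, VLANs with an unrestricted inter-VLAN router, and a zoned deny-by-default policy with a DMZ) can be compared directly by computing reachability from a compromised host. The following Python model is an added example for this module, not code from any of the sources it cites; the hosts, zone names, ports and policy are constructed for illustration.

```python
"""Blast-radius model for the zone designs discussed in 20.1 to 20.3.

Added example for this module, not code from the module's sources. The
hosts, zones and policy below are constructed; the point is to show how the
reachable set changes with topology and gateway policy.
"""
from collections import deque
from typing import Dict, Optional, Set, Tuple

ANY = "*"  # wildcard meaning "every port"

# Constructed estate. Segmented: each tier in its own VLAN/subnet.
SEGMENTED: Dict[str, str] = {
    "ws-01": "workstations", "ws-02": "workstations",
    "web-01": "dmz", "api-01": "dmz",
    "app-01": "app",
    "db-01": "db",
    "jump-01": "management",
}
# Flat: the same hosts in one broadcast domain, no gateway anywhere.
FLAT: Dict[str, str] = {host: "corp" for host in SEGMENTED}

Policy = Dict[Tuple[str, str], Set]

# Deny-by-default policy enforced at the inter-zone gateway. A (src, dst) pair
# that is absent is denied. The DMZ may initiate only to the app tier, on one port.
ZONE_POLICY: Policy = {
    ("internet", "dmz"): {443},
    ("workstations", "dmz"): {443},
    ("dmz", "app"): {8080},
    ("app", "db"): {5432},
    ("management", "dmz"): {22},
    ("management", "app"): {22},
    ("management", "db"): {22},
}


def permit_all(topology: Dict[str, str]) -> Policy:
    """Policy of a network that has VLANs but routes between them unrestricted
    (the 'VLANs without ACLs' case from the check-your-understanding question)."""
    zones = set(topology.values())
    return {(a, b): {ANY} for a in zones for b in zones if a != b}


def can_cross(policy: Policy, src_zone: str, dst_zone: str,
              ports: Optional[Set[int]]) -> bool:
    """True if traffic from src_zone may reach dst_zone on at least one of `ports`.
    ports=None asks whether any port at all is permitted."""
    if src_zone == dst_zone:
        return True  # same VLAN/subnet: the gateway is not in the path
    rule = policy.get((src_zone, dst_zone))
    if not rule:
        return False
    if ports is None or ANY in rule:
        return True
    return bool(rule & ports)


def blast_radius(topology: Dict[str, str], policy: Policy, start: str,
                 exploit_ports: Optional[Set[int]] = None) -> Set[str]:
    """Hosts an attacker holding `start` can take over, transitively.

    exploit_ports is the set of ports the attacker can abuse to compromise a
    host once it is reachable (e.g. {445} for an SMB worm). None models an
    attacker able to abuse whatever service the policy exposes."""
    owned = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, zone in topology.items():
            if host not in owned and can_cross(policy, topology[cur], zone, exploit_ports):
                owned.add(host)
                queue.append(host)
    return owned


if __name__ == "__main__":
    smb = {445}
    print("flat, SMB worm from ws-01:      ", sorted(blast_radius(FLAT, {}, "ws-01", smb)))
    print("VLANs, no ACLs, SMB worm:       ", sorted(blast_radius(SEGMENTED, permit_all(SEGMENTED), "ws-01", smb)))
    print("segmented, SMB worm:            ", sorted(blast_radius(SEGMENTED, ZONE_POLICY, "ws-01", smb)))
    print("segmented, any service, web-01: ", sorted(blast_radius(SEGMENTED, ZONE_POLICY, "web-01")))
    print("internet -> db directly?        ", can_cross(ZONE_POLICY, "internet", "db", None))
```

Run stand-alone, the script prints the reachable set for each case: the SMB worm takes all seven hosts on the flat network and on the VLAN-without-ACLs network, but only the two workstations under the zoned policy. The fourth case is the caveat: even under deny-by-default, an attacker who owns a DMZ host reaches the database, because the policy permits DMZ to app and app to db in series. That chain is the intended service path, and it is exactly the path an attacker on the web tier will follow, which is why the permitted flows between zones need host-level controls and monitoring of their own rather than being treated as "inside".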

20.4 Cloud security groups and microsegmentation

Cloud infrastructure replaces physical VLANs with virtual network constructs. In AWS (Amazon Web Services), a Virtual Private Cloud (VPC) is the top-level isolation boundary; subnets within a VPC provide further subdivision. Security groups are stateful firewalls applied at the virtual network interface (ENI) level: they control which traffic is permitted to and from each individual instance, regardless of which subnet it is in. Network ACLs also exist, as stateless allow/deny lists applied at the subnet boundary, but the per-workload control is the security group.

This means cloud security groups can implement microsegmentation when they are designed per workload. A newly created security group has no inbound rules, so inbound traffic is denied until a rule is added; the exception is the VPC's default security group, which allows all traffic between its own members, which is why instances should not be left in it. Each workload gets a distinct security group with rules specific to that workload's communication needs, and rules name the source by security group rather than by address: a web tier security group permits inbound port 443 from the load balancer's security group; an application tier security group permits inbound from the web tier security group only; a database security group permits inbound on the database port from the application tier security group only. With that design, lateral movement between tiers has no permitted path, and the rules keep working when instances are replaced and their addresses change.

The failure mode in cloud environments is overly permissive security groups: rules that allow all traffic from the entire VPC CIDR, or self-referencing rules that allow all traffic among a large shared group, rather than rules from specific source security groups on specific ports. This recreates the flat-network problem in the cloud. The discipline is to design security group rules based on intended communication paths, not convenience.
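The review question about VPC-wide CIDR rules can be answered mechanically from security group definitions. The following is an added example for this module, not AWS's code: the group IDs, names and VPC CIDR are invented, and the input is constructed to mimic the shape of `aws ec2 describe-security-groups` output (SecurityGroups, IpPermissions, IpRanges, UserIdGroupPairs) rather than pulled from a real account.

```python
"""Audit AWS security groups for the flat-network failure mode from 20.4.

Added example for this module, not AWS code. The input mimics the shape of
`aws ec2 describe-security-groups` output but is constructed; group IDs,
names and the VPC CIDR are invented for the example.
"""
import ipaddress
from typing import Dict, List, Set

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed


def _tcp(from_port: int, to_port: int, cidrs=(), groups=()) -> Dict:
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed three-tier estate. The db group carries the bad rule: all TCP from the VPC CIDR.
SECURITY_GROUPS: List[Dict] = [
    {"GroupId": "sg-0a1", "GroupName": "alb", "IpPermissions": [_tcp(443, 443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-0b2", "GroupName": "web", "IpPermissions": [_tcp(443, 443, groups=["sg-0a1"])]},
    {"GroupId": "sg-0c3", "GroupName": "app", "IpPermissions": [_tcp(8080, 8080, groups=["sg-0b2"])]},
    {"GroupId": "sg-0d4", "GroupName": "db",  "IpPermissions": [_tcp(0, 65535, cidrs=["10.0.0.0/16"])]},
]
# The corrective design: db accepts the database port from the app tier's security group only.
CORRECTED: List[Dict] = SECURITY_GROUPS[:3] + [
    {"GroupId": "sg-0d4", "GroupName": "db", "IpPermissions": [_tcp(5432, 5432, groups=["sg-0c3"])]},
]


def _covers_vpc(cidr: str, vpc_cidr) -> bool:
    """True if the rule's source CIDR contains the whole VPC (0.0.0.0/0 included)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == vpc_cidr.version and vpc_cidr.subnet_of(net)


def vpc_wide_ingress(groups: List[Dict], vpc_cidr=VPC_CIDR) -> List[Dict]:
    """Flag ingress rules that any instance in the VPC, whatever its tier, satisfies."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            for r in perm.get("IpRanges", []):
                if _covers_vpc(r["CidrIp"], vpc_cidr):
                    net = ipaddress.ip_network(r["CidrIp"], strict=False)
                    findings.append({
                        "group": g["GroupName"], "cidr": r["CidrIp"],
                        "ports": (perm.get("FromPort"), perm.get("ToPort")),
                        "scope": "internet" if net.prefixlen == 0 else "vpc-wide",
                    })
    return findings


def ingress_graph(groups: List[Dict], vpc_cidr=VPC_CIDR) -> Dict[str, Set[str]]:
    """Map each group name to the group names that may open connections to it.

    A security-group reference adds one edge; a VPC-wide CIDR rule adds an edge
    from every group in the VPC, which is exactly how it recreates a flat network."""
    by_id = {g["GroupId"]: g["GroupName"] for g in groups}
    sources: Dict[str, Set[str]] = {name: set() for name in by_id.values()}
    for g in groups:
        for perm in g["IpPermissions"]:
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] in by_id:
                    sources[g["GroupName"]].add(by_id[pair["GroupId"]])
            for r in perm.get("IpRanges", []):
                if _covers_vpc(r["CidrIp"], vpc_cidr):
                    sources[g["GroupName"]].update(by_id.values())
    return sources


def reachable_from(groups: List[Dict], start: str, vpc_cidr=VPC_CIDR) -> Set[str]:
    """Groups an attacker who owns an instance in `start` can connect to directly."""
    sources = ingress_graph(groups, vpc_cidr)
    return {dst for dst, srcs in sources.items() if start in srcs}


if __name__ == "__main__":
    for label, groups in (("as found", SECURITY_GROUPS), ("corrected", CORRECTED)):
        print(label, "vpc-wide rules:", [f for f in vpc_wide_ingress(groups) if f["scope"] == "vpc-wide"])
        print(label, "reachable from web:", sorted(reachable_from(groups, "web")))
```

Run stand-alone, the script reports the db group's all-ports rule as vpc-wide and shows that a compromised web instance can connect straight to the database, skipping the application tier; with the corrected rule, web reaches only the load balancer (which is internet-facing by design) and the app tier. The same logic runs unchanged on real output from `describe-security-groups`, since it only reads the fields shown.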

20.5 PCI DSS segmentation requirements

The Payment Card Industry Data Security Standard (PCI DSS) v4.0 uses network segmentation as a scoping mechanism. Systems that store, process, or transmit cardholder data, together with systems that are connected to them or could affect the security of the cardholder data environment, are in scope for the standard. If those systems sit on a flat network shared with unrelated systems, the whole flat network is connected to the cardholder data environment and falls within scope, vastly expanding the audit and compliance burden.

PCI DSS v4.0 Requirement 1.3 requires that network access to and from the cardholder data environment (CDE) is restricted: inbound traffic to the CDE (1.3.1) and outbound traffic from it (1.3.2) are limited to only what is necessary, and all other traffic is specifically denied. Requirement 1.4 adds the same deny-by-default posture for connections between trusted and untrusted networks. Where segmentation is used to isolate the CDE, Requirement 11.4.5 requires penetration testing of the segmentation controls at least once every 12 months and after any change to them; Requirement 11.4.6 raises that to at least once every six months for service providers.

The standard explicitly permits using network segmentation to reduce scope. An organisation that correctly segments its CDE into an isolated zone, with documented and enforced access controls at every boundary, applies PCI DSS requirements to the systems in that zone and to the connected-to systems that provide services into it, rather than to the whole estate. Segmentation done for security and segmentation done for compliance scope reduction are the same technical activity.

Network access to and from the cardholder data environment is restricted. Inbound and outbound traffic of the CDE is limited to only what is necessary, and all other traffic is specifically denied. (Requirement 1.3 with 1.3.1 and 1.3.2, paraphrased)

PCI DSS v4.0 - Requirement 1.3, Network Access to and from the Cardholder Data Environment Is Restricted; Requirement 1.4, Network Connections Between Trusted and Untrusted Networks Are Controlled

PCI DSS v4.0 was published in March 2022 and fully replaced v3.2.1 on 31 March 2024. Requirements 1.3 and 1.4 address inter-network access controls. The deny-by-default principle stated here is the baseline posture for any segmentation implementation: all traffic is blocked unless explicitly permitted.

Common misconception

VLAN segmentation is equivalent to firewall segmentation.

VLANs create Layer 2 broadcast domain boundaries, which limits how far ARP and broadcast traffic can spread. However, VLAN boundaries do not enforce per-flow policy between segments; they require a Layer 3 routing function to communicate, but that routing function can forward all traffic without restriction unless a firewall or ACL is applied at the routing point. Segmentation only becomes a security control when policy is enforced at the inter-segment gateway, not when VLAN tags are assigned.

20.6 Check your understanding

A worm enters a corporate network through a compromised workstation and begins scanning for other hosts. The network uses VLANs to separate workstations, servers, and management systems, but the inter-VLAN routing applies no ACLs or firewall policy. What is the effective blast radius?

Your company wants to host a public API on its on-premises infrastructure. The API must be reachable from the internet, but it calls internal microservices and a database that must not be directly reachable from the internet. Which architecture correctly implements this?

An AWS security review finds that most security groups use inbound rules allowing all TCP traffic from the VPC CIDR (e.g., 10.0.0.0/16). What is the risk, and what is the corrective design?

Key takeaways

  • Blast radius is determined by topology before an attack, not during it. Segmentation confines what a compromised workload can reach.
  • VLANs create Layer 2 broadcast domain boundaries. They are not security controls without ACLs or firewall policy enforced at the inter-VLAN routing point.
  • North-south traffic crosses the network perimeter; east-west traffic moves between internal systems. Traditional perimeter firewalls only inspect north-south. Internal segmentation is required for east-west control.
  • The DMZ pattern places externally accessible services in a zone that can receive internet traffic, with policy restricting what the DMZ can initiate to the internal zone.
  • Cloud security groups implement microsegmentation when rules reference specific source security groups rather than broad CIDR ranges.
  • PCI DSS v4.0 Requirement 1.3 requires deny-by-default access controls on traffic into and out of the cardholder data environment, and Requirement 11.4.5 requires the segmentation controls to be penetration-tested at least annually (every six months for service providers under 11.4.6). Effective segmentation can reduce PCI scope to the CDE zone and the systems connected to it.

Standards and sources cited in this module

  1. PCI DSS v4.0

    Requirement 1.3, Network Access to and from the Cardholder Data Environment Is Restricted; Requirement 1.4, Network Connections Between Trusted and Untrusted Networks Are Controlled; Requirements 11.4.5 and 11.4.6, Penetration Testing of Segmentation Controls; Appendix G, PCI DSS Glossary of Terms, Abbreviations, and Acronyms (Segmentation)

    The PCI DSS standard (published March 2022). Requirements 1.3 and 1.4 define the network access control requirements referenced in section 20.5. The Appendix G definition of network segmentation explains how it reduces PCI DSS scope.

  2. IEEE 802.1Q-2022, Bridges and Bridged Networks

    Clause 5, VLAN Membership; Clause 9, VLAN Bridge Operation

    The normative VLAN standard. Clause 5 defines VLAN membership and broadcast domain scope. The standard does not define security policy between VLANs, which is the basis for the distinction between VLAN segmentation and firewall segmentation in section 20.2.

  3. NIST SP 800-125B, Secure Virtual Network Configuration for VM Protection

    Section 4.1, Virtual Network Segmentation

    NIST guidance on virtual and cloud network segmentation. Section 4.1 addresses the design principles for isolating workloads in virtualised environments, supporting the cloud security groups discussion in section 20.4.

  4. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers (Andy Greenberg, Wired/Doubleday, 2019)

    Chapter on the NotPetya attack on Maersk

    The primary source for the NotPetya/Maersk case study. Documents the M.E.Doc entry point in Odessa, the flat network topology, propagation speed, and the recovery from a single domain controller in the Ghana office that was offline during the attack.

  5. AWS Documentation, Security groups for your VPC

    Security group basics; Referencing other security groups

    AWS documentation on security group design patterns. The source security group reference pattern described in section 20.4 is documented here as the preferred method for controlling inter-workload communication.

Segmentation limits damage. Module 21, the Practice capstone, brings it all together with a scenario where dashboards say healthy and users disagree. You will write an incident narrative that reconciles both, choose the next most informative signal, and stay precise under operational pressure.
