Network segmentation is highly useful as part of an effective, aggressive defense-in-depth strategy for protecting your network. The idea comes from military strategy and warfare: in the worst-case scenario, where you do have a breach, the attackers end up with very little access, if any, and you can quickly shut them down.
Think of Russia during World War 2. It was a brutal military strategy but very effective against the Germans. When Germany invaded Russia in the winter of 1941, the Russians had, in certain areas, burnt down every last building, destroyed all of the animals and all of the plants and trees, dumped all of the water, and destroyed the telegraph lines. Not only was that winter brutal, but the attackers had no food, no water, no place to sleep and no lines of communication. It became an empty victory and was an important turning point in the war for the Allies.
Network segmentation works at a similar level: if someone gets in, the security team tries to ensure an empty victory, ideally zero access or very limited access, while the intruder is investigated and kicked out of the network.
Before you can implement network segmentation you need to carefully plan out your network architecture so that groups of users are segmented into VLANs. For example, here are some potential VLANs: IT, Engineering, Security, Finance, Accounting, HR, Sales. You can segment by geographic location or office site as well.
Once you have created the VLANs you can further complement this by having the systems team restrict AD access to groups of users. For example, regular users will only have access to certain terminal servers, etc.
This, along with segregation of duties, where the rights of users are highly compartmentalized, especially for privileged accounts, can make your network robust and secure. Your network should be so secure that in the worst-case scenario of an attacker getting in, they should never gain access to a privileged account, especially root or Domain/Enterprise Admin, on any system or on the network.
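As an added example, not code from the original post, here is a small Python policy checker that encodes a plan like the one above as a default-deny allow-list between VLANs and then audits flow records for cross-segment traffic the plan does not permit, which is how a security team would spot an intruder trying to move beyond the segment they landed in. The VLAN names follow the post; the subnets, ports and flow records are constructed assumptions.

```python
import ipaddress
# Constructed segmentation plan. VLAN names follow the post; the subnets are
# assumptions, and "Servers" stands for the terminal servers users may reach.
VLANS = {
    "IT":          ipaddress.ip_network("10.10.0.0/24"),
    "Engineering": ipaddress.ip_network("10.20.0.0/24"),
    "Security":    ipaddress.ip_network("10.30.0.0/24"),
    "Finance":     ipaddress.ip_network("10.40.0.0/24"),
    "Servers":     ipaddress.ip_network("10.100.0.0/24"),
}
# Default-deny allow-list of inter-VLAN flows as (src VLAN, dst VLAN, dst port).
# User VLANs reach only the terminal servers over RDP; IT may also SSH to them;
# Security ("*" wildcards) may reach anything while investigating.
ALLOWED = {
    ("Finance", "Servers", 3389), ("Engineering", "Servers", 3389),
    ("IT", "Servers", 3389), ("IT", "Servers", 22),
    ("Security", "*", "*"),
}

def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def is_permitted(src_ip, dst_ip, dst_port):
    """True only if the flow is intra-VLAN or explicitly allow-listed."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address: deny by default
    if src == dst:
        return True             # intra-VLAN traffic is not policed here
    return any(s == src and d in (dst, "*") and p in (dst_port, "*")
               for s, d, p in ALLOWED)

def audit(flow_lines):
    """Return (src, dst, port) for every flow record the policy does not permit."""
    violations = []
    for line in flow_lines:
        src_ip, dst_ip, port = line.split()
        if not is_permitted(src_ip, dst_ip, int(port)):
            violations.append((src_ip, dst_ip, int(port)))
    return violations

# Constructed flow records ("src dst dport"), e.g. exported from a firewall log.
SAMPLE_FLOWS = [
    "10.40.0.15 10.100.0.5 3389",  # Finance user -> terminal server: allowed
    "10.40.0.15 10.20.0.9 445",    # Finance -> Engineering over SMB: cross-segment
    "10.40.0.15 10.100.0.5 22",    # Finance -> server over SSH: port not allowed
    "10.30.0.2 10.40.0.15 22",     # Security -> Finance host: allowed
    "10.40.0.15 10.40.0.16 445",   # same VLAN: allowed
]
```

Running `audit(SAMPLE_FLOWS)` returns the two cross-segment flows that fall outside the allow-list; the same check can be fed real firewall or NetFlow exports once the plan's VLANs and subnets are filled in.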
Network segmentation/sequestration works if you work it. It also allows for better administration of your assets from a systems and network perspective.