Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.1.2. Network Infrastructure and Segmentation

💡 First Principle: A flat network is an attacker's playground — compromise one system and you can reach everything. Segmentation creates internal boundaries that contain breaches, enforce access policies, and limit the blast radius of any single compromise.

Network segmentation divides a network into smaller, controlled zones. A retail company might segment point-of-sale systems, corporate workstations, and guest Wi-Fi into separate zones with firewalls controlling traffic between them.

Physical segmentation uses separate physical hardware (switches, routers, cabling) for each segment. It gives the strongest isolation, since there is no shared switching fabric to misconfigure, but it is the most expensive and least flexible option.

Logical segmentation uses VLANs, subnets, and software-defined networking to create virtual boundaries on shared infrastructure. It is more flexible and cost-effective than physical segmentation. The caveat: a VLAN or subnet only separates traffic at layer 2; it becomes a security boundary when a firewall or ACL filters the traffic routed between segments. Unrestricted inter-VLAN routing leaves the network effectively flat.

DMZ (demilitarized zone, also called a screened subnet) — a network segment between the public internet and the internal network. Public-facing services (web servers, email servers) sit in the DMZ, with firewall filtering on both sides: the outer firewall admits only the published service ports from the internet, and the inner firewall admits only the specific flows the DMZ hosts need from internal systems (for example, the web tier to its database port). If an attacker compromises the web server, they are contained in the DMZ and can reach internal systems only through whatever the inner firewall explicitly permits, which is why that inner rule set must be as narrow as possible.

Intranet — internal-only network accessible to employees. Extranet — controlled extension of the intranet to trusted external parties (partners, vendors).

Software-Defined Networking (SDN) separates the control plane (routing decisions) from the data plane (packet forwarding), enabling centralized, programmable network management. SDN makes micro-segmentation practical at scale — policies can be applied and updated across thousands of endpoints from a central controller without touching individual switches. This is essential in cloud and virtualized environments where workloads spin up and down dynamically.

East-west vs. north-south traffic: Traditional perimeter security focuses on north-south traffic (client-to-server, crossing the network boundary). In modern data centers and cloud environments, east-west traffic (server-to-server within the network) vastly exceeds north-south. Attackers who get past the perimeter move laterally through east-west traffic. Segmentation addresses this by controlling internal traffic, not just border traffic.
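The following is an added example, not code from the original page or from MindMesh Academy: a small worst-case "blast radius" analysis over the retail scenario above. The zones, host names, listening ports and firewall rules are constructed for illustration, and the model assumes the worst case that any listening service an attacker can reach over the network can be compromised and used as the next pivot. It shows the three situations the text describes: a flat network, the segmented network with an inner firewall, and east-west (intra-zone) traffic controlled by micro-segmentation.

```python
# Added example (not from the original page): worst-case blast-radius analysis
# over a zone-based segmentation policy. Zones, hosts, services and rules below
# are constructed for illustration and do not describe any real network.
from collections import deque

# Constructed inventory: host -> zone. "internet" stands in for the outside world.
HOSTS = {
    "attacker": "internet",
    "web-1": "dmz",
    "mail-1": "dmz",
    "db-1": "db",
    "ws-alice": "corp",
    "ws-bob": "corp",
    "register-7": "pos",
    "phone-guest": "guest",
}

# Constructed listening services: host -> TCP ports it accepts connections on.
SERVICES = {
    "attacker": set(),
    "web-1": {443},
    "mail-1": {25, 443},
    "db-1": {5432},
    "ws-alice": {445, 3389},
    "ws-bob": {445, 3389},
    "register-7": {445},
    "phone-guest": set(),
}

# Inter-zone firewall policy: (src_zone, dst_zone) -> allowed destination ports.
# Any pair not listed is denied (default deny). Passing policy=None models a
# flat network where everything can talk to everything.
SEGMENTED_POLICY = {
    ("internet", "dmz"): {443, 25},    # outer firewall: only the public services
    ("dmz", "db"): {5432},             # inner firewall: web tier to its database
    ("corp", "dmz"): {443},            # staff use the web app like anyone else
    ("corp", "db"): {5432},            # DBA access
    ("pos", "db"): {5432},             # registers post transactions
    ("guest", "internet"): {80, 443},  # guest Wi-Fi only goes out
}


def allowed(policy, src_zone, dst_zone, port, microseg=False):
    """Would the firewalls pass a connection from src_zone to dst_zone:port?"""
    if policy is None:            # flat network: no boundaries at all
        return True
    if src_zone == dst_zone:      # east-west traffic inside one zone
        return not microseg       # micro-segmentation blocks peer-to-peer by default
    return port in policy.get((src_zone, dst_zone), set())


def blast_radius(hosts, services, policy, start, microseg=False):
    """Hosts an attacker holding `start` can reach, assuming the worst case:
    every listening service that is network-reachable can be compromised,
    and each newly compromised host becomes a new pivot point."""
    compromised = {start}
    queue = deque([start])
    while queue:
        pivot = queue.popleft()
        for target, ports in services.items():
            if target in compromised:
                continue
            if any(allowed(policy, hosts[pivot], hosts[target], p, microseg) for p in ports):
                compromised.add(target)
                queue.append(target)
    return compromised


if __name__ == "__main__":
    scenarios = [
        ("flat network, attacker on the internet", None, "attacker", False),
        ("segmented, attacker on the internet", SEGMENTED_POLICY, "attacker", False),
        ("segmented, phished corp workstation", SEGMENTED_POLICY, "ws-alice", False),
        ("segmented + micro-seg, phished corp workstation", SEGMENTED_POLICY, "ws-alice", True),
        ("segmented, guest Wi-Fi device", SEGMENTED_POLICY, "phone-guest", False),
    ]
    for label, policy, start, microseg in scenarios:
        reached = blast_radius(HOSTS, SERVICES, policy, start, microseg)
        print(f"{label}: {len(reached)} host(s) -> {sorted(reached)}")
```

On the flat network the internet attacker reaches every host that listens on anything, point-of-sale register included. With the segmented policy the same attacker is held to the DMZ plus the database the inner firewall exposes to it, which is exactly why that inner rule must be as narrow as possible. The phished-workstation runs show the east-west point: zone-to-zone rules alone still let one compromised workstation pivot to its neighbour, while micro-segmentation removes that lateral hop. The guest device reaches nothing internal at all.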


āš ļø Exam Trap: A DMZ sits between two firewalls — one facing the internet, one facing the internal network. If a question describes only one firewall, that's not a proper DMZ configuration.

Written by Alvin Varughese, Founder (15 professional certifications)