Ransomware Defenders
Defense Guide

Network Segmentation for Ransomware Defense

Architect segmented networks that contain ransomware lateral movement and limit blast radius. From VLAN design through micro-segmentation and zero trust.

Why Flat Networks Are a Ransomware Disaster

In a flat network, every system can reach every other system. When ransomware compromises a single workstation, it can immediately begin encrypting file shares, scanning for other targets, and spreading across the entire network — often completing domain-wide encryption in under an hour.

Network segmentation breaks this kill chain by creating barriers between network zones. Even if an attacker compromises a user workstation, they cannot directly access backup servers, domain controllers, or other critical infrastructure. This containment buys critical time for detection and response, and preserves the systems needed for recovery.

The Segmentation Gap

Despite being one of the most effective ransomware controls, only 25% of organizations have implemented meaningful network segmentation. The top reason: concerns about breaking applications. A phased approach with proper traffic analysis eliminates this risk.

6 Steps to Network Segmentation

A structured approach to implementing network segmentation that maximizes ransomware containment without breaking business operations.

1. Network Discovery & Asset Mapping

Before you can segment your network, you need to understand what is on it. Map all assets, data flows, and dependencies to design effective segment boundaries.

Key Activities:

  • Inventory all network-connected devices: servers, workstations, printers, IoT, OT, building systems
  • Map data flows between systems — which systems talk to which, on what ports, and why
  • Classify assets by criticality and sensitivity: critical infrastructure, business applications, user segments, guest access
  • Document existing network topology: VLANs, subnets, firewall rules, and routing
  • Identify crown jewels: domain controllers, backup infrastructure, financial systems, customer data stores
  • Map trust relationships: Active Directory trusts, VPN tunnels, cloud connectivity, partner connections

2. Segmentation Architecture Design

Design your segmentation zones based on asset classification, trust levels, and the principle of least privilege for network access.

Key Activities:

  • Define network zones: DMZ, production servers, user workstations, management network, backup network, IoT/OT
  • Separate domain controllers and identity infrastructure into a dedicated, highly restricted management zone
  • Isolate backup infrastructure from all production networks — ransomware operators deliberately target backups to prevent recovery
  • Create dedicated segments for high-value targets: financial systems, HR/PII databases, intellectual property
  • Design inter-zone firewall rules using deny-by-default — only allow explicitly required traffic
  • Plan for administrative access: dedicated management VLAN with jump servers (no direct admin access from user segments)
  • Design network segments to align with business units where possible for easier policy management

3. VLAN & Subnet Implementation

Implement the physical and logical network segmentation using VLANs, subnets, and layer-3 routing with access control lists.

Key Activities:

  • Create VLANs for each defined network zone on switches and configure trunk ports between switches
  • Assign subnets to each VLAN with appropriate sizing (plan for growth)
  • Configure inter-VLAN routing on layer-3 switches or firewalls with ACLs enforcing zone-to-zone policies
  • Implement 802.1X network access control (NAC) to authenticate devices before granting VLAN access
  • Configure DHCP scopes per VLAN with appropriate options (DNS, gateway, lease time)
  • Prune unused VLANs from trunk links to reduce exposure to VLAN hopping attacks
  • Test connectivity between zones — verify that only explicitly allowed traffic passes

4. Firewall Policy Configuration

Configure firewall rules between segments to enforce least-privilege network access while maintaining business operations.

Key Activities:

  • Implement deny-by-default between all segments — start with blocking everything, then add explicit allows
  • Create rules based on business requirements: source zone, destination zone, protocol, port, application
  • Block SMB (445) and RDP (3389) between user segments — these are the primary ransomware lateral movement protocols
  • Allow DNS only to designated internal DNS servers, not directly to the internet
  • Restrict management protocols (SSH, RDP, WinRM) to the management VLAN only
  • Enable logging on all firewall rules — especially deny rules — for visibility into blocked traffic
  • Review and audit firewall rules quarterly — remove rules that are no longer needed
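As an added example (not code from this guide), the zone plan from steps 2 and 3 and the deny-by-default allow-list from step 4 can be modelled so that individual flows are evaluated and the rule set is audited for the drift patterns listed later on the page. Zone names, subnets, ports and rule comments are constructed sample values.

```python
import ipaddress
from collections import namedtuple

ANY = "any"
# Constructed zone plan, one VLAN/subnet per zone (steps 2 and 3). Real values come from IPAM.
ZONES = {
    "users_hq":     ipaddress.ip_network("10.10.0.0/16"),
    "users_branch": ipaddress.ip_network("10.11.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/24"),
    "dc":           ipaddress.ip_network("10.30.0.0/28"),
    "backup":       ipaddress.ip_network("10.40.0.0/24"),
    "management":   ipaddress.ip_network("10.50.0.0/24"),
}
USER_ZONES = {z for z in ZONES if z.startswith("users_")}
LATERAL_PORTS = {445, 3389}  # SMB and RDP: never between user segments

# src/dst are zone names or ANY; ports is a frozenset of TCP ports or frozenset({ANY}).
Rule = namedtuple("Rule", "src dst ports comment")
# Explicit allow-list (step 4). Any flow not matched here is denied.
ALLOW = [
    Rule("users_hq", "dc", frozenset({53, 88, 389, 636}), "DNS/Kerberos/LDAP to DCs"),
    Rule("users_hq", "servers", frozenset({443}), "HTTPS to business apps"),
    Rule("management", "dc", frozenset({3389, 5985}), "RDP/WinRM from jump hosts only"),
    Rule("management", "backup", frozenset({22, 443}), "backup console from jump hosts"),
    Rule("servers", "backup", frozenset({9392}), "backup agent check-in"),
]

def zone_of(ip: str) -> str:
    """Zone whose subnet contains ip, or 'unknown' for unmapped addresses."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def is_allowed(src_ip: str, dst_ip: str, port: int, rules=ALLOW) -> bool:
    """A flow passes only if some allow rule matches; no match means deny."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src in (s, ANY) and r.dst in (d, ANY)
               and (port in r.ports or ANY in r.ports) for r in rules)

def audit(rules) -> list:
    """Flag the drift patterns listed under 'Firewall Rule Drift'."""
    findings = []
    for r in rules:
        if r.src == ANY and r.dst == ANY:
            findings.append(f"any-to-any rule negates segmentation: {r.comment}")
        if r.src in USER_ZONES and r.dst in USER_ZONES and (r.ports & LATERAL_PORTS or ANY in r.ports):
            findings.append(f"SMB/RDP allowed between user segments: {r.comment}")
        if r.src in USER_ZONES and r.dst == "backup":
            findings.append(f"user segment can reach backup zone: {r.comment}")
    return findings
```

Running `audit(ALLOW)` against the rule export before each quarterly review surfaces the temporary any-to-any and legacy SMB rules the guide warns about.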

5. Micro-Segmentation

Go beyond network-level segmentation with host-based micro-segmentation that controls traffic at the workload level.

Key Activities:

  • Deploy host-based firewalls (Windows Firewall, iptables) with centrally managed policies via GPO or configuration management
  • Implement application-aware micro-segmentation that controls traffic based on application identity, not just IP/port
  • Create workload-specific policies: web servers can only talk to app servers, app servers can only talk to database servers
  • Block workstation-to-workstation communication — there is rarely a legitimate business need for this
  • Use identity-based segmentation where policies follow the workload regardless of IP address (critical for cloud and containerized environments)
  • Implement micro-segmentation around critical assets first: domain controllers, backup servers, financial systems
  • Monitor micro-segmentation policy violations to detect lateral movement attempts

6. Monitoring & Maintenance

Network segmentation is not a set-and-forget control. Continuous monitoring, testing, and refinement are essential to maintain effectiveness.

Key Activities:

  • Deploy network detection and response (NDR) sensors at segment boundaries to detect anomalous cross-segment traffic
  • Monitor firewall logs for policy violations and unusual traffic patterns between segments
  • Conduct regular segmentation testing: can a device in the user segment reach the backup network? It should not
  • Test segmentation during red team exercises — verify that lateral movement is contained as designed
  • Maintain documentation of all segment boundaries, firewall rules, and business justifications for allowed traffic
  • Review and update segmentation architecture when new systems, locations, or cloud services are added
  • Track key metrics: number of segments, rules per segment, policy violations per week, mean time to detect cross-segment anomalies
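Added example, not part of the guide: the firewall log review from step 6, applied to constructed allow/deny log lines in a generic key=value format (real vendor exports differ). It flags any user-zone host touching the backup zone, distinguishing a denied attempt from an allowed flow that indicates a policy gap, and a user host fanning out to several peers on SMB/RDP. The zone subnets and the fan-out threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed zone map (subnets are sample values, not from the guide).
ZONES = {
    "users":  ipaddress.ip_network("10.10.0.0/16"),
    "dc":     ipaddress.ip_network("10.30.0.0/28"),
    "backup": ipaddress.ip_network("10.40.0.0/24"),
}
LATERAL_PORTS = {445, 3389}   # SMB and RDP
SCAN_THRESHOLD = 3            # distinct SMB/RDP targets from one host before alerting
# Constructed key=value firewall log lines in a generic format; real exports differ per vendor.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z action=allow src=10.10.4.20 dst=10.30.0.5 dport=88 proto=tcp
2024-05-01T09:00:03Z action=deny src=10.10.4.20 dst=10.40.0.10 dport=445 proto=tcp
2024-05-01T09:00:04Z action=allow src=10.10.4.20 dst=10.40.0.11 dport=445 proto=tcp
2024-05-01T09:00:05Z action=deny src=10.10.4.20 dst=10.10.7.2 dport=445 proto=tcp
2024-05-01T09:00:05Z action=deny src=10.10.4.20 dst=10.10.7.3 dport=445 proto=tcp
2024-05-01T09:00:06Z action=deny src=10.10.4.20 dst=10.10.7.4 dport=3389 proto=tcp
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def parse(log_text):
    """Yield a dict per line that matches the expected format; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def detect(log_text):
    """Return alerts for user->backup traffic and for user hosts fanning out on SMB/RDP."""
    alerts = []
    targets = defaultdict(set)   # src -> distinct user-zone hosts probed on SMB/RDP
    for r in parse(log_text):
        sz, dz = zone_of(r["src"]), zone_of(r["dst"])
        if sz == "users" and dz == "backup":
            kind = "POLICY GAP" if r["action"] == "allow" else "BLOCKED ATTEMPT"
            alerts.append(f"{kind}: {r['src']} -> backup {r['dst']}:{r['dport']}")
        if sz == "users" and dz == "users" and r["dport"] in LATERAL_PORTS:
            targets[r["src"]].add(r["dst"])
    for src, hosts in targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            alerts.append(f"LATERAL MOVEMENT: {src} probed {len(hosts)} user hosts on SMB/RDP")
    return alerts
```

The "BLOCKED ATTEMPT" alerts only exist because deny rules are logged, which is why the guide insists on logging denies as well as allows.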

Segmentation Approaches

Choose the approach that matches your infrastructure maturity and security goals.

Traditional VLAN Segmentation

Network segmentation using VLANs and layer-3 ACLs to create isolated network zones with firewall-controlled inter-zone traffic.

Advantages:

Well-understood, works with existing infrastructure, manageable complexity

Considerations:

Coarse-grained, IP-based (not identity-aware), configuration complexity grows with scale

Best For:

Most organizations as the foundational segmentation layer

Software-Defined Networking (SDN)

Programmatic network control using SDN controllers that centralize policy management and enable dynamic segmentation.

Advantages:

Centralized policy management, dynamic adaptation, visibility into traffic flows

Considerations:

Requires infrastructure investment, controller becomes critical dependency

Best For:

Large enterprises and data center environments

Host-Based Micro-Segmentation

Agent-based or OS-native firewalls that enforce segmentation policies at the workload level, independent of network topology.

Advantages:

Granular control, works across physical/virtual/cloud, follows workloads

Considerations:

Agent management overhead, requires application flow mapping, can impact performance

Best For:

Organizations with hybrid/multi-cloud environments or containerized workloads

Zero Trust Network Access (ZTNA)

Identity-centric access where no implicit trust exists based on network location. Every access request is authenticated, authorized, and encrypted.

Advantages:

Eliminates implicit trust, works for remote users, identity-aware policies

Considerations:

Significant implementation effort, may require application changes, user experience impact

Best For:

Organizations with distributed workforces and cloud-first strategies

Common Segmentation Gaps

These are the network architecture weaknesses most frequently exploited during ransomware attacks.

Flat Network Risks

  • All workstations on the same VLAN — ransomware can spread to every machine directly
  • Servers and workstations on the same subnet with no firewall between them
  • Backup servers accessible from user workstations and production servers
  • Domain controllers reachable from every segment without restriction
  • IoT and OT devices on the same network as corporate workstations

Firewall Rule Drift

  • Temporary allow-all rules added during troubleshooting and never removed
  • Overly broad rules (any-to-any) that negate segmentation benefits
  • No regular review of firewall rules — years of accumulated technical debt
  • SMB and RDP allowed between user segments for legacy application needs
  • No logging on deny rules — blind to what segmentation is actually blocking

Cloud & Hybrid Gaps

  • Cloud VPCs/VNets with overly permissive security groups allowing all internal traffic
  • Site-to-site VPN extending flat on-premises network into cloud without additional controls
  • No segmentation between cloud workloads and environments (dev/staging/prod on same network)
  • Container workloads with default allow-all network policies between pods
  • Lack of visibility into east-west traffic within cloud environments
