Network segmentation: access control, outbound traffic and port exposure
Network segmentation divides the network into distinct zones with access controls between them. The goal isn't to prevent all communication, but to ensure only necessary communications are allowed. A network without segmentation allows an attacker who compromises a user workstation to communicate directly with database servers, backup systems, and network equipment.
Zone architecture
A typical zone architecture separates the network into several trust levels. DMZ (demilitarized zone): internet-accessible servers (web, email, VPN). Internal network: user workstations, internal services. Server network: business applications, databases. Administration network: network equipment, backup systems, administration tools. Out-of-band management network (OOB): IPMI, management consoles.
Network access control
Network access control (NAC) ensures only authorised and compliant devices can connect to the network. 802.1X enables authenticating devices before granting network access (with a certificate or credentials). Without NAC, an attacker connecting a device to the physical network (or Wi-Fi) immediately gains internal network access.
Outbound traffic controls
Most firewalls control inbound traffic but leave outbound traffic unrestricted. An attacker who compromises an internal server can establish an outbound connection (reverse shell, DNS tunnel, HTTPS to a C2 server) without being blocked. Strict egress rules limit available exfiltration channels. Application servers generally only need to contact the services they directly interact with.
Egress rules principle (iptables)
# Par défaut : rejeter tout le trafic sortant
iptables -P OUTPUT DROP
# Autoriser uniquement les connexions nécessaires :
# DNS vers le serveur DNS interne
iptables -A OUTPUT -p udp --dport 53 -d 10.0.0.5 -j ACCEPT
# HTTPS vers l'API externe
iptables -A OUTPUT -p tcp --dport 443 -d 203.0.113.10 -j ACCEPT
# Connexions établies (réponses)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Uncontrolled network port exposure
Services exposed on unnecessary network ports increase the attack surface. Regularly perform: scan open ports on servers (nmap -sV), identify services listening on all interfaces (0.0.0.0) when they should only listen on the local or internal interface, verify firewall rules and cloud security groups.
Wireless client isolation
Without Wi-Fi client isolation, devices connected to the same wireless network can communicate directly with each other. In a guest network or shared space, this allows an attacker connected to the Wi-Fi to target other clients. Client isolation (client isolation or AP isolation) prevents this direct communication: clients can only communicate with the gateway, not with each other.
Remote access protection
Remote access (VPN, SSH, RDP) must be strictly controlled. VPN with MFA for all remote access. SSH access restricted to specific source IPs or via a bastion host. RDP only via VPN, never directly exposed to the internet. Logging all remote connections. Obsolete remote access solutions (PPTP, L2TP without IPsec) must be replaced.
Further reading
A question after reading?
Want to assess your network segmentation architecture? Send a message.
Or book a 30-minute scoping call directly
Book a call →