What is CertGuide.ai?

CertGuide.ai is an AI-powered certification prep platform that helps you pass CompTIA exams like Security+, Network+, and A+. It maps all exam concepts, diagnoses your weak areas, and creates personalized study plans.

How does CertGuide compare to CertMaster?

CertGuide.ai offers AI-powered diagnostics that map your knowledge across all 183 Security+ concepts, personalized study plans, and an AI tutor. Unlike traditional prep tools, CertGuide shows you exactly which concepts need work and tracks your progress to exam readiness.

What is the pass rate for CertGuide users?

99% of CertGuide users who reach 95% concept mastery pass their certification exam on the first attempt.

How much does CertGuide cost?

CertGuide offers a free baseline assessment to diagnose your current knowledge. Full course access is $79 per certification exam.

Which CompTIA certifications does CertGuide support?

CertGuide currently supports CompTIA Security+ (SY0-701), with Network+ and A+ (Core 1 & Core 2) launching soon.

Objective 2.5High Priority10 min read

Network Segmentation

Dividing networks into isolated segments to contain breaches, limit lateral movement, and control traffic flow between zones. Implemented through VLANs, subnets, firewalls, and micro-segmentation.

Understanding Network Segmentation

Network segmentation divides a network into smaller, isolated zones to improve security and contain potential breaches. When an attacker compromises one segment, proper segmentation prevents them from easily moving to other parts of the network.

Key segmentation benefits: • Breach containment — Limits damage from compromises • Lateral movement prevention — Blocks attacker progression • Traffic control — Filters traffic between zones • Compliance — Isolates regulated data (PCI DSS, HIPAA)

Segmentation is a foundational security control that reduces blast radius and enables granular access control.

Why This Matters for the Exam

Network segmentation is heavily tested on SY0-701 as a core mitigation technique. Questions cover implementation methods (VLANs, firewalls), zone design, and how segmentation prevents attack progression.

Understanding segmentation helps with security architecture decisions and incident response planning. Knowing network boundaries determines containment options during breaches.

The exam tests both conceptual understanding and practical implementation of segmentation strategies.

Deep Dive

VLANs (Virtual Local Area Networks)

Logical separation of networks at Layer 2.

How VLANs Work:

•Switch ports assigned to VLAN groups
•Traffic isolated between VLANs
•Requires router/Layer 3 to communicate between VLANs
•Same physical infrastructure, logical separation

VLAN Benefits:

Benefit	Description
Broadcast isolation	Broadcasts limited to VLAN
Security boundaries	Traffic separated logically
Flexibility	Change segment without rewiring
Cost efficiency	Single switch, multiple segments

VLAN Implementation:

•Port-based VLANs (most common)
•802.1Q tagging for trunk ports
•Management VLAN separate from user traffic
•Voice VLAN for VoIP

Subnets and IP Segmentation

Logical separation at Layer 3 using IP addressing.

Subnet Segmentation:

•Different IP ranges for different zones
•Routers control inter-subnet traffic
•ACLs filter traffic between subnets
•Enables granular routing decisions

Common Subnet Strategy:

•```
10.1.1.0/24 - Users
10.1.2.0/24 - Servers
10.1.3.0/24 - Management
10.1.4.0/24 - IoT/OT
10.1.5.0/24 - Guests
•```

DMZ (Demilitarized Zone)

Network segment between internal network and internet for public-facing services.

DMZ Architecture:

•```
•Internet → Firewall → DMZ → Firewall → Internal
• ↓
• Web Server
• Mail Server
• DNS Server
•```

DMZ Purpose:

•Hosts public-facing services
•Isolates internet exposure
•Protects internal network from direct access
•Compromised DMZ doesn't expose internal systems

DMZ Rules:

•Internet can reach DMZ services
•DMZ has limited internal access
•Internal can reach DMZ
•Internal protected from direct internet

Micro-Segmentation

Granular segmentation at the workload level.

Micro-Segmentation Characteristics:

•Individual workload isolation
•Policy enforcement at VM/container level
•East-west traffic control
•Software-defined approach

Micro-Segmentation vs. Traditional:

Traditional	Micro-Segmentation
Network-based	Workload-based
Perimeter focus	Internal focus
Coarse-grained	Fine-grained
Hardware-dependent	Software-defined

Implementation:

•Software-defined networking (SDN)
•Host-based firewalls
•Zero trust architecture
•Container network policies

Segmentation Strategies

Zone-Based Approach:

Zone	Contents	Trust Level
External	Internet	Untrusted
DMZ	Public services	Semi-trusted
Internal	Corporate resources	Trusted
Restricted	Sensitive data	Highly trusted

Functional Segmentation:

•User networks
•Server networks
•Development networks
•Production networks
•Management networks

Compliance Segmentation:

•PCI DSS cardholder data environment (CDE)
•HIPAA protected health information (PHI)
•Regulated data isolated from general network

Segmentation Controls

Firewalls:

•Inter-zone traffic filtering
•Stateful inspection
•Application layer filtering
•Logging and monitoring

Access Control Lists (ACLs):

•Router-based filtering
•Permit/deny by source, destination, port
•Quick, simple segmentation

Jump Servers/Bastion Hosts:

•Single access point to secure zones
•All administrative access through jump server
•Logging and monitoring point

How CompTIA Tests This

Example Analysis

Scenario: A company's network has all systems on a flat 10.0.0.0/16 network. A ransomware infection on one workstation spreads to file servers, databases, and eventually domain controllers within hours, affecting the entire organization.

Analysis - Lack of Segmentation:

What Went Wrong: • Flat network = no barriers between systems • Ransomware spread via SMB to all reachable systems • No containment boundaries • Lateral movement unrestricted

Proper Segmentation Design: ``` 10.1.0.0/24 - User Workstations (VLAN 10) 10.2.0.0/24 - File Servers (VLAN 20) 10.3.0.0/24 - Database Servers (VLAN 30) 10.4.0.0/24 - Domain Controllers (VLAN 40) 10.5.0.0/24 - Management (VLAN 50) ```

Segmentation Rules: • Workstations → File servers: Allowed (specific ports) • Workstations → Databases: Denied (via app servers only) • Workstations → DCs: Authentication only • All → Management: Denied (jump server required)

How Segmentation Would Help: 1. Ransomware infects workstation 2. Attempts lateral movement 3. Firewall blocks SMB to server VLANs 4. Infection contained to workstation segment 5. Servers and DCs unaffected

Key insight: Flat networks have no containment. Segmentation creates boundaries that stop or slow attack progression.

Key Terms to Know

network segmentationVLANsubnetDMZmicro-segmentationlateral movementnetwork isolationzero trust

Common Mistakes to Avoid

Thinking VLANs alone provide security—VLANs separate broadcast domains but need firewalls/ACLs to filter traffic between them.

Ignoring east-west traffic—traditional perimeter security misses lateral movement. Internal segmentation is essential.

Over-permissive inter-segment rules—segmentation is only effective if rules actually restrict traffic.

Forgetting management networks—management interfaces need their own secure segment, not mixed with user traffic.

Exam Tips

VLAN = Layer 2 logical separation. Needs router/firewall for inter-VLAN communication.

DMZ = Zone between internet and internal network for public services.

Micro-segmentation = Granular, workload-level isolation. Zero trust approach.

Segmentation contains breaches by limiting lateral movement.

PCI DSS requires segmentation to isolate cardholder data environment.

East-west traffic = Internal traffic between segments. North-south = In/out of network.

Memory Trick

"VSD-M" - Segmentation Methods

•VLANs (Layer 2 logical)
•Subnets (Layer 3 IP-based)
•DMZ (public service zone)
•Micro-segmentation (workload-level)

Segmentation Purpose: "Contain the Breach, Limit the Movement" = BLM (Breach containment, Lateral movement prevention, Movement control)

DMZ Position: Internet ← Outside → DMZ → Inside ← Internal "DMZ = Defense Middle Zone"

•Traffic Directions:
•North-South = In/out (through perimeter)
•East-West = Internal (lateral)
•Micro-segmentation controls E-W traffic

VLAN Security Reminder: "VLAN ≠ Firewall" VLANs separate, firewalls filter

Test Your Knowledge

Q1.A company wants to isolate their web servers that handle public internet traffic from their internal corporate network. What network architecture should they implement?

Q2.After a breach, investigators find that ransomware spread from a user workstation to servers across the entire network. What mitigation would have limited this lateral movement?

Q3.What is the PRIMARY difference between traditional network segmentation and micro-segmentation?

Want more practice with instant AI feedback?

Practice with AI

Continue Learning

Isolation Techniques Access Control Implementation

Ready to test your knowledge?

Practice questions on network segmentation and other Objective 2.5 concepts.

Start Practice

Back to Domain 2 Access Control Implementation