How to Segment Your Network for Better Security

Network segmentation is one of the most effective security measures a business can implement, yet it remains one of the most overlooked. In a flat, unsegmented network — which is how most small and medium-sized businesses in the UK operate — every device can communicate directly with every other device. This means that if a single workstation is compromised by malware, the attacker can potentially move laterally across your entire network, accessing servers, databases, and other critical systems without encountering any barriers.

The principle behind network segmentation is simple: divide your network into smaller, isolated segments, each with its own access controls and security policies. Devices in one segment can only communicate with devices in another segment if explicitly permitted by firewall rules. This dramatically limits the blast radius of a security breach, contains malware outbreaks, protects sensitive data, and makes your network far easier to monitor and manage.

This guide explains what network segmentation is, why it matters for UK businesses of all sizes, and provides a practical, step-by-step approach to implementing segmentation using VLANs and firewall rules.

Key figures cited by the article:

  • 85% of ransomware spreads via lateral movement on flat networks
  • 73% reduction in breach impact with proper network segmentation
  • £3.4M: average cost of a UK data breach in 2024
  • 22% of UK SMEs have implemented network segmentation

Why Flat Networks Are Dangerous

To understand why network segmentation matters, consider what happens when a cyber attack hits a flat network. An employee clicks a malicious link in a phishing email. Malware is downloaded to their workstation. On a flat network, that workstation can see and communicate with every other device — including your file server, your accounts system, your CRM database, and your backup server.

The malware scans the network, discovers these systems, and begins moving laterally. It compromises the file server and encrypts all shared files. It reaches the accounts system and exfiltrates financial data. It finds the backup server and encrypts or deletes your backups. Within hours, your entire business is paralysed, and recovery is impossible without paying a ransom — with no guarantee that payment will restore your data.

Now consider the same scenario with a properly segmented network. The compromised workstation sits in the user VLAN, which has no direct access to the server VLAN, the database VLAN, or the backup VLAN. The malware scans the local segment and finds only other user workstations. It cannot reach your servers, cannot access your databases, and cannot touch your backups. The breach is contained to a single segment, giving your IT team time to detect, isolate, and remediate the threat before critical systems are affected.

NCSC Guidance on Network Segmentation

The National Cyber Security Centre explicitly recommends network segmentation as a key defence against ransomware and lateral movement attacks. Their guidance states that organisations should "segment networks to limit the impact of a compromise" and "use firewalls or access control lists to control traffic between segments." For businesses pursuing Cyber Essentials Plus certification, demonstrating network segmentation can strengthen your assessment significantly.

Understanding VLANs: The Foundation of Segmentation

Virtual Local Area Networks, or VLANs, are the primary technology used to implement network segmentation. A VLAN is a logical grouping of network ports that creates a separate broadcast domain, even when the devices are connected to the same physical switch. Devices in one VLAN cannot communicate with devices in another VLAN without traffic being routed through a firewall or Layer 3 switch, where access control rules can be applied.

Think of VLANs as invisible walls within your network switch. Physically, all your devices may be connected to the same switch hardware, but logically, they are separated into distinct networks. A workstation on VLAN 10 cannot see or communicate with a server on VLAN 20 unless a router or firewall explicitly permits the traffic and defines which ports and protocols are allowed.

Modern managed switches from manufacturers like Cisco, HP/Aruba, and Ubiquiti (UniFi) all support VLANs. If your business is currently using unmanaged switches — the kind you buy from Amazon for £30 — you will need to upgrade to managed switches to implement VLANs. This is a worthwhile investment; managed switches capable of supporting a small business network start from around £200 to £500.

Designing Your Segmentation Strategy

Before configuring any VLANs, you need to design your segmentation strategy. This involves identifying the different categories of devices and data on your network and determining how they should be grouped and what communication between groups should be permitted.

Example VLAN design (VLAN, purpose, example devices, security level):

VLAN 10 — Corporate
  Purpose: Staff workstations and laptops
  Example devices: Desktops, company laptops
  Security level: Medium

VLAN 20 — Servers
  Purpose: Production servers and databases
  Example devices: File server, SQL server, app servers
  Security level: High

VLAN 30 — Guest
  Purpose: Visitor internet access only
  Example devices: Guest Wi-Fi devices
  Security level: Restricted

VLAN 40 — IoT
  Purpose: Smart devices, printers, cameras
  Example devices: Printers, CCTV, sensors
  Security level: Isolated

VLAN 50 — Management
  Purpose: Network infrastructure management
  Example devices: Switches, firewalls, access points
  Security level: Very High

VLAN 60 — Finance
  Purpose: Financial systems and users
  Example devices: Accounts team PCs, finance server
  Security level: Very High

Implementing VLANs Step by Step

With your segmentation design in place, implementation follows a structured process. The exact steps will vary depending on your switch and firewall hardware, but the general approach is consistent across all platforms.

Step 1: Configure VLANs on Your Switch

Log into your managed switch administration interface and create each VLAN according to your design. Assign a VLAN ID (the number), a name (for easy identification), and designate which physical switch ports belong to each VLAN. Ports connected to staff workstations are assigned to the corporate VLAN. Ports connected to servers go in the server VLAN. Guest Wi-Fi access points are assigned to the guest VLAN, and so on.

Step 2: Configure Trunk Ports

Trunk ports carry traffic from multiple VLANs between switches and between your switch and firewall. Any port connecting one switch to another, or connecting a switch to a firewall or router, should be configured as a trunk port with the appropriate VLANs tagged. This allows traffic from all VLANs to traverse the link while maintaining VLAN separation.

Step 3: Set Up Inter-VLAN Routing

By default, VLANs are completely isolated — no traffic can pass between them. To allow necessary communication (for example, allowing corporate workstations to access the file server), you need inter-VLAN routing. This is handled by your firewall or a Layer 3 switch, which routes traffic between VLANs while applying access control rules.

Step 4: Create Firewall Rules

This is where the real security benefit materialises. Create specific firewall rules that define exactly what traffic is permitted between VLANs. The default rule should be to deny all inter-VLAN traffic, and then add explicit allow rules only for the specific communications that are required. For example, allow VLAN 10 to access the file share service on VLAN 20, but block all other traffic between these VLANs.

Recommended Firewall Rules

  • Corporate VLAN to Server VLAN: Allow specific ports only (e.g., SMB 445, HTTPS 443)
  • Guest VLAN to Internet: Allow HTTP/HTTPS only
  • Guest VLAN to all internal VLANs: Deny all
  • IoT VLAN to Internet: Allow specific services only
  • IoT VLAN to Corporate/Server: Deny all
  • Management VLAN: Allow from IT admin workstations only
  • Finance VLAN to Server: Allow finance application ports only
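The following is an added example, not code from the article or from CloudSwitched: a small policy checker that encodes the four implementation steps and the recommended rules above as a default-deny inter-VLAN table, so you can test a planned flow before touching the firewall. The subnets (10.0.<VLAN ID>.0/24), the admin workstation addresses, the IoT internet services and the finance application port are all assumed values for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for the VLANs in the design table (not from the article):
# each VLAN gets a /24 whose third octet is the VLAN ID.
VLAN_SUBNETS = {
    10: ip_network("10.0.10.0/24"),  # Corporate
    20: ip_network("10.0.20.0/24"),  # Servers
    30: ip_network("10.0.30.0/24"),  # Guest
    40: ip_network("10.0.40.0/24"),  # IoT
    50: ip_network("10.0.50.0/24"),  # Management
    60: ip_network("10.0.60.0/24"),  # Finance
}
INTERNET = "internet"  # any address outside the VLAN subnets above

# Assumed IT admin workstations, for "Management VLAN: allow from IT admin workstations only".
ADMIN_HOSTS = {ip_address("10.0.10.5"), ip_address("10.0.10.6")}

# Explicit allow rules: (src_zone, dst_zone) -> permitted (proto, dport) pairs.
# Anything not listed is denied, which implements the default-deny rule.
ALLOW = {
    (10, 20): {("tcp", 445), ("tcp", 443)},        # corporate -> file share and HTTPS services
    (10, INTERNET): {("tcp", 80), ("tcp", 443)},   # assumed: staff web browsing
    (30, INTERNET): {("tcp", 80), ("tcp", 443)},   # guest: HTTP/HTTPS only
    (40, INTERNET): {("udp", 123), ("tcp", 443)},  # IoT: assumed NTP and vendor cloud only
    (60, 20): {("tcp", 8443)},                     # finance application port (assumed value)
}

def zone_of(ip):
    """Return the VLAN ID an address sits in, or INTERNET if it is in none of them."""
    addr = ip_address(ip)
    for vlan_id, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan_id
    return INTERNET

def evaluate(src_ip, dst_ip, proto, dport):
    """Decide 'allow' or 'deny' for one flow under the default-deny inter-VLAN policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same VLAN: switched locally, the firewall never sees it
    if dst == 50:       # management VLAN: gate on the source host, not on the port
        return "allow" if ip_address(src_ip) in ADMIN_HOSTS else "deny"
    if (proto, dport) in ALLOW.get((src, dst), set()):
        return "allow"
    return "deny"       # default deny: guest/IoT -> internal, corporate -> RDP, and so on
```

Running a planned flow through evaluate() before deploying a rule is a cheap way to catch the first mistake in the list below: VLANs that exist but permit everything between them.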

Common Segmentation Mistakes

  • Creating VLANs but allowing all traffic between them
  • Forgetting to segment the guest Wi-Fi network
  • Leaving IoT devices on the corporate VLAN
  • Not restricting management VLAN access
  • Using overly broad firewall permit rules
  • Failing to segment the backup infrastructure
  • Not documenting VLAN assignments and rules

Segmenting Wi-Fi Networks

Wireless networks require special attention in a segmentation strategy. Modern business Wi-Fi access points support multiple SSIDs (network names), each mapped to a different VLAN. This allows you to broadcast separate wireless networks for corporate devices, guest access, and IoT devices, all from the same physical access points.

Your corporate SSID should use WPA3-Enterprise authentication (or WPA2-Enterprise as a minimum), which authenticates each user individually using their Active Directory credentials. This ensures that only authorised staff can connect and provides an audit trail of who connected and when. The corporate SSID is mapped to your corporate VLAN.

Your guest SSID should use a captive portal that requires visitors to accept your acceptable use policy before gaining internet access. It should be mapped to the guest VLAN, which has internet access only and no access to any internal resources. The guest network should also have bandwidth limits to prevent visitors from consuming excessive internet capacity.

Any IoT devices that connect wirelessly — wireless printers, smart displays, environmental sensors — should connect to a dedicated IoT SSID mapped to the IoT VLAN. This prevents compromised IoT devices from accessing corporate or server resources.

Benefits cited by the article:

  • Reduction in lateral movement risk: 85%
  • Improvement in network visibility: 75%
  • Reduction in compliance audit findings: 60%
  • Faster incident containment: 70%

Monitoring Segmented Networks

Network segmentation is not a set-and-forget measure. You need ongoing monitoring to ensure your segmentation is working as intended, to detect any unauthorised communication between segments, and to identify when new devices are connected to the wrong VLAN.

Your firewall logs are your primary source of visibility. Every denied inter-VLAN connection attempt is logged, showing you what devices are trying to communicate across segment boundaries. Regular review of these logs reveals misconfigured devices, shadow IT, and potential security incidents. A sudden spike in denied traffic from the IoT VLAN towards the server VLAN, for example, could indicate a compromised IoT device attempting lateral movement.
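As an added example (not from the article or from any monitoring product it names), the detection described above, written against a constructed firewall log: group denied cross-segment attempts per source host and five-minute window, and flag any host that crosses a threshold, reporting the ports it tried. The log line format, the 10.0.<VLAN ID>.0/24 addressing and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed addressing: VLAN ID is the third octet of 10.0.X.0/24 (not from the article).
VLAN_NAMES = {10: "corporate", 20: "servers", 30: "guest", 40: "iot", 50: "mgmt", 60: "finance"}

def vlan_of(ip):
    """Name the VLAN an address belongs to, or 'internet' if it is outside all of them."""
    addr = ip_address(ip)
    for vid, name in VLAN_NAMES.items():
        if addr in ip_network(f"10.0.{vid}.0/24"):
            return name
    return "internet"

# Assumed firewall log format, constructed for this example.
DENY_LINE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)$")

def denied_flows(lines):
    """Parse DENY lines into (timestamp, src_ip, src_vlan, dst_vlan, dport); skip the rest."""
    flows = []
    for line in lines:
        m = DENY_LINE.match(line.strip())
        if m:
            ts, src, dst, _proto, port = m.groups()
            flows.append((datetime.fromisoformat(ts), src, vlan_of(src), vlan_of(dst), int(port)))
    return flows

def find_spikes(lines, window_minutes=5, threshold=5):
    """Return {(src_ip, src_vlan, dst_vlan): (count, sorted dports)} for hosts at/over threshold."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, svlan, dvlan, port in denied_flows(lines):
        window = (ts.date(), (ts.hour * 60 + ts.minute) // window_minutes)
        buckets[(src, svlan, dvlan, window)][0] += 1
        buckets[(src, svlan, dvlan, window)][1].add(port)
    return {(src, svlan, dvlan): (n, sorted(ports))
            for (src, svlan, dvlan, _), (n, ports) in buckets.items() if n >= threshold}

SAMPLE_LOG = [  # constructed: a CCTV camera on the IoT VLAN probing the server VLAN
    "2024-05-02T09:15:01 DENY src=10.0.40.12 dst=10.0.20.5 proto=tcp dport=445",
    "2024-05-02T09:15:02 DENY src=10.0.40.12 dst=10.0.20.5 proto=tcp dport=3389",
    "2024-05-02T09:15:02 DENY src=10.0.40.12 dst=10.0.20.6 proto=tcp dport=445",
    "2024-05-02T09:15:03 DENY src=10.0.40.12 dst=10.0.20.7 proto=tcp dport=22",
    "2024-05-02T09:15:04 DENY src=10.0.40.12 dst=10.0.20.8 proto=tcp dport=1433",
    "2024-05-02T09:16:10 ALLOW src=10.0.10.23 dst=10.0.20.5 proto=tcp dport=445",
    "2024-05-02T09:20:30 DENY src=10.0.30.8 dst=10.0.20.5 proto=tcp dport=443",  # one-off guest deny
]
```

find_spikes(SAMPLE_LOG) returns a single entry for 10.0.40.12 (iot -> servers) with five denials across four distinct ports, while the lone guest denial stays below the threshold; a real deployment would replace SAMPLE_LOG with a tail of the firewall's export.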

Network monitoring tools such as PRTG, Nagios, or the monitoring built into platforms like Cisco Meraki or UniFi provide dashboards showing traffic patterns across your VLANs. These tools help you identify performance issues, capacity constraints, and anomalous behaviour that warrants investigation.

Implementation coverage (chart figures from the original page):

  • VLAN configuration: 100%
  • Firewall rule implementation: 90%
  • Wi-Fi SSID segmentation: 85%
  • Monitoring and alerting: 75%

Segmentation and Compliance

For UK businesses subject to regulatory requirements, network segmentation is often not just a best practice but a compliance requirement. PCI DSS, which applies to any business that processes card payments, explicitly requires network segmentation to isolate the cardholder data environment from the rest of the network. Failure to segment your network significantly increases the scope of your PCI DSS assessment and the cost of compliance.

UK GDPR requires organisations to implement "appropriate technical and organisational measures" to protect personal data. The ICO has cited network segmentation as an example of an appropriate technical measure, particularly for protecting databases containing personal data from unauthorised access. If your organisation processes sensitive personal data — health records, financial information, or criminal records — network segmentation is effectively a requirement rather than a recommendation.

Cyber Essentials, the UK government-backed certification scheme, requires organisations to protect internal network services from unauthorised access. While the basic Cyber Essentials certification does not mandate VLANs specifically, Cyber Essentials Plus assessors will look favourably on segmented networks, and the underlying requirement for access control is much easier to demonstrate with proper segmentation in place.

Need Help Segmenting Your Network?

Cloudswitched designs and implements network segmentation for UK businesses of all sizes. From VLAN configuration to firewall rule design, we create segmented networks that improve security, support compliance, and protect your critical data from lateral movement attacks.
