Network Segmentation & Zero Trust (SMB-ready) — Module 7

Theory + Real Example + 18-Question Quiz
Focus: Blast-Radius Reduction

1) Theory — Kill the flat network

Ransomware and intruders love a flat LAN: one phish, and they are everywhere. Segmentation carves the network into purpose-built zones with tightly controlled pathways between them. Zero Trust removes the implicit trust that used to come from being "inside": every access request is verified (identity, device health, context) and authorized only for the minimum needed.

Key points (at a glance):
  • From flat to tiers: User, Server, Management, and External/Partner zones at minimum.
  • Least-privilege flows: allow only required ports between specific sources and destinations.
  • Identity-aware access: VPN/ZTNA with device posture grants access to the application, not to the network.
  • Microsegmentation: host or workload-level policy (EDR/agent or overlay) for east-west control.
  • Measure blast radius: how many systems fall if one endpoint is owned? Shrink it.

1.1 Core segmentation model (practical)

  • User VLANs: employees/contractors; no direct RDP/SMB to servers by default.
  • Server VLANs: app/db/file servers; permit only app-required ports from frontends.
  • Management VLAN: jump hosts, monitoring, backup; accessible only from admin identities/devices.
  • External/Partner: vendors/IoT/guest Wi-Fi isolated; no lateral reach into user/server tiers.
  • DNS/DHCP/Identity: protected services with limited inbound/outbound; first to restore in incidents.

1.2 Controls that actually reduce risk

  • Firewall policy by application (L7) where possible; else strict L3/L4 ACLs with object groups.
  • ZTNA/identity-aware proxy: publish apps via IdP + device trust, not raw network access.
  • Privileged Access Workstations (PAWs): admins operate from hardened, isolated devices.
  • EDR + microsegmentation agent: block risky east-west (e.g., SMB/RDP) unless explicitly allowed.
  • Service isolation: unique service accounts per app tier; no shared creds across zones.
  • DNS security: sinkhole/block malicious domains; split-DNS to keep internal names internal.

1.3 Quick wins (SMB-friendly)

  1. Guest/IoT off the LAN: separate SSIDs/VLANs; internet-only, no internal routes.
  2. Block peer-to-peer admin: deny SMB/RDP from workstation to workstation; servers are reached only through the jump host.
  3. Printer/Camera cages: isolate and allow only essentials to print servers/NTP/DNS.
  4. Backups on their own lane: separate subnets/creds; immutable storage not writable from prod.
  5. Allowlist model: start with “deny any any,” then add needed flows; document each exception.

1.4 Mapping flows (how to design rules)

  • Inventory apps → list ports/protocols between components (web ↔ app ↔ DB).
  • Data sensitivity → crown jewels get extra segments and tighter paths.
  • User roles → finance, dev, support each see only their apps.
  • Default deny → enable only documented flows; review quarterly.
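As an added worked example (not the module's own tooling), the flow-mapping steps above, the allowlist model from the quick wins, and the "measure blast radius" point from the theory section, in Python. The zones, hosts and documented flows are constructed for illustration; the nftables rendering assumes named sets (@user, @app, ...) holding each VLAN's prefixes are defined elsewhere, and treats SMB, RDP, WinRM and SSH as the ports an attacker with stolen credentials can chain through.

```python
"""Flow inventory -> default-deny allowlist -> blast-radius measurement.

Added worked example, not the module's own tooling. Zones, hosts and flows
are constructed; to_nft() assumes named sets (@user, @app, ...) exist.
"""
from collections import deque

# Ports that let an attacker holding stolen credentials move between hosts.
# Assumption: if the policy allows one of these from A to B, owning A
# puts B inside the blast radius.
LATERAL_PORTS = {445, 3389, 5985, 22}   # SMB, RDP, WinRM, SSH

# Constructed inventory: host -> zone, following the 1.1 tier model.
SEGMENTED = {
    "pc-finance-01": "user", "pc-finance-02": "user", "pc-dev-01": "user",
    "web-01": "web",
    "app-01": "app", "db-01": "app", "fs-01": "app",
    "jump-01": "mgmt", "paw-01": "paw", "backup-01": "backup",
    "printer-01": "iot", "cam-01": "iot",
}
# The same hosts on one flat LAN (the "before" picture).
FLAT = {host: "lan" for host in SEGMENTED}

# Documented flows (src_zone, dst_zone, proto, dport); everything else is denied.
DOCUMENTED_FLOWS = [
    ("user", "web", "tcp", 443),      # browsers -> web front end
    ("web", "app", "tcp", 8443),      # front end -> app tier
    ("user", "app", "udp", 53),       # DNS
    ("user", "iot", "tcp", 9100),     # printing
    ("paw", "mgmt", "tcp", 3389),     # admin PAW -> jump host only
    ("mgmt", "app", "tcp", 3389),     # jump host -> servers
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "web", "tcp", 22),
    ("backup", "app", "tcp", 445),    # backup pulls from prod; prod never reaches backup
]


class Policy:
    """Allowlist policy over a host->zone map.

    intra_zone_open=True models VLANs without microsegmentation (hosts in one
    zone talk freely); False models quick win 2, workstation-to-workstation
    SMB/RDP denied by a host firewall or microsegmentation agent.
    """

    def __init__(self, hosts, flows, intra_zone_open=True):
        self.hosts = hosts
        self.flows = set(flows)
        self.intra_zone_open = intra_zone_open

    def allows(self, src, dst, proto, dport):
        if src == dst:
            return False
        src_zone, dst_zone = self.hosts[src], self.hosts[dst]
        if src_zone == dst_zone:
            return self.intra_zone_open
        return (src_zone, dst_zone, proto, dport) in self.flows

    def blast_radius(self, patient_zero):
        """Hosts reachable from patient_zero by chaining lateral-movement ports."""
        seen, queue = {patient_zero}, deque([patient_zero])
        while queue:
            current = queue.popleft()
            for candidate in self.hosts:
                if candidate in seen:
                    continue
                if any(self.allows(current, candidate, "tcp", p) for p in LATERAL_PORTS):
                    seen.add(candidate)
                    queue.append(candidate)
        seen.discard(patient_zero)
        return sorted(seen)

    def to_nft(self):
        """Render the allowlist as an nftables forward chain with policy drop
        (quick win 5: deny everything, then add the documented flows)."""
        lines = [
            "chain forward {",
            "  type filter hook forward priority 0; policy drop;",
            "  ct state established,related accept",
        ]
        for src_zone, dst_zone, proto, dport in sorted(self.flows):
            lines.append(f"  ip saddr @{src_zone} ip daddr @{dst_zone} "
                         f"{proto} dport {dport} accept")
        lines.append("}")
        return "\n".join(lines)


def compare(patient_zero="pc-finance-01"):
    """Blast radius of one phished PC under the three designs."""
    flat = Policy(FLAT, [])
    segmented = Policy(SEGMENTED, DOCUMENTED_FLOWS)
    microseg = Policy(SEGMENTED, DOCUMENTED_FLOWS, intra_zone_open=False)
    return {
        "flat": len(flat.blast_radius(patient_zero)),
        "segmented": len(segmented.blast_radius(patient_zero)),
        "microsegmented": len(microseg.blast_radius(patient_zero)),
    }


if __name__ == "__main__":
    print(compare())   # {'flat': 11, 'segmented': 2, 'microsegmented': 0}
    print(Policy(SEGMENTED, DOCUMENTED_FLOWS).to_nft())
```

The same phished finance PC reaches every other host on the flat LAN, two other workstations once the tiers are in place, and nothing once workstation-to-workstation SMB/RDP is also denied. Running blast_radius() from the jump host shows the other side of the design: the management tier legitimately reaches every server, which is why it is restricted to admin identities and PAWs rather than being treated as just another VLAN.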

1.5 Zero Trust pillars (applied)

  • Verify explicitly: strong identity + device compliance + context (geo/risk).
  • Least privilege access: scope to app, method, and time; JIT elevation for admins.
  • Assume breach: log and monitor; detect lateral movement; practice containment.
  • Segment everything: network, identity tiers, and data paths.

1.6 Incident playbook — lateral movement detected

  1. Isolate affected VLAN/workloads (firewall blocks or NAC quarantine); don't power off, so memory and other volatile evidence survive for forensics.
  2. Block high-risk east-west (SMB/RDP/WMI) broadly while scoping; allow only jump host paths.
  3. Rotate credentials, disable suspected accounts, and revoke tokens.
  4. Hunt persistence (scheduled tasks, services, GPOs); verify via EDR.
  5. Restore from clean points where needed; reopen flows incrementally with monitoring.
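As an added example (not the module's own code) of the "assume breach: detect lateral movement" pillar and of the signal that triggers this playbook, a small Python detector run over firewall log lines. The log format, the addresses, and the CIDR-to-zone map are all constructed for illustration; a real export (NetFlow, Zeek conn.log, a firewall's syslog) needs its own parser, but the logic is the same: one source touching many internal hosts on SMB/RDP/WinRM/SSH in a short window is east-west spread, and denied attempts count because a blocked sweep still means a compromised host.

```python
"""Detect east-west fan-out in firewall/flow logs.

Added worked example, not the module's own tooling. The log format and every
line in SAMPLE_LOG are constructed, as is the CIDR -> zone map.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

LATERAL_PORTS = {445, 3389, 5985, 22}     # SMB, RDP, WinRM, SSH
WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 5                      # distinct internal targets per source

# Constructed zone map standing in for the VLAN design from 1.1.
ZONES = {
    ipaddress.ip_network("10.10.0.0/24"): "user",
    ipaddress.ip_network("10.20.0.0/24"): "server",
    ipaddress.ip_network("10.30.0.0/24"): "mgmt",
}

# Constructed log: "<ISO timestamp> <src> <dst> <proto> <dport> <allow|deny>".
# 10.10.0.23 sweeps five hosts on SMB/RDP in nine seconds; the jump host
# 10.30.0.5 does routine admin work spread over 45 minutes.
SAMPLE_LOG = """\
2024-01-15T09:00:05 10.10.0.15 10.20.0.10 tcp 443 allow
2024-01-15T09:00:07 10.30.0.5 10.20.0.11 tcp 3389 allow
2024-01-15T09:01:00 10.10.0.23 10.10.0.31 tcp 445 deny
2024-01-15T09:01:02 10.10.0.23 10.10.0.32 tcp 445 deny
2024-01-15T09:01:03 10.10.0.23 10.10.0.33 tcp 445 deny
2024-01-15T09:01:05 10.10.0.23 10.20.0.12 tcp 445 deny
2024-01-15T09:01:09 10.10.0.23 10.20.0.13 tcp 3389 deny
2024-01-15T09:02:30 10.30.0.5 10.20.0.12 tcp 22 allow
2024-01-15T09:45:00 10.30.0.5 10.20.0.13 tcp 22 allow
""".splitlines()


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return "external"


def parse(line):
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "action": action}


def detect_fanout(lines):
    """(src, window_start, targets) for each source whose distinct internal
    targets on lateral ports reach FANOUT_THRESHOLD inside WINDOW.
    Denied connections are counted: a blocked sweep is still a signal."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] in LATERAL_PORTS and zone_of(e["dst"]) != "external":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):              # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append((src, evs[start]["ts"], sorted(targets)))
                break                            # one alert per source
    return alerts


def detect_policy_violations(lines):
    """User-zone sources touching server/mgmt on lateral ports, allowed or not.
    With the 1.1 design in place these should never be 'allow'; a 'deny' is
    still worth a ticket because a workstation should not be trying."""
    hits = []
    for e in map(parse, lines):
        if (e["dport"] in LATERAL_PORTS and zone_of(e["src"]) == "user"
                and zone_of(e["dst"]) in ("server", "mgmt")):
            hits.append((e["src"], e["dst"], e["dport"], e["action"]))
    return hits


if __name__ == "__main__":
    for src, since, targets in detect_fanout(SAMPLE_LOG):
        print(f"FAN-OUT {src} since {since}: {len(targets)} targets {targets}")
    for hit in detect_policy_violations(SAMPLE_LOG):
        print("USER->SERVER lateral port:", hit)
```

On the constructed log the detector raises one fan-out alert for 10.10.0.23 and two user-to-server policy violations, and stays quiet for the jump host, whose three targets over 45 minutes are the normal admin pattern the management tier exists for. Tune WINDOW and FANOUT_THRESHOLD against a week of your own flows before alerting on them, and feed the source address straight into step 1 of the playbook (NAC quarantine or a firewall block).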

2) Real-world example

Accounts PC phished, file server safe. Before segmentation, one phish encrypted the whole share. After the redesign, user VLANs could not reach SMB on servers directly; only the jump host could. When another phish landed, the encryption stayed on the one machine: IR rebuilt the PC and finance had no outage. Blast radius collapsed from "entire company" to "one machine." The exposure that remains is whatever the phished user's own account can still write to over its sanctioned path, which is why share-level least privilege and immutable, separately credentialed backups (quick win 4) sit alongside the network rules rather than being replaced by them.

3) Assessment — 18 Professional Questions

1) Primary goal of segmentation?

2) Which default posture is strongest?

3) Best path from user PCs to servers?

4) ZTNA improves on VPN by:

5) Which traffic should be broadly blocked between user subnets?

6) Best placement for backup servers?

7) Microsegmentation is primarily about:

8) Which identity control pairs best with segmentation?

9) IoT/printers should:

10) Best rule-writing approach?

11) Why use PAWs for admins?

12) Which signal should alert you to east-west spread?

13) What’s the most secure remote access method for a single internal app?

14) Which policy shrinks blast radius if a helpdesk account is phished?

15) Best way to bring a legacy app into Zero Trust?

16) Which default for inter-VLAN is sensible?

17) Why isolate guest Wi-Fi?

18) First firewall move during an active lateral-movement incident?
