Segmentation, DMZ, VLAN, VPN, NAC, and IoT
Key Takeaways
- Segmentation limits which systems can communicate and reduces the blast radius of compromise.
- A DMZ exposes selected services to untrusted networks while separating them from internal systems.
- VLANs separate Layer 2 broadcast domains, but routing and firewall policy still determine allowed communication.
- VPNs protect traffic over untrusted networks, while NAC checks identity, device posture, or policy before access.
- IoT and embedded devices should be segmented because they are often difficult to patch and monitor.
Network design should assume that some controls will fail and some systems will be compromised. Segmentation reduces the damage by limiting what a user, device, workload, or attacker can reach. It is a core defense-in-depth idea: do not rely on one perimeter firewall to protect everything behind it.
Segmentation and Defense in Depth
Segmentation divides a network into zones based on trust, function, sensitivity, or business need. User workstations, servers, payment systems, guest wireless, management networks, development systems, backups, and industrial or building systems may belong in separate segments. The purpose is not just neat diagrams. The purpose is controlled communication. A guest phone should not reach a domain controller. A compromised workstation should not freely connect to database servers. A camera should not administer a firewall.
Defense in depth uses multiple layers of controls. A server may be protected by a network firewall, host firewall, strong authentication, patching, logging, EDR, backups, and restricted administrative access. If one layer fails, another may still reduce risk.
DMZ
A demilitarized zone is a network segment for systems that must be reachable from a less trusted network, often the internet, while still being separated from the internal network. Public web servers, reverse proxies, mail gateways, or VPN portals may sit in a DMZ. The DMZ should allow only necessary traffic. For example, internet users may reach a reverse proxy on HTTPS, the proxy may reach an application server on a specific port, and the application server may reach a database on a specific port. Broad access from the internet to internal databases would defeat the purpose.
VLANs and Micro-Segmentation
A virtual LAN separates Layer 2 broadcast domains on shared switching infrastructure. VLANs help organize traffic, but they are not complete security by themselves. If traffic is routed between VLANs with permissive rules, separation is weak. Inter-VLAN communication should be controlled by routing policy, access control lists, or firewalls.
Micro-segmentation applies fine-grained controls between workloads, often in data center, virtualized, or cloud environments. Instead of trusting everything inside a server network, policy may allow only specific application-to-database flows or management access from approved jump hosts. This reduces lateral movement.
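The DMZ tiering described above and the inter-VLAN rule of thumb in this section come down to one thing: an explicit, default-deny policy between zones. The following zone-based policy evaluator is an added example, not code from the original text; the address ranges, zone names, ports and rules are constructed for illustration and stand in for whatever a real firewall or router ACL would carry.

```python
import ipaddress
from dataclasses import dataclass

# Constructed IPv4 zones using private and documentation address space; not a real network.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),    # reverse proxies
    "app":      ipaddress.ip_network("10.10.20.0/24"),   # application servers
    "db":       ipaddress.ip_network("10.10.30.0/24"),   # database servers
    "users":    ipaddress.ip_network("10.10.40.0/24"),   # workstations
    "guest":    ipaddress.ip_network("10.10.50.0/24"),   # guest wireless
    "mgmt":     ipaddress.ip_network("10.10.90.0/24"),   # jump hosts / admins
}


def zone_of(ip: str) -> str:
    """Longest-prefix match; any IPv4 address outside the named zones falls into 'internet'."""
    addr = ipaddress.ip_address(ip)
    return max((net.prefixlen, name) for name, net in ZONES.items() if addr in net)[1]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: int


# Explicit allow list; any flow not listed here is dropped (default deny).
RULES = [
    Rule("internet", "dmz",      "tcp", 443),   # public users -> reverse proxy (HTTPS) only
    Rule("dmz",      "app",      "tcp", 8443),  # proxy -> application tier on one port
    Rule("app",      "db",       "tcp", 5432),  # application tier -> database on one port
    Rule("users",    "app",      "tcp", 8443),  # internal users also go through the app tier
    Rule("mgmt",     "db",       "tcp", 22),    # admin access to databases only from jump hosts
    Rule("mgmt",     "app",      "tcp", 22),
    Rule("guest",    "internet", "tcp", 443),   # guests get the internet and nothing else
    Rule("guest",    "internet", "tcp", 80),
]


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate one flow against the inter-zone policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic inside one VLAN is switched, not routed, so this policy never sees it.
        # Only micro-segmentation (host firewalls, hypervisor or cloud policy) constrains it.
        return True
    return any(
        r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
        for r in RULES
    )


def reachable_zones(src_zone: str) -> list[str]:
    """Zones a source zone can open any connection to: a rough blast-radius view."""
    return sorted({r.dst for r in RULES if r.src == src_zone})


if __name__ == "__main__":
    for flow in [("203.0.113.7", "192.0.2.10", "tcp", 443),    # internet -> proxy
                 ("203.0.113.7", "10.10.30.5", "tcp", 5432),   # internet -> database
                 ("192.0.2.10", "10.10.30.5", "tcp", 5432),    # proxy skipping the app tier
                 ("10.10.50.8", "10.10.30.5", "tcp", 5432)]:   # guest -> database
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
    print("guest can reach:", reachable_zones("guest"))
```

The point of `reachable_zones` is the review question a segmentation design should answer directly: from this zone, what can be reached at all? If a VLAN were added without a matching entry in `RULES`, nothing would reach it and nothing in it could leave, which is the correct starting position before flows are justified and added.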
VPN and NAC
A VPN creates an encrypted tunnel for remote users or site-to-site connections. It protects traffic over untrusted networks, but it should still require strong identity, MFA where appropriate, endpoint posture checks, and least-privilege access. A user connected to the VPN should not automatically reach every internal system.
Network access control evaluates whether a device or user should be allowed onto a network and what access they should receive. NAC may check authentication, certificate presence, device compliance, patch level, EDR status, or ownership. Noncompliant devices may be denied, quarantined, or placed on a remediation network.
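The posture checks listed above are the inputs to a NAC decision, and the outcomes (deny, quarantine, limited access, full access) are its outputs. The decision function below is an added illustration, not code from the original text or from any NAC product; the posture fields, the 30-day patch threshold and the VLAN names are constructed assumptions, and a real deployment would take these signals from 802.1X, a certificate check and an endpoint agent.

```python
from dataclasses import dataclass

MAX_PATCH_AGE_DAYS = 30   # constructed compliance threshold


@dataclass
class DevicePosture:
    mac: str
    user_authenticated: bool       # identity check (for example 802.1X) passed
    has_device_certificate: bool   # machine certificate proves corporate enrolment
    corporate_owned: bool          # ownership check
    edr_running: bool              # endpoint agent reporting in
    patch_age_days: int            # days since the last successful patch cycle


def nac_decision(d: DevicePosture) -> dict:
    """Map a device's posture to an action, the VLAN it is placed on, and the reasons.
    Returning the reasons keeps the decision auditable and tells the user what to fix."""
    if not d.user_authenticated:
        return {"action": "deny", "vlan": None, "reasons": ["authentication failed"]}
    if not (d.has_device_certificate and d.corporate_owned):
        # Known user on an unmanaged device: limited access, never the corporate VLAN.
        return {"action": "limit", "vlan": "byod", "reasons": ["unmanaged device"]}
    reasons = []
    if not d.edr_running:
        reasons.append("EDR agent not running")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if reasons:
        # Compliant identity, noncompliant device: remediation network only.
        return {"action": "quarantine", "vlan": "remediation", "reasons": reasons}
    return {"action": "allow", "vlan": "corp", "reasons": []}


def summarize(devices: list[DevicePosture]) -> dict[str, int]:
    """Count devices per action, the kind of view a NAC dashboard shows."""
    counts: dict[str, int] = {}
    for d in devices:
        action = nac_decision(d)["action"]
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample devices.
SAMPLE_DEVICES = [
    DevicePosture("00:11:22:33:44:01", True,  True,  True,  True,  7),    # healthy corporate laptop
    DevicePosture("00:11:22:33:44:02", True,  True,  True,  False, 3),    # EDR stopped
    DevicePosture("00:11:22:33:44:03", True,  True,  True,  True,  65),   # unpatched
    DevicePosture("00:11:22:33:44:04", True,  False, False, False, 0),    # personal phone
    DevicePosture("00:11:22:33:44:05", False, False, False, False, 0),    # unknown device
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.mac, nac_decision(d))
    print(summarize(SAMPLE_DEVICES))
```

Note the ordering: identity is checked first, then ownership, then health. A device that fails later checks is not simply dropped but moved to a network where it can reach patch and EDR servers and nothing else, which is the remediation-network outcome the section describes.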
IoT and Embedded Devices
IoT and embedded systems include cameras, badge readers, printers, sensors, medical devices, building controls, and industrial controllers. They often have weak update processes, long lifecycles, default credentials, limited logging, and uneven vendor support. They should be placed in restricted segments with only required traffic allowed. A badge reader may need to reach its controller, but it should not browse the internet or connect to finance file shares.
Practical Scenario
A company discovers that guest wireless clients can scan internal servers. The fix is not user awareness alone. Place guests in a separate VLAN or network, restrict routing to the internet only, apply firewall policy, and monitor for violations. Another scenario: security cameras share a network with workstations. Segment the cameras, block unnecessary outbound access, change default credentials, and monitor vendor connections. These are practical examples of segmentation reducing blast radius.
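Both scenarios end with "monitor for violations", and the check is the same in each case: flows that cross a segment boundary the policy says should not be crossed. The script below is an added example, not code from the original text. It runs over constructed flow records (the format, addresses, the camera controller address and the scan threshold are all assumptions) and reports guest clients reaching internal hosts, guest sources touching enough distinct internal services to look like a scan, and cameras talking to anything other than their controller.

```python
import ipaddress
from collections import defaultdict

# Constructed zones for the two scenarios: guest wireless and a camera network.
ZONES = {
    "guest":   ipaddress.ip_network("10.10.50.0/24"),
    "cameras": ipaddress.ip_network("10.10.60.0/24"),
    "servers": ipaddress.ip_network("10.10.30.0/24"),
    "users":   ipaddress.ip_network("10.10.40.0/24"),
}
CAMERA_CONTROLLER = "10.10.30.200"   # assumed: the only host cameras legitimately reach
SCAN_THRESHOLD = 5                   # assumed: distinct internal (host, port) pairs from one guest


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Constructed flow records in the form "timestamp src dst proto dport" (one flow per line).
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.10.50.23 10.10.30.10 tcp 22
2024-05-01T10:00:01 10.10.50.23 10.10.30.10 tcp 80
2024-05-01T10:00:02 10.10.50.23 10.10.30.10 tcp 445
2024-05-01T10:00:02 10.10.50.23 10.10.30.10 tcp 3389
2024-05-01T10:00:03 10.10.50.23 10.10.30.10 tcp 5432
2024-05-01T10:00:03 10.10.50.23 10.10.30.11 tcp 445
2024-05-01T10:00:05 10.10.50.41 203.0.113.9 tcp 443
2024-05-01T10:00:07 10.10.60.5 10.10.30.200 tcp 554
2024-05-01T10:00:08 10.10.60.5 198.51.100.77 tcp 443
2024-05-01T10:00:09 10.10.60.7 10.10.40.15 tcp 445
2024-05-01T10:00:10 10.10.40.15 10.10.30.10 tcp 443
"""


def parse_flows(text: str) -> list[dict]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def find_violations(flows: list[dict]) -> dict:
    """Flag segment-boundary crossings that the intended policy does not allow."""
    guest_targets: dict[str, set] = defaultdict(set)   # guest source -> {(dst, dport)}
    camera_violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        # Guests should only reach the internet; any internal destination is a violation.
        if src_zone == "guest" and dst_zone != "external":
            guest_targets[f["src"]].add((f["dst"], f["dport"]))
        # Cameras should reach their controller and nothing else (no internet, no workstations).
        if src_zone == "cameras" and f["dst"] != CAMERA_CONTROLLER:
            camera_violations.append((f["src"], f["dst"], f["dport"]))
    scanners = sorted(s for s, t in guest_targets.items() if len(t) >= SCAN_THRESHOLD)
    return {
        "guest_to_internal": {s: len(t) for s, t in guest_targets.items()},
        "guest_scanners": scanners,
        "camera_violations": camera_violations,
    }


if __name__ == "__main__":
    result = find_violations(parse_flows(SAMPLE_FLOWS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Any non-empty result here means either the routing and firewall policy from the scenario has not been applied, or something is bypassing it; the first hit is the signal to go back and check that guests really are limited to internet-only routing and that the camera segment only permits the controller flow.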
High-Yield Checkpoints
- Segmentation limits which systems can communicate and reduces the blast radius of compromise.
- A DMZ exposes selected services to untrusted networks while separating them from internal systems.
- VLANs separate Layer 2 broadcast domains, but routing and firewall policy still determine allowed communication.
- VPNs protect traffic over untrusted networks, while NAC checks identity, device posture, or policy before access.
- IoT and embedded devices should be segmented because they are often difficult to patch and monitor.
What is the primary security purpose of a DMZ?
Why is a VLAN alone not always sufficient as a security control?
Why should IoT devices usually be placed in restricted network segments?