Segmentation, DMZ, VLAN, VPN, NAC, and IoT

Key Takeaways

  • Segmentation limits which systems can talk and shrinks the blast radius of a compromise; it is core defense in depth.
  • A DMZ exposes selected services to untrusted networks while keeping the internal network separated by tight, port-specific rules.
  • VLANs separate Layer 2 broadcast domains, but inter-VLAN routing still needs ACLs or firewall policy to be a real control.
  • VPNs encrypt traffic over untrusted networks; NAC decides who and what may join and at what access level based on identity and posture.
  • IoT and operational-technology devices are hard to patch and should be isolated with only required traffic permitted.
Last updated: June 2026

Assume Breach, Then Contain It

Good network design assumes some controls will fail and some systems will be compromised. Segmentation limits the damage by restricting what a user, device, workload, or attacker can reach. This is the heart of defense in depth: never rely on one perimeter firewall to protect everything behind it. On the CC exam, the right answer to "a compromised host reached sensitive servers" is usually a segmentation or least-privilege control, not awareness training alone.

Segmentation divides a network into zones by trust, function, or sensitivity. Workstations, servers, payment systems, guest Wi-Fi, the management network, development, backups, and building/industrial systems each belong in their own zone. The goal is controlled communication: a guest phone should not reach a domain controller; a camera should not administer a firewall.

| Control | OSI layer / scope | Primary job |
| --- | --- | --- |
| VLAN | Layer 2 broadcast domain | Logical separation on shared switches |
| Subnet + ACL/firewall | Layer 3 routing | Enforce which segments may talk |
| Micro-segmentation | Workload-to-workload | Limit lateral movement east-west |
| DMZ | Network zone | Expose public services safely |

DMZ, VLANs, and Micro-Segmentation

A demilitarized zone (DMZ) is a segment for systems reachable from an untrusted network (often the internet) while still separated from the internal network. Web servers, reverse proxies, mail gateways, and VPN portals sit there. Rules must be port-specific: internet users reach a reverse proxy on TCP 443 (HTTPS), the proxy reaches an app server on one port, the app server reaches a database on one port. Allowing the internet straight to internal databases defeats the design.

A virtual LAN (VLAN) separates Layer 2 broadcast domains on shared switches. VLANs organize traffic but are not a sufficient security control on their own — if inter-VLAN routing is permissive, the separation is weak. Enforce access control lists (ACLs) or firewall policy at the routed boundary between VLANs. Micro-segmentation applies fine-grained policy between individual workloads (common in virtualized and cloud environments), allowing only specific app-to-database flows and blocking the rest to stop lateral movement.

VPN and Network Access Control

A virtual private network (VPN) creates an encrypted tunnel for remote users (client-to-site) or to join two sites (site-to-site). It protects confidentiality and integrity over untrusted links, but a VPN-connected user should still face MFA, posture checks, and least privilege — being on the VPN must not equal reaching everything.

Network access control (NAC) decides whether a device or user may join the network and what access to grant. NAC evaluates authentication, certificate presence, patch level, EDR status, or ownership. Noncompliant devices are denied, quarantined, or sent to a remediation network.
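An added example (not from the original page) of how a NAC decision might order the checks just listed: identity first, then ownership and certificate, then posture, with each outcome mapped to a constructed VLAN number. The `Endpoint` fields, thresholds and VLAN IDs are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"              # normal VLAN for the user's role
    GUEST = "guest"              # internet-only VLAN for unmanaged devices
    REMEDIATION = "remediation"  # patch/EDR servers only until compliant
    DENY = "deny"                # switch port stays unauthorized


@dataclass
class Endpoint:
    """Facts a NAC agent or 802.1X exchange reports about a device (constructed)."""
    authenticated: bool       # user or machine credential accepted
    has_device_cert: bool     # certificate issued by the organization's CA
    corporate_owned: bool     # asset inventory says the organization owns it
    edr_running: bool
    days_since_patch: int


def nac_decide(ep: Endpoint, max_patch_age_days: int = 30) -> Tuple[Decision, str]:
    """Identity first, then ownership, then posture; the first failing check wins."""
    if not ep.authenticated:
        return Decision.DENY, "authentication failed"
    if not (ep.has_device_cert and ep.corporate_owned):
        return Decision.GUEST, "unmanaged or personal device: no corporate VLAN"
    if not ep.edr_running:
        return Decision.REMEDIATION, "EDR agent not running"
    if ep.days_since_patch > max_patch_age_days:
        return Decision.REMEDIATION, (
            f"last patched {ep.days_since_patch} days ago, limit is {max_patch_age_days}")
    return Decision.ALLOW, "identity and posture verified"


# Constructed VLAN IDs the switch port is assigned for each non-allow outcome.
VLAN_BY_DECISION = {Decision.GUEST: 50, Decision.REMEDIATION: 999}


def vlan_for(decision: Decision, home_vlan: int = 40) -> Optional[int]:
    """None means the port is left unauthorized (no VLAN assigned at all)."""
    if decision is Decision.ALLOW:
        return home_vlan
    return VLAN_BY_DECISION.get(decision)
```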

IoT, OT, and Embedded Devices

Internet of Things (IoT) and operational technology (OT) devices — cameras, badge readers, printers, sensors, medical devices, building controls, industrial controllers — often ship with default credentials, weak update paths, long lifecycles, and limited logging. Isolate them in restricted segments allowing only required traffic. A badge reader reaches its controller but should not browse the internet or touch finance shares.

Worked Scenarios

Scenario 1: Guest Wi-Fi clients can scan internal servers. The fix is not awareness alone — place guests on a separate VLAN/subnet, restrict routing to internet-only, apply firewall policy, and monitor.

Scenario 2: Security cameras share a flat network with workstations. Segment the cameras, change default credentials, block unneeded outbound traffic, and watch vendor connections.

Each example shows segmentation shrinking the blast radius.
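The DMZ port rules in the earlier section, the inter-VLAN ACL point, and both scenarios above can be checked against a small zone policy model. This is an added example, not code from the original page: the zone subnets, ports and flows are constructed, and `enforce_acl=False` models the permissive inter-VLAN routing the page warns about.

```python
from ipaddress import ip_address, ip_network

# Constructed zones: one routed subnet per VLAN (documentation address ranges).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),             # reverse proxy, VPN portal
    "app": ip_network("10.10.20.0/24"),
    "db": ip_network("10.10.30.0/24"),
    "workstations": ip_network("10.10.40.0/24"),   # finance shares live here
    "guest": ip_network("10.10.50.0/24"),
    "cameras": ip_network("10.10.60.0/24"),
    "camera_controller": ip_network("10.10.61.0/24"),
}

# Port-specific allow rules between zones; anything not listed is denied.
# "*" matches any protocol or port.
RULES = [
    ("internet", "dmz", "tcp", 443),                # users reach only the reverse proxy
    ("dmz", "app", "tcp", 8080),                    # proxy -> app server on one port
    ("app", "db", "tcp", 5432),                     # app server -> database on one port
    ("workstations", "app", "tcp", 443),
    ("workstations", "internet", "*", "*"),
    ("guest", "internet", "*", "*"),                # guest Wi-Fi is internet-only
    ("cameras", "camera_controller", "tcp", 554),   # camera -> its controller (RTSP)
]


def zone_of(ip: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only catches non-internal addresses."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def allowed(src_ip: str, dst_ip: str, proto: str, port: int,
            enforce_acl: bool = True) -> bool:
    """Decide one flow. With enforce_acl=False the routed boundary is permissive:
    the VLANs still split broadcast domains, but any internal zone can reach any
    other, which is why a VLAN alone is not a security control."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same segment: delivered at Layer 2, never crosses the boundary
    if not enforce_acl and "internet" not in (src, dst):
        return True  # permissive inter-VLAN routing: separation exists only on paper
    return any(
        s == src and d == dst and pr in ("*", proto) and po in ("*", port)
        for s, d, pr, po in RULES
    )
```

Calling `allowed("203.0.113.7", "10.10.30.5", "tcp", 5432)` returns False because no rule lets the internet reach the database zone directly, while the same destination from the app zone is permitted.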

VPN Tunnel Modes, IPsec, and TLS

CC keeps VPN coverage conceptual, but two distinctions help. By topology, a client-to-site (remote-access) VPN connects an individual user's device to the corporate network, while a site-to-site VPN joins two networks (such as a branch to headquarters) over the internet. By protocol, IPsec secures traffic at the network layer and is common for site-to-site tunnels, while TLS/SSL VPNs operate higher in the stack and are convenient for browser-based remote access.

A second concept is split tunneling versus full tunneling: split tunneling sends only corporate-bound traffic through the VPN (faster, but the device's internet traffic bypasses inspection), while full tunneling routes everything through the corporate gateway for monitoring and filtering. The control intent is the same — encrypt traffic over untrusted paths and still require strong identity and least privilege at the other end.

Zero Trust and the Limits of the Perimeter

Segmentation, NAC, and micro-segmentation point toward zero trust, the principle of "never trust, always verify." Rather than assuming everything inside the perimeter is safe, zero trust treats every access request as untrusted until identity, device posture, and authorization are checked — even for internal traffic. This directly counters lateral movement, where an attacker who lands on one host tries to pivot to higher-value systems. For the exam, recognize that a flat internal network is a single large blast radius, and that segmentation plus identity verification is the antidote.

Common Traps and Exam Cues

Watch for these: (1) a VLAN described as if it were a firewall — separation needs ACL or firewall policy on the routed boundary; (2) "the user is on the VPN, so they can reach everything" — a VPN encrypts the link but should not grant blanket access; (3) IoT and OT devices left on the user or server network because "they need to work" — isolate them instead; (4) relying on a single perimeter firewall while the internal network is flat; and (5) confusing a DMZ (a zone for exposed services) with a VPN (an encrypted tunnel) or with NAC (an admission and posture decision).

When a stem says "reduce the blast radius" or "limit lateral movement," the answer is almost always segmentation, micro-segmentation, or least-privilege access — not a single product.

Test Your Knowledge

What is the primary security purpose of placing a public web server in a DMZ?

A network engineer creates separate VLANs for finance and guest traffic but leaves the inter-VLAN router policy permissive. Why is this still insufficient?

An organization deploys dozens of IP security cameras with default credentials. What is the best network-design control to limit their risk?