Summit DNC Engineering · March 13, 2026 · 11 min read

# Network Segmentation: Why Flat Networks Are a Security Risk

If every device in your office — workstations, servers, phones, cameras, guest WiFi, IoT sensors — is on the same network, a single compromised device gives an attacker access to everything. This is a flat network, and it is one of the most common security weaknesses in small and mid-size businesses.

## What Is a Flat Network?

A flat network puts all devices in a single broadcast domain with no separation. Every device can see and communicate with every other device directly. This is the default configuration when you plug switches together without configuring VLANs.

The problem:

When a workstation gets infected with ransomware on a flat network, the malware can immediately:

- Discover and encrypt file servers
- Spread to other workstations
- Access security camera DVRs and NVRs
- Compromise VoIP phone systems
- Reach backup appliances and encrypt backup data

With network segmentation, the infected workstation can only see devices in its segment. The ransomware cannot reach servers, backups, cameras, or phones because they are on different network segments with firewall rules controlling cross-segment traffic.

## Segmentation Architecture

### The Minimum Viable Segments

Every business network should have at least these segments:

1. **Corporate data** — Workstations and printers

2. **Servers** — File servers, application servers, domain controllers

3. **Voice** — VoIP phones and call infrastructure

4. **Security** — Cameras, access control, alarm systems

5. **Guest** — Completely isolated guest WiFi

### Additional Segments for Larger Organizations

6. **Management** — Network device management (switch/firewall admin interfaces)

7. **IoT** — Building automation, sensors, smart devices

8. **DMZ** — Public-facing services (web servers, email gateways)

9. **PCI** — Cardholder data environment (for PCI DSS compliance)

10. **Medical devices** — Connected medical equipment (for HIPAA environments)

## Implementation with VLANs

VLANs (Virtual LANs) are the primary tool for network segmentation:

### Step 1: Create VLANs on Your Managed Switches

| VLAN ID | Name | Subnet | Purpose |
|---------|------|--------|---------|
| 10 | Corporate | 10.0.10.0/24 | Workstations and printers |
| 20 | Servers | 10.0.20.0/24 | All server infrastructure |
| 30 | Voice | 10.0.30.0/24 | VoIP phones |
| 40 | Security | 10.0.40.0/24 | Cameras and access control |
| 50 | Guest | 10.0.50.0/24 | Guest WiFi (internet only) |

### Step 2: Assign Switch Ports to VLANs

  • Access ports: One VLAN per port (workstations, cameras, printers)
  • Trunk ports: Carry multiple VLANs between switches and to the firewall
  • VoIP ports: Configured with both data and voice VLANs (for phones with passthrough ports)

### Step 3: Create Firewall Rules Between Segments

This is where the real security happens. The firewall controls what traffic is allowed between VLANs:

Example rules:

- Corporate → Servers: Allow specific ports (SMB, HTTPS, RDP)
- Corporate → Internet: Allow with content filtering
- Servers → Corporate: Deny (servers should not initiate connections to workstations)
- Voice → anything: Allow SIP and RTP only — deny all else
- Guest → Internet: Allow — deny all internal access
- Security → Servers: Allow NVR recording traffic only

### Step 4: Configure Wireless SSIDs per VLAN

Each WiFi SSID maps to a VLAN:

- Corporate SSID → VLAN 10 (802.1X authentication)
- Guest SSID → VLAN 50 (captive portal, isolated)
- IoT SSID → VLAN 60 (if applicable)

## Compliance Benefits

Network segmentation is required or strongly recommended by every major compliance framework:

  • **PCI DSS** — Requires cardholder data environment (CDE) to be segmented from all other networks
  • **HIPAA** — Medical devices and ePHI systems should be segmented from general network
  • **NIST CSF** — Network segmentation is a core control for the Protect function
  • **CIS Controls** — Control 12: Network Infrastructure Management includes segmentation

## Common Mistakes

1. **Creating VLANs but not firewall rules** — VLANs without inter-VLAN firewall rules provide no security (Layer 3 switches route between VLANs freely by default)

2. **Flat guest WiFi** — Guest traffic should never touch internal networks

3. **Cameras on the corporate VLAN** — Security cameras are IoT devices with known vulnerabilities

4. **No monitoring of cross-segment traffic** — You should log and alert on unusual cross-VLAN traffic

5. **Over-permissive rules** — "Allow all" between VLANs defeats the purpose of segmentation
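The Step 1 VLAN table and the Step 3 rule set, encoded as data with a flow evaluator and a check for the over-permissive patterns in the list above. This is an added example, not configuration from the article or from Summit DNC; the SIP/RTP and NVR recording ports (5060, UDP 10000-20000, TCP 554) are assumptions, as is treating any address outside the five subnets as "Internet".

```python
import ipaddress

# Step 1 VLAN table. Any address outside these subnets is treated as "Internet".
VLANS = {name: ipaddress.ip_network(net) for name, net in [
    ("Corporate", "10.0.10.0/24"), ("Servers", "10.0.20.0/24"), ("Voice", "10.0.30.0/24"),
    ("Security", "10.0.40.0/24"), ("Guest", "10.0.50.0/24")]}

# Step 3 rules as (src, dst, services, action). "*" matches any segment; services is
# None (all ports) or a list of (proto, low, high). First match wins; no match = deny.
POLICY = [
    ("Corporate", "Servers", [("tcp", 445, 445), ("tcp", 443, 443), ("tcp", 3389, 3389)], "allow"),
    ("Corporate", "Internet", None, "allow"),
    ("Servers", "Corporate", None, "deny"),
    ("Voice", "*", [("udp", 5060, 5060), ("tcp", 5060, 5060), ("udp", 10000, 20000)], "allow"),
    ("Voice", "*", None, "deny"),       # SIP plus an assumed RTP range above, nothing else
    ("Guest", "Internet", None, "allow"),
    ("Guest", "*", None, "deny"),       # no internal access at all
    ("Security", "Servers", [("tcp", 554, 554)], "allow"),  # assumed RTSP port for NVR recording
]

def segment_of(ip):
    """Map an address to its VLAN name, or 'Internet' if it lies in no VLAN."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "Internet")

def _matches(rule, src, dst, proto, port):
    r_src, r_dst, services, _ = rule
    if r_src not in ("*", src) or r_dst not in ("*", dst):
        return False
    return services is None or any(p == proto and lo <= port <= hi for p, lo, hi in services)

def evaluate(src_ip, dst_ip, proto, port, policy=POLICY):
    """Return 'allow' or 'deny' for one flow, as the inter-VLAN firewall would."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "allow"  # same VLAN is switched locally and never reaches the firewall
    for rule in policy:
        if _matches(rule, src, dst, proto, port):
            return rule[3]
    return "deny"  # the implicit default that makes segmentation meaningful

def audit(policy=POLICY):
    """Flag Common Mistakes 2 and 5: allow-all between internal segments, Guest reaching internal."""
    findings = []
    for src, dst, services, action in policy:
        if action == "allow" and dst != "Internet":
            if services is None:
                findings.append(f"allow-all from {src} to {dst}")
            if src == "Guest":
                findings.append(f"Guest can reach {dst}")
    return findings
```

Run `evaluate("10.0.10.5", "10.0.20.10", "tcp", 445)` to confirm SMB from a workstation to a server is allowed, then flip the source to the server or the Guest VLAN to see the default deny take over.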

## Getting Started

If you are currently running a flat network, segment in phases:

1. **Phase 1:** Separate guest WiFi (highest risk, easiest to implement)

2. **Phase 2:** Create voice VLAN for VoIP phones (improves call quality too)

3. **Phase 3:** Separate cameras and security devices

4. **Phase 4:** Segment servers from workstations

5. **Phase 5:** Implement monitoring and refine firewall rules

Each phase requires managed switches (for VLANs) and a firewall capable of inter-VLAN routing and filtering. This is standard equipment for any business network.

Summit DNC designs and implements segmented networks for businesses across Southern California. From initial design through switch configuration and firewall rules, we build networks that limit blast radius and protect your critical assets. Contact us for a network security assessment.

Tags: Network Security, VLANs, Network Segmentation, Firewall, Zero Trust