When most mid-market companies build their network, simplicity wins. One subnet, everything connected, IT can reach any device from anywhere. It works. Until it doesn't.
A flat network — one without meaningful segmentation between different types of devices and users — is one of the most common and consequential security gaps we find during network assessments. It doesn't show up in vulnerability scanners. It won't trigger a firewall alert. But it is the architectural condition that turns a contained incident into a catastrophic one.
This post explains what network segmentation is, why flat networks create disproportionate risk, and what a practical segmentation approach looks like for an organization that isn't starting from scratch.
What a Flat Network Actually Means
A flat network is one where all devices share the same broadcast domain and can communicate with each other without passing through any access controls. Your accounting workstations, your conference room smart TVs, your manufacturing floor sensors, your guest Wi-Fi, and your servers containing patient records or financial data are all on the same network — and by default, they can all talk to each other.
This isn't necessarily how someone designed it. It's usually how a network grew over ten years of adding devices and never revisiting the underlying architecture.
The attacker's perspective: When a threat actor compromises a single device on a flat network — through phishing, a vulnerable application, or a stolen credential — they have a platform to scan and attack every other device on the network. There is no internal boundary to slow them down or limit what they can reach. Lateral movement is trivially easy.
Why This Matters More Than It Used To
The threat model has changed. The perimeter — your firewall at the edge of the network — used to be a reliable primary defense. Attacks came from outside. If you kept the outside out, the inside was safe.
That model doesn't hold in 2026. Attacks now routinely get past the perimeter through phishing, compromised credentials, supply chain vulnerabilities, and remote access abuse. Once an attacker is inside a flat network, the perimeter firewall offers no protection whatsoever against lateral movement.
The other shift is the device mix. Modern networks include laptops, phones, IoT devices, HVAC controllers, security cameras, printers, and cloud-connected appliances — each with its own attack surface. Putting all of these on the same network as your servers and sensitive data is an architecture decision that needs to be revisited.
What Gets Segmented — and Why
A well-segmented network separates devices and systems based on trust level, function, and data sensitivity. The specific segments vary by organization, but common ones include:
Servers / Data: File servers, databases, ERP, EMR. Highest sensitivity; access should be tightly controlled and logged.
Corporate Endpoints: Employee workstations and managed laptops. Should reach business applications but not server infrastructure directly.
Guest / BYOD: Visitor Wi-Fi, personal devices. Internet access only; zero access to internal resources.
OT / IoT: Building systems, cameras, floor sensors. Often the most vulnerable devices; should be fully isolated from corporate systems.
Management: Network infrastructure management, out-of-band access. Restricted to IT staff only.
Cloud Connectivity: Connections to AWS, Azure, SaaS applications. Controlled and monitored separately from general LAN traffic.
How Segmentation Actually Works
Network segmentation is implemented primarily through VLANs (Virtual Local Area Networks) at the switching layer, with firewall or access control list (ACL) rules governing traffic between segments. In practice this means:
- Devices are assigned to specific VLANs based on their type and trust level
- Traffic between VLANs passes through a firewall or layer 3 switch with defined rules
- Only explicitly permitted traffic crosses segment boundaries — everything else is denied by default
- Logging captures inter-segment traffic, creating visibility into lateral movement attempts
More advanced implementations add microsegmentation — controls at the workload level that restrict communication even within a segment. This is increasingly relevant for cloud environments and organizations running Zero Trust architectures.
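To make the mechanics concrete, here is an added example (not code from the original post) that models the inter-segment control point described above: devices are mapped to segments by address, a short ordered policy lists the explicit permits, anything unmatched falls to default deny, and every decision at the boundary produces a log line. The segment address ranges, the policy rules and the sample flows are all constructed assumptions for illustration; they are not taken from any real network. Traffic that stays inside one VLAN never reaches the control point, which is exactly the gap microsegmentation closes.

```python
"""Model of an inter-VLAN policy: explicit permits, default deny, logged decisions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed segment addressing (an assumption for this example, not from the post).
SEGMENTS = {
    "servers":   ip_network("10.10.0.0/24"),
    "endpoints": ip_network("10.20.0.0/24"),
    "guest":     ip_network("10.30.0.0/24"),
    "iot":       ip_network("10.40.0.0/24"),
    "mgmt":      ip_network("10.50.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # source segment, or "*" for any
    dst: str              # destination segment, "internet", or "*"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


# Explicit rules, evaluated top to bottom; first match wins. Anything that
# matches no rule is denied by default. (Constructed policy for illustration.)
POLICY: List[Rule] = [
    Rule("endpoints", "servers", 443, "permit"),   # workstations reach business web apps
    Rule("mgmt", "*", None, "permit"),             # IT management reaches every segment
    Rule("guest", "internet", None, "permit"),     # guest/BYOD: internet and nothing else
    Rule("endpoints", "internet", None, "permit"), # outbound web for corporate endpoints
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the defined ranges is 'internet'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def _matches(rule: Rule, src_seg: str, dst_seg: str, dport: int) -> bool:
    return (rule.src in ("*", src_seg)
            and rule.dst in ("*", dst_seg)
            and (rule.dport is None or rule.dport == dport))


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[str]]:
    """Return (verdict, log_line) for one flow as seen at the inter-segment boundary.

    Flows that stay inside a single VLAN never pass the control point, so they are
    permitted here with no log entry; restricting those too is what microsegmentation adds.
    """
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg == dst_seg:
        return "permit", None
    for i, rule in enumerate(POLICY):
        if _matches(rule, src_seg, dst_seg, dport):
            line = (f"{rule.action.upper()} rule={i} src={src_ip}({src_seg}) "
                    f"dst={dst_ip}({dst_seg}) dport={dport}")
            return rule.action, line
    return "deny", (f"DENY rule=default src={src_ip}({src_seg}) "
                    f"dst={dst_ip}({dst_seg}) dport={dport}")


# Constructed sample flows (src, dst, dport); 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.10.0.5", 443),     # endpoint -> server HTTPS: explicitly permitted
    ("10.20.0.15", "10.10.0.5", 445),     # endpoint -> server SMB: no rule, default deny
    ("10.30.0.44", "10.10.0.5", 443),     # guest -> server: default deny
    ("10.30.0.44", "203.0.113.10", 443),  # guest -> internet: permitted
    ("10.40.0.9", "10.20.0.15", 80),      # IoT -> endpoint: default deny (no pivot path)
    ("10.50.0.2", "10.40.0.9", 22),       # mgmt -> IoT: permitted
    ("10.20.0.15", "10.20.0.16", 445),    # endpoint -> endpoint: same VLAN, not inspected
]


def run(flows=SAMPLE_FLOWS) -> Tuple[List[str], List[str]]:
    """Evaluate each flow; return the verdicts and the boundary log that results."""
    verdicts, log = [], []
    for src, dst, port in flows:
        verdict, line = evaluate(src, dst, port)
        verdicts.append(verdict)
        if line:
            log.append(line)
    return verdicts, log


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The ordering matters: the deny for SMB from endpoints to servers comes from the absence of a rule, not from a written deny, which is what "denied by default" means in practice. Note also that the final same-VLAN flow produces no log line at all; a flat network is the case where every flow looks like that.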
How to Approach This Without Starting Over
Most organizations can't tear down their network and rebuild it segmented from scratch. The practical approach is phased, starting with the highest-risk separations:
Isolate Guest and BYOD Traffic First
This is typically the lowest-effort, highest-impact first step. Guest Wi-Fi and personal devices should reach the internet and nothing else. If this isn't already in place, it's the first boundary to draw.
Segment IoT and OT Devices
Cameras, HVAC systems, building automation, and floor equipment are routinely the least-patched and most vulnerable devices on the network. Isolating them prevents compromise from becoming a pivot point into corporate systems.
Create a Dedicated Server Segment
Servers containing sensitive data should sit in their own segment with explicit access rules. Endpoints shouldn't be able to initiate connections directly to server infrastructure without passing through a control point.
Add Logging Between Segments
Segmentation limits blast radius. Logging gives you visibility when something tries to cross a boundary it shouldn't. Both together are significantly more effective than either alone.
Audit and Iterate
Segmentation isn't a one-time project. New devices get added. Applications change dependencies. A network security assessment at least annually ensures the architecture stays aligned with the current environment.
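The "Add Logging Between Segments" and "Audit and Iterate" steps above are where the value of a boundary shows up operationally. As an added example (not from the original post), the script below reviews a constructed sample of inter-segment deny records and flags any source whose blocked attempts fan out across many hosts or several segments, which is what lateral movement from a compromised device looks like once a boundary exists to refuse it. The log format, the segment address ranges and the thresholds are assumptions made for this example; adapt the regular expression to whatever your firewall or layer 3 switch actually emits.

```python
"""Review inter-segment deny logs for the fan-out pattern of lateral movement."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed segment addressing (an assumption for this example, not from the post).
SEGMENTS = {
    "servers":   ip_network("10.10.0.0/24"),
    "endpoints": ip_network("10.20.0.0/24"),
    "guest":     ip_network("10.30.0.0/24"),
    "iot":       ip_network("10.40.0.0/24"),
    "mgmt":      ip_network("10.50.0.0/24"),
}

# Constructed sample of boundary records in a hypothetical key=value format.
SAMPLE_LOG = """\
2026-03-02T09:14:02Z fw01 action=deny src=10.20.0.15 dst=10.10.0.5 proto=tcp dport=445
2026-03-02T09:14:02Z fw01 action=deny src=10.20.0.15 dst=10.10.0.6 proto=tcp dport=445
2026-03-02T09:14:03Z fw01 action=deny src=10.20.0.15 dst=10.10.0.7 proto=tcp dport=3389
2026-03-02T09:14:05Z fw01 action=deny src=10.20.0.15 dst=10.50.0.2 proto=tcp dport=22
2026-03-02T09:14:06Z fw01 action=deny src=10.20.0.15 dst=10.40.0.9 proto=tcp dport=80
2026-03-02T09:20:11Z fw01 action=deny src=10.30.0.44 dst=10.10.0.5 proto=tcp dport=443
2026-03-02T09:31:40Z fw01 action=permit src=10.20.0.21 dst=10.10.0.5 proto=tcp dport=443
2026-03-02T09:35:09Z fw01 action=deny src=10.40.0.9 dst=10.10.0.5 proto=tcp dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_denies(text: str) -> List[Dict[str, str]]:
    """Parse the log; keep only records the boundary actually refused."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "deny":
            continue
        events.append(m.groupdict())
    return events


def find_lateral_movement(text: str, min_targets: int = 3, min_segments: int = 2) -> Dict[str, dict]:
    """Flag sources whose denied attempts reached many hosts or more than one segment.

    A single blocked connection is usually a misconfiguration or a forgotten dependency;
    one source being refused against a spread of hosts and segments is the pattern worth
    an analyst's time. Thresholds are constructed starting points, not tuned values.
    """
    per_src = defaultdict(lambda: {"targets": set(), "segments": set(), "ports": set()})
    for ev in parse_denies(text):
        rec = per_src[ev["src"]]
        rec["targets"].add(ev["dst"])
        rec["segments"].add(segment_of(ev["dst"]))
        rec["ports"].add(int(ev["dport"]))

    findings = {}
    for src, rec in per_src.items():
        if len(rec["targets"]) >= min_targets or len(rec["segments"]) >= min_segments:
            findings[src] = {
                "src_segment": segment_of(src),
                "targets": len(rec["targets"]),
                "segments": sorted(rec["segments"]),
                "ports": sorted(rec["ports"]),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_lateral_movement(SAMPLE_LOG).items():
        print(f"{src} ({info['src_segment']}): {info['targets']} hosts across "
              f"{', '.join(info['segments'])}; ports {info['ports']}")
```

In the constructed sample, the guest device and the IoT camera each hit one server once and are left alone, while the endpoint that was refused against five hosts in three segments inside a few seconds is flagged. The single-hit records still matter for the "Audit and Iterate" step: a recurring deny for a legitimate application is how you discover a dependency the policy does not yet reflect.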
The goal isn't perfection — it's meaningful reduction of blast radius and lateral movement opportunity. Even partial segmentation is dramatically better than a fully flat network when an incident occurs.