Domain 4 of 5 · Chapter 6 of 8

Network Segmentation

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Network+ premium course — no separate purchase.

Included in this chapter:

  • Why segment: containment, compliance, fragile devices
  • VLANs are zones; firewalls and ACLs are the gates
  • Device-class segments: OT, IoT, DMZ, guest, BYOD
  • Microsegmentation and zero trust
  • Exam-pattern recognition

Which segment for which device class

Segment / zoneWhat goes thereReachability it should haveWhy it is isolated
OT / ICS / SCADA zoneLegacy industrial controllers, PLCs, DCSOnly its own controllers and engineering hostsUnpatchable, no AV; isolate per NIST SP 800-82r3
IoT / IIoT VLANCameras, sensors, smart/embedded devicesOnly required controllers and update serversWeak defaults, rarely updated
Screened subnet (DMZ)Public web, mail, DNS serversInternet inbound + tightly limited internalInternet-exposed; breach must not reach LAN
Guest / BYOD segmentVisitor and personal devicesInternet only, no internal accessUntrusted devices, unknown posture
Internal trusted zoneCorporate workstations and serversInternal services per least privilegeHolds the assets the other zones protect

Decision tree

Can the device be patchedand run AV?Isolate on own segmentOT/ICS/SCADA, IoT + compensateNoMust it accept internetconnections?YesScreened subnetDMZ: web / mail / DNSYesUntrusted user device?guest / personalNoGuest / BYOD segmentinternet-only, no internalYesStop same-subnet pivot?east-west lateral movementNoMicrosegmentationYesInternal trusted zoneNoAll crossings: firewall/ACL, deny by default

Cheat sheet

  • Segment to limit the blast radius of a breach
  • A VLAN is the boundary; a firewall or ACL is the control
  • Isolate unpatchable OT/ICS/SCADA, do not try to patch it
  • Put IoT/IIoT devices on a dedicated VLAN
  • Place internet-facing servers in a screened subnet (DMZ)
  • Give guests and BYOD internet-only access, no internal reach
  • Microsegmentation stops east-west, same-subnet lateral movement
  • Zero trust grants nothing for being on the internal network
  • North-south crosses the zone edge; east-west moves laterally
  • Segment regulated systems to cut PCI DSS audit scope
  • Segmentation contains a breach; it does not prevent one
  • Use 802.1X to assign a device to the right segment at connect
  • Build inter-zone rules deny-by-default, then allow only what is needed
  • OT, ICS, and SCADA name overlapping operational-technology scopes
  • Segment when device classes or trust levels actually differ

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. IEEE 802.1Q: Bridges and Bridged Networks (VLANs and VLAN Bridges) Whitepaper
  2. NIST SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy Whitepaper
  3. NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security Whitepaper
  4. NIST SP 800-207: Zero Trust Architecture Whitepaper