Network Segmentation

Dividing networks into isolated zones to contain attacks and protect critical systems.

What is Network Segmentation?

Network segmentation is the practice of dividing a computer network into smaller, isolated subnetworks. Each segment acts as its own network zone with controlled access points, limiting what systems can communicate with each other.

This architectural approach follows the principle of Least Privilege - systems only have network access to the resources they absolutely need. If an attacker compromises one segment, they cannot easily move laterally to other parts of the network.

Key Benefits

  • Containment: Breaches are limited to one segment
  • Reduced Attack Surface: Fewer systems are reachable
  • Better Monitoring: Easier to detect anomalies
  • Compliance: Required by many security standards
  • Performance: Reduces broadcast traffic

Why Network Segmentation is Critical

Without Segmentation

  • One compromised system = entire network at risk
  • Ransomware spreads rapidly across all systems
  • Attackers move laterally with ease
  • No containment of breaches
  • Difficult to detect intrusions

Real-World Attacks

  • Colonial Pipeline (2021): Ransomware spread from IT to OT
  • Target (2013): HVAC vendor access led to POS breach
  • NotPetya (2017): Spread across flat networks globally
  • Maersk (2017): $300M loss from lateral movement

With Proper Segmentation

  • Attacks contained to single zone
  • Critical systems isolated from general network
  • Defense in Depth achieved
  • Clear security boundaries
  • Easier incident response

Regulatory Requirements

Network segmentation is required or strongly recommended by major security frameworks.

BDEW Whitepaper

Section 4.4.2 - Sichere Netzwerkstruktur (Secure Network Structure)

The German Association of Energy and Water Industries (BDEW) mandates network segmentation for critical infrastructure. Key requirements include:

  • Separation of office IT from process control networks (OT)
  • DMZ zones for external communication
  • Firewalls between all network segments
  • Strict access control at segment boundaries
  • Monitoring of cross-segment traffic

BSI IT-Grundschutz

NET.1.1 - Netzarchitektur und -design (Network Architecture and Design)

The German Federal Office for Information Security (BSI) defines network segmentation as a fundamental security measure. Key requirements:

  • NET.1.1.A1: Network should be divided into security zones
  • NET.1.1.A4: Clear documentation of network topology
  • NET.1.1.A13: Micro-segmentation for high-security areas
  • Protection of management networks
  • Isolation of development from production

Implementation in Signando REST

How we apply network segmentation principles in our API Gateway architecture.

4 Isolated NATS Instances

Signando REST uses four completely isolated NATS JetStream instances. Each instance runs in its own network segment with no direct communication between them:

  • NATS 1: DMZ-facing, receives untrusted client requests
  • NATS 2: Internal clean zone, validated requests only
  • NATS 3: Backend-facing, receives untrusted responses
  • NATS 4: Internal clean zone, validated responses only

Why This Matters

Even if an attacker compromises one component, they cannot:

  • Access validated data in clean zones
  • Inject malicious requests into the backend
  • Exfiltrate data through the same channel
  • Move laterally to other processing stages

This is network segmentation applied at the application level - following both BDEW and BSI recommendations for defense in depth.
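
As an added example that is not part of Signando's own code, the following Python model encodes the four-zone pipeline above as an allow-list of flows and checks the two invariants the design relies on: no direct NATS-to-NATS link, and no entry into a clean zone except through a validator. Component names, zone names and the allow-list are assumptions constructed for illustration; the blast-radius function shows what a compromised component can reach without its data ever being validated.

```python
from collections import deque

# Constructed model of the four-zone pipeline (names are assumptions, not Signando's own).
ZONE = {
    "client": "dmz", "nats1": "dmz",
    "req_validator": "req-bridge",
    "nats2": "clean-req", "gateway": "clean-req",
    "backend": "backend", "nats3": "backend",
    "resp_validator": "resp-bridge",
    "nats4": "clean-resp", "responder": "clean-resp",
}
VALIDATORS = {"req_validator", "resp_validator"}

# Constructed allow-list of permitted flows (src, dst); any other flow is denied.
ALLOWED = {
    ("client", "nats1"), ("nats1", "req_validator"), ("req_validator", "nats2"),
    ("nats2", "gateway"), ("gateway", "backend"), ("backend", "nats3"),
    ("nats3", "resp_validator"), ("resp_validator", "nats4"), ("nats4", "responder"),
}

def policy_violations(allowed=ALLOWED, zone=ZONE):
    """Return flows that break the segmentation rules of the design:
    1. no direct link between two NATS instances;
    2. a clean zone may only be entered from a validator."""
    bad = []
    for src, dst in sorted(allowed):
        if src.startswith("nats") and dst.startswith("nats"):
            bad.append((src, dst, "direct NATS-to-NATS link"))
        elif zone[dst].startswith("clean") and zone[src] != zone[dst] and src not in VALIDATORS:
            bad.append((src, dst, "clean zone entered without validation"))
    return bad

def reachable_without_validation(start, allowed=ALLOWED):
    """Components that data from a compromised `start` can reach without
    ever passing through a validator (the blast radius of that compromise)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in allowed:
            if src == node and dst not in seen and dst not in VALIDATORS:
                seen.add(dst)
                queue.append(dst)
    return seen

if __name__ == "__main__":
    print("violations:", policy_violations())                       # []
    print("client blast radius:", reachable_without_validation("client"))  # {'nats1'}
    flat = ALLOWED | {("nats1", "nats2")}  # misconfiguration: zones bridged directly
    print("flat violations:", policy_violations(flat))
```

Running the same lint over a proposed firewall or NATS account change before deployment catches the "flat network" misconfiguration the BDEW and BSI requirements above are meant to prevent.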

Implement Network Segmentation

Learn how Signando REST provides built-in network isolation for your API infrastructure.
