First, a little history
When I zoom out on our timeline, I can so clearly recall when the day came that we had the facility to connect computers to each other, operate in a network, and no longer operate as individual standalone hosts that relied on some sort of tape or magnetic media to move files around. Our world would change forever!
The simple concept of one device talking to another device in the same segment was revolutionary! Amazing applications took advantage of this enabling technology. I recall, for instance, Microsoft Mail rapidly replacing inter-office memos. We weren’t even connected to the internet and business was already more productive! Then along came the internet and for the next 30 years we just connected more and more and more.
Fast forward to 2025 and sometimes we just shake our heads with “What have we done?”. All of our networks now need to be thought of as potentially-hostile. Most wifi networks can be penetrated and red teams most often compromise Ethernet networks by socially engineering access to a boardroom ethernet jack and leave a tooled raspberry pi connected.
So as digital defenders, we have gone down the path of building a defense-in-depth strategy by not only protecting each endpoint to the best of our ability, but also to effectively place a boundary ahead of it so from a network point of view it isn’t even reachable by other devices.
Network Segmentation
Network segmentation at first came out of necessity. The introduction of routers and switches in the 1980’s allowed larger networks to interconnect and segmentation was a necessary means of limiting broadcast traffic, enhance security as well as manageability. A decade later, VLANs offered even more flexibility but as everything became IP-enabled and firewalls were so commonly deployed everywhere, the default any-any rules made it so segmentation no longer offered any effective security.
Multi-stage malware today relies on lateral movement and it’s this feature that renders the traditional boundary firewall ineffective.
Micro-Segmentation
Micro-segmentation lets you control network access in a detailed way by splitting things into separate sections for each workload. It’s especially helpful in data centers and cloud setups, where it boosts security and keeps everything compliant. Even nodes within the same subnet are unable to make IP connections to one another. It is accepted as a strong defense strategy, but it does rely on an agent and management platform to deploy. OT, IoT and non-user devices in general cannot accept an agent, and as such, they can only be protected via other means. When this is done correctly, it actually removes the necessity of endpoint agents micro-segmentation features entirely.
Ethernet Port and WiFi Isolation
Infrastructure-based micro-segmentation that does not rely on endpoint agents at all. Instead, modern switches and access points have features built-in that allow for per-client isolation (WiFi and Ethernet), even when they are on the same network segment. This is very practical and easy to implement, especially if the services that endpoints need to reach are outside of its own network segment.
Screenshots above illustrate an example of Unifi’s isolation features.
Porosity remaining
Even with all of the micro-segmentation implemented, the porosity remaining is the lack of egress control. As long as this is lacking, the red team adversary emulator can still reach the Active Directory controller and internal server hosts from the above-mentioned hijacked boardroom Ethernet jack.
The role of Zero Trust connectivity
ZTc applies even to internal lateral traffic from unknown or unverified sources. The simple approach of default-deny-all is essential from a network gateway perspective. Any endpoint that is not identified by 802.1X, identity management integration or trusted MAC address as a last resort, simply cannot communicate past the gateway.
In short, ZTc allows segmentation and micro-segmentation to be leak-proof and actually be segmented for real. Say goodbye to lateral movement for good.