Network segmentation — SY0-701
Understand network segmentation for CompTIA Security+ SY0-701: what it is, how it limits lateral movement, and how it differs from access control lists.
WHAT IT IS
Network segmentation is the practice of dividing a single network into distinct sub-networks — each operating as a separate security domain — so that each segment implements its own security policy and is administered under a defined authority.
The NIST glossary defines a security domain as "a domain that implements a security policy and is administered by a single authority," and defines a VLAN (a common segmentation mechanism) as "a broadcast domain that is partitioned and isolated within a network at the data link layer" (NIST SP 1800-15B). A demilitarized zone (DMZ) — one of the most tested segmentation patterns — is defined as "a perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted."
The goal: limit what an attacker can reach if they compromise one zone, and limit what any single system can see or affect inside the network.
Mental model
Think of a building with locked fire doors between wings. A fire (or attacker) in one wing cannot freely spread to others — each door is a policy enforcement point. The wings are segments; the doors are the controls (firewalls, VLANs, access policies) that define what traffic crosses a boundary.
This maps directly to the isolation principle the NIST glossary states for software: "the ability to keep multiple instances… separated so that each instance only sees and can affect itself" (NIST SP 800-190). Segmentation applies that same principle at the network layer.
When to use it
Candidates are commonly asked to choose the right segmentation mechanism for a given scenario. The table below shows the primary patterns and what distinguishes them.
| Mechanism | What NIST says | Primary boundary | Typical use case |
|---|---|---|---|
| VLAN | "A broadcast domain that is partitioned and isolated within a network at the data link layer" (NIST SP 1800-15B) | Layer 2 (data link) | Separating departments, IoT devices, or guest Wi-Fi on the same physical switch infrastructure |
| DMZ | "A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted" (NIST glossary) | Perimeter / routing layer | Housing internet-facing servers (web, mail) away from the internal network |
| Security domain | "A domain that implements a security policy and is administered by a single authority" (NIST glossary) | Policy-defined | Organizing assets by classification level or regulatory scope |
Key decision rule: segmentation creates the boundary; separate controls (firewall rules, access control lists) define what crosses it. The two work together but are not the same thing.
COMMON MISCONCEPTION
The trap: Candidates often conflate network segmentation with access control, treating them as interchangeable or assuming that applying an access control list achieves segmentation.
They are not the same:
- Access control is "the process of granting or denying specific requests to obtain and use information and related information processing services" (NIST glossary). It governs who can cross or use a resource.
- Segmentation creates a physical or logical boundary — a separate security domain — that contains traffic before access control is even applied.
A network with no segments but a long ACL still allows lateral movement within the flat network, because traffic never crosses a policy-enforcement boundary. Segmentation limits the blast radius of a compromise; access control limits who can move through a boundary that already exists.
A related misconception is that a DMZ is only relevant for outward-facing services. The NIST definition frames it specifically as separating networks by trust level — any situation with a trust differential between two zones is a candidate for a DMZ pattern.
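The decision rule above (segmentation creates the boundary; firewall rules and ACLs decide what crosses it) and the flat-network misconception can both be made concrete with a small blast-radius model. The following Python is an added example, not code from the study page or from NIST: the host inventory, the segment names, and the boundary policy are all constructed for illustration. It treats every permitted flow as a potential pivot and computes which hosts an attacker controlling one host could reach, first on a flat network and then on the same hosts placed in separate security domains.

```python
"""Blast-radius model: flat network vs. segmented network with a boundary policy.

Added example (not from the study page or NIST). Hosts are assigned to
segments (security domains); a boundary policy lists which segment-to-segment
flows the firewall or ACL at the boundary permits. Traffic between two hosts
in the same segment never crosses a boundary, so no policy is evaluated for
it: that is the lateral-movement problem segmentation solves, and why an ACL
on its own does not segment anything.
"""
from collections import deque

# Constructed inventory: every host in one flat segment.
FLAT = {
    "web1": "corp", "mail1": "corp", "app1": "corp", "db1": "corp",
    "hr-pc": "corp", "cam1": "corp", "printer": "corp",
}

# The same hosts, placed in separate security domains.
SEGMENTED = {
    "web1": "dmz", "mail1": "dmz",        # internet-facing, less trusted
    "app1": "app",                        # application tier
    "db1": "db",                          # data tier
    "hr-pc": "internal",                  # user workstations
    "cam1": "iot", "printer": "iot",      # unmanaged devices
}

# Constructed boundary policy: (source segment, destination segment) pairs the
# boundary device permits. Anything not listed is denied at the boundary.
POLICY = {
    ("dmz", "app"),        # web tier may talk to the app tier only
    ("app", "db"),         # app tier may talk to the database tier
    ("internal", "dmz"),   # staff reach internet-facing services
    ("internal", "app"),
}


def can_hop(src, dst, hosts, policy):
    """True if traffic from src to dst is not blocked.

    Same segment: there is no boundary in the path, so nothing enforces policy.
    Different segments: the boundary device consults the policy.
    """
    if hosts[src] == hosts[dst]:
        return True
    return (hosts[src], hosts[dst]) in policy


def reachable(start, hosts, policy):
    """Set of hosts an attacker who controls `start` could pivot to.

    Breadth-first search over hosts, treating every permitted flow as a
    potential pivot (worst case: each reached host is assumed compromisable).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in hosts:
            if nxt not in seen and can_hop(cur, nxt, hosts, policy):
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(hosts, policy):
    """Per-host count of reachable hosts, including the host itself."""
    return {h: len(reachable(h, hosts, policy)) for h in hosts}


if __name__ == "__main__":
    # Flat network: a compromised camera reaches every host, and the policy
    # is never consulted because no flow crosses a boundary.
    print("flat, from cam1:", sorted(reachable("cam1", FLAT, POLICY)))
    # Segmented: the camera is confined to the iot segment.
    print("segmented, from cam1:", sorted(reachable("cam1", SEGMENTED, POLICY)))
    # The DMZ can pivot only as far as the policy allows (app, then db).
    print("segmented, from web1:", sorted(reachable("web1", SEGMENTED, POLICY)))
    print("blast radius:", blast_radius(SEGMENTED, POLICY))
```

Two things the model makes visible that the prose only states: passing an empty policy (the most restrictive ACL possible) to the flat inventory changes nothing, because no flow ever reaches the enforcement point; and on the segmented inventory the blast radius of a host is determined by the policy, so a permissive rule such as a direct dmz-to-db flow would widen it immediately. Reviewing each permitted pair against the reachable sets is a practical way to check a proposed segmentation design before deploying it.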
How it shows up on the exam
The cognitive target for segmentation questions at this level is application and analysis: given a scenario describing an environment (flat network, mixed-trust devices, internet-facing servers, regulatory scope), choose the segmentation approach that addresses the stated risk.
Candidates often confuse the mechanism with the goal. A VLAN isolates at layer 2; a DMZ isolates at a perimeter trust boundary. Selecting the wrong one for a described environment is the characteristic error. Similarly, choosing "apply an ACL" when the scenario calls for fully isolating a segment misunderstands that access control presupposes a boundary to enforce at.
Signal phrases to watch for in scenario stems:
- "Limit the impact if a device is compromised" → points toward segmentation (containing lateral movement)
- "Internet-facing servers should not have direct access to the internal database tier" → points toward a DMZ or screened subnet
- "Devices on the same physical switch need separate broadcast domains" → points toward VLANs
- "Grant only necessary access between zones" → points toward access control applied to an already-segmented boundary
Related concepts
- Access Control Lists — define what traffic is permitted across a segment boundary; they enforce policy at the boundary segmentation creates
- Least Privilege — the principle that each entity receives the minimum necessary resources; segmentation operationalizes this at the network layer by restricting what a segment can reach by default
- System Hardening — reduces the attack surface of individual hosts; segmentation reduces the network-level blast radius if a hardened host is nonetheless compromised
Sources
Every claim on this page traces to the public exam blueprint and official documentation: