Flat Networks, Fast Breaches, and How Shared Services Undermine Internal Segmentation

This article is part of a series unpacking the NSA and CISA’s Top Ten Cybersecurity Misconfigurations through the lens of real-world breaches and assessment findings.

This entry covers Misconfiguration 4: Lack of Network Segmentation, with a focus on internal segmentation. While many organisations define VLANs by function and deploy management or cloud vNets, the absence of internal firewalls, reliance on shared services, and inconsistent enforcement leave attackers with broad pathways once inside.

TL;DR

In posture assessments and incident response work I often found that internal segmentation looked effective on paper but was weak in practice. Attackers who gained a foothold could still map accounts, traverse VLANs with no internal firewalls, and pivot between environments through shared services. Cloud platforms have lifted the baseline somewhat, but most on-premises networks remain wide open to lateral movement.

Key patterns observed:

  • VLANs created by function but no internal firewalls or ACLs to enforce separation

  • Shared services like storage, Citrix, and management tiers bridging production and non-production

  • Identity-based controls (PAM, jump boxes) without enforced network paths

  • Site-to-site tunnels or management zones that collapsed environments together

  • Cloud networks (Azure VNets, AWS VPCs, GCP VPCs) with ACLs applied, a relative bright spot but not consistently enforced


First, Some Positive Observations

Many environments remain flat in practice, yet there are clear signs of progress. The examples below show how organisations are building a foundation for stronger internal boundaries, while also revealing the gaps that often remain.

  • Structured VLANs

    Most organisations separate users, servers, management, and wireless into distinct VLANs. This is a prerequisite for any further internal segmentation, and it is encouraging to see it already in place in most environments today.

  • Cloud baselines

    In cloud environments the picture is stronger. From what I observed, most organisations actively use Azure VNets, AWS VPCs, and GCP VPCs with their native filtering (network security groups, security groups and network ACLs, and VPC firewall rules, referred to loosely as ACLs throughout this article) to control traffic. This gives a more consistent segmentation baseline than is typical of traditional on-premises networks.

  • Deep investment in segmentation

    One organisation committed fully to segmentation, spending more than five years replacing its entire network stack with Cisco TrustSec-capable appliances and pairing this with host-level microsegmentation on critical systems. The programme was costly and disruptive, but it delivered an unusually granular, policy-based segmentation.

    Even here, gaps remained. Non-Cisco appliances and systems that could not support the microsegmentation agent, for example where root access was not available, became the weak spots adversaries would aim for.

  • Enterprise maturity with Zscaler, OT harder to enforce

    A global manufacturer deployed Zscaler ZPA and ZIA with cloud and branch connectors, and the configuration was solid. Our penetration tester struggled to make progress in the enterprise environment, which speaks to the value of a well tuned design.

    On the OT side, segmentation was assumed rather than fully enforced. Some OT devices still reached the internet directly, vendors had remote support tunnels into OT environments from the internet, and firewalls allowed RDP, SMB, LDAP, and SSH between IT and OT. The Purdue model was referenced, but gaps in enforcement reduced its effectiveness.


Internal Segmentation Gaps — Heatmap

Observed across posture assessments and incident response work. The original is plotted as a grid: one axis runs from high effort required (left) to low effort to exploit (right), and risk increases toward the upper right, where low-effort exploitation produces the largest blast radius. The grid itself is not reproduced here; the findings it plots are listed below.

  1. Flat internal networks with no internal firewalls.
    In several assessments, once attackers landed on a single machine, they could reach nearly every other system without crossing a boundary. The absence of internal enforcement points makes lateral movement trivial and fast, especially when combined with credential theft or stolen tokens.
  2. Site to site tunnels with any to any rules, including third parties.
    Broad rules on VPNs or MPLS connections are common, particularly with partners or subsidiaries. While convenient for operations, these configurations effectively merge two environments. A compromise on one side can spread unchecked to the other, so third-party exposures become your exposures.
  3. OT devices with direct access to IT or the internet.
    Although many organisations say they align with the Purdue model, reality often looks different. I have observed OT endpoints with direct internet reachability or uncontrolled access into IT zones. These gaps collapse intended layers and give attackers rapid paths into critical systems.
  4. VLANs with identical access policies.
    Most enterprises have created separate VLANs for users, servers, and management, which is a useful prerequisite. However, I often saw that once traffic entered the switch, the access rules were the same, effectively treating the network as flat. VLANs without ACLs or filtering provide the illusion of segmentation without real barriers.
  5. Identity-only segmentation.
    A recurring theme in mature environments was the claim that access was “segmented by identity.” In practice this meant relying on RBAC, file or application ACLs, or other application-level controls. These are valuable, but they only take effect once an account presents itself to an application. They do nothing to stop network-level activity such as lateral reconnaissance (port scans, share and service enumeration) or credential replay such as pass-the-hash, which rides the same legitimate protocols an administrator would use. Once an account is compromised, identity-only controls have no further barrier to offer.
  6. Management networks shared across segments and environments.
    Nearly every organisation had some form of management VLAN, but it was often shared between production, development, and testing. This allows an attacker in a lower-trust environment, like Dev or UAT, to pivot into production by abusing the common management layer.
  7. Wireless, VPN, and wired zones treated equally in policy.
    Even when these were configured as separate zones, the applied firewall rules were identical. In practice, a device connecting via Wi-Fi, a remote VPN, or a LAN port ended up with the same access scope. This erodes the value of zoning and gives remote sessions the same reach as devices inside the office.
  8. Dev or UAT can route to production.
    Segregation of environments is expected, yet I regularly encountered cases where Dev or UAT networks could communicate directly with production. This was usually a result of shared infrastructure, legacy practices, or broad exceptions. Attackers exploit these connections to escalate from less-sensitive networks into core business systems.
  9. Jump servers across segments.
    Jump servers are meant to enforce segmentation, yet I observed them shared across multiple environments. A single compromise could unlock access to Dev, UAT, and Production alike. Instead of providing a hard checkpoint, shared bastions became a pivot that collapsed network boundaries.
  10. Cloud VNet or VPC segmentation with permissive ACLs.
    Cloud platforms almost always start with some level of segmentation, such as Azure VNets, AWS VPCs, or GCP VPCs. The challenge I saw was permissive ACLs that undermined this foundation: broad any/any rules, administrative ports open to 0.0.0.0/0, and security groups trusting each other on every port. While still better than a flat LAN, misapplied ACLs meant segmentation existed in theory but failed in practice.
  11. Shared services without segmentation.
    File shares, virtualisation platforms, email servers, and storage clusters often sat in zones accessible from multiple segments. These “utility services” made sense operationally but gave attackers pivot points across the network. Once compromised, shared services can collapse multiple boundaries at once.
  12. IoT or meeting room devices not protected by NAC or firewall.
    Printers, cameras, and conference systems often sit on the corporate LAN with limited enforcement. While harder to exploit at scale, these devices are frequently unmanaged and underprotected, providing patient adversaries footholds to expand from.
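
The flat-network, any/any tunnel, identical-VLAN-policy, shared-management and Dev-to-Prod findings above all reduce to one question: what does the rule base actually let each zone reach, and how does that compare with the segmentation the organisation believes it has? The Python below is an added example, not code from the original article, that answers it for a constructed rule base. The zone prefixes, rules, intended policy and probe ports are assumptions chosen to reproduce those findings. It evaluates first-match rules for every (source zone, destination zone, port) triple, lists each allowed flow the intended policy does not sanction, and names any source that can reach everything, which is what an any/any partner tunnel looks like from the inside.

```python
"""Static check of an inter-zone firewall rule base against an intended
segmentation policy.

Added example, not code from the original article.  The zones, addresses,
rules and policy are constructed to mirror the heatmap findings: a shared
management VLAN, Dev routing to Prod, and an any/any partner tunnel.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import product

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or ANY
    dst: str      # CIDR or ANY
    port: str     # destination TCP port, or ANY
    action: str   # "allow" or "deny"


# Constructed zone map (assumption: each zone is one contiguous prefix).
ZONES = {
    "users":   ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "dev":     ip_network("10.30.0.0/24"),
    "prod":    ip_network("10.40.0.0/24"),
    "mgmt":    ip_network("10.99.0.0/24"),   # one mgmt VLAN shared by every environment
    "partner": ip_network("172.16.0.0/16"),  # third party reached over a site-to-site tunnel
}

# Constructed rule base; first match wins, as on most firewalls.
RULES = [
    Rule("172.16.0.0/16", ANY, ANY, "allow"),               # partner tunnel: any/any
    Rule("10.99.0.0/24", ANY, "22", "allow"),               # mgmt VLAN may SSH anywhere
    Rule("10.10.0.0/24", "10.20.0.0/24", "443", "allow"),   # users -> app servers
    Rule("10.30.0.0/24", "10.40.0.0/24", ANY, "allow"),     # legacy "dev needs prod data"
    Rule(ANY, ANY, ANY, "deny"),                            # explicit default deny
]

# Intended policy: (src zone, dst zone) -> allowed ports.  Anything absent is denied.
POLICY = {
    ("users", "servers"): {"443"},
    ("mgmt", "servers"): {"22"},
    ("mgmt", "prod"): {"22"},
    ("partner", "servers"): {"443"},
}

# Ports that matter for lateral movement: SSH, HTTPS, SMB, RDP.
PROBE_PORTS = ("22", "443", "445", "3389")


def _covers(field: str, zone: IPv4Network) -> bool:
    """True when a rule's address field applies to the whole zone.

    Assumption: zones align with rule prefixes.  A rule covering only part of
    a zone is ignored here; a real checker would expand it per host.
    """
    return field == ANY or zone.subnet_of(ip_network(field))


def evaluate(rules, src: IPv4Network, dst: IPv4Network, port: str) -> str:
    """Action of the first matching rule, or implicit deny when none matches."""
    for r in rules:
        if _covers(r.src, src) and _covers(r.dst, dst) and r.port in (ANY, port):
            return r.action
    return "deny"


def reach_matrix(rules=RULES, zones=ZONES, ports=PROBE_PORTS):
    """Set of (src_zone, dst_zone, port) triples the rule base actually allows."""
    allowed = set()
    for (s, snet), (d, dnet) in product(zones.items(), repeat=2):
        if s == d:
            continue  # intra-zone traffic never crosses the firewall
        for p in ports:
            if evaluate(rules, snet, dnet, p) == "allow":
                allowed.add((s, d, p))
    return allowed


def violations(rules=RULES, zones=ZONES, policy=POLICY, ports=PROBE_PORTS):
    """Flows the rule base allows that the intended policy does not."""
    return sorted(
        (s, d, p) for (s, d, p) in reach_matrix(rules, zones, ports)
        if p not in policy.get((s, d), set())
    )


def flat_sources(rules=RULES, zones=ZONES, ports=PROBE_PORTS):
    """Zones that can reach every other zone on every probed port: any/any in effect."""
    allowed = reach_matrix(rules, zones, ports)
    full = (len(zones) - 1) * len(ports)
    return sorted(z for z in zones if sum(1 for t in allowed if t[0] == z) == full)


if __name__ == "__main__":
    for s, d, p in violations():
        print(f"VIOLATION {s:>8} -> {d:<8} tcp/{p}")
    print("any/any sources:", flat_sources())
```

Run as written it reports 26 unsanctioned flows: the partner tunnel reaching every zone, the shared management VLAN able to SSH into Dev, the user VLAN and the partner estate, and Dev reaching Prod on every probed port. Exporting the real rule base (most firewalls can dump rules as CSV or JSON) and mapping VLANs to prefixes is the practical work; the comparison itself is mechanical, which is why it belongs in a scheduled check rather than an annual assessment.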

How to Approach the Gaps

Internal segmentation gaps rarely disappear with a single control or purchase. In practice, progress comes from combining smaller quick wins with longer-term architectural changes. Quick wins help close obvious holes that attackers would exploit immediately, while long-term strategies build the layered defence needed to sustain resilience. The table below prioritises both, offering immediate actions to reduce exposure alongside structural improvements that require more planning and investment.

  • Flat networks

    Quick win: Implement internal firewalls or ACLs between user, server, and management VLANs to create basic separation.
    Long-term strategy: Design a tiered segmentation model (e.g., user, server, critical infrastructure), enforce traffic controls across segments, and integrate monitoring for East–West traffic.

  • Site-to-site any/any tunnels

    Quick win: Audit existing tunnels and block unused or high-risk services.
    Long-term strategy: Restrict tunnels to explicit application flows, introduce segmentation for third-party connections, and enforce logging and monitoring.

  • OT devices bridging IT or the internet

    Quick win: Block direct internet access for OT systems and restrict vendor connections to VPN with MFA.
    Long-term strategy: Align OT environments to the Purdue model, separate IT and OT networks with firewalls, and use jump hosts or brokers for remote vendor access.

  • VLANs with identical access

    Quick win: Review ACLs between VLANs and block unnecessary East–West traffic.
    Long-term strategy: Introduce policy-driven segmentation that enforces least privilege between VLANs, monitored and audited regularly.

  • Identity-only segmentation

    Quick win: Restrict direct admin logins to critical systems and require jump hosts.
    Long-term strategy: Combine RBAC with network-level controls such as microsegmentation or application-aware firewalls for layered enforcement.

  • Management networks shared

    Quick win: Restrict production access to dedicated management VLANs with ACLs.
    Long-term strategy: Implement separate management networks per environment (prod, dev, UAT), with routing restrictions between them.

  • Wireless, VPN and wired treated equally

    Quick win: Apply separate ACLs to wireless and VPN traffic and limit their access to backend systems.
    Long-term strategy: Architect distinct zones for remote and wireless access, with layered authentication and enforcement at aggregation points.

  • Dev or UAT able to reach Prod

    Quick win: Block direct routing from non-production to production environments.
    Long-term strategy: Create dedicated network segments for Dev, UAT, and Prod, enforce strict ACLs, and require change control for cross-environment access.

  • Jump servers shared

    Quick win: Restrict each jump host to a single environment.
    Long-term strategy: Deploy segmented, audited jump infrastructure per environment with enforced MFA and session recording.

  • Cloud VNet or VPC with permissive ACLs

    Quick win: Audit and tighten cloud ACLs and block broad any/any rules.
    Long-term strategy: Apply least privilege in cloud networking (Azure VNet, AWS VPC, GCP VPC) and enforce continuous compliance monitoring.

  • Shared services without segmentation

    Quick win: Restrict sensitive systems (AD, file shares, backup) to authorised subnets only.
    Long-term strategy: Build dedicated service zones (e.g., tier-0), enforce segmentation and access policies, and audit regularly to prevent creep.

  • IoT devices unprotected

    Quick win: Place IoT and conference devices into isolated VLANs with restricted outbound access.
    Long-term strategy: Deploy NAC and device profiling to manage IoT at scale, enforce policies, and monitor for anomalous behaviour.
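
The cloud row of the table, and finding 10 in the heatmap, is the one that can be checked mechanically from the platform's own API output. The Python below is an added example, not code from the original article and not an AWS-provided tool. It reads a document in the shape returned by `aws ec2 describe-security-groups` and flags the patterns that turn a VPC back into a flat LAN: any protocol from the internet, administrative ports (SSH, LDAP, SMB, RDP, WinRM) from the internet, every port from a broad RFC 1918 prefix, and every port from another security group. The two sample groups, the port list and the /16 threshold for "broad" are assumptions; to audit a real account, replace the sample with that call's JSON.

```python
"""Audit AWS security group rules for the permissive patterns that undo VPC
segmentation.

Added example: not code from the original article and not an AWS tool.  SAMPLE
is a constructed document in the shape returned by
``aws ec2 describe-security-groups``; replace it with that call's JSON to audit
a real account.
"""
import json
from ipaddress import ip_network

# Ports whose exposure usually means an admin path rather than an application.
ADMIN_PORTS = {22: "SSH", 389: "LDAP", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
INTERNET = ("0.0.0.0/0", "::/0")
# Assumption: an RFC 1918 prefix of /16 or wider is "most of the estate".
BROAD_PRIVATE_PREFIX = 16

# Constructed sample: one tight group and one that collapses the VPC.
SAMPLE = json.loads(r"""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0e9f8d7c", "GroupName": "legacy-allow-all",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "vendor support"}],
      "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]}
]}
""")


def _port_range(perm):
    """Destination port span of a permission; IpProtocol "-1" means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_group(group):
    """Findings for one security group as (severity, description) tuples."""
    findings = []
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        all_ports = (lo, hi) == (0, 65535)
        admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in INTERNET:
                if all_ports:
                    findings.append(("critical", f"any/any from the internet ({cidr})"))
                elif admin:
                    findings.append(("high", f"{'/'.join(admin)} from the internet ({cidr})"))
            elif all_ports:
                net = ip_network(cidr)
                if net.is_private and net.prefixlen <= BROAD_PRIVATE_PREFIX:
                    findings.append(("high", f"all ports from broad internal range {cidr}"))
        # A group-to-group reference is still any-port trust when the span is open.
        for pair in perm.get("UserIdGroupPairs", []):
            if all_ports:
                findings.append(("medium", f"all ports from security group {pair['GroupId']}"))
    return findings


def audit(doc):
    """Map each GroupId in a describe-security-groups document to its findings."""
    return {g["GroupId"]: audit_group(g) for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    for group_id, findings in audit(SAMPLE).items():
        for severity, text in findings:
            print(f"{severity:<8} {group_id}  {text}")
```

The same approach transfers to Azure NSGs and GCP firewall rules with different field names. Severity here is a triage order, not a verdict: a bastion that genuinely needs SSH from a vendor is fixed by narrowing the source to the vendor's fixed range and adding MFA in front of it, not by deleting the rule and waiting for the ticket.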
Rob Kehl
Rob Kehl is a Principal Cybersecurity Adviser and educator based in Aotearoa New Zealand. Originally from the United States, his career spans the U.S. Air Force and global consultancies like Sygnia and Cognizant. Rob specialises in architecture assessments, incident response, security operations, and AI security strategies. He applies his international experience to support cybersecurity resilience across sectors in New Zealand.
