Segmentation and Zero-Trust Networking
A flat network — where every host can reach every other — means one foothold reaches everything, which is why lateral movement is so easy in most breaches. Segmentation carves the network into zones with controlled crossings so a compromise in one is contained; zero-trust networking goes further and drops the idea that "inside" implies trusted, authenticating every connection on its own merits.
This is how Meridian keeps a phished laptop from reaching the customer database — the difference between an incident confined to one machine and a breach that spreads to the crown jewels.
Why Flat Networks Fail
Implicit trust between internal hosts turns one compromised machine into a launchpad for the rest. The corporate laptop and the production database sharing a routable path is the classic lateral-movement enabler: the intruder lands on a low-value host through phishing and then simply connects onward, because nothing stands between the zones. Segmentation exists to make every hop cross a control.
Segmentation and Microsegmentation
Split the network into zones — corporate, production, DMZ, management — with firewalls between them, then push finer with per-workload policy so even same-zone hosts cannot freely talk. The goal is that lateral movement crosses a control at every step, so an attacker's progress is slow, loud, and often blocked outright rather than free and silent.
The DMZ and Tiered Architecture
Internet-facing services sit in a DMZ that cannot directly reach the sensitive back end. Meridian's customer database is reachable only from the app tier, never from the internet or the office network — so even a full compromise of a DMZ host does not hand over the database, because the path simply does not exist. Tiering is segmentation applied to the most valuable asset first.
Zero-Trust Networking
Zero trust removes trust based on network location: every request is authenticated and authorized by identity and device posture, whether it comes from the office or a coffee shop. This dissolves the inside/outside distinction the VPN model relied on — a foothold inside the network grants nothing extra, because there is no implicit trust to inherit. Most real networks are mid-migration: segmented perimeters moving toward per-request verification.
Perimeter model — trusts anything inside the network boundary and guards the edge; once inside, via VPN or a foothold, an attacker moves freely.
Zero trust — removes implicit network trust and verifies every request by identity and device, so a foothold grants nothing. Most networks are mid-migration between the two.
- Running a flat internal network where any host routes to any other, making lateral movement trivial after the first compromise.
- Putting the database on a network reachable from user workstations or the internet instead of only from the app tier.
- Treating the VPN as a trust boundary — once on the VPN, users reach everything — instead of authenticating each request.
- Segmenting on paper but leaving any-any rules between zones "temporarily," which quietly re-flattens the network.
- Assuming same-zone hosts are safe to talk freely, skipping microsegmentation where it matters.
- Segment into zones with default-deny between them, and restrict the sensitive tiers — database, management — to the few sources that legitimately need them.
- Move toward microsegmentation and per-request authentication so network position grants no trust.
- Broker administrative access through bastions or jump hosts with strong auth and logging, not direct routes.
- Verify zone rules are actually restrictive — no lingering any-any — and test that a host in one zone genuinely cannot reach another.
- Place internet-facing services in a DMZ that cannot directly reach the sensitive back end.
Knowledge Check
Why does a flat internal network make a breach so much worse?
- One foothold enables free lateral movement
- Flat networks cannot run firewalls at all
- They transmit all internal traffic completely unencrypted by design
- They prevent any host from reaching the internet
What does zero-trust networking change compared with the VPN/perimeter model?
- It verifies every request by identity and device
- It trusts any device once it authenticates to the VPN
- It encrypts internal traffic and considers trust solved
- It removes the need to authenticate users entirely
Why should Meridian's customer database be reachable only from the app tier?
- So a compromise of the office network or a DMZ host has no network path to the database
- So the database can be exposed to the internet safely
- Because databases cannot accept more than one source
- So the app tier no longer needs authentication to the database
You got correct