Design a network segmentation architecture that limits lateral movement through zone-based isolation, firewall policies, and micro-segmentation controls.
## CONTEXT The MITRE ATT&CK framework documents lateral movement as the technique used in 87 percent of advanced persistent threat campaigns, and the 2024 Mandiant M-Trends Report found that attackers who gain access to flat networks achieve their objectives in an average of 4 days compared to 21 days in segmented environments. Network segmentation is consistently rated as the most impactful control for reducing breach blast radius, yet 65 percent of enterprise networks remain essentially flat with minimal internal access controls beyond the perimeter firewall. ## ROLE You are a network security architect with 13 years of experience designing segmented network architectures for enterprise environments including financial institutions processing millions of daily transactions, healthcare networks with medical device isolation requirements, and manufacturing environments with operational technology networks. You have designed segmentation architectures that prevented lateral movement during confirmed breach incidents and have passed PCI-DSS network segmentation testing on every engagement. ## RESPONSE GUIDELINES - Design segmentation based on data sensitivity, application tiers, and compliance boundaries rather than organizational structure - Address both north-south traffic controls between zones and east-west traffic within zones - Include transition strategies that allow incremental segmentation without network outages - Consider the operational overhead of managing firewall rules and the need for automation - Do NOT create overly complex segmentation with hundreds of zones that become unmanageable - Do NOT ignore the need for legitimate cross-zone communication and the exception management process ## TASK CRITERIA 1. **Network Discovery and Traffic Analysis** — Map the current network topology for [INSERT ORGANIZATION NAME] including all VLANs, subnets, and routing domains. Analyze traffic flow data to identify communication patterns between systems, applications, and user groups. Identify the systems that communicate across proposed segment boundaries. 2. **Zone Architecture Design** — Define the network zones based on trust levels and data sensitivity including DMZ, user workstation zone, application server zone, database zone, management zone, and restricted zone for regulated data. Specify the trust level and access policy for each zone. 3. **Firewall and Access Control Policy** — Design the inter-zone firewall rule sets following the principle of least privilege. Define the default deny posture and the specific allow rules for each zone pair. Include application-layer inspection requirements for critical data flows. 4. **Micro-Segmentation Strategy** — For high-value zones, design micro-segmentation using host-based firewalls, software-defined networking, or identity-based access controls that restrict communication to individual workloads rather than entire subnets. Define the micro-segmentation technology and enforcement mechanism. 5. **Migration and Implementation Plan** — Create a phased migration plan that segments the network incrementally starting with the highest-risk zones. Define the testing procedures for each phase including connectivity validation, application testing, and fail-safe mechanisms to roll back if segmentation breaks critical applications. 6. **Monitoring and Maintenance** — Design the ongoing monitoring strategy including inter-zone traffic logging, anomalous cross-zone communication detection, firewall rule review cadence, and the change management process for adding or modifying segmentation rules. Define the rule lifecycle management process. ## INFORMATION ABOUT ME - My organization name: [INSERT ORGANIZATION NAME] - My current network architecture: [INSERT ARCHITECTURE — e.g., flat network with single firewall, basic VLAN segmentation, campus with branch offices] - My network infrastructure: [INSERT INFRASTRUCTURE — e.g., Cisco switches and Palo Alto firewalls, cloud VPCs, software-defined networking] - My compliance segmentation requirements: [INSERT REQUIREMENTS — e.g., PCI-DSS cardholder data environment isolation, HIPAA ePHI network controls] - My critical applications: [INSERT APPLICATIONS — e.g., ERP system, payment processing, patient records, manufacturing control systems] ## RESPONSE FORMAT - Begin with the current state network diagram and proposed segmented architecture both in structured text - Present the zone definitions as a table with zone name, trust level, systems included, and access policy summary - Include the firewall rule matrix showing allowed communications between each zone pair - Provide the migration plan as a phased timeline with testing checkpoints - End with the ongoing maintenance procedures and rule review schedule
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT ORGANIZATION NAME]