Network Design

Network Segmentation Security Guide — Why VLANs Matter in 2026

3 May 2026 · 7 min read · VantagePoint Networks

Network segmentation is the practice of dividing a computer network into smaller subnetworks (segments or VLANs) to control traffic flow and limit the spread of a security breach. When an attacker compromises one device on a flat network, they can freely reach every other device — servers, backup systems, accounting software. Segmentation creates barriers: a breach in one zone cannot automatically become a breach everywhere. For SMBs, even basic VLAN design dramatically reduces the blast radius of an attack.

Why Flat Networks Are a Security Problem

The majority of SMB networks are flat: all devices share a single subnet and can communicate directly with each other. This is convenient to administer, but it means that a single compromised endpoint — a laptop infected by a phishing email, a printer with vulnerable firmware, a smart TV in the boardroom — can scan and attack every other device on the network without any barriers.

Ransomware operators specifically exploit flat networks. Once inside, they use tools like network scanners and credential dumping to identify backup servers, file servers, and domain controllers — and encrypt them all before anyone notices. A segmented network forces attackers to break through additional barriers, slowing them down and creating detection opportunities.

Recommended VLAN Design for SMBs

The following six VLANs cover the security segmentation needs of most businesses with 10–200 users. Adjust based on your specific environment.

VLAN 10 (Servers & Infrastructure): File servers, domain controllers, application servers, NAS devices. Highest security zone — only workstations and admins need to reach this.

VLAN 20 (Workstations): Employee laptops and desktops. Can reach servers and internet, but not management or IoT networks.

VLAN 30 (Network Management): Switch management interfaces, firewall management, UPS management. Admin access only. Never accessible from workstation or guest networks.

VLAN 40 (Printers & Peripherals): Networked printers and scanners. Isolated to prevent printer firmware exploits from reaching servers. Workstations can print; printers cannot initiate connections back.

VLAN 50 (Guest / Visitor Wi-Fi): Internet access only. No access to any internal network. Separate SSID, rate-limited, isolated from all corporate resources.

VLAN 60 (IoT Devices): Smart TVs, security cameras, building automation, meeting room equipment. Internet access as needed; no access to corporate network segments.

Inter-VLAN Traffic Rules

VLANs without inter-VLAN firewall rules are just labels — traffic can still flow freely if your switch or router allows it. The firewall (or Layer 3 switch with ACLs) must enforce rules between segments.

From → To | Servers | Workstations | Management | Printers | Guest | IoT
Servers
Workstations
Management
Printers
Guest
IoT
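As an added example (not code from VantagePoint's post), here is the policy behind the table above expressed as policy-as-code in Python: a default-deny allow-list derived from the six VLAN descriptions, an invariant check that flags the rule mistakes discussed in this guide, and a generator for an nftables forward chain. The subnets and the small "admin" host block are assumptions; the page names no addresses.

```python
"""Inter-VLAN policy for the six-VLAN SMB design: default-deny allow-list, checks, nft output."""

# Zone -> (VLAN id, subnet). Subnets are constructed for illustration; "admin" is an
# assumed small block of admin hosts, not the whole workstation VLAN.
ZONES = {
    "servers": (10, "10.0.10.0/24"), "workstations": (20, "10.0.20.0/24"),
    "management": (30, "10.0.30.0/24"), "printers": (40, "10.0.40.0/24"),
    "guest": (50, "10.0.50.0/24"), "iot": (60, "10.0.60.0/24"),
    "admin": (20, "10.0.20.240/28"),
}
INTERNET = "internet"  # any destination outside 10.0.0.0/8 in this model

# (initiator, destination) pairs allowed to open connections; everything else is denied.
# Printers never appear as initiator: print jobs flow workstation -> printer only.
BASELINE = {
    ("workstations", "servers"), ("workstations", "printers"), ("workstations", INTERNET),
    ("admin", "servers"), ("admin", "management"), ("servers", INTERNET),
    ("guest", INTERNET), ("iot", INTERNET),
}

def is_allowed(policy, src, dst):
    """Default deny: a flow is permitted only if it is explicitly listed."""
    return (src, dst) in policy

def check_invariants(policy):
    """Report allow-list entries that break the rules the VLAN design requires."""
    problems = []
    for src, dst in sorted(policy):
        if dst == "management" and src != "admin":
            problems.append(f"{src} may initiate to management (admin only)")
        elif src in ("guest", "iot") and dst != INTERNET:
            problems.append(f"{src} may reach {dst} (internet-only zone)")
        elif src == "printers" and dst != INTERNET:
            problems.append(f"printers may initiate to {dst} (must be receive-only)")
        elif src == "workstations" and dst in ("management", "iot"):
            problems.append(f"workstations may reach {dst}")
    return problems

def to_nftables(policy):
    """Render the allow-list as an nft forward chain; the ct rule lets replies return."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for src, dst in sorted(policy):
        s = ZONES[src][1]
        if dst == INTERNET:
            lines.append(f"    ip saddr {s} ip daddr != 10.0.0.0/8 accept")
        else:
            lines.append(f"    ip saddr {s} ip daddr {ZONES[dst][1]} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Because the chain's policy is drop and only established/related state is accepted in reverse, a printer can answer a workstation's print job but cannot open a connection to a server on its own.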

Common Network Segmentation Mistakes

VLANs without firewall rules between them
If your managed switch allows routing between VLANs without an ACL or firewall policy, segmentation is ineffective. Test by attempting to ping from the workstation VLAN to the server VLAN — if it responds, the barrier is not in place.
Guest Wi-Fi on the same VLAN as corporate devices
Guest visitors should never be able to reach internal systems. A separate SSID mapped to a guest VLAN with internet-only access prevents an attacker posing as a visitor from accessing corporate resources.
Printer VLAN with bidirectional server access
Printers often have outdated firmware with known vulnerabilities. They need to receive print jobs (workstation-to-printer) but should not be able to initiate connections to servers or other devices.
Forgetting IoT devices in segmentation design
Smart TVs, security cameras, building management systems, and meeting room hardware are all potential entry points. They receive infrequent security updates and should be isolated from corporate networks entirely.

Frequently Asked Questions

What is network segmentation?
Network segmentation is the practice of dividing a computer network into smaller subnetworks (segments or VLANs) to limit the spread of a security breach. If one segment is compromised, segmentation prevents an attacker from moving freely to other segments containing sensitive data or critical systems.
Do small businesses need network segmentation?
Yes. Even a 10-person business benefits from basic segmentation — at minimum, separating guest Wi-Fi from the corporate network and isolating servers from workstations. Flat networks mean a single compromised device can reach everything. Segmentation limits the blast radius of a breach without significant cost.
What VLANs should a small business have?
A typical SMB VLAN design includes: Servers/infrastructure (VLAN 10), Workstations (VLAN 20), Management/network devices (VLAN 30), Printers (VLAN 40), Guest/visitor Wi-Fi (VLAN 50), and IoT devices (VLAN 60).

Is Your Network Properly Segmented?

The VP Audit free assessment includes perimeter and connectivity questions that surface flat network risks and segmentation gaps.
