AS-301b · Module 1
From Zones to Microsegments
4 min read
Good news, everyone! In AS-301a we covered zone-based segmentation: grouping agents by function into separate VLANs with firewall rules between them. That is the minimum viable approach. Now we go further. Microsegmentation isolates each individual agent into its own segment with an explicitly defined whitelist of allowed connections, and the policy is enforced at the workload itself (host firewall, sidecar proxy or SDN policy) rather than at a shared VLAN boundary. Agent A can reach the sales API and Agent B. Agent B can reach the CRM database and Agent C. Everything not on the whitelist is denied by default, on the receiving side as well as the sending side: Agent C accepts connections from Agent B and from nothing else. The communication map is not a suggestion — it is enforcement.
The architectural shift from zones to microsegments changes the blast radius equation fundamentally. In zone-based segmentation, a compromised agent can reach every service and every other agent within its zone in a single hop. In microsegmentation, a compromised agent can reach only the specific endpoints on its whitelist; getting anywhere else means compromising the next agent in the chain as well, and every denied attempt along the way is a log line you can alert on. The blast radius shrinks from "everything in the zone" to "only the explicitly allowed endpoints." That reduction is the entire point. Note what it does not do: the attacker keeps full use of whatever is on the whitelist, so a compromised Agent B can still query the CRM database with Agent B's credentials. You are not preventing compromise — you are making compromise survivable.
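To make the blast radius comparison concrete, here is an added example (not part of the AS-301b course material) that models the AS-301a zone policy and the per-agent microsegmentation policy described above for the same small fleet, then computes what a single compromised agent can reach under each. The zone names, endpoint inventory and ports are invented for illustration; the whitelist itself follows the Agent A / Agent B / Agent C map in the text.

```python
"""Added example, not from the AS-301b course material: compare the reach of
one compromised agent under zone segmentation and under per-agent
microsegmentation. All names, zones and ports below are constructed."""
from collections import deque

# Constructed inventory: which zone each workload sits in (zone model only).
ZONES = {
    "agent-a": "agents", "agent-b": "agents", "agent-c": "agents",
    "sales-api": "services", "crm-db": "data",
}
AGENTS = {name for name, zone in ZONES.items() if zone == "agents"}

# Constructed list of listening endpoints as (host, port).
ENDPOINTS = {
    ("sales-api", 443), ("crm-db", 5432),
    ("agent-a", 8443), ("agent-b", 8443), ("agent-c", 8443),
}

# Zone model: traffic inside a zone is open, and these zone pairs are open
# across the boundary on any port.
ZONE_RULES = {("agents", "services"), ("agents", "data")}

# Microsegment model: one whitelist per agent, as (destination, port).
# Anything not listed is denied by default. Matches the map in the text.
MICRO_RULES = {
    "agent-a": {("sales-api", 443), ("agent-b", 8443)},
    "agent-b": {("crm-db", 5432), ("agent-c", 8443)},
    "agent-c": set(),
}


def zone_allows(src, dst, port):
    """Zone policy: same zone, or an allowed zone pair. Port is ignored."""
    zs, zd = ZONES[src], ZONES[dst]
    return zs == zd or (zs, zd) in ZONE_RULES


def micro_allows(src, dst, port):
    """Microsegment policy: only (dst, port) pairs on src's own whitelist."""
    return (dst, port) in MICRO_RULES.get(src, set())


def direct_reach(src, allows):
    """Endpoints a compromised `src` can open a connection to in one hop.
    This is the blast radius the module is talking about."""
    return {dst for dst, port in ENDPOINTS
            if dst != src and allows(src, dst, port)}


def transitive_reach(src, allows):
    """Endpoints reachable if the attacker also compromises each agent it
    lands on and pivots again. Services are leaves: they have no outbound
    rules in this model."""
    seen, queue = set(), deque([src])
    while queue:
        cur = queue.popleft()
        for dst in direct_reach(cur, allows):
            if dst != src and dst not in seen:
                seen.add(dst)
                if dst in AGENTS:
                    queue.append(dst)
    return seen


if __name__ == "__main__":
    for label, allows in (("zone", zone_allows), ("micro", micro_allows)):
        print(f"{label:5} direct from agent-a:     "
              f"{sorted(direct_reach('agent-a', allows))}")
        print(f"{label:5} transitive from agent-a: "
              f"{sorted(transitive_reach('agent-a', allows))}")
```

Under the zone policy a compromised Agent A reaches all four other workloads in one hop. Under the microsegment policy it reaches two, and the transitive set only grows back to four if the attacker separately compromises Agent B and then Agent C, each a distinct host with its own exploit surface, with the intermediate denied connections visible in the flow logs. That is the difference between "everything in the zone" and "survivable".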
Do This
- Define per-agent communication whitelists that enumerate every allowed connection by destination and port
- Deny all traffic by default — the whitelist is the only path through the network
- Review whitelists on a fixed cadence, quarterly at minimum, and remove any connection that flow logs show unused across the whole period since the last review; the lookback must be at least as long as the cadence, because a 30-day window checked quarterly silently prunes legitimate jobs that run once a quarter
Avoid This
- Allow all traffic within a zone and control only zone-to-zone communication — that is zone segmentation, not microsegmentation
- Build whitelists from what agents request rather than what they need — agents should not define their own access
- Treat microsegmentation as a one-time deployment — drift happens as integrations change
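The review step in the Do This list, and the "what agents request versus what they need" point above, are easiest to see against real flow data. The following is an added example (not part of the AS-301b course material) of a whitelist review driven by a flow log: it flags entries with no observed traffic inside the lookback window, shows why a lookback shorter than the review cadence prunes a legitimate quarterly job, and collects denied flows into a review queue instead of auto-approving them. The log format, agent names, dates and the billing-api endpoint are constructed for illustration.

```python
"""Added example, not from the AS-301b course material: quarterly whitelist
review from flow logs. Log format, names and dates are constructed."""
from datetime import datetime, timedelta, timezone

# Per-agent whitelists as (destination, port), same shape as in the module.
WHITELIST = {
    "agent-a": {("sales-api", 443), ("agent-b", 8443)},
    "agent-b": {("crm-db", 5432), ("agent-c", 8443), ("billing-api", 443)},
}

# Constructed flow log, one record per line:
#   <iso-timestamp> <src> <dst> <port> <ALLOW|DENY>
# billing-api is hit once a quarter by a close-of-books job. The DENY lines
# are agent-a trying to reach crm-db directly, which is not on its list.
FLOW_LOG = """\
2024-04-02T03:00:00Z agent-b billing-api 443 ALLOW
2024-06-25T10:14:07Z agent-a sales-api 443 ALLOW
2024-06-26T09:01:11Z agent-a agent-b 8443 ALLOW
2024-06-26T09:01:12Z agent-b crm-db 5432 ALLOW
2024-06-27T14:30:45Z agent-b agent-c 8443 ALLOW
2024-06-28T11:00:00Z agent-a crm-db 5432 DENY
2024-06-29T11:00:00Z agent-a crm-db 5432 DENY
"""

# Date the review is run (constructed).
REVIEW_DATE = datetime(2024, 6, 30, tzinfo=timezone.utc)


def parse_flows(text):
    """Parse the constructed log into (timestamp, src, dst, port, action)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append((when, src, dst, int(port), action))
    return flows


def stale_entries(whitelist, flows, now, lookback_days):
    """Whitelist entries with no ALLOWed traffic in the last `lookback_days`.
    These are prune candidates; each one is tied to a concrete log query."""
    since = now - timedelta(days=lookback_days)
    seen = {(src, dst, port) for ts, src, dst, port, action in flows
            if action == "ALLOW" and ts >= since}
    return {(src, dst, port)
            for src, entries in whitelist.items()
            for dst, port in entries
            if (src, dst, port) not in seen}


def denied_flows(flows):
    """Distinct (src, dst, port) tuples that hit the default deny. They go to
    a human review queue; nothing here adds them to the whitelist, because
    an agent asking for access is not evidence that it needs it."""
    return {(src, dst, port) for _, src, dst, port, action in flows
            if action == "DENY"}


def review(lookback_days, now=REVIEW_DATE, whitelist=WHITELIST, log=FLOW_LOG):
    """Run one review pass and return what a reviewer needs to decide on."""
    flows = parse_flows(log)
    return {
        "stale": stale_entries(whitelist, flows, now, lookback_days),
        "denied": denied_flows(flows),
    }


if __name__ == "__main__":
    for days in (30, 90):
        result = review(days)
        print(f"lookback {days:3}d  stale: {sorted(result['stale'])}")
    print(f"review queue (denied): {sorted(review(90)['denied'])}")
```

With a 30-day lookback the quarterly billing-api connection looks dead and would be pruned, breaking the next close-of-books run; with a 90-day lookback that matches the review cadence it is correctly kept. The repeated agent-a to crm-db denials are exactly the kind of drift the last Avoid This item is about: they tell you an integration changed, and the right response is to find out why, not to widen the whitelist because the agent keeps asking.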