AS-301a · Module 1
Network Segmentation
3 min read
A flat network where every agent can reach every service is an attacker's paradise. One compromised agent becomes a pivot point to every system on the network. Network segmentation limits the blast radius by isolating agent groups into separate network zones with controlled communication paths between them. An agent in the research zone cannot reach the billing database. An agent in the customer service zone cannot reach the internal HR system. Each zone only exposes the specific endpoints that the agents within it legitimately need.
Microsegmentation takes this further by isolating individual agents rather than groups. Each agent operates in its own network segment with explicitly defined allowed connections. Agent A can communicate with the sales API and Agent B, but nothing else. Agent B can communicate with the CRM database and Agent C, but nothing else. The communication map is a whitelist — anything not explicitly allowed is denied by default. This is more complex to manage than zone-based segmentation, but it reduces the blast radius of a single compromised agent from "everything in the zone" to "only the specific services this agent is allowed to reach."
- Zone-Based Segmentation: Group agents by function — research, sales, customer service, administration — into separate VLANs or virtual networks. Traffic between zones passes through a firewall with explicit allow rules. This is the minimum viable segmentation for enterprise deployments.
- Microsegmentation: Isolate each agent into its own network segment with a per-agent whitelist of allowed connections. Use service mesh technology (Istio, Linkerd) or cloud-native security groups to enforce the whitelist. More complex to manage, but it dramatically reduces the blast radius.
- East-West Traffic Monitoring: Monitor agent-to-agent and agent-to-service traffic for anomalies. A sudden spike in traffic from one agent to an unfamiliar endpoint is a signal. Deploy network detection and response (NDR) tools on internal traffic, not just at the perimeter.
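As an added example (not part of this course's material), the per-agent whitelist from the microsegmentation discussion and the east-west spike check from the monitoring bullet, written as a small policy evaluator in Python; the agent and service names are constructed to match the text, and the flow log, baseline and spike threshold are assumptions:

```python
from collections import Counter

# Per-agent communication map (constructed to match the text):
# Agent A may reach the sales API and Agent B, Agent B may reach the CRM
# database and Agent C. Anything not listed is denied by default.
ALLOW = {
    "agent-a": {"sales-api", "agent-b"},
    "agent-b": {"crm-db", "agent-c"},
    "agent-c": set(),
}

# Constructed flow log of (source, destination) connection attempts.
# The burst from agent-a to hr-system is the "sudden spike to an
# unfamiliar endpoint" the monitoring bullet describes.
SAMPLE_FLOWS = (
    [("agent-a", "sales-api")] * 3
    + [("agent-a", "agent-b")]
    + [("agent-b", "crm-db")] * 2
    + [("agent-a", "hr-system")] * 6
    + [("agent-c", "billing-db")]
)

# Assumed baseline: destinations each agent has historically talked to.
BASELINE = {"agent-a": {"sales-api", "agent-b"}, "agent-b": {"crm-db"}}


def is_allowed(src, dst):
    """Default-deny: an unknown source or an unlisted destination is rejected."""
    return dst in ALLOW.get(src, set())


def evaluate_flows(flows):
    """Split observed flows into those the whitelist permits and those it denies."""
    allowed, denied = [], []
    for src, dst in flows:
        (allowed if is_allowed(src, dst) else denied).append((src, dst))
    return allowed, denied


def east_west_anomalies(flows, baseline, threshold=5):
    """Flag (src, dst, count) where an agent sends at least `threshold` flows
    to a destination absent from its baseline. Runs over all observed
    traffic, so it also surfaces bursts the policy already blocked."""
    counts = Counter(flows)
    return sorted(
        (src, dst, n) for (src, dst), n in counts.items()
        if dst not in baseline.get(src, set()) and n >= threshold
    )
```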