CompTIA N10-009 Network Segmentation Guide

Segmentation questions are trust-boundary questions. CompTIA is not just asking whether you know what a VLAN is. It is asking whether you can decide which device populations should share a network, which should be isolated, and where convenience has to give way to containment and safety.

OT: Operational technology, the systems that monitor or control physical processes such as manufacturing or utilities.

BYOD: Bring your own device, a personally owned endpoint that is allowed to connect under defined policy.

IoT: Internet of Things, embedded devices such as cameras, sensors, printers, or controllers that often have limited security features.

What CompTIA is really testing

The strongest answers usually separate:

• guests from authenticated internal users
• user-owned devices from managed corporate devices
• ordinary office endpoints from constrained or safety-sensitive OT environments
• data access needs from broad lateral access

Segmentation is about reducing blast radius

    flowchart LR
	  A["Guest devices"] --> G["Guest zone"]
	  B["Managed staff devices"] --> H["Corporate user zone"]
	  C["IoT devices"] --> I["IoT zone"]
	  D["OT systems"] --> J["OT zone"]
	  G --> K["Internet only or tightly restricted access"]
	  H --> L["Approved internal services"]
	  I --> M["Only required controllers or services"]
	  J --> N["Strictly limited operational paths"]

What to notice:

• different populations do not need the same reachability
• the safest answer is usually the one with the fewest necessary paths
• OT often has the strongest isolation needs because safety and uptime are involved

Keep the trust zones distinct

Small segmentation example

1VLAN 10  Corporate users
2VLAN 20  Guest wireless
3VLAN 30  IoT cameras
4VLAN 40  OT controllers
5
6Guest -> internet only
7IoT -> NVR and update service only
8OT -> management jump host and required controllers only

What to notice:

• separate addressing and policy boundaries make intent visible
• “internet only” or “controller only” is stronger than vague broad access
• a shared flat network would make lateral movement much easier

Why this is an exam favorite

CompTIA likes scenarios where two answers both sound secure, but one is more precise:

• “put everything behind a firewall” is weaker than “separate guests, BYOD, IoT, and OT into distinct trust zones”
• “use VLANs everywhere” is weaker than “use segmentation plus policy that limits inter-zone traffic”
• “block internet access” is weaker than “allow only the exact required paths”

Common traps

• placing convenience over isolation
• treating all non-corporate devices as one identical zone
• assuming segmentation alone is enough without access-control policy
• forgetting that OT environments can have safety, availability, and vendor-support constraints

What strong answers usually do

• group devices by trust and operational need, not by convenience
• allow only the paths each population actually requires
• keep guest and unmanaged access away from trusted internal resources
• isolate OT and sensitive device populations more aggressively than normal office traffic

Decision order that usually wins

Boundary questions become easier if you classify the device group first. Guests usually need internet access, not trusted internal reachability. BYOD usually needs narrower access than managed corporate endpoints. IoT often needs only a small set of services. OT often needs the strongest isolation because safety and uptime matter. On Network+, the default good answer is usually more separation and fewer implicit trust paths.

Quiz

Continue with 4.7 Network Attacks to keep the domain flow intact.