ISC2 CISSP Network Segmentation Guide

Study ISC2 CISSP Network Segmentation: key concepts, common traps, and exam decision cues.

This lesson is about controlling where traffic can go, how it is protected on the way, and which systems should be allowed to talk at all. CISSP prefers network designs that are deliberate, layered, and easy to defend.

Network-choice map

Requirement                                               Better first instinct
--------------------------------------------------------  ----------------------------------------------
limit east-west spread after compromise                   segmentation and internal filtering
protect traffic over untrusted networks                   authenticated and encrypted transport
isolate sensitive systems from broad user access          separate zones and tightly controlled paths
expose a public service while protecting internal assets  layered boundary controls and limited trust links

What the exam is really testing

If the stem says…          Strong reading
-------------------------  --------------------------------------------------------------------------
“flat network”             the real weakness is usually blast radius and weak trust boundaries
“data in transit”          confidentiality, integrity, and endpoint trust all matter
“sensitive environment”    separation of duties and network zoning may matter more than raw throughput

Decision order that usually wins

  1. Decide whether the primary problem is path trust or zone trust.
  2. Separate transport protection from segmentation and routing control.
  3. Identify which systems truly need to communicate.
  4. Reduce unnecessary connectivity and trust relationships first.
  5. Then add authenticated, encrypted transport where traffic crosses untrusted paths.

Strong CISSP answers usually simplify and constrain the network before adding more devices or complexity. Clean trust boundaries beat sprawling “secure” stacks.
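To make the “flat network” cue concrete, here is an added example (not from the guide) that computes the blast radius of a compromised host under a flat policy and under a zoned, default-deny policy. The hosts, zones and permitted flows are constructed for illustration; the segmented policy also assumes intra-zone traffic is filtered (host-based or internal filtering), so same-zone hosts cannot reach each other.

```python
"""Compare lateral-movement reach on a flat network with a zoned, allow-listed design."""
from collections import deque

# Constructed sample inventory (hypothetical hosts and zones, not from the guide).
HOSTS = {
    "web-1": "dmz", "web-2": "dmz",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "pc-1": "users", "pc-2": "users", "pc-3": "users",
    "jump-1": "admin",
}
ZONES = sorted(set(HOSTS.values()))

# Flat network: any zone may initiate traffic to any zone, including its own.
FLAT_POLICY = {(a, b) for a in ZONES for b in ZONES}

# Segmented design: default deny, with only the flows each tier actually needs.
# Intra-zone pairs are deliberately absent (assumed internal filtering).
SEGMENTED_POLICY = {
    ("dmz", "app"),      # exposed front end may call the app tier only
    ("app", "db"),       # app tier may call the database only
    ("users", "dmz"),    # users reach the service through its front end
    ("admin", "dmz"), ("admin", "app"), ("admin", "db"),  # management via jump host
}


def permitted(policy, src, dst):
    """True if the policy allows host src to initiate a connection to host dst."""
    return src != dst and (HOSTS[src], HOSTS[dst]) in policy


def blast_radius(policy, compromised):
    """Hosts an attacker controlling `compromised` could reach by moving laterally."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for host in HOSTS:
            if host not in seen and permitted(policy, cur, host):
                seen.add(host)
                queue.append(host)
    seen.discard(compromised)
    return sorted(seen)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = blast_radius(policy, "web-1")
        print(f"{name:9} from web-1 -> {len(reach)} hosts reachable: {reach}")
```

Running it shows the same compromised front-end host reaching every other host on the flat network but only the app and database tiers under the segmented policy; try other starting hosts to see how each zone's reach changes.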

Scenario triage

Scenario                                     Better first move
-------------------------------------------  ---------------------------------------------------
malware moved laterally across many hosts    improve segmentation and internal filtering
admins manage systems over the internet      use authenticated, encrypted management channels
public-facing app needs backend access       isolate tiers and tightly limit permitted flows
sensitive systems share a broad user zone    redesign network zoning and trust boundaries
stem emphasizes “untrusted path”             think transit protection and endpoint authentication

Common traps

Trap                                                                                 Better rule
-----------------------------------------------------------------------------------  ---------------------------------------------------------------
treating encryption as a replacement for segmentation                                transport security and network separation solve different problems
choosing the most complex perimeter stack first                                      start with clean trust boundaries and path control
assuming public-facing systems should share the same trust zone as internal systems  exposed services should have constrained connectivity

Revised on Sunday, May 10, 2026