Stop Lateral Movement: Network Segmentation, IDS/IPS, and NAC Your SMB Can Deploy This Week

Why Flat Networks Kill SMBs

A flat network treats every device as a trusted peer on the same broadcast domain. When an attacker compromises one endpoint — a receptionist's laptop, an IoT thermostat, a guest phone on the Wi-Fi — they immediately have a path to everything else: file servers, databases, domain controllers, backup shares. This is lateral movement, and it's how ransomware operators turn a single phishing click into a company-wide outage. NIST SP 800-207 (Zero Trust Architecture) explicitly calls out network segmentation as a foundational pillar — there is no Zero Trust without network-level isolation. CIS Controls v8 (Control 12: Network Infrastructure Management and Control 13: Network Monitoring and Defense) likewise require segmentation, continuous monitoring, and access control as baseline safeguards.

The good news: you don't need a six-figure refresh. Managed switches, open-source IDS, and free NAC platforms have matured to the point where an SMB with 20-100 endpoints can implement meaningful segmentation and monitoring in days, not months.

VLAN Segmentation on Managed Switches

VLAN segmentation is your first and highest-ROI control. A managed PoE switch with VLAN support starts at $200-$400 (Netgear ProSafe GS728TP, TP-Link Omada OC200/TL-SG2210MP, Ubiquiti EdgeSwitch). For a 50-person office, two 24-port managed switches (~$800 total) cover most deployments.

Start with a minimum four-segment architecture:

1. VLAN 10 — Corporate (Trusted): Workstations, laptops, domain-joined devices. Has access to server and management VLANs.
2. VLAN 20 — Servers/Infrastructure: File servers, databases, domain controllers. Accepts connections only from Corporate and Management VLANs.
3. VLAN 30 — IoT/Devices: Smart TVs, printers, HVAC controllers, cameras. No access to Corporate or Server VLANs; internet-only with egress filtering.
4. VLAN 40 — Guest: Wi-Fi guests, BYOD. Isolated; internet access only, client isolation enabled.

Inter-VLAN routing should go through your firewall (not the switch's L3 engine) so traffic between VLANs is inspected by firewall rules. On a pfSense/OPNsense box (free, runs on a $300 mini-PC), configure rules allowing Corporate→Servers on specific ports (SMB 445, RDP 3389, LDAP 389/636) and denying everything else. Block IoT and Guest VLANs from touching anything internal. Log all denied traffic.

For wireless, use WPA-Enterprise (802.1X) with VLAN assignment based on RADIUS attributes so employee devices auto-land in Corporate and guest devices in Guest — no manual SSID switching.

IDS/IPS with Suricata or Snort

Once traffic flows through a central firewall, you can inspect it. Suricata and Snort are the two dominant open-source IDS/IPS engines. Both run signature-based detection with regularly updated rule sets (Emerging Threats Open, ET Pro for paid subscriptions). Suricata adds multi-threaded performance and protocol-aware parsing, making it the better choice for SMBs with limited hardware.

Deployment options:

• Inline IPS on pfSense/OPNsense: Suricata runs natively as a package. Enable on the WAN and inter-VLAN interfaces. Use the ET Open ruleset (free, updated daily). Hardware: a $500-$800 mini-PC (Intel N100/i3, 16GB RAM, dual NIC) handles 1Gbps inspection comfortably for 50-100 endpoints.
• Standalone IDS (passive): Configure a switch SPAN/mirror port to a Suricata sensor on a dedicated NIC. No inline risk, no throughput impact. Good for detection-only deployments where you're not ready to block.
• Snort on Linux: Same ruleset ecosystem, slightly older architecture. Viable if you already run Snort and don't want to migrate.

Total cost: $0 software + $500-$800 hardware (if you need a dedicated sensor). If you already have pfSense, Suricata is a checkbox install.

Key configuration steps: enable the ET Open ruleset, disable noisy rules in the first 48 hours (alert but don't drop), review alerts daily, then promote stable rules to drop mode after a tuning period. Monitor false positives on internal DNS and DHCP traffic — common source of noise.

Network Monitoring with Zeek

Zeek (formerly Bro) is a network security monitoring framework that goes beyond signatures. Where Snort/Suricata match known attack patterns, Zeek logs everything — every DNS query, every TLS handshake, every file transfer — into structured logs you can query and correlate. This makes it invaluable for incident response and threat hunting.

For SMBs, Zeek shines in three scenarios:

1. DNS monitoring: Log every DNS query. Feed into a blocklist (e.g., feed Zeek DNS logs to a script checking against known C2 domains from AlienVault OTX or MISP feeds).
2. TLS certificate tracking: Zeek logs every TLS certificate seen on the network. Alert on self-signed certs, expired certs, or certs from suspicious CAs — indicators of MITM or rogue services.
3. File analysis: Zeek extracts file hashes. Pipe them to VirusTotal or a local hash database for malware detection.

Zeek runs on a $400-$600 mini-PC with a SPAN port from your core switch. Pair with Elastic Security (free tier) or Wazuh for log aggregation and alerting. Total cost: $0 software + $500 hardware. The learning curve is steeper than Suricata, but the visibility is unmatched — you'll discover devices and traffic patterns you didn't know existed.

Network Access Control with PacketFence or Portnox

NAC answers the question: "What is allowed on my network, and what can it reach?" Without NAC, anyone who plugs into a wall jack or joins an SSID gets whatever access that port's VLAN provides — regardless of whether the device is corporate-owned, patched, or even known.

PacketFence (open-source, by Inverse) is the SMB-friendly NAC choice. It supports 802.1X, MAC-based authentication, captive portal for guest registration, VLAN assignment via RADIUS, and device profiling (OS fingerprinting, DHCP sniffing). It runs on Linux (Debian/Ubuntu) and integrates with Active Directory / LDAP for identity-based policies. Cost: $0 software + $300-$500 for a dedicated VM or mini-PC. Support contracts available from Inverse if you want professional backing.

Portnox is the commercial alternative — cloud-delivered NAC with zero infrastructure to deploy. Pricing starts around $3/device/month, so a 50-device network runs ~$150/month. Easier to manage than PacketFence, no server to maintain, good for SMBs without dedicated network engineering staff. Includes risk scoring, posture checks (antivirus installed? OS patched?), and automated remediation (quarantine VLAN for non-compliant devices).

NAC deployment steps:

1. Enable 802.1X on your managed switches (most support it natively).
2. Configure PacketFence/Portnox as your RADIUS server.
3. Start in monitor mode — log what connects, profile devices, identify rogues.
4. After a 1-2 week profiling period, switch to enforcement mode: unknown devices go to a quarantine VLAN, non-compliant devices get remediation instructions.

Quick-Win Checklist: Audit Your Network Exposure This Week

• Map every device on your network — run arp-scan or nmap -sn 10.0.0.0/24 across all subnets. Document IPs, MACs, and owners.
• Identify your broadcast domains — are all endpoints on one /24? That's your #1 risk.
• Check switch configurations — are ports configured with VLANs or is everything default VLAN 1?
• Count open SMB shares accessible from workstation VLANs — crackmapexec smb 10.0.0.0/24 -u guest -p '' --shares (with permission).
• Audit RDP exposure — is 3389 open between VLANs? Disable RDP on workstations; use a jump server with MFA.
• Review wireless security — is guest Wi-Fi isolated? Does employee Wi-Fi use WPA-Enterprise or shared WPA2-PSK?
• Verify inter-VLAN firewall rules — log denied traffic for 48 hours and review. You'll find unexpected cross-VLAN traffic.
• Check for default credentials on network devices (switches, APs, IP cameras). Change them.
• Enable logging on your firewall and ship logs to a SIEM (Wazuh, Elastic Security, or even a simple syslog server).
• Deploy Suricata on your firewall in alert-only mode. Review alerts after 48 hours.

FAQ

Conclusion

Lateral movement is the difference between a contained incident and a business-ending breach. The controls that stop it — VLAN segmentation, IDS/IPS, network monitoring, and NAC — are not exotic or expensive. A managed switch, a pfSense box, Suricata, and PacketFence together cost less than a single day of downtime. Start this week with the audit checklist, segment your network, and layer on monitoring as you build confidence. Every VLAN you create is a wall an attacker has to breach separately; every IDS alert is a tripwire that tells you they're moving.

Visit consult.lil.business for a free cybersecurity assessment — we'll map your network exposure, identify lateral movement paths, and prioritize the fixes that matter most for your environment.

References

1. NIST SP 800-207: Zero Trust Architecture
2. CIS Controls v8 — Center for Internet Security
3. Suricata IDS/IPS Engine — Open Source
4. Zeek Network Security Monitor — Documentation
5. PacketFence NAC — Inverse Inc.
6. Australian Cyber Security Centre: Essential Eight Maturity Model

Verifier warning: verifier could not run (PluginLlmTrustError).