TL;DR
Most SMB networks are too flat: one compromised laptop can often reach file shares, printers, servers, backups, and admin interfaces. This week, a business can reduce lateral movement risk by creating VLANs, monitoring east-west traffic with Zeek and Suricata or Snort, and starting basic Network Access Control with RADIUS, PacketFence, or a managed NAC service such as Portnox.
Why Flat Networks Are an SMB Risk
A flat network is convenient until something goes wrong. If staff laptops, guest Wi-Fi, VoIP phones, servers, security cameras, printers, and backup systems all sit in the same address range, malware or stolen credentials can move sideways with very little friction.
Network segmentation is the practical SMB version of Zero Trust. NIST SP 800-207 describes Zero Trust Architecture as removing implicit trust based only on network location and continuously evaluating access. For SMBs, that does not mean buying a huge enterprise platform immediately; it means separating systems by business function, limiting which VLANs can talk to each other, and watching the traffic that crosses those boundaries.
CIS Controls v8 supports the same direction. CIS Control 12 focuses on network infrastructure management, while CIS Control 13 focuses on network monitoring and defense. Together, they translate into a simple business goal: know what is connected, separate what matters, restrict unnecessary paths, and detect suspicious traffic quickly.
1. Segment the Network With VLANs First
The fastest practical win is VLAN segmentation on a managed switch and firewall. Many SMBs already have gear capable of VLANs but have never enabled them. One caveat before you start: a VLAN on its own only separates broadcast domains. The security benefit comes from forcing inter-VLAN traffic through the firewall (or through ACLs on a layer-3 switch) where rules can deny it; a switch that simply routes between VLANs with no rules leaves the network just as flat as before.
A simple first-week segmentation model looks like this:
- VLAN 10: Staff workstations
- VLAN 20: Servers and NAS devices
- VLAN 30: VoIP phones
- VLAN 40: Printers and scanners
- VLAN 50: Guest Wi-Fi
- VLAN 60: Cameras, smart TVs, and IoT devices
- VLAN 99: Network management interfaces
The goal is not complexity. The goal is to stop everything from talking to everything else.
Start with these firewall rules:
- Guest Wi-Fi can reach the internet only, not internal systems.
- IoT and camera devices can reach only required cloud services or the recording server.
- Printers can receive print traffic from staff devices but cannot initiate connections to staff laptops.
- Staff devices can reach business applications, but not switch, firewall, hypervisor, or backup admin interfaces.
- Management VLAN access is limited to named admin devices or VPN users.
- Servers can be reached only on required ports, such as HTTPS, RDP through a gateway, SMB where justified, or application-specific ports.
Cost estimate: a small managed switch with VLAN support may cost around $200-$600. A business-grade firewall or router with VLAN routing and rule management may cost $300-$1,500. If you already own suitable gear, the first phase may cost mostly time: usually 3-8 hours of configuration and testing.
Practical warning: do not move everything at once. Start with guest Wi-Fi and IoT because they are usually low-risk to isolate. Then segment printers. Then servers and management interfaces. Document every VLAN, subnet, DHCP scope, and firewall rule as you go.
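To make the rule list above concrete, here is an added example (not code from the original article or from any firewall vendor) that encodes the same policy as a default-deny matrix, decides individual flows against it, and audits an exported rule list for rules that grant more than the matrix allows, which is the "find allow-any rules between internal networks" check from the audit checklist later in the article. The subnets, the named admin host, and the flat export format are assumptions; a real pfSense, OPNsense or vendor export has to be mapped onto that shape first.

```python
import ipaddress

# Assumed addressing plan for the seven VLANs above: one /24 each, third
# octet equal to the VLAN ID. Replace with your own subnets.
VLANS = {
    "staff":    ipaddress.ip_network("10.0.10.0/24"),
    "servers":  ipaddress.ip_network("10.0.20.0/24"),
    "voip":     ipaddress.ip_network("10.0.30.0/24"),
    "printers": ipaddress.ip_network("10.0.40.0/24"),
    "guest":    ipaddress.ip_network("10.0.50.0/24"),
    "iot":      ipaddress.ip_network("10.0.60.0/24"),
    "mgmt":     ipaddress.ip_network("10.0.99.0/24"),
}
# Named admin devices (assumed address) that may reach the management VLAN.
ADMIN_HOSTS = {ipaddress.ip_address("10.0.10.5")}

ANY = "any"
# Intended policy, initiating direction only: (source zone, destination zone)
# -> allowed destination ports. A pair that is absent is denied. Because the
# firewall is stateful, replies (printer -> staff) need no rule of their own.
POLICY = {
    ("guest", "internet"):   {ANY},
    ("iot", "internet"):     {443},       # required cloud services only
    ("iot", "servers"):      {554},       # camera streams to the recorder
    ("staff", "internet"):   {ANY},
    ("staff", "printers"):   {9100, 631},
    ("staff", "servers"):    {443, 445},  # HTTPS; SMB only where justified
    ("servers", "internet"): {443},       # updates and SaaS APIs
    ("admin", "mgmt"):       {22, 443},   # named admin devices only
}

def zones_of(ip: str) -> set:
    """Zones an address belongs to; an admin host is both 'staff' and 'admin'."""
    addr = ipaddress.ip_address(ip)
    zones = {name for name, net in VLANS.items() if addr in net}
    if not zones:
        zones.add("internet" if addr.is_global else "unknown")
    if addr in ADMIN_HOSTS:
        zones.add("admin")
    return zones

def allowed(src: str, dst: str, dport: int) -> bool:
    """Decide a new flow against POLICY. Default deny."""
    for s in zones_of(src):
        for d in zones_of(dst):
            ports = POLICY.get((s, d), set())
            if ANY in ports or dport in ports:
                return True
    return False

def _rule_zones(spec: str) -> set:
    """Zones touched by a rule's address field ('any' or a CIDR)."""
    if spec == ANY:
        return set(VLANS) | {"internet"}
    net = ipaddress.ip_network(spec, strict=False)
    if net.num_addresses == 1 and net.network_address in ADMIN_HOSTS:
        return {"admin"}
    hits = {name for name, vnet in VLANS.items()
            if net.subnet_of(vnet) or vnet.subnet_of(net)}
    return hits or {"internet"}

def audit_rules(rules):
    """Flag pass rules that grant more than POLICY. The export format
    (action, src, dst, dport) is an assumption; map your vendor's export
    onto it before running."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "pass":
            continue
        for s in _rule_zones(r["src"]):
            for d in _rule_zones(r["dst"]):
                if s == d:
                    continue  # intra-VLAN traffic is switched, not filtered here
                permitted = POLICY.get((s, d), set())
                if ANY in permitted:
                    continue
                if r["dport"] == ANY:
                    findings.append((i, f"{s} -> {d}: any port; policy allows "
                                        f"{sorted(map(str, permitted)) or 'nothing'}"))
                elif int(r["dport"]) not in permitted:
                    findings.append((i, f"{s} -> {d}: port {r['dport']} not in policy"))
    return findings

# Constructed sample export, not from a real firewall.
EXPORTED_RULES = [
    {"action": "pass",  "src": "10.0.50.0/24", "dst": "any",          "dport": "any"},   # guest allow-any
    {"action": "pass",  "src": "10.0.10.0/24", "dst": "10.0.40.0/24", "dport": "9100"},
    {"action": "pass",  "src": "10.0.10.0/24", "dst": "10.0.20.0/24", "dport": "any"},   # staff -> servers, any port
    {"action": "pass",  "src": "10.0.10.5/32", "dst": "10.0.99.0/24", "dport": "443"},
    {"action": "block", "src": "any",          "dst": "any",          "dport": "any"},
]

if __name__ == "__main__":
    for i, reason in audit_rules(EXPORTED_RULES):
        print(f"rule {i}: {reason}")
```

Running the audit on the constructed export reports the guest allow-any rule once per internal VLAN it can reach and the staff-to-servers rule once for its open port range; the printer and admin rules pass. Keep the matrix in version control with the rest of the network documentation so that it, not the firewall GUI, is the record of what is supposed to be allowed.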
2. Add IDS/IPS Visibility With Suricata or Snort
Segmentation limits movement. IDS/IPS helps you see attempted movement.
Snort and Suricata are widely used open-source intrusion detection and prevention tools. They inspect network traffic and alert on suspicious patterns such as exploit attempts, command-and-control traffic, malware signatures, port scanning, and policy violations.
For an SMB, the practical deployment is usually one of these:
- Run Suricata or Snort on a firewall distribution such as pfSense or OPNsense.
- Mirror switch traffic from core VLANs to a small monitoring box.
- Deploy IDS first in alert-only mode, then enable IPS blocking later for high-confidence rules.
Suricata is often the stronger default for new SMB deployments: it has been multi-threaded for years, performs well on commodity hardware, and writes EVE JSON logs that are easy to ship to a SIEM. Snort 3 is also multi-threaded, and Snort remains widely documented and familiar to many security teams, so either is a reasonable choice.
This week’s realistic IDS/IPS scope:
- Monitor traffic between staff VLAN and server VLAN.
- Monitor outbound DNS and HTTP/S metadata from staff and server networks.
- Alert on port scans, SMB enumeration, known malware indicators, and suspicious outbound connections.
- Keep blocking disabled for the first few days unless you have someone reviewing alerts.
Cost estimate: if your firewall already supports IDS/IPS, software may be free. A small dedicated appliance or mini PC with two or more NICs can cost $300-$900. Commercial rule feeds or managed monitoring can raise the cost, but a basic SMB deployment can stay under $1,500.
The biggest cost is not software; it is tuning. Untuned IDS alerts become noise. Start with a limited rule set, review daily, suppress false positives carefully, and escalate only what matters.
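The tuning loop described above, as an added example in Python (not part of the original article and not Suricata project code): it reads EVE JSON alert records, ranks signatures by volume, and proposes threshold.config entries for noisy signature/source pairs while never touching the highest-severity alerts. The sample alerts are constructed, with signature IDs in the local 1000000+ range rather than real rule-set IDs, and the count threshold and the severity-based choice between suppressing and rate-limiting are assumptions.

```python
import json
from collections import Counter

def _alerts(src, dst, dport, sid, name, severity, n):
    """n identical constructed EVE alert records (same shape as eve.json lines)."""
    ev = {"event_type": "alert", "src_ip": src, "dest_ip": dst, "dest_port": dport,
          "proto": "TCP", "alert": {"gid": 1, "signature_id": sid, "rev": 1,
                                    "signature": name, "severity": severity}}
    return [json.dumps(ev)] * n

# Constructed sample: local rules in the 1000000+ range, not real ET/VRT signatures.
SAMPLE_EVE = "\n".join(
    _alerts("10.0.20.9", "10.0.20.5", 445, 1000001,
            "LOCAL SMB session crossing staff/server boundary", 3, 40)  # nightly backup job
    + _alerts("10.0.10.23", "10.0.20.5", 445, 1000001,
              "LOCAL SMB session crossing staff/server boundary", 3, 3)
    + _alerts("10.0.60.4", "8.8.8.8", 53, 1000003,
              "LOCAL DNS from camera VLAN to external resolver", 2, 22)
    + _alerts("10.0.10.31", "203.0.113.7", 443, 1000002,
              "LOCAL outbound beacon pattern", 1, 25)                   # never auto-suppress
)

def load_alerts(text):
    """Parse eve.json lines, keeping only alert events."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            out.append(ev)
    return out

def top_signatures(alerts, n=5):
    """Signature IDs ranked by volume: the first thing to read each morning."""
    return Counter(a["alert"]["signature_id"] for a in alerts).most_common(n)

def propose_tuning(alerts, min_count=20):
    """Return threshold.config lines for noisy (signature, source) pairs.

    Severity 1 (highest) is never touched. Severity 2 is rate-limited with a
    'threshold ... type limit' entry so one alert per source per hour survives.
    Severity 3 is suppressed for that source only. min_count is an assumption;
    tune it to your alert volume.
    """
    counts = Counter()
    severity = {}
    for a in alerts:
        al = a["alert"]
        key = (al["gid"], al["signature_id"], a["src_ip"])
        counts[key] += 1
        severity[key] = al["severity"]
    lines = []
    for (gid, sid, src), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n < min_count or severity[(gid, sid, src)] == 1:
            continue
        if severity[(gid, sid, src)] == 2:
            lines.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds 3600")
        else:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines

if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EVE)
    print(top_signatures(alerts))
    print("\n".join(propose_tuning(alerts)))
```

On the constructed data the backup server's forty SMB alerts become a single source-specific suppression, the camera's DNS alerts are rate-limited rather than hidden, and the severity 1 beacon alerts are left alone. Treat every proposed line as a ticket to review, not as something to append automatically: a suppression by source hides that source for that signature entirely, so confirm the traffic is the expected backup job before adding it.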
3. Use Zeek for Network Monitoring, Not Just Alerts
IDS tools are useful, but they do not replace network visibility. Zeek is a network security monitoring tool that creates rich logs of what happened on the network: connections, DNS requests, HTTP activity, TLS certificates, files observed, notices, and protocol metadata.
For SMBs, Zeek is valuable because it answers operational questions quickly:
- Which device contacted this suspicious domain?
- What internal systems are talking over SMB?
- Are printers or cameras making unexpected outbound connections?
- Did a workstation connect to many internal hosts in a short time?
- What DNS names did a compromised device resolve before detection?
A practical Zeek deployment can run on the same monitoring box as Suricata if traffic volume is modest. Send logs to a simple dashboard or SIEM if available. If you do not have a SIEM, even retained Zeek logs on disk are better than having no evidence after an incident.
This week’s Zeek quick wins:
- Capture DNS logs for all internal VLANs.
- Capture connection logs between VLANs.
- Review the top internal talkers daily.
- Look for workstations connecting to many peers, especially over SMB, RDP, WinRM, SSH, or database ports.
- Keep at least 14-30 days of logs if storage allows.
Cost estimate: Zeek is open source. A mini PC or small server with adequate storage may cost $400-$1,200. Storage requirements depend on traffic volume and retention, but many small environments can begin with 1-2 TB.
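An added example (not Zeek's own code and not from the original article) showing how two of the quick wins above are answered directly from conn.log: it parses the log using its own #fields header, finds hosts that touched many distinct internal peers on lateral-movement ports within a sliding window, and lists printers and cameras that initiated connections outside their allow-list. The internal range, the printer and camera subnets, the recorder address, the vendor cloud range, and the log lines themselves are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/16")              # assumed internal range
IOT_AND_PRINTERS = [ipaddress.ip_network("10.0.40.0/24"),    # printers (VLAN 40)
                    ipaddress.ip_network("10.0.60.0/24")]    # cameras/IoT (VLAN 60)
IOT_ALLOWED_DESTS = [ipaddress.ip_network("10.0.20.7/32"),   # camera recorder (assumed)
                     ipaddress.ip_network("203.0.113.0/24")] # vendor cloud (assumed)
LATERAL_PORTS = {22, 445, 3389, 5985, 5986, 1433, 3306, 5432}  # SSH, SMB, RDP, WinRM, DB

def _in(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def parse_zeek_tsv(text):
    """Parse a Zeek TSV log using its #fields header; returns a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def lateral_fanout(records, window=60.0, threshold=10):
    """Sources that reached >= threshold distinct internal peers on
    lateral-movement ports within any `window` seconds (sliding window)."""
    by_orig = defaultdict(list)
    for r in records:
        if (r["proto"] == "tcp" and int(r["id.resp_p"]) in LATERAL_PORTS
                and _in(r["id.orig_h"], [INTERNAL]) and _in(r["id.resp_h"], [INTERNAL])):
            by_orig[r["id.orig_h"]].append((float(r["ts"]), r["id.resp_h"]))
    findings = []
    for orig, events in by_orig.items():
        events.sort()
        peers, left, best = Counter(), 0, 0
        for ts, peer in events:
            peers[peer] += 1
            while ts - events[left][0] > window:      # drop events that fell out of the window
                old = events[left][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                left += 1
            best = max(best, len(peers))
        if best >= threshold:
            findings.append((orig, best))
    return findings

def unexpected_iot_conns(records):
    """Printers and cameras initiating to anything outside their allow-list."""
    return [(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
            for r in records
            if _in(r["id.orig_h"], IOT_AND_PRINTERS)
            and not _in(r["id.resp_h"], IOT_ALLOWED_DESTS)]

def _row(ts, orig, resp, port, state):
    """One constructed conn.log line (subset of Zeek's fields)."""
    return f"{ts:.6f}\tC{int(ts * 10)}\t{orig}\t49152\t{resp}\t{port}\ttcp\t-\t{state}"

_HEADER = ("#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
           "#path\tconn\n"
           "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
           "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n")
_T0 = 1700000000.0
SAMPLE_CONN_LOG = _HEADER + "\n".join(
    [_row(_T0 + 2 * i, "10.0.10.23", f"10.0.10.{30 + i}", 445, "REJ") for i in range(12)]  # one laptop, 12 peers in 24 s
    + [_row(_T0 + 300 * i, "10.0.20.5", "10.0.20.9", 445, "SF") for i in range(5)]        # server -> backup NAS, one peer
    + [_row(_T0 + 5, "10.0.60.4", "10.0.20.7", 554, "SF"),                                 # camera -> recorder, expected
       _row(_T0 + 9, "10.0.60.4", "198.51.100.10", 443, "SF"),                              # camera -> unknown external host
       _row(_T0 + 12, "10.0.40.3", "10.0.10.23", 445, "S0")]                                # printer initiating SMB to a laptop
) + "\n"

if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print("fan-out:", lateral_fanout(recs))
    print("iot/printer outliers:", unexpected_iot_conns(recs))
```

The fan-out check flags the laptop that touched twelve SMB peers in under a minute and ignores the server that talks to one NAS all night; the second check lists the camera's unknown external destination and the printer that opened SMB towards a workstation. The same approach works on a real conn.log via `zeek-cut` or by pointing `parse_zeek_tsv` at the file; the window and threshold are the values to tune against your own baseline.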
4. Start NAC With RADIUS, PacketFence, or Portnox
Network Access Control is how you stop unknown or unhealthy devices from joining trusted networks. NAC can be simple or sophisticated, but SMBs should start with controlled access for high-risk areas.
The building blocks are:
- 802.1X authentication on switches and Wi-Fi.
- RADIUS for authentication decisions.
- Device groups or certificates for trusted endpoints.
- Quarantine or guest VLANs for unknown devices.
- Logging of who or what connected, where, and when.
PacketFence is an open-source NAC option that can provide registration, 802.1X, VLAN assignment, captive portal workflows, and device isolation. It is powerful, but it requires careful setup. Portnox is a commercial cloud-managed NAC option that may be easier for lean teams that want less infrastructure to maintain.
A first-week NAC target should not be “perfect NAC everywhere.” Start smaller:
- Enable WPA2/WPA3 Enterprise with RADIUS for staff Wi-Fi.
- Put unknown wired devices into a restricted VLAN.
- Require admin laptops to authenticate before reaching the management VLAN.
- Log switch port connections and MAC address changes.
- Create an exception register for printers, cameras, and legacy devices.
Cost estimate: a basic RADIUS setup using FreeRADIUS may cost little beyond labour. PacketFence may fit into a $500-$2,000 deployment if using existing switch hardware and internal expertise. Commercial NAC such as Portnox may be subscription-based and can fit the $1,000-$3,000 range for smaller environments, depending on device count and support needs.
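To show what the "start smaller" NAC targets above amount to in practice, here is an added example (not PacketFence, Portnox or FreeRADIUS code, and not from the original article) of the authorization decision a RADIUS policy makes: 802.1X identities map to a VLAN by group, devices without a supplicant are matched against an exception register with review dates, and everything else lands in a quarantine VLAN; the reply carries the standard RFC 3580 dynamic VLAN attributes. VLAN 70 as a quarantine VLAN, the group names, the request field names, and the register entries are assumptions.

```python
from datetime import date

# Assumed VLAN IDs: 10 staff, 40 printers, 60 IoT, 99 management (from the plan
# above); VLAN 70 is an assumed quarantine VLAN with internet-only access.
VLAN_STAFF, VLAN_PRINTERS, VLAN_IOT, VLAN_MGMT, VLAN_QUARANTINE = 10, 40, 60, 99, 70

# Group from the client certificate or directory lookup -> VLAN (assumed names).
GROUP_VLAN = {"staff": VLAN_STAFF, "admin": VLAN_MGMT}

# Exception register for devices that cannot do 802.1X (MAC auth bypass).
# Constructed entries; every one has an owner and a review date.
EXCEPTION_REGISTER = {
    "00:11:22:33:44:55": {"vlan": VLAN_PRINTERS, "desc": "Reception printer",
                          "owner": "office-mgr", "review_by": date(2026, 6, 30)},
    "66:77:88:99:aa:bb": {"vlan": VLAN_IOT, "desc": "Lobby camera",
                          "owner": "facilities", "review_by": date(2025, 1, 31)},
}

def normalize_mac(raw: str) -> str:
    """Switches send 'AA-BB-..', 'aabb.ccdd.eeff' or 'aa:bb:..'; use one form."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def _vlan_attrs(vlan: int) -> dict:
    """RFC 3580 dynamic VLAN attributes (Tunnel-Type 13 = VLAN, Medium 6 = 802)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-Id": str(vlan)}

def authorize(request: dict, today: date) -> tuple:
    """Return (accept, reply attributes, log reason) for an assumed request dict
    with keys mac, eap (None for MAC auth bypass), cert_valid and group."""
    mac = normalize_mac(request["mac"])
    if request.get("eap"):                               # 802.1X: identity from the supplicant
        if not request.get("cert_valid"):
            return False, {}, f"{mac}: certificate invalid or expired"
        vlan = GROUP_VLAN.get(request.get("group"))
        if vlan is None:
            return False, {}, f"{mac}: authenticated but in no mapped group"
        return True, _vlan_attrs(vlan), f"{mac}: {request['group']} -> VLAN {vlan}"
    entry = EXCEPTION_REGISTER.get(mac)                  # no supplicant: fall back to MAB
    if entry and entry["review_by"] >= today:
        return True, _vlan_attrs(entry["vlan"]), f"{mac}: {entry['desc']} -> VLAN {entry['vlan']}"
    why = "exception expired" if entry else "unknown device"
    return True, _vlan_attrs(VLAN_QUARANTINE), f"{mac}: {why} -> quarantine VLAN {VLAN_QUARANTINE}"

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for req in [
        {"mac": "AA-BB-CC-DD-EE-01", "eap": "tls", "cert_valid": True, "group": "staff"},
        {"mac": "aabb.ccdd.ee02", "eap": "tls", "cert_valid": True, "group": "admin"},
        {"mac": "00-11-22-33-44-55", "eap": None},      # registered printer
        {"mac": "66:77:88:99:AA:BB", "eap": None},      # camera whose exception lapsed
        {"mac": "de:ad:be:ef:00:01", "eap": None},      # never seen before
    ]:
        print(authorize(req, today))
```

Unknown and lapsed devices get an Access-Accept into the quarantine VLAN rather than a reject, matching the restricted-VLAN approach in the list above: the device can be identified from there, instead of landing on whatever the switch uses as its default VLAN. In FreeRADIUS the same decision is expressed in the users file or an unlang policy rather than in Python, and the exception register becomes the source of truth that the review dates keep honest.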
Quick-Win Checklist: Audit Network Exposure This Week
Use this checklist before buying anything:
- List every switch, firewall, wireless access point, server, NAS, printer, camera, and IoT device.
- Identify whether switches support VLANs and 802.1X.
- Export current firewall rules and find “allow any” rules between internal networks.
- Confirm guest Wi-Fi cannot reach internal IP ranges.
- Confirm backup systems are not reachable from all staff devices.
- Move firewall, switch, hypervisor, and NAS admin interfaces to a management VLAN.
- Block workstation-to-workstation SMB unless there is a documented business need.
- Review DHCP leases for unknown devices.
- Check whether DNS logs are retained.
- Run a basic internal scan from a staff VLAN and record exposed services.
- Enable IDS in alert-only mode on the most important network boundary.
- Decide who reviews alerts daily and what triggers escalation.
FAQ
Yes. VLANs are one of the cheapest ways to reduce blast radius. Even a 15-person company may have staff laptops, guest devices, printers, cameras, cloud-managed equipment, and a NAS. Those should not all share the same trust level.
Deploy IDS first. Alert-only mode lets you understand normal traffic and tune rules without accidentally blocking business systems. Move to IPS blocking only for high-confidence threats and well-tested network paths.
Full NAC can be complex, but partial NAC is achievable. Start with staff Wi-Fi authentication, unknown-device quarantine, and management VLAN protection. You do not need every device under certificate-based control on day one.
If you already have managed switches and a capable firewall, the first week may cost $0-$500 plus labour. If you need hardware, expect around $200-$3,000 depending on switch count, firewall capability, monitoring hardware, and whether you choose open-source or managed NAC.
Conclusion
SMBs do not need to build a bank-grade network in one week, but they can make lateral movement much harder. Start by separating guest, IoT, printers, servers, and management interfaces with VLANs; monitor key boundaries with Suricata or Snort; retain useful Zeek logs; and introduce NAC gradually through RADIUS, PacketFence, or Portnox.
The best next step is a short exposure audit: map devices, find flat network paths, block unnecessary access, and turn on monitoring where compromise would hurt most. Visit consult.lil.business for a free cybersecurity assessment.
References
- NIST SP 800-207: Zero Trust Architecture
- CIS Critical Security Controls v8
- Australian Cyber Security Centre: Essential Eight
- Suricata User Guide
- Zeek Documentation
- PacketFence Network Access Control