TL;DR

Network segmentation stops attackers from roaming freely after they breach one device. For $200 to $3,000, any small business can deploy VLANs, set up IDS/IPS monitoring, and enforce Network Access Control. This article gives you the exact tools, costs, and a checklist you can start using this week.


Lateral movement is how a minor breach becomes a disaster. Attacker gets into the receptionist's desktop via a phishing email. That desktop sits on the same flat network as your accounting server, your customer database, and your backup NAS. The attacker doesn't need to breach those targets. They just walk sideways.

Network segmentation builds walls between your systems. Even if someone breaks in, they're trapped in a single room. Here's what you can actually implement this week, with real tools and real prices.

What Network Segmentation Actually Means for a Small Business

Most small business networks are flat. Every device, every server, every printer, every IoT camera sits on the same subnet. One compromised device gives attackers access to everything. This is the single biggest network security mistake SMBs make, and it costs almost nothing to fix.

The core idea: divide your network into zones based on trust and function. Corporate workstations in one zone. Servers in another. Guest WiFi in a third. IoT devices, payment terminals, and security cameras each get their own. Traffic between zones gets inspected and restricted. If something in the guest zone tries to talk to your accounting server, the network blocks it by default.

NIST SP 800-207 (Zero Trust Architecture) calls this the network environment pillar. The principle is simple: no device gets trust just because it's inside your building. Every connection gets verified. Every zone gets isolated. CIS Controls v8, specifically Control 4 (Secure Configuration of Enterprise Assets and Software) and Control 12 (Network Infrastructure Management), mandates network segmentation and traffic filtering between network segments.

Step 1: VLAN Segmentation on Managed Switches ($200-$1,500)

VLANs (Virtual LANs) are the cheapest, fastest win in network security. They let you split one physical network into multiple logical networks, each isolated from the others. You don't need new cabling. You don't need new internet connections. You need a managed switch and about 2 hours.

What to buy:

A basic managed switch with VLAN support starts around $200. The Ubiquiti UniFi Switch Lite 8 PoE runs about $110 and handles 4 VLANs. For larger offices, a UniFi Switch 24 PoE ($400) or a MikroTik CRS326-24G-2S+ ($200) gives you 24 ports with full VLAN tagging. These aren't enterprise-grade Cisco Catalyst switches at $3,000+. They're SMB hardware that does the job.

What to segment:

At minimum, create 4 VLANs:

  • Corporate LAN (VLAN 10): Workstations, laptops, trusted devices. This is where your staff works.
  • Server LAN (VLAN 20): File servers, application servers, domain controllers. Lock this down tight.
  • Guest WiFi (VLAN 30): Visitors, phones, untrusted devices. Zero access to internal resources.
  • Management/IoT (VLAN 40): Printers, cameras, smart TVs, building controls. These devices are rarely patched and get compromised often.

How to deploy this week:

  1. Log into your router or firewall and create the 4 VLAN subnets (192.168.10.0/24, 192.168.20.0/24, etc.)
  2. Log into your managed switch and assign each port to the correct VLAN based on what's plugged in
  3. Set up firewall rules: Corporate LAN can reach Server LAN on specific ports only. Guest WiFi can reach nothing internal. IoT can only reach the internet.
  4. Test: plug a laptop into a Guest port and try to ping your file server. It should fail.

This is a Saturday morning project. Total cost: $200-$400 if you need a managed switch. Zero cost if you already have one.

Real numbers: SMBs that segment their networks reduce breach impact by an average of 48%, according to IBM's 2025 Cost of a Data Breach Report. Containment time drops from 73 days to 29 days when segmentation is in place.

Step 2: IDS/IPS — See Attacks Before They Spread

VLANs create the walls. IDS/IPS puts guards at every gate. An Intrusion Detection System watches traffic and alerts you when something looks malicious. An Intrusion Prevention System goes further and blocks it automatically.

Snort 3 (Free, Open Source):

Snort is the most deployed IDS/IPS on the planet, maintained by Cisco. Snort 3 (released 2020, stable since 2023) is a complete rewrite with better performance and multi-threading. It runs on any spare Linux box or VM.

Deploy Snort on a machine with 2 network interfaces. Place it inline between your firewall and your core switch. Enable the community ruleset (free) or subscribe to the Talos registered rules ($30/month for individuals, $400/year for business). The community rules cover the top threats. The registered rules give you same-day coverage for new exploits.

## Install Snort 3 on Ubuntu 24.04
sudo apt install snort3
sudo snort -c /etc/snort/snort.lua -i eth0 --daq afpacket

Suricata (Free, Open Source):

Suricata is Snort's main competitor. It's multi-threaded by design, handles 10 Gbps on commodity hardware, and includes protocol parsing for HTTP, TLS, DNS, and SMB out of the box. If your office pushes more than 100 Mbps, Suricata will handle the load better than Snort.

Zeek (Free, Open Source):

Zeek (formerly Bro) is different from Snort or Suricata. It doesn't just match signatures. It builds a complete transcript of every network connection: who talked to whom, what protocol, what files were transferred, what SSL certificates were presented. When an alert fires from Snort, Zeek gives you the full context to investigate. It's the difference between "something bad happened" and "a workstation on VLAN 10 uploaded 47 MB to an IP in Russia at 3:14 AM."

Deploy Zeek on the same hardware as your IDS. Point it at a mirror port on your switch. Total cost: $0 for software. Hardware cost: $0 if you have a spare desktop. $500-$800 for a refurbished Dell OptiPlex or Lenovo ThinkCentre with an extra NIC.

What you get:

  • Snort/Suricata: Blocks known attacks (exploit kits, C2 callbacks, ransomware signatures)
  • Zeek: Shows you everything that happened before and after the alert
  • Together: Detection plus investigation capability on a $500 budget

Step 3: Network Access Control — Unknown Device? No Entry

VLANs segment the network. IDS/IPS watches for attacks. NAC enforces who gets on the network in the first place. Network Access Control checks every device before it gets an IP address. Unknown device? Guest network only, or blocked entirely.

PacketFence (Free, Open Source):

PacketFence is the leading open-source NAC. It integrates with your existing switches and WiFi access points using 802.1X, MAC authentication, or captive portals. When a device connects, PacketFence checks it against your policies. Compliant corporate laptop with the right certificates? Corporate VLAN. Unknown phone? Guest VLAN with internet only. Device missing security patches? Quarantine VLAN until it's updated.

Deploy PacketFence on a dedicated server or VM. It supports Ubiquiti, MikroTik, Cisco, HPE, Aruba, and most managed switches that speak SNMP or RADIUS. Full feature list: device registration portal, BYOD onboarding, compliance checks (AV running, patches current), automated VLAN assignment, and integration with your existing SIEM.

## PacketFence install on Debian/Ubuntu
wget https://packetfence.org/downloads/PacketFence-13.1.0.iso
## Deploy the ISO to a VM with 4GB RAM, 2 vCPUs, 40GB disk

Portnox (Cloud, $2-$5/device/month):

If you don't want to manage another server, Portnox CLEAR is a cloud-native NAC. No on-premise hardware. It uses certificate-based authentication and integrates with Azure AD, Google Workspace, or Okta for identity. Each device gets a certificate during onboarding. No certificate = no network access. Pricing starts around $2 per device per month for basic features. The full compliance and risk-scoring tier runs $5 per device per month. For a 30-person office, that's $60-$150 a month.

RADIUS with FreeRADIUS (Free, Open Source):

If you just need basic 802.1X authentication without the full NAC feature set, FreeRADIUS on a Linux box handles it. Configure your WiFi access points and switches to require RADIUS authentication. Users log in with their directory credentials. Unknown credentials get bounced to a guest VLAN. Total cost: $0 for software, about 4 hours to configure.

Cost breakdown for an SMB deployment:

Component Free/DIY Basic SMB Full-featured
Managed Switch $200 (8-port) $400 (24-port) $1,500 (PoE+)
IDS/IPS Hardware Spare desktop $500 (refurb server) $800 (new mini-PC)
IDS Rules Feed Free (community) $30/mo (registered) $400/yr (Talos)
NAC Software PacketFence ($0) Portnox ($60/mo) Portnox ($150/mo)
Total Year 1 $200 $1,360 $2,700

Quick-Win Audit: Find Your Exposure This Week

Before buying anything, audit what you already have. Most SMBs discover they're far more exposed than they realized.

The 6-point network exposure checklist:

  1. Map every device on your network. Run nmap -sP 192.168.1.0/24 from any workstation. Count the devices. If you find 50 devices and only 20 are staff computers, you've got shadow IT and orphaned IoT to deal with.

  2. Check if your guest WiFi can reach internal resources. Connect your phone to the guest network. Try to access \\fileserver\share or http://192.168.1.10. If it works, your guest network isn't segmented.

  3. Scan for open management ports. Run nmap -p 22,23,80,443,3389,8080,8443 192.168.1.0/24. Find printers, cameras, and switches with web interfaces exposed. These are attack surface.

  4. Check if any IoT devices are on the corporate network. Security cameras, smart TVs, thermostats, door controllers. If they share a subnet with your workstations, they're a pivot point. One unpatched camera is the attacker's entry to your entire network.

  5. Audit your switch's VLAN table. Log into your switch. Is there more than one VLAN configured? If the only VLAN is VLAN 1 (default), you have no segmentation.

  6. Test lateral movement yourself. From any workstation, run nmap -sS 192.168.1.0/24 and note which servers respond on ports 445 (SMB), 3389 (RDP), and 3306 (MySQL). If your receptionist's PC can reach your SQL server, attackers can too.

This audit takes 2 hours. It shows you exactly where you're exposed. The results will tell you whether you need VLANs first, IDS first, or both.

FAQ

Do I need all three (VLANs, IDS/IPS, NAC) at once?

No. Start with VLANs. They're the foundation, the cheapest, and the fastest win. Add IDS/IPS as step two once your zones are defined. NAC comes last because it's the most complex to tune. A 5-person office with VLANs and a basic IDS is dramatically more secure than a 50-person office with a flat network.

Will this slow down my network?

VLANs don't add latency. A properly-sized IDS/IPS on adequate hardware adds less than 1ms of latency. The main bottleneck is throughput: a basic Suricata instance on a $500 server handles 500 Mbps of inspection. If your internet connection is 100 Mbps, you'll never notice it.

Can I do this if I don't have an IT team?

VLAN setup takes an afternoon with YouTube tutorials. IDS/IPS takes a weekend to set up and about 2 hours a week to review alerts. NAC (PacketFence) takes a full weekend for initial setup, then mostly runs itself. If you're a solo business owner, hire an MSP or consultant for the initial setup and learn to review the dashboards yourself.

What if I use cloud apps and have no on-premise servers?

Network segmentation matters more if you're cloud-only because your endpoints are the only thing left for attackers to pivot through. If 15 laptops share a flat network, one phishing compromise exposes all 15. VLANs isolate each device group. IDS catches callbacks to attacker infrastructure. NAC blocks rogue devices. Cloud or on-prem, the perimeter moved to the endpoint. Protect it.

Conclusion

Network segmentation is not an enterprise luxury. It's a weekend project that costs between $200 and $3,000 and permanently reduces your breach impact. Start with the 6-point audit this week. If you find a flat network with guest WiFi touching your servers, you know what to fix first. Buy a managed switch. Set up 4 VLANs. Deploy Suricata on a spare machine. Lock down access between zones. Every hour you spend segmenting now saves weeks of incident response later.

Need help figuring out where to start? Visit consult.lil.business for a free cybersecurity assessment. We'll map your network exposure and give you a prioritized action plan, no obligation.

References

  1. NIST SP 800-207 — Zero Trust Architecture
  2. CIS Controls v8 — Network Infrastructure Management
  3. PacketFence Open Source NAC — Deployment Guide
  4. Snort 3 IDS/IPS — Official Documentation
  5. Suricata — Open Source Threat Detection Engine
  6. Zeek Network Security Monitor — Documentation

Need to prove security trust?

Start with qualified triage. We verify authority, minimise access, define scope, and focus on evidence that helps with insurers, customers, tenders, boards, auditors, and AI governance reviewers.

Start Qualified Triage