Task 13: Segment Your Small Business Network
Now that you understand the importance of network segmentation, it’s time to implement it. As covered earlier, there are a few common ways to segment a network, but a hardware firewall is generally the most secure and flexible choice for small businesses.
Managed (“smart”) switches can also help create VLANs and segment traffic – and they may be required by your network design – but they lack the full inspection, access control, and monitoring capabilities of a firewall. When it comes to small business cybersecurity, we consider a hardware firewall to be essential and one of the first investments that we encourage for many businesses. Let’s get into the details of how to segment your small business network!
Step 1 – Identify Your Network Segments
Before making changes, decide which groups of devices need to be isolated. Examples:
- Guest Wi-Fi (customers, visitors, contractors)
- Business workstations (day-to-day employee use)
- Servers and storage (critical business data)
- IoT / smart devices (printers, security cameras, thermostats)
- Payment systems (POS devices, card readers)
Step 2 – Create Segments on Your Hardware Firewall
Log into your firewall’s admin interface and look for options to create VLANs or LAN interfaces. For each segment:
- Create the VLAN/interface.
- Assign it a unique subnet (e.g., 192.168.10.0/24 for business PCs, 192.168.20.0/24 for guest Wi-Fi).
- Enable DHCP for each network, or configure static addressing if needed.
Step 3 – Apply Access Rules
For each segment, decide what it can and can’t communicate with:
- Business network → Internet + specific internal resources as needed
- Guest Wi-Fi → Internet only (no access to other segments)
- IoT devices → Internet + only the specific services they require (e.g., printer network may access workstations but not servers)
Use your firewall’s “allow/deny” or “access control” rules to enforce this.
Step 4 – Connect Devices to the Correct Segment
You can connect devices directly to firewall ports assigned to a VLAN or use a managed switch connected to a VLAN-enabled port to expand the segment.
- If using a managed switch, configure the VLAN tagging to match the firewall’s settings.
- Make sure Wi-Fi networks are mapped to the correct VLANs on your access points.
Step 5 – Test Your Segmentation
From each segment, try to “ping” or access devices in other segments — they should be blocked unless you’ve specifically allowed the connection. Confirm internet access is still working where intended.
Step 6 – Maintain and Review
Whenever you add new devices, make sure they’re assigned to the correct segment. Review firewall logs periodically to ensure segmentation rules are still effective and not being bypassed.
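The following is an added example (not code from the original guide) that writes the Steps 2 and 3 policy down as a small default-deny model, so you can state the expected verdict for every cross-segment flow before running the Step 5 tests and spot any rule you forgot. The business and guest subnets come from Step 2; the server and IoT subnets, and the specific ports, are assumed values.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str            # source segment name
    dst: str            # destination segment name or "internet"
    ports: frozenset    # allowed destination ports; empty set means any port

# Segment subnets: business and guest are from Step 2; servers and iot are assumed.
SEGMENTS = {
    "business": ipaddress.ip_network("192.168.10.0/24"),
    "guest":    ipaddress.ip_network("192.168.20.0/24"),
    "servers":  ipaddress.ip_network("192.168.30.0/24"),   # assumed
    "iot":      ipaddress.ip_network("192.168.40.0/24"),   # assumed
}

ANY = frozenset()

# Allow list from Step 3. Anything not listed here is denied (default deny).
RULES = [
    Rule("business", "internet", ANY),
    Rule("business", "servers", frozenset({443, 445})),  # assumed: web app + file shares
    Rule("guest", "internet", ANY),                       # guest: internet only
    Rule("iot", "internet", ANY),
    Rule("iot", "business", frozenset({445})),            # assumed: printer scan-to-folder
]

def segment_of(ip: str) -> str:
    # Map an address to its segment; private space not in any segment is "unknown".
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    # Expected firewall verdict for one flow, i.e. what the Step 5 test should observe.
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True   # same VLAN: switched locally, never reaches the firewall
    for rule in RULES:
        if rule.src == src and rule.dst == dst and (not rule.ports or dst_port in rule.ports):
            return True
    return False      # no matching allow rule: default deny

if __name__ == "__main__":
    # Constructed sample flows: a guest trying to reach a workstation must be denied.
    print(is_allowed("192.168.20.5", "192.168.10.7", 445))
```

A device that lands in "unknown" (an unmapped private address) is denied by default, which is exactly the mis-assigned device Step 6 asks you to watch for.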