Built to Be Broken: Why Logical Segmentation Cannot Stop Modern Attackers


Understanding where your network architecture fails — and why physical isolation is no longer optional

Executive Summary

Modern enterprises rely heavily on logical segmentation to defend their networks. On paper, it provides structure and control: VLANs, access control lists (ACLs), firewalls, and policy zones offer a manageable way to divide digital environments. It’s scalable, software-defined, and cost-effective. For years, it’s been the backbone of network security strategy.

But there’s a growing problem: logical segmentation isn’t enough anymore.

Today’s threat landscape doesn’t play by the rules logical segmentation assumes. Attackers operate inside the perimeter. They escalate privileges, hijack infrastructure, and bypass access controls — all using techniques that the MITRE ATT&CK framework documents extensively. Once an adversary is inside the network, logical boundaries often crumble.

The failure isn’t in configuration. It’s in the model itself. Logical segmentation assumes the infrastructure underneath — switches, routers, identity stores, and policies — can be trusted. But when those assumptions fall apart, so does your security architecture.

This insight paper explores the limits of logical segmentation, the lessons embedded in the MITRE ATT&CK matrix, and why physical isolation — through programmable, on-demand disconnection — is now a critical control. We propose a layered approach to segmentation where trust is earned, not assumed, and where truly critical systems can be made unreachable by design.

Assumed Safe: How We Got Here

Network segmentation was never designed to stop nation-state actors or ransomware-as-a-service. It was built to manage complexity.

As networks scaled, administrators needed tools to create boundaries: isolate environments, enforce rules, restrict access. Logical segmentation met that need — allowing networks to be divided without the cost or complexity of physical separation. It enabled the rise of virtualisation, multi-tenancy, cloud-native models, and remote work.

Over time, logical segmentation became the de facto standard. VLANs, firewalls, subnets, and ACLs became synonymous with segmentation. Architects embedded them into every design; auditors referenced them in every compliance review.

But with this came a dangerous assumption: that software-defined boundaries were as effective as physical ones.

That assumption held while breaches were rare and attacker sophistication was low. It worked when “keeping them out” was a viable strategy. But in today’s landscape — where attackers are often already inside — it simply doesn’t hold up.

The Reality of Breach: What MITRE ATT&CK Tells Us

The MITRE ATT&CK framework maps the tactics and techniques that real-world adversaries use once inside your network. It’s not theoretical — it’s based on observation and threat intelligence. And its structure tells a story: a methodical, repeatable sequence of steps attackers use to compromise, explore, and exploit systems.

What makes ATT&CK so important is that it doesn’t care what your architecture should do — it documents what actually happens.

Here’s what it exposes:

Lateral Movement (T1021, T1570)

Adversaries move from one system to another using remote services like RDP, SMB, SSH, and tool transfers. Logical segmentation might restrict access — but once a credential is compromised, shared infrastructure allows the attacker to walk through segments as if the walls didn’t exist.

Credential Access (T1003, T1552, T1110)

Dumping credentials, accessing password stores, or brute-forcing logins allows attackers to escalate and authenticate laterally. Logical boundaries that rely on trusted identity can be undermined by stolen trust.

Defense Evasion (T1036, T1055, T1027)

Masquerading as legitimate processes, injecting code, obfuscating payloads — all these allow attackers to operate invisibly within segmented environments.

The common thread? These techniques exploit the very assumptions that logical segmentation is built on.

Once an attacker gains access to a system or service within a logical zone, they inherit trust — often enough to pivot to others. MITRE doesn’t just document attacks — it reveals the structural weaknesses that make them possible.

The Break Point: Where Logical Segmentation Fails

Logical segmentation has three fatal weaknesses:

1. Shared Infrastructure

Regardless of how many VLANs or zones you create, most segmented networks still rely on the same underlying hardware. The same switches. The same routers. The same firmware. If an attacker compromises the network layer, they compromise all segments built on it.

2. Inherited Trust

Segmentation is typically enforced through policy and identity. But identity is fragile. If credentials are stolen or elevated (a common attacker objective), the segmentation collapses. The attacker now has the same rights as a trusted user.

3. Assumed Control

Logical segmentation assumes policies are always correctly configured, that rules are enforced, and that controls work perfectly. But misconfigurations are common, controls can be bypassed, and monitoring gaps are frequent.

The result? Once inside, attackers move freely — not because the segmentation was misapplied, but because it wasn’t designed to survive compromise.

Redefining Segmentation: The Case for Physical Isolation

To truly contain modern threats, segmentation must be more than a logical concept. It must become a physical control — a mechanism that cuts access at the root.

This doesn’t mean returning to disconnected data centres or isolated terminals. Modern physical segmentation is programmable, dynamic, and business-aware. It’s not about blocking users — it’s about removing the infrastructure attackers depend on.

Case in Point: FireBreak™

Solutions like Goldilock’s FireBreak™ allow for non-IP, hardware-level disconnection of critical assets. That means:

• Critical systems are physically unreachable by default.

• Isolation can be triggered automatically via API, policy, or threat detection.

• Attackers can’t discover, pivot to, or attack what isn’t connected.

This redefines segmentation from a virtual boundary to a real one.

In this model, logical segmentation is still valuable — but it sits above a hardened physical layer that acts as the last line of defence. If all else fails, the attacker hits a wall — not a configuration file.

Strategic Application: Where and How to Start

You don’t need to physically segment everything. That would be both impractical and unnecessary. But you do need to prioritise the assets and pathways that attackers target most.

Start With:

• Backup and disaster recovery environments

• Domain controllers and privileged identity infrastructure

• Industrial control systems (OT)

• Encryption key vaults and critical IP assets

• Remote access management systems

Build the Strategy:

1. Map ATT&CK Techniques to Infrastructure

• Identify where your current segmentation would fail based on MITRE tactics.

2. Isolate Where it Matters

• Physically disconnect systems that should never be accessed from general-purpose networks.

3. Automate Disconnection

• Use programmable solutions to bring systems online only when needed, and only through secure pathways.

4. Test for Resilience

• Don’t assume segmentation works — simulate lateral movement and test pivot paths.
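Step 4 above says to simulate lateral movement and test pivot paths. As an added example (not from the paper or from Goldilock), the following Python model does that on a constructed four-host inventory: it computes what an attacker holding one stolen credential can pivot to under the ACLs alone, and then again with the backup host modelled as physically disconnected. Host names, segments, services, ACL entries and cached credentials are all assumptions made for the example.

```python
# Constructed sample inventory (not from the paper). Each host has a segment,
# the remote services it exposes (RDP/SMB/SSH, as in T1021), and the
# credential that grants administrative access to it.
HOSTS = {
    "ws01":  {"segment": "users",  "services": {"smb"},        "admin_cred": "helpdesk"},
    "app01": {"segment": "apps",   "services": {"rdp", "smb"}, "admin_cred": "helpdesk"},
    "dc01":  {"segment": "core",   "services": {"rdp"},        "admin_cred": "domain-admin"},
    "bkp01": {"segment": "backup", "services": {"ssh"},        "admin_cred": "backup-svc"},
}
# Logical policy (assumed): per-service flows the ACLs permit between segments.
ACL = {("users", "apps"): {"smb", "rdp"}, ("apps", "core"): {"rdp"}, ("core", "backup"): {"ssh"}}
# Credentials inherited once a host is owned (T1003/T1552): constructed values.
CACHED_CREDS = {"app01": {"domain-admin"}, "dc01": {"backup-svc"}}

def policy_allows(src, dst):
    """True if the ACLs let src reach a service that dst actually exposes."""
    s, d = HOSTS[src]["segment"], HOSTS[dst]["segment"]
    allowed = HOSTS[dst]["services"] if s == d else ACL.get((s, d), set())
    return bool(allowed & HOSTS[dst]["services"])

def simulate(start, creds, disconnected=frozenset()):
    """Map every host an attacker owning `start` with `creds` can pivot to,
    as {host: host_it_was_reached_from}. Hosts in `disconnected` model a
    physical (non-IP) disconnect: no link exists, so no ACL can permit a flow."""
    parent, creds = {start: None}, set(creds)
    changed = True
    while changed:  # iterate to a fixpoint: newly gained creds reopen earlier edges
        changed = False
        for src in list(parent):
            creds |= CACHED_CREDS.get(src, set())  # inherited trust
        for src in list(parent):
            for dst in HOSTS:
                if dst in parent or dst in disconnected:
                    continue
                if policy_allows(src, dst) and HOSTS[dst]["admin_cred"] in creds:
                    parent[dst] = src
                    changed = True
    return parent

def pivot_path(parent, target):
    """Hop sequence from the initial foothold to `target`, or [] if unreachable."""
    if target not in parent:
        return []
    path = [target]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]
```

Running `pivot_path(simulate("ws01", {"helpdesk"}), "bkp01")` shows the backup host reached in three hops even though no ACL allows users-to-backup traffic; passing `disconnected={"bkp01"}` returns an empty path because the edge no longer exists for any policy to permit.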

This isn’t just a technical shift. It’s a mindset shift: from assuming things will work as designed, to designing for when they don’t.

Conclusion: A Final Shift in Thinking

MITRE ATT&CK gives us the blueprint. It tells us what attackers do, how they move, and what they exploit.

The logical response is to align our architecture to that reality.

Yet many organisations still build networks on old assumptions — that perimeter controls and VLANs are enough, that compromise is preventable, and that labels equal protection.

They aren’t. It isn’t. And they don’t.

It’s time to recognise that logical segmentation is only as strong as the infrastructure it sits on — and that attackers don’t respect policies, they exploit pathways.

Real segmentation means making those pathways disappear.

When critical systems are physically unreachable, they are physically unexploitable.

And in a world where the attacker is already inside, that’s the only guarantee that matters.
