PRACTITIONER GUIDE | NETWORK SECURITY
Practitioner GuideUpdated 12 min read

Network Segmentation Audit: How to Review Firewall Rules and VLAN Configurations to Find the Paths That Defeat Your Segmentation Design

Any-any
firewall rules (source: any, destination: any, port: any, action: permit) completely defeat segmentation -- they are the single most common finding in firewall audits
East-west
traffic (lateral movement between servers or workstations in the same tier) is the primary attack path in ransomware incidents -- most traditional firewalls focus on north-south (internet-facing) traffic
Unused rules
can be identified by checking rule hit counters -- a rule with zero hits in 90 days may be dead weight that adds complexity without providing any function
Micro-segmentation
applies firewall-equivalent controls at the individual workload level (host-based firewall or SDN policy) rather than at the network perimeter -- required for effective east-west control in modern data centers

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Network segmentation provides meaningful security only if the firewall rules enforcing it match the intended design. In practice, firewall rule sets grow over years of operational changes: emergency exceptions that were never removed, overly broad rules added to fix an application issue, and legacy rules from decommissioned systems that remain active. The audit process reviews the actual rule set against the segmentation design documentation, then validates with connectivity testing.

Building the Segmentation Inventory Before Auditing Rules

Before reviewing individual rules, document what the segmentation design intends:

  1. Zone map: List every network zone (DMZ, production servers, workstations, management, OT/ICS, guest WiFi, PCI scope). For each zone, document the VLAN IDs, IP ranges, and the trust level.

  2. Permitted flow matrix: For each zone pair, document what traffic should be permitted and what must be blocked. Example:

| Source Zone      | Destination Zone  | Permitted Ports           | Direction |
|-----------------|-------------------|--------------------------|----------|
| Workstations    | Production Servers| 443, 8443 (HTTPS)        | Outbound  |
| Workstations    | Production Servers| 445, 3389, 22            | BLOCKED   |
| Production Srv  | Database          | 1433 (SQL), 5432 (Postgres) | Outbound |
| Database        | Internet          | ALL                       | BLOCKED   |
| Management      | All zones         | 22, 3389, 443, 161        | Both      |
  1. Enforcement points: Identify every device enforcing segmentation -- perimeter firewalls, internal firewalls between zones, host-based firewalls (Windows Firewall, iptables), cloud security groups, and network ACLs on switches.

The audit cross-references the actual rule set at each enforcement point against the permitted flow matrix.

Firewall Rule Analysis: Finding Overpermissive Rules

Export the rule set from your firewall platform and analyze for high-risk patterns:

Finding any-any rules (Palo Alto example):

# Palo Alto Panorama/NGFW -- show rules matching any-any
show running security-policy | match "any"
# Or via API:
curl -k -G "https://firewall/api/" \
  --data-urlencode "type=op" \
  --data-urlencode "cmd=<show><running><security-policy></security-policy></running></show>" \
  --data-urlencode "key=$API_KEY"

For Cisco ASA, export the running config and parse:

# Extract all permit-any rules from ASA config
grep -n "permit any any" running-config.txt
grep -n "access-list.*permit ip any any" running-config.txt

For iptables (Linux host-based):

# Find any ACCEPT rules with broad scope
iptables -L -n -v | grep -v ESTABLISHED | grep ACCEPT
# Look for rules with 0.0.0.0/0 source or destination in ACCEPT chains

For each overpermissive rule found, determine:

  1. When it was added (check firewall change logs or git history if rules are in version control)
  2. What application or operational need it was created for
  3. Whether a narrower rule can replace it
  4. Whether the original need still exists
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Rule Hit Counter Analysis: Finding Dead and Unused Rules

Rules with zero hits in 90+ days are candidates for removal (after verification they are not needed for rare traffic patterns):

Palo Alto (PAN-OS):

# Show hit counts for all security policies
show rule-hit-count vsys vsys1 security pre-rulebase security rules all

# Rules with zero hits
show rule-hit-count vsys vsys1 security pre-rulebase security rules all | match " 0 "

Fortinet FortiGate:

# Show policy hit counts
get firewall policy | grep -A5 "policyid"
diagnose firewall iprope show 100004  # Shows hit counts per policy

Cisco ASA:

show access-list | include access-list.*[0-9] hitcnt=0
# Rules with hitcnt=0 have never matched traffic since last counter reset

For each zero-hit rule:

  1. Check whether traffic that the rule was designed to permit is actually flowing through the firewall via a different path (the rule may be shadowed by a broader rule above it)
  2. Check with application owners whether the use case the rule was created for is still operational
  3. Create a cleanup ticket with a 30-day hold period -- disable the rule first, monitor for any application breaks, then remove

Document every rule removed with the original ticket that created it (if known), the removal date, and the approver.

Testing Segmentation Effectiveness with Connectivity Tests

Documentation review is insufficient -- validate actual network connectivity matches the intended design:

From a workstation in the workstation VLAN, test that these connections are blocked:

# Test-NetConnection verifies TCP connectivity
Test-NetConnection -ComputerName 10.10.20.5 -Port 445  # SMB to server -- should FAIL
Test-NetConnection -ComputerName 10.10.20.5 -Port 3389  # RDP to server -- should FAIL
Test-NetConnection -ComputerName 10.10.30.5 -Port 1433  # SQL to DB -- should FAIL

# Test that permitted connections work
Test-NetConnection -ComputerName 10.10.20.5 -Port 443   # HTTPS to server -- should SUCCEED

From a production server, test that internet access is blocked if intended:

# On Linux server
curl -m 5 https://api.ipify.org  # Should fail if internet access is blocked
nc -zv 8.8.8.8 53 2>&1  # DNS to Google -- should fail if external DNS is blocked

Testing east-west controls between servers in the same subnet: East-west traffic within the same VLAN typically does not traverse the firewall at all. If host-based firewall or micro-segmentation (NSX-T, Calico, Azure NSG) is the east-west control, test directly between two servers:

nmap -sS -p 445,3389,22,5985 10.10.20.0/24  # Scan the server subnet from another server
# Any open port that is not in the permitted flow matrix is a finding

Document the test date, the testing account, and the results in a test matrix table. Run the same tests after each major firewall change.

Segmentation Controls for Ransomware Containment

Ransomware lateral movement uses SMB (port 445) and WMI/RPC to spread from an initial foothold. Effective ransomware containment through segmentation requires:

1. Block workstation-to-workstation SMB (east-west) Most environments allow workstations to communicate freely within the workstation VLAN. This enables ransomware to spread from one infected workstation to every other workstation on the segment.

Fix: Deploy Windows Defender Firewall via GPO to block inbound SMB on all workstations except from the IT management subnet:

GPO: Computer Configuration > Windows Settings > Security Settings > Windows Firewall
Inbound rule: Block TCP 445 from source = Any, except management VLAN IP range

2. Block workstations from reaching backup storage directly Ransomware encrypts backup shares if the workstation tier can reach the backup VLAN. Ensure:

  • Backup storage VLAN has a perimeter firewall rule blocking all access from the workstation VLAN
  • Backup agent pull model (backup server pulls from workstation) rather than push model (workstation pushes to backup server) eliminates the need for inbound connectivity to backup storage

3. Segment OT/ICS from IT If IT and OT networks share a firewall, verify that the OT network cannot be reached from the workstation VLAN at all. OT network compromises via lateral movement from IT have caused multiple critical infrastructure incidents.

The bottom line

Network segmentation audits reveal the gap between the architecture diagram and the operational reality. Start with the permitted flow matrix, then compare it against the actual firewall rule set looking for any-any rules, overly broad source or destination ranges, and zero-hit legacy rules. Validate with actual connectivity tests from representative hosts in each zone. For ransomware containment specifically, east-west SMB controls between workstations and blocking workstation-to-backup-storage connectivity are the highest-priority items that most segmentation designs leave unaddressed.

Frequently asked questions

How often should firewall rules be audited?

For perimeter firewalls protecting high-value zones (PCI scope, production databases, OT), audit annually as a minimum with a quarterly review of any rules added in the previous quarter. For internal segmentation firewalls, annual audits are typically sufficient, combined with a change management process that requires security review for any new rule that crosses a zone boundary. Organizations subject to PCI DSS are required to review firewall rules at least every six months (Requirement 1.3.2).

What is the difference between network segmentation and micro-segmentation?

Network segmentation divides a network into zones separated by firewall devices or VLANs, controlling traffic at the zone boundary. Micro-segmentation applies policy at the individual workload level -- each VM, container, or server has its own set of allowed ingress and egress connections enforced by a software-defined policy (VMware NSX, AWS security groups, Azure NSGs). Micro-segmentation controls east-west traffic between workloads in the same zone without requiring them to traverse a physical firewall, which makes it effective for ransomware containment within a tier that traditional network segmentation does not address.

How do I handle legacy applications that require broad firewall rules to function?

Legacy applications that require any-any or very broad firewall rules should be isolated in a dedicated network zone that limits their blast radius. If the application must talk to 'any destination' due to poorly documented dependencies, deploy it in an isolated VLAN, permit its outbound traffic to the application tier only (not to workstations, backup, OT, or management), and monitor its network activity closely with flow logs or packet capture. Use this as the business case for application modernization that removes the dependency on broad network access.

Does VLAN separation provide real security isolation or just logical separation?

VLANs provide logical isolation enforced by switch software. They are not equivalent to physical network separation. VLAN hopping attacks (double tagging, switch spoofing) can bypass VLAN isolation under certain misconfigured conditions. For high-assurance security boundaries (separating compliance scope from non-scope, IT from OT, Internet DMZ from internal), physical separation or firewall enforcement between VLANs is required. VLANs alone are appropriate for organizational separation, not for security-critical isolation.

What is the most efficient way to audit firewall rules across a large enterprise with hundreds of policies?

Use network security policy management (NSPM) tools such as Tufin, AlgoSec, or FireMon rather than manual review. These tools parse firewall configurations from multiple vendors, identify shadowed rules (rules that are never matched because a prior rule already covers the traffic), find overly permissive rules that cover excessive IP ranges or port ranges, and flag rules with no usage traffic for a defined period. For organizations without NSPM tooling, prioritize the audit by impact: review rules with 'any' source or destination first, then review rules for highest-risk zones (Internet DMZ to internal, OT network access). Document and remediate the highest-risk findings before reviewing lower-risk configurations.

How do I validate that network segmentation is actually working and not just documented?

Documentation of firewall rules does not guarantee enforcement. Validate segmentation with active testing: use a scanning tool (Nmap, Nessus, Masscan) from within each network zone to probe what services are reachable from that zone. Compare the observed connectivity to the documented design -- any service reachable that is not in the design is a segmentation gap. For East-West traffic between internal segments, test from compromised-host simulation scenarios: can a workstation in the user VLAN reach the server VLAN on management ports (SSH, RDP, WMI)? Can a server in the application tier reach the database tier directly, or only through the API layer? Schedule segmentation validation tests quarterly, document the results against the expected baseline, and track deviations. A single host with an incorrect VLAN assignment or a firewall rule created for a temporary project that was never removed is enough to break segmentation.

Sources & references

  1. NIST SP 800-125B: Secure Virtual Network Configuration
  2. CIS Controls v8: Control 12: Network Infrastructure Management
  3. CISA: Ransomware Guide: Network Segmentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.