A review finds the network is flat — finance servers share a broadcast domain with guest Wi-Fi. What do you recommend first?
Short answer
Flat networks let one compromised guest device reach crown-jewel systems directly. Segment by trust level and enforce least-privilege traffic between zones so lateral movement is contained and monitored. An edge firewall does nothing for east-west traffic between hosts already inside. Re-IPing the finance servers is security-by-obscurity that any scan defeats. Endpoint AV is one detective layer, not a substitute for the architectural control of isolating sensitive systems.
A flat network is one of the most common — and most dangerous — architectural findings. The senior signal here is recognizing that the threat is lateral movement, and that only segmentation addresses it.
Why segmentation is the right first move
When finance servers share a broadcast domain with guest Wi-Fi, any visitor's compromised laptop sits on the same layer-2 segment as your most sensitive systems. There's nothing between them — no policy enforcement point, no inspection, no choke point. An attacker who lands on a guest device can directly reach, scan, and attack the finance servers. Segmentation breaks the network into zones by trust level and forces traffic between them through controlled paths (VLANs/subnets with firewall rules or ACLs enforcing least-privilege, ideally moving toward micro-segmentation and zero-trust). That contains a breach, shrinks the blast radius, and gives you a place to monitor and block east-west movement.
Why the distractors are wrong
- Buy a perimeter NGFW and call it done. A perimeter firewall governs north-south traffic crossing the boundary. It is blind to the east-west traffic between the guest VLAN and finance servers that already share a segment. It does nothing for the actual problem.
- Hide the servers by changing their IPs. Pure security-by-obscurity. Anyone on the same broadcast domain can ARP-scan or sweep the subnet and find them in seconds. Renumbering changes nothing about reachability.
- Install antivirus on the finance servers. Endpoint AV is a single detective/preventive layer on the host. It doesn't isolate the systems, doesn't stop reconnaissance and lateral movement, and isn't an architectural control. Useful as defense-in-depth, useless as the first fix.
What the interviewer is probing
They want to see you diagnose the real risk — unrestricted lateral movement — and reach for the structural control that fixes it. The tell of a strong answer is naming east-west versus north-south, rejecting perimeter-only and obscurity thinking, and treating AV as one layer rather than the solution. Bonus for sketching a phased rollout and a path toward zero-trust segmentation.
Likely follow-ups
- What's the difference between perimeter (north-south) and lateral (east-west) controls?
- How would you phase segmentation in without breaking production traffic?
- Where do micro-segmentation and zero-trust fit beyond VLANs and ACLs?