Network segmentation is one of the most important operational controls available to a crypto firm, and one of the most consistently overlooked. When security professionals focus on smart contract audits and blockchain-layer risks, they often neglect the network architecture that connects every internal system together. That flat, unsegmented network is precisely where attackers spend the majority of their time after gaining initial access.
The attack pattern is straightforward. A developer receives a convincing spear-phishing email, opens a malicious attachment, and their workstation is compromised. On a flat network, that compromised laptop has direct access to the key management server, the signing infrastructure, the hot wallet node, and every internal API. The attacker does not need to break through any further controls. They simply navigate the network as if they own it, because in practice, they do.
On a properly segmented network, that same compromise is contained. The developer workstation lives in the office zone. The key management system lives in a completely isolated zone with no path from the office zone. The attacker has a foothold, but they have no route to what they actually want.
This guide is written for CISOs, infrastructure engineers, and security-conscious CTOs at crypto exchanges, DeFi protocols, custody providers, and Web3 infrastructure firms. It covers the architecture, the controls, the most common failure modes, and the regulatory requirements that now mandate proper network segmentation.
What Is Network Segmentation
Network segmentation is the practice of dividing a single physical or logical network into multiple isolated sub-networks, each with defined boundaries and controlled inter-zone communication. A device in one segment cannot communicate with a device in another segment unless a firewall rule explicitly permits that specific traffic.
There are several technical approaches to segmentation, each with different security properties and cost profiles.
VLANs (Virtual Local Area Networks) are the most common approach. A managed switch assigns each port or connected device to a VLAN, which is a logical broadcast domain. Traffic between VLANs must pass through a router or layer-3 switch where firewall rules can be applied. VLANs are cost-effective and widely deployed, but they share physical infrastructure. A misconfigured switch or VLAN hopping attack can break logical isolation. VLANs are appropriate for most zone boundaries in a crypto firm, but not for the highest-sensitivity zones like key management.
Physical segmentation uses entirely separate physical hardware: separate switches, separate cables, and no shared infrastructure between zones. This provides the strongest isolation guarantee because a software misconfiguration cannot bridge the physical gap. The trade-off is cost and operational complexity. Physical segmentation is the appropriate approach for key management systems and HSMs that hold private keys or root signing material.
Microsegmentation is a software-defined approach typically used in cloud and virtualised environments. It applies policy controls at the individual workload or application level rather than at the network perimeter. With microsegmentation, two virtual machines in the same cloud account can be prevented from communicating unless there is an explicit policy rule permitting it. Products such as VMware NSX, Illumio, and cloud-native security groups provide microsegmentation capabilities.
The underlying principle across all approaches is the principle of least connectivity: every network path that is not explicitly required for a legitimate operational function should be blocked by default. This is the network equivalent of least privilege. Most organisations start from the opposite position, a flat network where everything can reach everything, and then attempt to add restrictions. The correct approach is to start from default deny and add permitted paths only where operationally justified.
From an attacker's perspective, a flat network is extraordinarily valuable. Once inside, the attacker conducts lateral movement: the process of moving from the initial compromise point to higher-value targets. They use credential harvesting, pass-the-hash attacks, Kerberoasting, and other techniques to escalate privileges and reach their target. The Lazarus Group's repeated intrusions into crypto firms consistently follow this pattern: a spear-phishing email compromises a single endpoint, and a flat network then provides an unobstructed path to signing infrastructure.
Why Crypto Firms Need Network Segmentation
Every organisation benefits from network segmentation. For crypto firms, the stakes are categorically higher.
In a conventional business, a successful breach might result in the theft of customer data, financial records, or intellectual property. These losses are serious, but they are recoverable over time through legal remediation, insurance, and reputational repair. In a crypto firm, a breach that reaches signing infrastructure can result in the immediate, permanent, irreversible transfer of assets to an attacker's wallet. There is no transaction reversal. There is no fraud recovery mechanism. There is no central authority to appeal to. The loss is final.
This irreversibility transforms network segmentation from a best practice into a critical control. The key management system, the HSM, the signing server, and the hot wallet node are not merely sensitive systems; they are direct equivalents of a vault containing cash. Network segmentation is the digital equivalent of ensuring the vault room has a locked door that cannot be reached from the lobby without passing through multiple guarded checkpoints.
Key management systems and HSMs must be network-isolated. These systems hold the cryptographic material that authorises on-chain transactions. Any device that can reach them over the network is a potential attack vector. The network path to a key management system should be restricted to a tiny set of explicitly authorised hosts, with all other traffic blocked at the firewall.
Validator nodes are high-value targets on proof-of-stake networks. A compromised validator can be used for double-signing attacks, equivocation, or the theft of staking rewards. Validator nodes have specific network requirements: they need to communicate with the peer-to-peer network of other validators and with consensus infrastructure, but they should not be reachable from the office network or developer workstations.
Hot wallet infrastructure must be separated from the office network. Hot wallets hold spendable balances for operational purposes: exchange withdrawals, protocol treasury operations, and liquidity management. Developer machines in the office zone are the highest-risk entry point to an organisation because developers are the most targeted individuals in a crypto firm. Their workstations connect to external development resources, they receive communications from the broader ecosystem, and they are targeted by highly sophisticated spear-phishing campaigns. Ensuring that a compromised developer workstation cannot reach hot wallet infrastructure is a basic control that too few firms implement.
"In a flat, unsegmented network, a single compromised developer laptop is a compromised key management system. Network segmentation converts a catastrophic breach into a contained incident."
Designing a Network Architecture for Crypto Firms
A well-designed network architecture for a crypto firm organises infrastructure into a set of zones, each with a defined security classification and strict rules governing what can communicate with it. The following zone model is appropriate for most crypto exchanges, custody providers, and DeFi protocol operators.
Internet DMZ (Demilitarised Zone). This zone contains all internet-facing infrastructure: web servers, API gateways, load balancers, and public-facing services. Systems in the DMZ can receive inbound connections from the internet and can communicate with the production zone on specific permitted ports. They cannot initiate connections to the office zone, the key management zone, or the management zone. The DMZ is the highest-exposure zone and must be hardened accordingly.
Office and Corporate Zone. This zone contains employee workstations, printers, internal collaboration tools, and general business systems. It has outbound internet access and access to internal corporate services. It has no direct access to the production zone, no access to the development zone outside of specific approved paths, and absolutely no access to the key management zone. This zone should be assumed to be regularly compromised and designed accordingly.
Development Zone. Developer workstations and build infrastructure live in this zone. Developers need access to source code repositories, development databases, testing environments, and build systems. They do not need direct access to production infrastructure. The development zone communicates with the CI/CD build zone through controlled interfaces. It has no access to the production zone or key management zone.
Production and Infrastructure Zone. This zone contains running application servers, databases, blockchain nodes, and RPC infrastructure. Access to this zone from the office or development zones is prohibited. The only path to production is through the deployment pipeline. Administrative access is available only from the management and monitoring zone through a privileged access workstation. This zone communicates with the DMZ for web traffic and with the key management zone through narrowly defined interfaces for signing operations.
Key Management and HSM Zone. This is the most restricted zone in the architecture. It contains HSMs, signing servers, and key management systems. The only permitted inbound traffic comes from a small number of explicitly authorised production hosts that require signing capability. All other inbound traffic is blocked. Where possible, this zone should be physically isolated, not merely VLAN-separated. Outbound traffic from this zone is restricted to monitoring and logging endpoints only.
Management and Monitoring Zone. This zone contains privileged access workstations (PAWs), monitoring systems, log aggregators, and SIEM infrastructure. It has read-only visibility into all other zones for monitoring purposes. Administrative access to all zones is available from this zone, but only from hardened PAWs with multi-factor authentication. This zone itself must be tightly controlled: access to the management zone is the highest-privilege capability in the architecture.
The firewall policy governing traffic between these zones follows a strict default-deny posture. Rules are written explicitly for each required path: which source zone, which destination zone, which protocol, which port, and which specific hosts within those zones where possible. Permissive rules that allow broad access between zones are not acceptable. Rules are documented with a business justification, an owner, and a review date. Rules that cannot be justified are removed.
Separating Key Management and Signing Infrastructure
The key management zone deserves specific and detailed attention because the controls required for it go beyond a well-configured VLAN.
For on-chain signing operations that occur at high frequency, such as automated hot wallet withdrawals on an exchange, the signing infrastructure needs to be network-accessible from a narrow set of production hosts. The HSM or signing service receives signing requests from the authorised production application, performs the cryptographic operation, and returns the signature. The signing keys never leave the HSM. The network path from the production zone to the key management zone is permitted for this specific signing protocol on a specific port from specific source IP addresses only.
For cold signing operations, air-gap consideration is critical. A truly air-gapped signing device has no network connection at all. Signing requests are transferred via physically controlled media, typically a one-way transfer using a read-only USB drive or QR code. The signed transaction is transferred back out via the same controlled channel. Air-gapped cold signing is the strongest control available for low-frequency, high-value signing operations such as treasury movements or multi-signature governance transactions. See our detailed guide on hardware security modules and cold signing infrastructure for implementation details.
USB and removable media controls apply to all devices in the key management zone. USB ports on HSMs and signing servers should be disabled at the hardware level or via endpoint policy except where specifically required for maintenance operations, which themselves require dual-person authorisation. The risk of BadUSB attacks and firmware-level USB exploits is real and relevant for high-value signing environments.
Monitoring for unexpected connections to the key management zone is essential. Any connection attempt from a host that is not on the authorised source list should generate an immediate alert. This is not routine traffic analysis; it is a potential indicator of active compromise in progress. The monitoring alert for unexpected key management zone access should be the highest-priority alert in the security operations process.
Segmenting Validator and Node Infrastructure
Validator nodes occupy a unique position in a crypto firm's network architecture. They need to communicate with the public peer-to-peer network of the blockchain they validate, but they must be isolated from internal office and development infrastructure.
The production zone should contain validator nodes in their own sub-segment, separated from general application servers. The validator node's peer-to-peer networking ports are the only inbound internet-facing ports that should be open, and even these should be restricted where the protocol permits it. Some protocols allow validators to use trusted peer lists rather than accepting connections from arbitrary internet nodes, which significantly reduces the attack surface.
The RPC endpoint of a validator node should never be directly internet-accessible. Where RPC access is required for operational purposes, it should be provided through an API gateway or proxy layer that enforces authentication and rate limiting. Direct exposure of a validator node's RPC interface to the internet is one of the most common and damaging configuration errors in Web3 infrastructure. Our guide on API security for crypto infrastructure covers the controls required for RPC endpoint security in detail.
A separate monitoring network for validator nodes allows health monitoring, log collection, and performance metrics to be collected without traversing the production zone. Monitoring agents on validator nodes should communicate only with the monitoring zone, not with the office zone or development zone.
For cloud-hosted validators, VPC (Virtual Private Cloud) segmentation provides the primary isolation mechanism. Validators should be deployed in a dedicated VPC or subnet with security group rules that explicitly permit only the required peer-to-peer and management ports. Cloud-native tools such as AWS Security Groups, GCP Firewall Rules, and Azure Network Security Groups can implement microsegmentation between individual instances, providing finer-grained control than traditional VLAN-based approaches.
Developer and CI/CD Network Security
Developer workstations represent the highest-risk entry point to a crypto firm's network. Developers are heavily targeted by advanced persistent threat groups because they have elevated privileges, they frequently interact with external code repositories and package ecosystems, and they often receive communications from unknown parties in the normal course of their work. A developer's workstation is a far more likely initial compromise vector than a hardened production server.
Placing developer workstations in a separate, restricted development zone limits the consequences of a compromise. A developer workstation in the development zone can reach development databases, test environments, source code repositories, and the CI/CD pipeline interface. It cannot reach production infrastructure directly. It cannot reach the key management zone. It cannot reach the management and monitoring zone.
The CI/CD pipeline lives in its own build zone, separate from both the development zone and the production zone. The build zone receives code from the source code repository, runs automated tests and security scans, builds deployment artefacts, and pushes those artefacts to the production zone through a controlled deployment interface. Developers do not have direct access to the build zone infrastructure; they interact with the CI/CD system through its API or web interface. Production deployments happen only through the pipeline, never through a developer running a deployment script from their workstation.
This architecture means that even a fully compromised developer workstation cannot directly deploy malicious code to production. The attacker would also need to compromise the CI/CD system itself and bypass the automated security gates in the build pipeline. Our guide on DevSecOps for Web3 organisations covers the pipeline security controls in detail, including how to secure the build zone against supply chain attacks.
Dependency and package management deserves specific attention in the developer zone. Developers regularly install packages from public repositories, and those repositories are an active attack surface for supply chain attacks. Network controls should restrict developer workstations from pulling packages from arbitrary sources without review. An internal package mirror or allowlist of approved repositories reduces the risk of malicious package installation.
Zero Trust and Microsegmentation
Traditional network segmentation is a perimeter-based approach: it assumes that devices inside a zone can be trusted once they have been admitted, and that the zone boundary is the primary control point. Zero trust architecture challenges this assumption at its foundation. In a zero trust model, no device, user, or network flow is trusted by default, regardless of whether it originates inside or outside the network perimeter.
Our detailed guide to zero trust security for Web3 organisations covers the full framework. From a network segmentation perspective, zero trust introduces two important enhancements.
The first is identity-based access controls at the network layer. Rather than permitting traffic from a source IP address or VLAN, a zero trust network enforces authentication of the identity of the connecting device or service. Even if an attacker manages to place a device in the production zone, that device cannot communicate with other production zone services without presenting a valid, current certificate or authentication token. The identity plane provides an additional layer of control that is independent of the network position of the device.
The second is microsegmentation within zones. Traditional segmentation creates broad zones; microsegmentation creates fine-grained policies between individual workloads. In a cloud-native crypto environment, microsegmentation means that the order processing service, the withdrawal service, and the account management service are each isolated from one another, even though they may be in the same VPC. A compromise of the order processing service does not give the attacker access to the withdrawal service because an explicit policy rule is required for that communication path.
For on-premises environments, service mesh technologies such as Istio or Linkerd can provide microsegmentation at the application layer, enforcing mutual TLS (mTLS) authentication between services and applying traffic policies at a fine-grained level. For cloud environments, cloud-native tools including AWS Security Groups at the instance level and GCP VPC Service Controls provide equivalent capability.
Monitoring Segmentation Effectiveness
A segmented network that is not monitored is only marginally safer than a flat network. Network controls degrade over time: firewall rules accumulate, exceptions are added under time pressure, and misconfigurations are introduced during maintenance windows. Without continuous monitoring, an organisation may believe its segmentation is intact when it has been eroded to the point of ineffectiveness.
Network traffic analysis tools collect and analyse flows between zones, identifying patterns that deviate from the expected baseline. A connection from a developer workstation to a key management zone host should never appear in traffic logs. If it does, it represents either a misconfigured firewall rule or an active intrusion in progress. Either case requires immediate investigation.
Intrusion detection systems (IDS) placed at zone boundaries provide signature-based and anomaly-based detection of cross-zone traffic that matches known attack patterns. Network-based IDS is a complementary layer to firewall rules: the firewall blocks what is explicitly prohibited, and the IDS detects anomalous patterns within permitted traffic. Our security operations centre guide for crypto firms covers the monitoring stack and alert triage process in detail.
Periodic segmentation testing is a critical operational practice. A qualified security team should test the segmentation architecture at least annually to verify that zone boundaries are intact, that firewall rules match the documented policy, and that there are no undocumented paths between zones. This testing should include attempting to traverse from the office zone to the production zone and from the production zone to the key management zone, to verify that these paths are genuinely blocked. Our red team and blue team guide covers how to structure internal and external network security testing for crypto organisations.
Alerting on unexpected zone boundary traversal should be automated. Any connection attempt from a source that is not on the approved list for a given destination should generate a real-time alert to the security operations team. This is not an alert that should be reviewed in a daily report; it is an alert that warrants immediate investigation during business hours and an on-call response outside them.
Common Segmentation Failures in Crypto Firms
Understanding the most common ways that network segmentation fails in practice is as important as understanding how to implement it correctly. These failures appear repeatedly in security assessments of crypto and Web3 organisations.
Management interfaces accessible from the office network. Server management interfaces, including IPMI, iDRAC, iLO, and hypervisor management consoles, are frequently left accessible from the general office network for convenience. These interfaces often have their own authentication mechanisms, but they represent a direct path to servers that should be in the production or key management zone. Management interfaces must be accessible only from the management and monitoring zone, through hardened privileged access workstations.
Overpermissive firewall rules accumulated over time. Firewall rules are added under operational pressure and rarely reviewed or removed. A rule that was added to allow a developer temporary access to a production database for debugging purposes five years ago may still be in place, creating a permanent path that circumvents the intended segmentation architecture. Firewall rule reviews should be a quarterly operational task, with every rule justified, owned, and expiry-dated where possible.
VPN configurations that bypass segmentation. A remote access VPN that grants full network access to all internal zones on connection effectively flattens the network for any VPN user. A compromised VPN credential provides an attacker with the same access as a device physically on the internal network. Remote access should be provided through a split-tunnel VPN that grants access only to the specific zone required by that user, or through a zero trust network access (ZTNA) solution that enforces per-resource authentication.
Cloud security groups that allow all internal traffic. Cloud environments are frequently configured with a security group rule of "allow all traffic from within the VPC" for convenience. This recreates a flat network inside the cloud environment, negating the benefit of cloud-native microsegmentation. Every cloud security group rule should be as specific as possible: a defined source, a defined destination, a specific protocol, and a specific port.
Unmonitored legacy paths. Old network connections established years ago and never removed. Legacy systems that predate the current segmentation architecture and were never integrated into it. Undocumented network interfaces on virtual machines. These are common findings in security assessments of mature organisations. A network topology audit, including automated discovery of all active network paths, is an essential first step in any segmentation improvement programme.
Regulatory Requirements
Network segmentation has moved from a best practice recommendation to an explicit regulatory requirement for many crypto firms, driven by DORA, MiCA, and existing standards frameworks.
DORA (Digital Operational Resilience Act) applies to crypto asset service providers operating in the EU under MiCA and to financial entities using crypto-related services. DORA's ICT security requirements under Article 9 mandate that firms implement network security controls, including network segregation, to protect ICT systems. Article 9(4)(b) specifically requires the implementation of "network segmentation policies" as part of the ICT security framework. Firms subject to DORA that have not implemented formal network segmentation are in direct non-compliance. Our DORA compliance guide covers the full requirements in detail.
ISO 27001 Annex A.8.22 (in the 2022 revision) addresses network segmentation as a control. It requires that groups of information services, users, and information systems be segregated on networks. ISO 27001 certification requires demonstrable implementation of this control with documented policy, technical implementation evidence, and audit trail.
MiCA operational resilience requirements require crypto asset service providers to implement ICT risk management frameworks that include network security controls. The European Banking Authority (EBA) guidelines under MiCA reference network segmentation as a component of ICT security.
PCI DSS is relevant for crypto exchanges that process card payments. Requirement 1 of PCI DSS mandates the installation and maintenance of network security controls, and Requirement 1.3 specifically requires the restriction of inbound and outbound traffic to what is necessary for the cardholder data environment. PCI DSS's network segmentation requirements apply to the cardholder data environment specifically, but the underlying architecture principles are directly transferable to the broader crypto infrastructure.
Beyond compliance, network segmentation is a fundamental component of cyber insurance underwriting. Insurers increasingly require evidence of network segmentation as a condition of coverage, and a flat network with no segmentation may result in coverage denial for a breach that involved lateral movement.
Frequently Asked Questions
What is network segmentation?
Network segmentation is the practice of dividing a computer network into smaller, isolated sub-networks called segments or zones. Each zone has defined boundaries enforced by firewalls or access controls, so that traffic must be explicitly permitted to cross from one zone to another. This limits the blast radius of a breach: an attacker who compromises a device in one zone cannot automatically reach devices in other zones without passing through additional controls.
Why is network segmentation especially important for crypto firms?
Crypto firms hold private keys and signing infrastructure that, if reached by an attacker, can result in irreversible and unrecoverable asset loss. Unlike a traditional business where a breach might expose data that can be remediated, a successful lateral movement attack that reaches a crypto firm's key management system or hot wallet infrastructure can result in immediate, permanent theft. Network segmentation ensures that even if an attacker gains initial access via a phishing attack or compromised workstation, they cannot reach the critical signing infrastructure.
What is the difference between VLANs and physical network segmentation?
VLANs (Virtual Local Area Networks) are logical network segments enforced by managed switches and routers. They are cost-effective and widely used for separating office, production, and development traffic. Physical segmentation uses entirely separate network hardware with no shared switches or cables, providing stronger isolation at higher cost. For key management systems and HSMs holding high-value signing keys, physical segmentation is the gold standard. VLANs are appropriate for most other zone boundaries when properly configured with strict inter-VLAN firewall rules.
How does microsegmentation differ from traditional network segmentation?
Traditional network segmentation divides networks into broad zones at the perimeter, typically enforced by firewalls between VLANs or physical networks. Microsegmentation applies policy controls at the individual workload or application level, typically in cloud environments using software-defined networking. With microsegmentation, even two servers in the same cloud region can be prevented from communicating unless there is an explicit rule permitting it. This is particularly valuable for cloud-native crypto infrastructure where traditional perimeter approaches do not apply.
What are the most common network segmentation failures in crypto firms?
The most common failures are: management interfaces for servers and network devices being accessible from the office network; overpermissive firewall rules that were added for temporary purposes and never removed; VPN configurations that bypass segmentation by granting full network access on connection; cloud security groups configured with overly broad internal access rules; and legacy network paths that were never documented or removed when infrastructure was updated. Regular network penetration testing and firewall rule audits are essential to identify these issues before attackers do.