# Network Segmentation and NAC

One-sentence definition: Restrict lateral movement by dividing the network into zones, and enforce device identity and posture at network entry points.

## Key Facts

- Segment by sensitivity and function; micro-segment critical zones (e.g., the database tier) so that even intra-zone traffic is policed.
- NAC authenticates users and devices before granting access (commonly 802.1X with EAP against a RADIUS server) and checks endpoint posture; non-compliant endpoints are typically placed in a quarantine/remediation VLAN.
- Enforce with ACLs, firewalls, and SDN policies; default deny between segments, with an explicit allow-list of the flows each tier actually needs.
- Monitor inter-segment flows at the enforcement points; log and alert on communications the policy does not permit or that deviate from baseline.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose segmentation + NAC to contain breaches and limit lateral movement.

**Mnemonic:** “**Divide** to **defend**.”

## Mini Scenario

Q: A workstation connects directly to a host on the DB subnet. Allowed?

A: Likely no. Workstations should reach the database only through the application tier; enforce this with ACLs or firewall rules that deny workstation-to-DB flows and permit only app-tier-to-DB on the required port.

## Revision Checklist

- NAC purpose.
- Default policy between segments.
- Monitoring point for inter-segment flows.

## Related

[[Intrusion Detection and Prevention (NIDS NIPS HIDS HIPS)]] · [[DDoS Mitigation and Resilience]] · [[Secure Administration and Out-of-Band (OOB) Access]] · [[Network Vulnerability Scanning (Internal External)]] · [[Endpoint Hardening and Baselines (Servers and Workstations)]] · [[Domain 7 - Index]]
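## Worked Example

The following is an added example, not part of the original note, that puts the Key Facts and the Mini Scenario into working code: a zone map, a default-deny inter-segment policy with an explicit allow-list, micro-segmentation of the DB zone, and a flow-log audit that alerts on observed flows the policy does not permit (the "monitor inter-segment flows" point). All address ranges, ports, and the flow-log lines are constructed for illustration.

```python
import ipaddress
from typing import List, Optional

# Constructed zone map (hypothetical address ranges, not from the original page).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app":          ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
}

# Zones that are micro-segmented: even traffic inside the zone is denied
# unless it appears in the allow-list below.
MICROSEGMENTED = {"db"}

# Explicit allow-list of (src_zone, dst_zone, proto, dst_port).
# Anything not listed is denied: this is the "default deny between segments" rule.
ALLOW = {
    ("workstations", "app", "tcp", 443),   # users reach the app tier over HTTPS
    ("app", "db", "tcp", 5432),            # only the app tier talks to the DB
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, proto: str, dst_port) -> str:
    """Policy decision for one flow: 'allow' or 'deny' (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"                      # unknown address space: deny
    if src == dst and src not in MICROSEGMENTED:
        return "allow"                     # ordinary intra-segment traffic
    if (src, dst, proto.lower(), int(dst_port)) in ALLOW:
        return "allow"
    return "deny"


# Constructed flow log: "timestamp src dst proto dst_port bytes" per line.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.10.4.7 10.20.0.10 tcp 443 5120
2024-05-01T10:00:02Z 10.20.0.10 10.30.0.5 tcp 5432 812
2024-05-01T10:00:03Z 10.10.4.7 10.30.0.5 tcp 5432 640
2024-05-01T10:00:04Z 10.10.4.7 10.10.4.8 tcp 445 9000
2024-05-01T10:00:05Z 10.30.0.5 10.30.0.6 tcp 22 300
"""


def audit(flow_log: str) -> List[str]:
    """Replay observed flows against the policy; each denied flow is an alert.

    A denied flow that was nevertheless observed means either the enforcement
    point is misconfigured or something is moving laterally across segments.
    """
    alerts = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _nbytes = line.split()
        if decide(src, dst, proto, dport) == "deny":
            alerts.append(
                f"{ts} {zone_of(src)}->{zone_of(dst)} "
                f"{src} -> {dst} {proto}/{dport} violates segmentation policy"
            )
    return alerts


if __name__ == "__main__":
    # The Mini Scenario: workstation straight to the DB subnet is denied,
    # while the mediated path (workstation -> app -> db) is allowed.
    print(decide("10.10.4.7", "10.30.0.5", "tcp", 5432))    # deny
    print(decide("10.10.4.7", "10.20.0.10", "tcp", 443))    # allow
    print(decide("10.20.0.10", "10.30.0.5", "tcp", 5432))   # allow
    for alert in audit(SAMPLE_FLOWS):
        print(alert)
```

In the sample log, lines 3 (workstation directly to the DB port) and 5 (DB host to DB host over SSH, inside the micro-segmented zone) are the ones that raise alerts; the same allow-list would be expressed in production as firewall rules or SDN policy, and the audit logic as a detection rule over the flow records exported from those enforcement points.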