As organizations adopt hybrid architectures, cloud applications, and distributed work models, internal network traffic increasingly carries sensitive data and critical operational flows that must be protected with the same rigor as WAN and Internet traffic. LAN segmentation is a key architectural component to reduce risk and improve operational control within modern enterprise networks.
This section describes how Cato approaches LAN segmentation as part of its broader SASE and Universal Zero Trust Network Architecture (UZTNA).
The primary goal of LAN segmentation is to limit implicit trust within the local network. By dividing the LAN into segments with explicit access controls, organizations can reduce lateral movement, contain compromised systems, and enforce least-privilege communication between devices, applications, and services.
LAN segmentation also improves operational clarity by making access paths intentional and reviewable. Instead of relying on flat networks and broad connectivity, admins define which systems are allowed to communicate and under what conditions.
In hybrid and cloud-first environments, security controls are often concentrated at the network edge, protecting traffic entering or leaving the organization. As a result, east–west LAN traffic may receive less inspection and enforcement, creating a blind spot for lateral threats.
Without segmentation, a single compromised endpoint can access a wide range of internal resources. LAN segmentation closes this gap by applying consistent inspection and policy enforcement to internal traffic flows, improving both security posture and visibility within the local network.
LAN segmentation is a practical extension of Zero Trust principles into the local network. Zero Trust assumes no implicit trust based on network location and requires explicit policy evaluation for each access attempt.
Within the Cato SASE Cloud Platform, LAN segmentation applies these principles locally by enforcing policy-driven controls on the Socket. This lets organizations extend Zero Trust consistently across LAN, WAN, and Internet traffic using a single management plane.
Cato LAN segmentation is implemented through the following core components:
- Sockets - Enforce LAN segmentation locally at each site by inspecting and controlling east–west traffic.
- LAN Firewall - Defines and enforces segmentation policies for traffic between segments, including Layer 7 enforcement capabilities.
- Microsegmentation - Isolates hosts within the same VLAN using /32 addressing and forces intra-VLAN traffic through the Socket for inspection.
- Cato Management Application (CMA) and the Cato Cloud - Provide a single console to define and manage policies and settings that implement LAN segmentation. Policies are consistently deployed across the Cato Cloud global backbone.
Cato implements LAN segmentation as a policy-driven security control that governs east–west traffic behind a Socket site. Local traffic segmentation is enforced through a combination of LAN firewall policies and microsegmentation controls that define which users, devices, applications, and services are allowed to communicate within the LAN. The Socket locally segments and secures LAN traffic at the physical site to control east–west communication with minimal latency.
Cato LAN segmentation is implemented as logical segmentation enforced by the Socket. It does not rely on physically separate networks or dedicated segmentation hardware.
VLANs and IP ranges can be used to define segmentation scope, but they do not enforce isolation by themselves. In the Cato platform, these network attributes are used as matching criteria within LAN firewall and microsegmentation policies, while the Socket performs the actual enforcement. This approach allows administrators to adapt segmentation as the environment changes without redesigning network topology or introducing additional hardware.
Segmentation policies are defined centrally in the CMA and enforced locally on the Socket at each site. The Socket acts as the enforcement point for all LAN traffic that crosses a defined trust boundary. This model provides centralized control with local enforcement, ensuring consistent policy behavior across Socket sites while maintaining local traffic inspection even if cloud connectivity is temporarily unavailable.
Once segmentation policies are in place, you can further enhance LAN security by enabling IPS enforcement on the Socket. The Socket can inspect east–west traffic for threats as it is evaluated against LAN Firewall rules.
This section describes the architecture of LAN segmentation in Cato.
The Socket is the enforcement point for LAN segmentation at each site. All LAN traffic that crosses a segmentation boundary is inspected and controlled directly on the Socket, including traffic between VLANs. In addition, when you enable microsegmentation, traffic between hosts within the same VLAN is also inspected.
By enforcing segmentation locally, the Socket ensures that east–west traffic is evaluated with minimal latency and does not depend on round trips to PoPs in the Cato Cloud. This is especially important for latency-sensitive applications and environments where uninterrupted local connectivity is required.
Segmentation policies are defined once in the CMA and automatically distributed to all relevant Sockets. Administrators manage segmentation using a single policy framework that easily scales to large numbers of sites and supports gradual onboarding of sites to the Cato platform.
This centralized model simplifies change management and auditing. Policy updates are applied consistently across the environment, reducing configuration drift and eliminating the need for site-specific firewall rule settings.
Cato uses the Socket Next Gen LAN Firewall as the control plane for enforcing segmentation within the local network. The Socket LAN Firewall evaluates east–west traffic against security policy, providing a consistent inspection and enforcement mechanism for LAN traffic without sending traffic to the cloud.
The Socket LAN Firewall performs Layer 7 inspection on LAN traffic that crosses a policy-defined trust boundary. Rather than relying solely on IP addresses, ports, or VLAN identifiers, the firewall identifies applications and protocols within the traffic stream and evaluates them against policy.
Applying segmentation decisions based on application identity and traffic attributes allows administrators to enforce least-privilege access between systems while maintaining simple network designs. Segmentation decisions are expressed in security terms and enforced consistently at the Socket, reducing reliance on complex ACLs and minimizing the risk of over-permissive lateral access.
The Socket LAN Firewall also supports segmentation using device and user context. You can define rules based on device attributes such as OS version, manufacturer, or device type (for example, security cameras or printers), and restrict access accordingly. In addition, LAN Firewall rules can include user-based conditions, such as user identity or attributes like risk score, to enforce access policies based on who is initiating the traffic. This allows segmentation policies to combine network, device, and user context for more precise control over east–west traffic.
Cato extends LAN segmentation with an agentless microsegmentation model that enforces isolation at the individual host level. Microsegmentation reduces the attack surface within a segment by preventing implicit trust between devices, limiting lateral movement even when systems share the same VLAN or IP subnet.
Microsegmentation forces intra-VLAN traffic to traverse the Socket for inspection and enforcement. East–west traffic between hosts is evaluated by the Socket LAN Firewall using the same policy framework applied to inter-VLAN traffic.
Cato microsegmentation is implemented without deploying agents on endpoints or introducing dedicated segmentation appliances. Enforcement is performed by the Socket, using policy-defined controls rather than host-based software or complex network redesign.
This agentless approach allows microsegmentation to be applied uniformly across managed, unmanaged, and non-user devices, including servers, IoT, and OT systems. It also simplifies operations by avoiding endpoint lifecycle management and compatibility constraints.
When microsegmentation is enabled, hosts within a VLAN are logically isolated using /32 addressing. Each device is treated as its own isolated endpoint, removing default peer-to-peer reachability within the subnet.
This model ensures that devices cannot communicate directly with one another unless explicitly permitted by policy. Any lateral communication attempt must be evaluated and allowed by the Socket, enforcing least-privilege access at the host level.
The following sample use cases show how to limit unnecessary trust within the LAN while preserving required business connectivity.
Restrict access to LDAP and Active Directory servers to only an IT admin user group. Enforce this on the Socket by allowing traffic to the LDAP/AD servers only from designated IT admin users or devices, and block all other access. This is an example set of LAN Firewall rules that allow LDAP/AD access to IT admins while blocking access for other sources:
Operational technology (OT) and IoT devices often lack built-in security controls and cannot support endpoint agents. Cato enables isolation of these devices by enforcing LAN firewall and microsegmentation policies directly on the Socket, allowing OT and IoT assets to be placed into dedicated segments with tightly controlled communication paths.
For example, configure microsegmentation for the security camera VLAN, and create a LAN Firewall rule that restricts access to the IP camera device type to only security personnel.
The following image shows a VLAN for security cameras configured with microsegmentation.
Segmentation is used to restrict access to critical servers and workloads that host sensitive data or business-critical applications. Cato enables this by enforcing LAN firewall and microsegmentation policies on the Socket, allowing access to be defined using application-based controls where applicable and IP-based controls at the host level.
For example, restrict access to a payment processing server to only application servers that require it. Enforce this on the Socket by allowing traffic to the payment server only from designated application server IPs or segments, and block all other access.
This is an example set of LAN Firewall rules that allow access to the payment server from a designated application server while blocking access for other sources:
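The following is an added, simplified model (not Cato's engine, API or rule syntax) of how the Socket evaluates LAN Firewall rules for the three use cases above, and of why intra-VLAN traffic is only evaluated once the VLAN is microsegmented. All subnets, group names, device types and rule names are constructed assumptions.

```python
"""Simplified model of Socket-enforced LAN segmentation. Constructed example
for this article, not Cato's engine; all addresses and names are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str; dst_ip: str; app: str      # app as identified by L7 inspection
    src_group: str = ""                     # user group of the initiator, if known
    dst_device_type: str = ""               # e.g. "ip_camera" (device context)
    src_vlan: str = ""; dst_vlan: str = ""  # VLAN membership of both hosts


@dataclass
class Rule:
    name: str; action: str                  # action is "allow" or "block"
    src_net: str = "0.0.0.0/0"; dst_net: str = "0.0.0.0/0"
    apps: tuple = (); src_groups: tuple = (); dst_device_types: tuple = ()

    def matches(self, f):
        in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(f.src_ip, self.src_net) and in_net(f.dst_ip, self.dst_net)
                and (not self.apps or f.app in self.apps)
                and (not self.src_groups or f.src_group in self.src_groups)
                and (not self.dst_device_types or f.dst_device_type in self.dst_device_types))


def evaluate(rules, f, microseg_vlans=frozenset()):
    """Return (rule_name, action). Hosts in the same VLAN reach each other
    directly unless the VLAN is microsegmented (/32 isolation), in which case
    the Socket evaluates the flow like any other. First matching rule wins."""
    if f.src_vlan and f.src_vlan == f.dst_vlan and f.src_vlan not in microseg_vlans:
        return "direct-l2-reachability", "allow"   # never reaches the Socket
    for r in rules:
        if r.matches(f):
            return r.name, r.action
    return "implicit-block", "block"               # no rule matched


# Rules for the article's use cases (constructed values).
RULES = [
    Rule("IT admins to AD", "allow", dst_net="10.10.1.0/24",
         apps=("ldap", "kerberos"), src_groups=("IT Admins",)),
    Rule("Block AD for others", "block", dst_net="10.10.1.0/24"),
    Rule("Security to cameras", "allow", src_groups=("Security",), dst_device_types=("ip_camera",)),
    Rule("Block cameras for others", "block", dst_device_types=("ip_camera",)),
    Rule("App servers to payment", "allow", src_net="10.20.5.0/24", dst_net="10.30.0.7/32"),
    Rule("Block payment for others", "block", dst_net="10.30.0.7/32"),
]
```

Running a camera-to-camera flow through `evaluate` with and without the camera VLAN in `microseg_vlans` shows the difference microsegmentation makes: the same flow goes from unexamined peer reachability to an explicit block.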