Network segmentation is the act of splitting a computer network into subnetworks, each being a network segment, which increases security and can also boost performance. It is a security best practice that is recommended (but not required) by PCI DSS and it makes the top 20 list of critical security controls suggested by SANS. Due to the ongoing investigation, the world doesn't have the full details on the Target breach yet, but there are strong indications that network segmentation could have considerably reduced the impact of that breach.


It appears that the attackers entered through an HVAC company that supplied heating/cooling systems to Target stores. While it was first speculated that this external  partner had remote access to the HVAC systems for maintenance, it was later disclosed that it was their EDI/Billing integration that turned out to be Target's soft spot.


While network segmentation cannot help you keeping attackers out, it can help you contain the impact of a breach to one part of the network. With solid network segmentation between the billing and the POS systems, Target may have avoided the attackers from reaching their pot of gold - the POS systems.

To help our customers audit if their network segmentation is effective, we are updating Metasploit Pro to test the connection between any two network segments, testing open ports between the Metasploit Pro instance and a network segmentation testing server.

In addition to this very quick and easy network segmentation test, you can use Metasploit Pro to conduct a penetration test from any network segment and try to reach another, such as the cardholder data environment (CDE). Metasploit Pro's VPN pivoting can help you traverse network segments connected by multi-homed machines.

The new Network Segmentation Testing MetaModule will be available soon - watch this space!