Zero Trust Segmentation Blueprint

A practical guide to implementing Zero Trust network controls with open-source tools—written for junior SOC analysts building real-world skills.

Published December 7, 2025

Zero Trust flips traditional network security on its head. Instead of trusting everything inside your perimeter and blocking everything outside, you trust nothing by default. Every user, device, and workload has to prove it should have access—every single time. The mantra is “never trust, always verify.”

Why does this matter for SOC work? When attackers get past your perimeter (and they will), Zero Trust limits how far they can move. Segmentation shrinks the blast radius of any breach. This guide breaks down how to implement these controls step by step, with open-source tools you can actually deploy in a homelab or production environment.

What Zero Trust actually means

Before diving in, let’s clear up what Zero Trust is and isn’t:

Zero Trust is:

  • Verifying identity before granting access (not just once—continuously)
  • Limiting access to only what’s needed (least privilege)
  • Assuming attackers are already inside your network
  • Segmenting resources so a breach in one area can’t spread everywhere

Zero Trust is NOT:

  • A single product you can buy
  • Just a firewall or VPN
  • Something you implement overnight

Think of it like a building with locked doors between every room, security badges required everywhere, and cameras watching everything—even for employees who “should” be trusted.

Phase 1: Map what you have

You can’t protect what you don’t know exists. Start by building visibility into your environment.

What to inventory

  • Users: Who has accounts? What groups are they in? Who has admin privileges?
  • Devices: Workstations, servers, IoT devices, network equipment, BYOD phones
  • Applications: What’s running? What talks to what? Where does sensitive data live?
  • Network flows: How does traffic actually move between systems?

Baseline normal behavior

Once you know what exists, you need to understand what “normal” looks like. This becomes critical later when you’re trying to detect anomalies.

Open-source tools for discovery and visibility

Security Onion (https://securityonionsolutions.com) - This is your all-in-one platform for network visibility. It bundles:

  • Zeek - Generates detailed logs of network connections, protocols, and file transfers
  • Suricata - Signature-based intrusion detection (catches known bad stuff)
  • Stenographer - Full packet capture for forensics

Security Onion gives you dashboards to see traffic patterns across your network. You can identify which systems talk to each other, spot unusual connections, and establish baselines.

Wazuh (https://wazuh.com) - Open-source XDR/SIEM that runs agents on your endpoints. It collects:

  • Windows Event Logs
  • Linux auth logs
  • File integrity monitoring
  • Vulnerability scanning results

Wazuh helps you see what’s happening on hosts, not just on the network. Deploy agents on your critical systems and you’ll quickly learn what “normal” looks like for each one.

nmap / Angry IP Scanner - Basic but essential for asset discovery. Run regular scans to catch new devices appearing on your network.

Phase 2: Lock down identity (this is the foundation)

Here’s a key insight: identity is the new perimeter. Network location doesn’t matter as much when your users are remote, your apps are in the cloud, and your devices are everywhere.

Before you segment your network, make sure you can verify who (and what) is accessing resources.

What good identity management looks like

  1. Centralized authentication - One place that handles all logins
  2. Strong MFA everywhere - Passwords alone are not enough
  3. Phishing-resistant authentication - Even MFA can be bypassed if it’s SMS or push-based

Why SMS and push MFA aren’t good enough anymore

Attackers have gotten really good at bypassing weak MFA:

  • SIM swapping steals your SMS codes
  • MFA fatigue attacks spam push notifications until someone clicks “approve” to make it stop
  • Adversary-in-the-middle (AiTM) proxies capture both passwords and one-time codes in real time

Phishing-resistant MFA uses cryptographic keys that can’t be phished:

  • FIDO2/WebAuthn - Hardware security keys (like YubiKeys) or built-in passkeys
  • PKI/Smart cards - Certificate-based authentication

The private key never leaves your device, and each signature is bound to the origin of the site that requested it, so even if you’re tricked into visiting a fake login page, the attacker ends up with nothing they can replay against the real one.

Open-source identity tools

Keycloak (https://www.keycloak.org) - The heavyweight champion of open-source IAM. It handles:

  • Single Sign-On (SSO) across applications
  • SAML, OAuth2, OpenID Connect protocols
  • User federation with LDAP/Active Directory
  • WebAuthn/FIDO2 support for passkeys

Keycloak is complex but extremely powerful. It’s a CNCF project with strong community support. If you’re in an enterprise environment, this is often the go-to.

Authentik (https://goauthentik.io) - A more modern, user-friendly alternative to Keycloak. Great for homelabs and SMBs. Features:

  • Clean UI with visual “flow” designer for authentication journeys
  • Built-in support for passkeys and passwordless auth
  • GeoIP blocking for suspicious logins
  • Easier to set up than Keycloak

Authelia (https://www.authelia.com) - Lightweight option that acts as a security gateway in front of your apps. Good for self-hosted setups where you want SSO without the complexity of a full IdP.

Device trust

A valid user on a compromised device is still a threat. You need to verify device posture too.

osquery (https://osquery.io) - Lets you query your endpoints like a database. Check patch levels, installed software, running processes—anything you need to verify a device is healthy before granting access.

Wazuh (mentioned above) - Also handles device posture checks. You can create rules that flag non-compliant endpoints.

Phase 3: Segment the network

Now we get to the actual segmentation. The goal: break your network into smaller zones so attackers can’t move freely if they compromise one system.

Layer 1: VLANs (macro-segmentation)

VLANs are your starting point. They separate broadcast domains and give you basic isolation:

  • User VLAN - Regular workstations
  • Server VLAN - Production servers
  • Management VLAN - Network equipment, hypervisors
  • IoT VLAN - Cameras, printers, smart devices (never trust these)
  • Guest VLAN - Isolated internet access only

Limitations of VLANs:

  • They only control traffic between VLANs, not within them
  • Static configuration—rules don’t follow workloads
  • An attacker inside a VLAN can move laterally to other systems in the same VLAN
  • Don’t work well in cloud/hybrid environments

VLANs are table stakes, not the finish line.

Layer 2: Microsegmentation (the real Zero Trust move)

Microsegmentation creates policies around individual workloads, not network segments. If VLANs are walls between rooms, microsegmentation is a security guard at every desk.

Key difference: Traditional segmentation controls north-south traffic (in/out of zones). Microsegmentation controls east-west traffic (between systems within zones).

Open-source microsegmentation tools

Calico (https://www.tigera.io/project-calico/) - The go-to for Kubernetes environments. It enforces network policies at the pod level:

  • Namespace isolation (dev can’t talk to prod)
  • Workload-to-workload rules
  • Works with or without Kubernetes

Example: Your web frontend pods can only talk to your API pods, which can only talk to the database. Everything else is denied by default.

Cilium (https://cilium.io) - eBPF-based networking and security for Kubernetes. More advanced than Calico:

  • Layer 7 visibility (sees HTTP/gRPC traffic, not just IP/port)
  • Can enforce policies based on API calls, not just network connections
  • Excellent observability with Hubble

If you’re doing container security, Cilium is worth learning.

OpenZiti (https://openziti.io) - Open-source software-defined perimeter. This is next-level:

  • Makes your services invisible to unauthorized users
  • Identity-based connectivity (not IP-based)
  • Works across cloud, on-prem, edge, IoT
  • Embeddable SDKs for apps

OpenZiti is what happens when you take Zero Trust to its logical conclusion—resources don’t even have public IPs. You can’t attack what you can’t see.

pfSense / OPNsense - For traditional on-prem networks, these open-source firewalls let you create internal segmentation with firewall rules between VLANs. Not true microsegmentation, but better than nothing.

Layer 3: Application-level access (ZTNA)

Zero Trust Network Access replaces VPNs with per-application access:

  • Users don’t get “on the network”—they get access to specific apps
  • Each connection is authenticated and authorized individually
  • No lateral movement because there’s no network access to move through

Open-source ZTNA options:

OpenZiti (mentioned above) - Full ZTNA platform

Teleport (https://goteleport.com) - Open-source access plane for SSH, Kubernetes, databases, and web apps. Provides certificate-based access with audit logging.

Pomerium (https://www.pomerium.com) - Identity-aware proxy that puts authentication in front of any app

Phase 4: Enforce least privilege

Segmentation only works if you’re actually limiting access. The principle of least privilege means giving users and systems the minimum access they need to do their job—nothing more.

Network access control

You want to verify devices before they even get an IP address.

PacketFence (https://www.packetfence.org) - Open-source NAC that handles:

  • 802.1X authentication (RADIUS-based)
  • Guest registration portals
  • Device profiling and compliance checks
  • Automatic quarantine for non-compliant devices

When a device connects, PacketFence checks: Is this a known device? Is the user authenticated? Is the device compliant? Based on the answers, it assigns the device to the appropriate VLAN or quarantines it.

FreeRADIUS (https://freeradius.org) - If you just need the RADIUS server for 802.1X without the full NAC suite. Integrates with Keycloak/Authentik for centralized auth.

Firewall rules that make sense

Default deny everything, then whitelist what’s needed:

# Example: web server (10.0.1.10) can reach the database (10.0.2.20) only on TCP 3306
iptables -P FORWARD DROP                                                  # default deny for all forwarded traffic
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # let replies to permitted connections return
iptables -A FORWARD -s 10.0.1.10 -d 10.0.2.20 -p tcp --dport 3306 -j ACCEPT
iptables -A FORWARD -s 10.0.1.10 -j DROP                                  # explicit drop for anything else the web server starts

Document every rule. If you can’t explain why a rule exists, it probably shouldn’t.
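The rule shape above is the one every inter-zone rule should follow, and the documentation requirement is easiest to keep when a tool refuses undocumented rules. The script below is an added example, not code from the article or from pfSense/OPNsense: it turns a justified allowlist into a default-deny FORWARD ruleset (policy DROP, replies to permitted connections, one explicit ACCEPT per flow, a LOG rule for what falls through) and rejects any flow without a written reason or with an any-to-any scope. The hosts, subnets and the ticket reference are constructed.

```python
"""Generate a default-deny iptables FORWARD ruleset from a documented allowlist.

Added example, not code from the original article or from pfSense/OPNsense:
every permitted flow must carry a written justification, so "document every
rule" is enforced by the tool rather than by memory. The hosts, subnets and
ticket reference below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source host or subnet (CIDR)
    dst: str      # destination host or subnet (CIDR)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    reason: str   # who needs this and why; mandatory


# Constructed allowlist for a small three-tier network (addresses are made up).
ALLOWLIST = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 3306, "web-01 reads the orders DB (ticket NET-42, hypothetical)"),
    Flow("10.0.1.0/24", "10.0.3.5", "udp", 53, "user VLAN resolves names via the internal resolver"),
    Flow("10.0.9.1", "10.0.2.0/24", "tcp", 22, "jump host administers the server VLAN over SSH"),
]


def validate(flow: Flow) -> None:
    """Reject rules that are undocumented, malformed, or too broad for least privilege."""
    if not flow.reason.strip():
        raise ValueError(f"{flow.src} -> {flow.dst}:{flow.dport} has no documented reason")
    if flow.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {flow.proto!r}")
    if not 1 <= flow.dport <= 65535:
        raise ValueError(f"invalid port {flow.dport}")
    src, dst = ip_network(flow.src, strict=False), ip_network(flow.dst, strict=False)
    if src.prefixlen == 0 and dst.prefixlen == 0:
        raise ValueError("any-to-any rule defeats default deny")


def render_ruleset(flows) -> list[str]:
    """Return iptables commands in the order a default-deny chain needs them."""
    for flow in flows:
        validate(flow)
    lines = [
        # 1. Nothing is forwarded unless a rule below says so.
        "iptables -P FORWARD DROP",
        # 2. Replies to connections that were already permitted may pass.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # 3. One explicit ACCEPT per justified flow, with its reason kept beside it.
    for flow in flows:
        lines.append(f"# {flow.reason}")
        lines.append(
            f"iptables -A FORWARD -s {flow.src} -d {flow.dst} -p {flow.proto} "
            f"--dport {flow.dport} -m conntrack --ctstate NEW -j ACCEPT"
        )
    # 4. Log what falls through so denied flows reach the SIEM; the chain policy then drops them.
    lines.append('iptables -A FORWARD -j LOG --log-prefix "FWD-DENY: "')
    return lines


if __name__ == "__main__":
    print("\n".join(render_ruleset(ALLOWLIST)))
```

Run it and paste the output into your firewall bootstrap; because the reason travels with the rule as a comment, the generated file doubles as the rule documentation the paragraph above asks for.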

Phase 5: Monitor everything

Zero Trust assumes breach. You need to detect when something’s wrong.

What to monitor

  • Authentication events - Failed logins, unusual login locations, MFA bypasses
  • Network flows - New connections, traffic spikes, connections to known-bad IPs
  • Endpoint activity - Process execution, file changes, privilege escalation
  • User behavior - Access patterns that deviate from baseline

Open-source monitoring stack

Security Onion (your network visibility layer)

  • Zeek logs every connection with rich metadata
  • Suricata alerts on known attack signatures
  • Full packet capture for deep forensics

Wazuh (your host visibility layer)

  • Collects logs from endpoints
  • Built-in rules for common attacks
  • File integrity monitoring
  • Active response capabilities

TheHive + Cortex (https://thehive-project.org) - Incident response platform:

  • Case management for investigations
  • Cortex automates enrichment (check IPs against threat intel, query VirusTotal, etc.)
  • Integrates with Wazuh/Security Onion via n8n or custom scripts

Grafana + Prometheus - For dashboards and alerting on metrics. Visualize trends, set thresholds, get notified when things go sideways.

Detection examples for lateral movement

Things that should trigger alerts:

  • Admin tools (PsExec, WMI, PowerShell remoting) used between workstations
  • SMB connections from user VLANs to server VLANs
  • RDP from unexpected sources
  • Service accounts authenticating from new hosts
  • DNS queries to unusual or random-looking domains (potential C2)

Putting it all together

Here’s a realistic implementation order:

Month 1-2: Visibility

  • Deploy Security Onion to monitor network traffic
  • Install Wazuh agents on critical systems
  • Build asset inventory and document network flows
  • Establish behavioral baselines

Month 3-4: Identity

  • Deploy Keycloak or Authentik for centralized auth
  • Enable MFA everywhere (start with TOTP, plan for FIDO2)
  • Integrate with existing directory services
  • Audit privileged accounts

Month 5-6: Basic segmentation

  • Implement VLANs for major zones (users, servers, IoT, guests)
  • Deploy pfSense/OPNsense for inter-VLAN firewalling
  • Default deny between zones, whitelist required traffic

Month 7-8: Advanced segmentation

  • Deploy Calico/Cilium for container workloads
  • Implement microsegmentation for critical systems
  • Evaluate OpenZiti for high-value applications

Ongoing: Iterate and improve

  • Tune detection rules based on false positives
  • Add more restrictive policies as you understand traffic patterns
  • Practice incident response scenarios
  • Document everything

Lab it up

The best way to learn this stuff is to build it. Spin up a homelab with:

  • Proxmox or VMware for virtualization
  • pfSense/OPNsense as your router/firewall
  • Security Onion for network monitoring
  • Wazuh for endpoint monitoring
  • Keycloak or Authentik for identity
  • A few vulnerable VMs (VulnHub, HackTheBox) to practice detecting attacks

Break things. Watch the traffic. Trigger alerts. That’s how you learn what “normal” and “abnormal” actually look like.


Zero Trust isn’t a destination—it’s a direction. You won’t implement everything overnight, and that’s okay. Start with visibility, lock down identity, segment what you can, and keep improving. Each layer you add makes life harder for attackers and gives you more chances to catch them.

Still thinking?

Have more questions? Feeling overwhelmed?

If these guardrails feel complex, reach out and I’ll translate the blueprint for your stack. Consultations are tailored, practical, and jargon-free.