D3 · Architecture

What is network segmentation?

Network segmentation divides a network into isolated zones and controls traffic between those zones with firewalls. It limits lateral movement and contains breaches to their originating segment.
Segmentation is the most impactful network security control. In a flat network, an attacker can reach everything from any compromised host. Recommended segments: DMZ, Production, Dev/Test, Management, IoT, Guest. Traffic from each segment must cross a firewall or ACL to reach the others.