To understand how attackers move inside a network, we first need to look at how networks are designed.
Flat Networks: Easy to Build, Easy to Break
In a flat network, all devices can communicate directly with each other. There are no meaningful internal boundaries. From an attacker’s perspective, this is the ideal environment.
If an attacker compromises just one system in a flat network, they often gain visibility or access to many other systems immediately. There is little resistance to lateral movement, and internal traffic usually flows freely.
Because of these risks, flat networks are rarely used in real-world enterprise environments today.
Network Segmentation: Making the Attacker’s Job Harder
Most modern networks are segmented. This means the network is divided into multiple subnets, and each subnet contains devices with similar roles or purposes. For example:
- User workstations in one subnet
- Servers in another
- Databases in a highly restricted subnet
This design limits how far an attacker can go after an initial compromise. Even if a single machine is breached, access to other parts of the network is restricted by design.
From a defensive standpoint, segmentation reduces blast radius.
From an offensive (red team) standpoint, it creates obstacles that must be bypassed.
Firewalls: The Gates Between Network Segments
Segmentation is usually enforced using firewalls. These can exist in different forms:
- Host-based firewalls, such as:
  - iptables on Linux
  - Windows Defender Firewall on Windows
- Network or hardware firewalls placed between subnets
Firewalls control traffic between networks based on rule-based filtering, typically using:
- IP addresses
- Ports
- Protocols
For example, a firewall may allow web traffic (TCP port 80/443) but block everything else between two subnets.
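As an added illustration of the rule-based filtering just described (example code written for this page, not code from the original module), the following Python evaluates a connection attempt against an ordered allow-list: each rule matches on source network, destination network, protocol and destination port, the first match wins, and anything unmatched is denied. The subnets, rule set and addresses are constructed assumptions; the point is how a "permit 80/443, drop the rest" policy between two segments is expressed and enumerated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed example segments (hypothetical addressing, not from any real network).
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("10.20.0.0/24")
DATABASES = ipaddress.ip_network("10.30.0.0/24")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"

    def matches(self, src_ip, dst_ip, proto: str, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Ordered policy between segments: first matching rule decides, and the
# implicit final rule is "deny" (nothing flows unless a rule permits it).
POLICY: List[Rule] = [
    Rule(WORKSTATIONS, SERVERS, "tcp", 80, "allow"),     # web traffic only
    Rule(WORKSTATIONS, SERVERS, "tcp", 443, "allow"),
    Rule(SERVERS, DATABASES, "tcp", 5432, "allow"),      # app tier -> database
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a single connection attempt."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"  # default deny: anything not explicitly permitted is dropped


def permitted_paths(policy: List[Rule], src: str) -> Set[Tuple[str, str, Optional[int]]]:
    """Enumerate (destination network, protocol, port) a given source may reach.

    This is the defender's view of the allow-list: the same set an attacker on
    that host would discover by probing, so it is worth reviewing per segment."""
    src_ip = ipaddress.ip_address(src)
    return {(str(r.dst), r.proto, r.dport)
            for r in policy if r.action == "allow" and src_ip in r.src}


if __name__ == "__main__":
    for args in [("10.10.1.5", "10.20.0.10", "tcp", 443),
                 ("10.10.1.5", "10.20.0.10", "tcp", 22),
                 ("10.10.1.5", "10.30.0.5", "tcp", 5432),
                 ("10.20.0.10", "10.30.0.5", "tcp", 5432)]:
        print(args, "->", evaluate(POLICY, *args))
    print("workstation may reach:", sorted(permitted_paths(POLICY, "10.10.1.5")))
```

Note that the workstation segment has no path to the database segment at all; the only way a workstation-originated request reaches port 5432 is through a host in the server segment that is permitted to talk to both, which is exactly the relay position the next section describes.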
How Attackers Bypass Segmentation
Attackers don’t ignore firewalls — they abuse the rules that already exist.
Two common techniques used during post-exploitation are port redirection and tunneling.
Port Redirection (Port Forwarding)
Port redirection means altering the flow of network traffic so that data sent to one socket is forwarded to another socket.
In practice, an attacker may compromise a system that is allowed to communicate with multiple networks. By forwarding ports through that system, the attacker can:
- Pivot from one subnet to another
- Access internal services that should not be reachable directly
- Reuse allowed firewall rules instead of breaking them
From the firewall’s perspective, the traffic looks legitimate — it is using permitted IPs and ports.
Tunneling: Hiding One Protocol Inside Another
Tunneling takes this idea even further.
Tunneling means encapsulating one type of traffic inside another allowed protocol. A common example is:
- Sending HTTP traffic through an SSH connection
Externally, defenders only see SSH traffic. Internally, the attacker is moving web requests, database queries, or even full remote shells through that tunnel.
This technique is powerful because:
- It hides malicious traffic inside trusted protocols
- It bypasses strict firewall rules
- It enables stealthy lateral movement
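Both the pivot described under Port Redirection and the SSH tunnel described in this section still leave traces in flow telemetry, even though the firewall itself only sees permitted traffic. The following Python is an added example, not part of the original module, that runs two detections over constructed NetFlow-style records: it correlates an inbound connection to a host with an outbound connection that host opens shortly afterwards into a segment and port the original source is not allowed to reach (a relay in the position a port forwarder occupies), and it flags SSH sessions whose volume or lifetime is out of proportion for interactive use. The segment addressing, the allow-list, the correlation window and the thresholds are all assumptions to be tuned against a real baseline.

```python
import csv
import io
import ipaddress
from typing import List, NamedTuple, Set, Tuple

# Constructed segment map (hypothetical addressing, not from any real network).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "databases": ipaddress.ip_network("10.30.0.0/24"),
}

# The firewall's allow-list between segments as (source, destination, TCP port).
# Anything not listed is denied by the firewall, so a source reaching it at all
# implies some host in between relayed the traffic.
ALLOWED = {
    ("workstations", "servers", 80),
    ("workstations", "servers", 443),
    ("servers", "databases", 5432),
}


class Flow(NamedTuple):
    ts: int            # flow start, epoch seconds
    src: str
    dst: str
    proto: str
    dport: int
    total_bytes: int   # bytes in both directions
    duration: int      # seconds


# Constructed sample records in a NetFlow-like CSV shape (not real telemetry).
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes,duration
1000,10.10.1.5,10.20.0.10,tcp,443,5200,2
1010,10.10.1.5,10.20.0.10,tcp,22,84000000,5400
1011,10.20.0.10,10.30.0.5,tcp,5432,120000,5300
1500,10.20.0.10,10.30.0.5,tcp,5432,3000,1
2000,10.10.2.7,10.20.0.10,tcp,80,1500,1
2001,10.20.0.10,10.20.0.11,tcp,443,900,1
"""


def parse_flows(text: str) -> List[Flow]:
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(int(r["ts"]), r["src"], r["dst"], r["proto"], int(r["dport"]),
                 int(r["bytes"]), int(r["duration"])) for r in rows]


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def find_relays(flows: List[Flow], window: int = 30) -> Set[Tuple[str, str, str, int]]:
    """Return (origin, relay, target, port) where a host accepted a connection from
    one segment and, within `window` seconds, opened one into a segment/port the
    origin could not have reached directly. That is the footprint of a pivot."""
    hits = set()
    for inbound in flows:
        relay = inbound.dst
        origin_seg = segment_of(inbound.src)
        for outbound in flows:
            if outbound.src != relay:
                continue
            if not inbound.ts <= outbound.ts <= inbound.ts + window:
                continue
            target_seg = segment_of(outbound.dst)
            if target_seg == origin_seg:
                continue  # origin could have gone there itself; no boundary crossed
            if (origin_seg, target_seg, outbound.dport) in ALLOWED:
                continue  # origin was permitted to reach this directly; nothing bypassed
            hits.add((inbound.src, relay, outbound.dst, outbound.dport))
    return hits


def find_suspicious_ssh(flows: List[Flow], min_bytes: int = 50_000_000,
                        min_duration: int = 3600) -> List[Flow]:
    """Heuristic for tunnel-like SSH: an interactive session rarely moves tens of
    megabytes or stays up for hours, so either is worth a closer look."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport == 22
            and (f.total_bytes >= min_bytes or f.duration >= min_duration)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for origin, relay, target, port in sorted(find_relays(flows)):
        print(f"relay: {origin} -> {relay} -> {target}:{port}")
    for f in find_suspicious_ssh(flows):
        print(f"tunnel-like ssh: {f.src} -> {f.dst} bytes={f.total_bytes} dur={f.duration}s")
```

In the sample data the server accepts an SSH session from a workstation and one second later opens a database connection; the database port is reachable from the server segment but not from the workstation segment, so the correlation fires, and the SSH session itself is flagged for volume and lifetime. Both checks depend on the allow-list being known, which is why the module stresses understanding permitted flows rather than only hunting for new vulnerabilities.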
Conclusion
Network segmentation and firewalls are cornerstone defensive controls designed to contain breaches and limit an attacker's reach. While flat networks offer virtually no resistance to lateral movement, modern segmented architectures—enforced by host-based and network firewalls—significantly raise the bar by restricting communication between subnets based on IP, port, and protocol rules.
From a red team perspective, however, these controls are not impenetrable barriers but rather obstacles to be navigated. Attackers exploit the very rules meant to protect the network: they identify dual-homed systems that straddle multiple segments and leverage them as pivot points. Through port redirection (or port forwarding), they reuse legitimate firewall allowances to reach otherwise isolated services. With tunneling, they go further—encapsulating prohibited traffic inside permitted, trusted protocols to evade detection entirely.
Key Takeaways
- Flat networks are rare in enterprises today due to their inherent lack of containment; segmentation is the norm.
- Firewalls don’t block everything—they allow necessary business traffic, and skilled attackers abuse those exceptions.
- Pivoting techniques (port forwarding and tunneling) turn defensive segmentation against itself by piggybacking on allowed paths.
- Understanding permitted traffic flows is often more valuable than searching for new vulnerabilities.
- Effective red teaming—and strong blue team defense—requires thinking in terms of network trust boundaries rather than individual hosts.
Mastering these concepts transforms segmentation from a roadblock into a solvable challenge. For learners and practitioners alike, recognizing that firewalls protect by permitting is the key insight: attackers don’t always break rules—they follow the ones that already exist, in ways defenders didn’t anticipate.
Practice mapping network segments, enumerating firewall rules, and chaining pivoting techniques in labs. This knowledge is essential for realistic penetration testing, adversary emulation, and building truly resilient defenses.