Home / Solutions / Industrial Networking & Datacom / Ransomware Protection & Network Segmentation
DOMAIN 02 · INDUSTRIAL NETWORKING

Ransomware Protection & Network Segmentation: Designed for the Day It Is Already Inside

Every other security page assumes you can keep it out. This one assumes you could not — because for somebody, eventually, that is what happens. The design question becomes narrower and much more useful: when one machine is taken, does the company lose that machine or lose everything? Production, office and backup separated into zones; a backup path that cannot be walked from an office PC, with an offline copy behind it; gateway and endpoint detection reporting to one place; logs that survive long enough to reconstruct the timeline.

Four Sentences We Hear After the Fact

Not hypotheticals — this is the order in which a bad week actually unfolds:

One machine was hit, and the whole plant was encryptedThe network was flat, so the infected PC could reach every share in the building. The infection was one desk wide. The damage was the whole company wide.
The backups were on the same network, so they went tooThe backup server had a normal address on the normal LAN. It was found and encrypted before anyone knew there was a problem. The insurance policy was inside the fire.
By the time anyone noticed, it had been in for three daysThe encryption is the last step, not the first. Days of quiet mapping, credential harvesting and finding the backup system came first — with nobody watching and no logs kept to look at afterwards.
They paid, and still did not get everything backPaying buys a promise from a criminal. Sometimes the tool works, often it works partially, sometimes it does not arrive. It is not a recovery plan — it is what you do when you have no recovery plan.

Architecture: Limit the Reach, Protect the Way Back

Two questions decide the size of the invoice — how far can it move, and can it reach your backups. The architecture answers both structurally, not with hope:

INTERNET phishing arrives anyway so does the bad USB stick EDGE gateway inspection + sandbox blocks callbacks it recognises this page assumes it got past — the rest is damage control ZONE 1 · PRODUCTION line controllers · production servers reachable from office only where a written rule says so — nothing else ZONE 2 · OFFICE email · desktops · where it starts an infected desk reaches its own zone and stops there — that is the whole point ZONE 3 · BACKUP — ISOLATED backup targets: reached only by the backup server, one direction, one port plus an offline copy: removable media or tape, off the network entirely a backup an attacker can reach is a target, not an insurance policy if this zone survives, you rebuild instead of negotiate DETECTION LINKAGE & LOG RETENTION gateway, sandbox and endpoint agents report to one place — the alert worth having is the one that fires while someone is still exploring logs kept long enough to reconstruct the timeline: when it arrived, which account, what it touched, what it never reached honest limit: dwell time is measured in days, not seconds — see the notes below

Architecture drawn by AtlasCommTech following carrier-grade network-security design practice. Diagram labels are kept in English for engineering clarity.

How this differs from our Enterprise Internet Edge Security solution — read this first. That page is about keeping things out: the firewall at your gateway, zones facing the internet, intrusion prevention, flood control. It is a real layer and it stops a great deal of what is thrown at you every day. This page starts one step later, from a less comfortable assumption: it got in. Somebody clicked, or a password was reused, or a contractor's laptop arrived already infected. Prevention is a probability, not a guarantee, and a design that only prevents has no answer for the day the probability lands. So the questions here are different ones — how far can it move once it is inside, can it reach the machine holding your backups, how many days before anyone notices, and can you rebuild without negotiating with a criminal. Most companies need both pages. Neither one covers the other, and we will not imply otherwise.

Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks, where isolation between planes is not a feature request — it is the reason a fault in one place does not become an outage everywhere. That is the same reflex a segmentation design needs, applied to a factory or an office instead of a backbone.

Equipment Options

The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.

Huawei — enterprise campus, WAN and security linesMature ecosystem with a global service network.
ZTE & Wantone — comparable datacom linesPrice-performance direction; supply runs smoother in some markets.
H3C — campus and data-center linesWidely deployed campus and data-center portfolio.
Atlas industrial switches — industrial-scenario access layerOur own industrial line — compatible with any brand's core layer.

What the Design Delivers

Six controls, all of them answering one question: after the click, what is still standing?

Three-zone segmentationProduction, office and backup separated with default-deny between them; traffic crosses only where a written rule says it may. The rules are short enough to read aloud, which is the test of whether they are real.
A backup path that cannot be walkedBackup targets reachable only by the backup system, one direction, one port. An office PC has no route there at all — not a blocked route, no route.
An offline copy behind the isolated oneRemovable media, tape or a genuinely disconnected repository. Slow, inconvenient, and the only copy that a network intruder cannot touch. Never skip it, and we will keep saying so.
Gateway and endpoint reporting to one placeInspection and sandboxing at the boundary, agents on the machines, alerts landing in one console instead of three nobody reads. The useful alert is the early one — mass file access, odd account behaviour — not the ransom note.
Lateral-movement containmentEast-west control between zones and, where it matters, within them: the remote-management ports and file-sharing paths an intruder walks are the ones the design closes first.
Logs that outlive the incidentRetained off the machines that generate them, for your regulator's period. The difference between knowing what happened and guessing — and between an insurance claim that pays and one that argues.

Three Sizes, One Design Logic

Segmentation is sized by what you must keep separate, not by user count — here is how the tiers differ:

Numbers we design around:
Recovery target: how many hours may rebuild take, and how much work may you lose — this decides the backup design, not the box
Zone count: start at three (production / office / backup) and add only zones you can explain
Log retention: match your regulator and your insurer — 90 / 180 / 365 days changes the storage design
Scale tierTypical organisationWhat the design includes
Small businessSingle office · clinic · workshop · small trading companyThe minimum that actually changes the outcome, and no theatre on top: office and backup separated at the existing gateway, backup targets unreachable from any desk, one offline copy with a written rotation, endpoint protection on every machine, and logs kept somewhere other than the server being backed up. Small does not mean unprotected — it means fewer zones, honestly drawn.
Mid-size companyFactory · hotel group · hospital department · distributorFull three-zone design with a segmentation gateway between production and office, backup zone reachable one-way from the backup system only, gateway inspection with sandboxing, endpoint agents feeding one console, retained logs on a dedicated store, and a written recovery procedure that has been tested rather than filed.
Multi-sitePlant group · chain · multi-campus institutionSegmentation per site plus containment between sites — so a compromised branch does not become a corporate event. Central detection and log platform, a backup design with one copy off-site and one offline, per-site recovery targets agreed in writing, and a policy structure that survives the person who wrote it leaving.

Equipment Roles (Categories, Not Models)

The solution is built from these product categories — the brand is chosen with you at design stage. Exact models depend on your zone count, throughput between zones, retention rules and destination country — so we spec models after your requirements list, not before.

RoleWhat it does
Segmentation gateways / next-gen firewallsSit between zones and enforce default-deny with a short, readable rule set. Sized by the traffic that legitimately crosses zones — which is usually far less than people assume, and that is what makes the tier affordable.
Core & access switches with segmentation capabilityCarry the zones and enforce the separation at the physical and VLAN layer. The drawing is only real if the switch configuration matches it — that is where segmentation projects usually quietly fail.
Gateway inspection & sandboxingDetonates unknown attachments and files in isolation before they reach a desktop, and blocks callbacks to known command-and-control destinations. Catches a great deal; catches neither everything nor the insider.
Endpoint agents (detection & response)The layer that sees what the network cannot: process behaviour, mass encryption, credential theft. Necessary, not sufficient — it runs on the machine the attacker is trying to own, and we say so.
Backup infrastructure & offline mediaThe isolated repository, plus removable media or tape for the copy that lives off the network. Frequently the least glamorous line in the budget and always the one that decides whether you rebuild or negotiate.
Log & detection platformCollects from gateways, switches and endpoints, keeps the record for your retention period, and gives the timeline someone will need at 3 a.m. Kept off the systems it is watching — a log store inside the blast radius is not a log store.

Send us your requirements list — what must stay separate, what your recovery target is, how long logs must live, how many sites — and the model list follows. That order keeps the design honest.

Design Notes & Honest Limits

Read this before you commit:
  • Network segmentation will not stop a phishing email — but it decides whether you lose one machine or the whole plant. That sentence is the entire honest claim of this page. Anyone selling segmentation as prevention is selling. It is damage control, it is the best damage control there is, and it is worth buying for exactly that reason.
  • An offline backup is the last line of defence. However expensive it looks, do not save money there. A backup reachable over the network is a target — ransomware crews look for the backup system first, precisely because destroying it is what makes you pay. Removable media or tape, rotated on a written schedule, restored from at least once as a test: unglamorous, and the reason some companies have a bad week instead of a closed business.
  • Detection is not instant, and we will not claim a number for your network. Intruders typically sit inside for days before the encryption starts, and the value of this design is that the evidence exists and the alerts have somewhere to land. Detection rates quoted in brochures are laboratory figures; your figure depends on your staff, your hours and who is actually watching the console at night.
  • We design and supply the network layers. We are not an incident-response retainer, a forensics firm or a negotiator — and the time to know that is now, not during the incident. Where your plan needs those, we say so at design stage so you can arrange them while nothing is on fire.
  • Licensing policy and product availability differ by brand and destination country, and for detection functions the signature and sandbox subscriptions matter as much as the hardware. We check and confirm both for your country at the design stage, before you commit.

FAQ

Will network segmentation stop ransomware?
No — and that is not what it is for. Segmentation does not stop a phishing email, a stolen password or a bad USB stick. What it decides is what happens next. On a flat network, one infected PC can reach every share in the company, and the ransom note lands on all of them at once. On a segmented network, that same PC can reach its own zone and nothing else. The infection is identical; the invoice is not. Segmentation is a damage-control control, and we describe it as one.
How is this different from your Enterprise Internet Edge Security solution?
That solution is about keeping things out: firewall zones, NAT, intrusion prevention, DDoS handling at the point where your network meets the internet. It is a necessary layer and it stops a great deal. This solution starts from the assumption that it failed — because eventually, for somebody, it does. Here the questions are different: once something is inside, how far can it move, can it reach the backup server, how long before anyone notices, and can you rebuild without paying. Different question, different design. Most companies need both, and we will not pretend either one covers the other.
Why must backups be offline if the backup network is already segmented?
Because segmentation is a configuration, and configurations can be wrong, drifted or deliberately changed by someone with credentials. Modern ransomware crews look for backup systems first and encrypt or delete them before touching anything visible — a backup reachable over the network is a target, not an insurance policy. An offline copy — removable media, tape, a genuinely disconnected repository — cannot be encrypted by an attacker who is only on the network. It is slower, it is inconvenient, it costs money. It is also the one control that decides whether you rebuild or negotiate. Do not save money here.
How long does ransomware sit in a network before it fires?
Usually days, sometimes far longer. The encryption everyone remembers is the last step: before it, the intruder is quietly mapping shares, harvesting credentials and finding the backup system. This is why detection and log retention matter as much as blocking — the alert you want is the one that fires while someone is still exploring, and the logs you want are the ones that survive long enough to tell you when they arrived and what they touched. Honest limit: we design so the evidence exists and the alerts have somewhere to go. We are not an incident-response retainer, and we say so before you need one.
We already have antivirus on every PC. Is that enough?
It is necessary and it is not enough. Endpoint tools catch known families and increasingly catch behaviour — mass file rename, mass encryption — but they run on the very machine the attacker is trying to control, and a new variant gets its window. The layers that do not depend on the endpoint being right are the ones this design adds: zones that limit reach, a backup path that cannot be walked from an office PC, and logs that live somewhere else. Keep the antivirus. Do not let it be the whole plan.

Tell us what must stay separate and how fast you must be back

An engineer replies with a zone drawing, a backup and log design and the equipment-category list — including the parts you should buy from someone else. Send us your requirements list; the model list follows.

WhatsApp an engineer →

Related Solutions