Network Assessment Guide
Assessment Approach
A network segmentation assessment maps what can reach what. The goal is not to find vulnerabilities in individual services but to determine whether network boundaries exist, whether they are enforced, and whether they match the organization's security requirements.
The approach is systematic: for every pair of system types in the network, test whether one can reach the other. This produces a connectivity matrix -- a table showing every connection that exists and every connection that should not exist.
Systematic connectivity testing
For each building (or building simulation), test connectivity from every system type to every other system type:
- Identify all system types in the network: tenant Wi-Fi, building management systems (BMS), CCTV, access control, management/monitoring
- From each system type, run port scans against all other system types
- Record what is reachable: IP/hostname, port, protocol, service name
- Classify each connection: expected (legitimate business need), unexpected (no business justification), critical (safety-relevant system accessible from untrusted zone)
The scans run from the perspective of a device in each zone. Nmap from inside a tenant Wi-Fi container shows what a compromised tenant device could reach. Nmap from inside the CCTV container shows what a compromised camera could reach.
Connectivity Matrix Template
Record findings in a connectivity matrix:
| Source | Destination | Port | Protocol | Service | Status | Classification |
|---|---|---|---|---|---|---|
| tenant-wifi-1 | bms-doha | 8080 | TCP | HTTP (BMS) | Open | Critical |
| tenant-wifi-1 | cctv-manager | 9090 | TCP | HTTP (CCTV) | Open | High |
| tenant-wifi-1 | access-control | 7070 | TCP | HTTP (ACL) | Open | Critical |
| tenant-wifi-1 | grafana | 3001 | TCP | HTTP (Grafana) | Open | Medium |
| bms-doha | tenant-wifi-1 | -- | -- | -- | Filtered | Expected |
| ... | ... | ... | ... | ... | ... | ... |
Fill this matrix for every source-destination pair. The matrix is your primary assessment artifact.
Findings Classification
| Classification | Criteria | Example |
|---|---|---|
| Critical | Life-safety system accessible from untrusted zone | Tenant Wi-Fi can reach BMS (HVAC, fire suppression, access control) |
| High | Cross-zone access without business justification | CCTV management accessible from tenant network |
| Medium | Excessive permissions within a zone or management access too broad | Management zone reaches all ports on all services (should be restricted to monitoring ports) |
| Low | Documentation or configuration hygiene | No network architecture documentation exists |
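To show how the matrix template and the classification table fit together, here is an added example (not part of the original guide) that classifies scan observations and renders them as the matrix above. The zone policy, hostnames, ports and scan results are all constructed for the example; `ZONE_SEVERITY`, `MONITORING_PORTS` and `JUSTIFIED_FLOWS` are assumptions standing in for an organization's real requirements.

```python
from dataclasses import dataclass
# Assumed zone policy for this example, not a real building's configuration.
ZONE_SEVERITY = {"bms": "Critical", "access-control": "Critical",
                 "cctv": "High", "monitoring": "Medium"}  # when reached from another zone
MANAGEMENT_ZONE = "management"
MONITORING_PORTS = {3001}                               # all that management may reach
JUSTIFIED_FLOWS = {("management", "monitoring", 3001)}  # documented business need

@dataclass(frozen=True)
class Observation:
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    port: int
    proto: str
    service: str
    state: str  # "open" or "filtered", as the scan reported it

def classify(o: Observation) -> str:
    if o.state != "open":                 # boundary enforced: the desired outcome
        return "Expected"
    if (o.src_zone, o.dst_zone, o.port) in JUSTIFIED_FLOWS:
        return "Expected"
    if o.src_zone == MANAGEMENT_ZONE:     # management reaching beyond monitoring ports
        return "Expected" if o.port in MONITORING_PORTS else "Medium"
    if o.src_zone != o.dst_zone:          # cross-zone reach: severity follows the target
        return ZONE_SEVERITY.get(o.dst_zone, "High")
    return "Medium"                       # intra-zone reach with no recorded need

def matrix_row(o: Observation) -> tuple:
    # A filtered flow carries no port or service detail, as in the template.
    detail = (o.port, o.proto, o.service) if o.state == "open" else ("--", "--", "--")
    return (o.src, o.dst, *detail, o.state.capitalize(), classify(o))

def render_markdown(observations) -> str:
    lines = ["| Source | Destination | Port | Protocol | Service | Status | Classification |",
             "|---|---|---|---|---|---|---|"]
    lines += ["| " + " | ".join(str(c) for c in matrix_row(o)) + " |" for o in observations]
    return "\n".join(lines)

# Constructed scan results mirroring the template rows, plus two management-zone flows.
SAMPLE = [
    Observation("tenant-wifi", "tenant-wifi-1", "bms", "bms-doha", 8080, "TCP", "HTTP (BMS)", "open"),
    Observation("tenant-wifi", "tenant-wifi-1", "cctv", "cctv-manager", 9090, "TCP", "HTTP (CCTV)", "open"),
    Observation("tenant-wifi", "tenant-wifi-1", "access-control", "access-control", 7070, "TCP", "HTTP (ACL)", "open"),
    Observation("tenant-wifi", "tenant-wifi-1", "monitoring", "grafana", 3001, "TCP", "HTTP (Grafana)", "open"),
    Observation("bms", "bms-doha", "tenant-wifi", "tenant-wifi-1", 0, "", "", "filtered"),
    Observation("management", "mgmt-1", "bms", "bms-doha", 8080, "TCP", "HTTP (BMS)", "open"),
    Observation("management", "mgmt-1", "monitoring", "grafana", 3001, "TCP", "HTTP (Grafana)", "open"),
]
```

`print(render_markdown(SAMPLE))` reproduces the template rows above, with the management-to-BMS flow rated Medium because it exceeds the monitoring ports the policy allows.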
Documentation Standards
Every finding must include:
- Source zone: Where the connection originates (e.g., tenant Wi-Fi)
- Destination zone: Where the connection reaches (e.g., building management)
- Ports and protocols: Specific ports and protocols observed
- Business impact: What could happen if this connection were exploited (in terms the COO can present to the board)
- Evidence: Nmap output, connection test results, or other proof
- Recommendation: Specific remediation with estimated effort
The findings documentation serves three audiences: the insurance company (compliance evidence), the board (risk and cost), and the IT team (implementation details). Write findings once but structure them so each audience can extract what they need.