For instance, it is very wise to NEVER have client workstations on the same segment as your servers; that is asking for a compromise. Workstations, even with endpoint protection, are generally the most dangerous devices on the network because end-users use them for email and general Internet browsing, which is how most malware and phishing payloads arrive. Instead you want a layout like the one below, where clients and servers sit on different networks and every packet between the PC segment and the server segment has to cross the firewall, which inspects it by traffic type (protocol and port) and by source and destination before deciding whether to allow or deny it.
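As an added example that is not part of the original page, the ruleset below expresses that segmentation in the syntax of pf, the packet filter that pfSense runs underneath its web GUI. The interface names (em0/em1/em2), the subnets, and the list of permitted server ports are assumptions for illustration; substitute your own. pfSense evaluates rules on the interface where traffic enters, so the "pass in on $lan_if" lines correspond to rules on the LAN tab and decide what workstations are allowed to initiate.

```pf
# Added example (not from the original page): pf ruleset for a three-legged
# firewall with workstations and servers on separate segments.
# Interface names and addresses are assumed values for illustration.
ext_if  = "em0"                 # WAN
lan_if  = "em1"                 # client workstations
srv_if  = "em2"                 # servers
lan_net = "192.168.10.0/24"     # assumed workstation subnet
srv_net = "192.168.20.0/24"     # assumed server subnet

# The only services workstations may reach on the server segment.
srv_tcp_ports = "{ 80, 443, 445 }"   # web, HTTPS, SMB file shares
srv_udp_ports = "{ 53 }"             # DNS

set skip on lo0

# Default deny in every direction, logged, so anything not listed below
# is dropped and shows up in the firewall log.
block log all

# Outbound NAT for both internal segments.
nat on $ext_if from { $lan_net, $srv_net } to any -> ($ext_if)

# Outbound packets on each interface are allowed; pf is stateful, so the
# return traffic for any "pass in" below is matched by the state entry.
pass out all

# --- Workstations -> Servers: only the scrutinized service ports -----------
pass in quick on $lan_if proto tcp from $lan_net to $srv_net port $srv_tcp_ports
pass in quick on $lan_if proto udp from $lan_net to $srv_net port $srv_udp_ports
pass in quick on $lan_if inet proto icmp from $lan_net to $srv_net icmp-type echoreq
# Everything else from a PC toward the server segment is denied and logged.
block in quick log on $lan_if from $lan_net to $srv_net

# --- Workstations -> Internet: anything that is not aimed at the servers ---
pass in quick on $lan_if from $lan_net to ! $srv_net

# --- Servers -> Workstations: servers never initiate connections to PCs ----
# A compromised server should not be able to pivot onto the client segment.
block in quick log on $srv_if from $srv_net to $lan_net

# --- Servers -> Internet: updates and DNS only ------------------------------
pass in quick on $srv_if proto tcp from $srv_net to any port { 80, 443 }
pass in quick on $srv_if proto udp from $srv_net to any port 53
```

Two things worth checking once this is in place: "block log all" must come first, because pf uses last-match semantics and the "quick" keyword is what makes the later rules terminate evaluation; and the server-to-workstation block is only effective because the workstation-to-server rules create state, so a server's reply to a PC still flows while a fresh connection from server to PC does not.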
Creating pfSense allow and deny firewall rules to control traffic