Carve-out network separation is the work of giving Newco its own network identity, perimeter, and connectivity model so that nothing on Newco depends on the seller's network past TSA exit. The track is one of the heaviest infrastructure workstreams inside the broader carve-out advisory program because every other technology cutover assumes the network is in place. Underestimate it, and ERP cutover, application migration, and email migration all stall behind it. Plan it as a first class workstream from Day One and the rest of the technology exits ramp on time.
Network separation covers the full stack: wide area connectivity between Newco sites and to the internet, local area networks inside each site, wireless coverage, remote access for users, segmentation between Newco and the rest of the world, DNS, IP address allocation, firewalls, and the operational tooling around all of it. The seller usually delivers most of this as a TSA service on Day One, then Newco builds its own and cuts over before TSA exit.
The scope reveals itself differently depending on how the seller's network is built. A flat enterprise network that runs everything on one address space requires heavy re addressing work for Newco. A network already segmented along business unit lines may allow Newco to inherit a clean segment, simplifying the lift. The buyer-side advisor scopes the actual state inside the first month and sizes the work against the TSA timeline.
Network separation is also where the carve-out perimeter gets enforced at the technical layer. Every flow that crosses between the seller and Newco environments is a candidate for a firewall rule, an inspection point, or a removed connection. The TSA service catalog should list the legitimate flows; everything else gets blocked once Day One stabilizes.
The Newco target network architecture decides cost, operational complexity, and exit speed. Three design choices dominate. First, the WAN model: dedicated MPLS, SD WAN, or pure internet with overlay. Second, the perimeter model: enterprise grade firewalls, cloud delivered security stack, or a managed service. Third, the operational model: internal team, managed service provider, or a hybrid.
Smaller carve-outs almost always end up on cloud delivered security and SD WAN because the per site economics and the time to stand up favor that path. Larger carve-outs with regulatory constraints sometimes still pick traditional MPLS plus on premise firewalls, but only when the operating model can sustain it. The buyer-side advisor pressure tests the architecture against the Newco run rate forecast so the network design fits the standalone P and L.
The target architecture also drives the vendor choices for routers, firewalls, monitoring, and identity. Vendor selection should be locked by month two so procurement and shipping can happen in time for the cutover wave. Late vendor selection is one of the most common reasons for network exit slips.
On Day One, very few carve-outs have their own network ready. The usual pattern is that Newco rides the seller's network under a TSA service while Newco builds its own. The buyer-side advisor negotiates the network TSA scope so Newco gets pass-through connectivity, monitoring, and a defined service level, with clear demarcation on what Newco can change and what stays under seller control.
A small number of carve-outs go for a Day One independent network. This works when the carve-out perimeter is small, the geographic footprint is contained, or the seller is unwilling to provide network services under TSA. The Day One independent path is faster to exit but heavier on Day One readiness work and requires more upfront capital. The trade off is documented in the cost case for the operating partner before the design is locked.
A third pattern is the hybrid: Newco builds its own internet edge and security stack on Day One but consumes site connectivity from the seller. This preserves Newco autonomy on policy and inspection while postponing the heavier site by site migration work. The hybrid model pairs with carve-out Day One readiness.
Network cutovers run in waves. Pilot site first to validate the architecture and the operational tooling. Then the smallest sites, where the operational impact of any glitch is contained. Then progressively larger sites, with the headquarters or the primary data center as the last wave. The wave plan is locked at the end of the design phase and tracks against the TSA exit milestone.
Each wave has a rehearsal, a cutover window, and a stabilization period. Rehearsals run on a representative subset of users at the site, validating WAN failover, security policy, and application reachability. The cutover window is usually a maintenance weekend with clearly defined rollback criteria. Stabilization runs for one to two weeks with elevated support coverage, after which the wave is signed off and the next wave begins.
Sites with manufacturing, healthcare operations, or trading floors need additional rehearsal because the cost of a network outage is high. The buyer-side advisor builds extra contingency into the schedule for these sites and confirms the recovery time objective with the operating leadership before the cutover. The work pairs with TSA exit IT separation.
A common trap is to copy the seller's security policy wholesale into Newco. The policy was built for the seller's risk profile, regulatory footprint, and operational scale. Newco needs a policy sized for the standalone business. Carrying over rules that were appropriate for the seller can leave Newco both over invested in some controls and under invested in others.
The right approach is a baseline derived from the Newco target operating model. Standard segmentation for production, corporate, and untrusted zones. Access controls aligned with the identity model coming out of the directory migration. Egress inspection sized for the Newco user population. Vendor remote access locked down to the legitimate set. The buyer-side advisor reviews the policy with the Newco CISO and the operating partner before cutover.
Segmentation also needs to enforce the carve-out perimeter. Any flow between Newco and the seller environments must terminate at a controlled boundary, with logging and the ability to terminate the flow at TSA exit. Leaving open trust relationships behind is one of the most common security findings in post exit audits. The work pairs with carve-out cybersecurity Day One.
Three failure modes account for most network exit slips. The first is late vendor selection, where procurement of routers, firewalls, or circuits did not start in time to support the cutover wave plan. The fix is to lock vendor decisions inside month two and treat procurement lead times as binding constraints on the schedule.
The second is hidden application dependencies on the seller's network. Applications that rely on the seller's DNS, internal certificate authorities, or directory services break when the network cuts over. The fix is a discovery sweep that maps application dependencies to network services before the cutover wave begins. The buyer-side advisor pushes this work into month three at the latest.
The third is insufficient testing of failover and recovery. Sites cut over without proven recovery paths and the first incident becomes a crisis. The fix is rehearsal discipline: every wave runs failover scenarios before the cutover is signed off. The combination of these three disciplines moves network separation from a high risk track to a manageable one. The work pairs with carve-out active directory migration and carve-out endpoint management.
How Newco moves to its own email domain without breaking customer and supplier communications.
Read the article →The directory and identity choices that decide how cleanly Newco separates from the seller.
Read the article →How Newco stands up perimeter security before any application or workforce cutover begins.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up standalone IT before the TSA meter and the seller's dependencies compound against you.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →