Trout

Base Architecture with One Gateway.

Deploy the Access Gate connected to your Edge Gateway, alongside your existing router-firewall-switch stack. Adds Zero-Trust enforcement without touching the existing perimeter.

Overview

Architecture Overview.

The one-layer architecture is the simplest entry point for Access Gate deployment. The existing network stack — router, firewall, switch — remains untouched. The Access Gate connects to the Edge Gateway and creates a secure overlay across all subnets.

Existing Stack Preserved

Router, Firewall, and Switch remain in place. No re-cabling or IP changes.

Inline on Core Bus

Access Gate connects directly to the Core Bus, intercepting traffic across all VLANs.

IT & OT Domains

Covers both IT and OT subnets in a single deployment. Subnets A and B protected.

Overlay Security

Bidirectional NAT and routing create a virtual security layer. No agents on endpoints.

Base Topology Diagram

Base Topology.

The base topology shows the Access Gate connected to the Edge Gateway. Key traffic, both north-south and east-west, can be routed through the overlay to form a "security loop".

Connection to Edge Gateway

Access Gate connects to the Edge Gateway with Ethernet cable.

Secure Traffic Loop

Traffic destined for sensitive assets is looped through the Access Gate for inspection and enforcement.

Route Creation

Routes are added at the Edge Gateway to direct critical traffic through the Access Gate.

TAG Architecture: simple overlay security — base topology
VPN Diagrams

VPN Flows (North-South).

North-south flows cover inbound VPN traffic destined for IT or OT assets. The Access Gate intercepts these sessions, applies authentication and permission policies, and logs actions.

VPN to IT (North-South)

The VPN client connects to the Access Gate, and the Access Gate builds a second connection to the local IT asset. The Access Gate acts as a bastion with double NAT and session logging.

VPN to OT (North-South)

Remote OT access follows the same enforcement path: authentication is enforced before any OT subnet is reached, using the same bastion architecture.

Authentication & Permissions

MFA can be enforced as an authentication mechanism. Access policies are scoped to specific resources, protocols and actions. A full audit trail is maintained.

Protocol Analysis

Access Gate performs protocol-level inspection and breaks the session for analysis before forwarding.

Flow VPN-IT (North-South)
Flow VPN-OT (North-South)
Lateral Traffic Diagrams

East-West Flows.

East-west flows control lateral movement between assets within the LAN. This applies a Zero-Trust architecture inside the local network and can be deployed for critical assets only.

IT-OT (East-West)

IT to OT traffic routed through Access Gate. Protocol break enforced — no direct L2 path between domains.

OT-OT (East-West)

Lateral traffic between OT assets controlled via overlay. Each asset-to-asset session is authenticated and logged.

Double NAT & Session Logging

Access Gate applies double NAT at both ends of each connection, creating a full session-level audit trail.

Protocol Break

Sessions are broken and re-established through the Access Gate — enabling DPI, logging, and enforcement at the application layer.

Flow IT-OT (East-West)
Flow OT-OT (East-West)
Architecture Pack

Download the One Firewall Architecture.

Get all five diagrams — base topology, VPN flows, and east-west flows — as a single downloadable architecture pack.


Double Firewall Architecture

Need coverage for both IT and OT with separate enforcement zones? The double firewall architecture adds a second layer of protection for critical OT environments.


Multi-Site Architecture

Deploying across multiple facilities? The multi-site architecture shows how enclaves extend between sites over secure tunnels.

FAQ

Common Questions About the One Gateway Architecture.

1 Access Gate required. The One Gateway architecture deploys a single appliance connected to your Edge Gateway.

No. Your current router, firewall, and switching infrastructure remain unchanged. Access Gate operates alongside them, and a single additional route is created to form the secure loop, directing only selected traffic through Access Gate for identity-based control and inspection without altering existing policies.

The secure loop is a single routed path created at the Edge Gateway to direct selected traffic through the Access Gate for authentication, verification, and logging before it reaches its destination. It acts as a controlled checkpoint rather than a network redesign.

Yes. The one-firewall architecture covers both IT and OT subnets simultaneously from a single Access Gate deployment. You can start with OT-only enforcement and extend to IT incrementally.

Traffic not explicitly routed through the Access Gate continues on its existing path, unmodified. You control exactly which flows are enforced — you can migrate incrementally without disrupting production.
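The secure loop described under Route Creation and in the FAQ, together with the double NAT and protocol break from the east-west section, as an added model (illustrative code, not Trout's; the subnets, addresses, protocol names and policy table are constructed assumptions):

```python
"""Model of the Access Gate 'secure loop' (added illustration, not Trout's code).
The Edge Gateway's single added route sends only flows for looped prefixes via the
gate; the gate authenticates, double-NATs and logs each session (protocol break);
everything else keeps its existing path unmodified. All addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    user: Optional[str] = None   # identity presented to the gate; None = unauthenticated

@dataclass
class AccessGate:
    # Policy scoped to resource and protocol: (asset ip, protocol) -> permitted identities.
    policy: Dict[Tuple[str, str], Set[str]]
    client_side: str = "10.10.0.1"   # gate address seen by the requester (NAT leg 1)
    asset_side: str = "10.20.0.1"    # gate address seen by the asset (NAT leg 2)
    audit: List[str] = field(default_factory=list)

    def handle(self, flow: Flow) -> str:
        allowed = flow.user is not None and flow.user in self.policy.get((flow.dst, flow.proto), set())
        verdict = "ALLOW" if allowed else "DENY"
        # Double NAT: the original session ends at the gate (leg 1) and a new one is
        # opened from the gate to the asset (leg 2). Both legs are recorded together,
        # which is what gives a session-level audit trail per asset-to-asset connection.
        leg1 = f"{flow.src}->{self.client_side}"
        leg2 = f"{self.asset_side}->{flow.dst}" if allowed else "not-opened"
        self.audit.append(f"{verdict} user={flow.user} proto={flow.proto} leg1={leg1} leg2={leg2}")
        return verdict

class EdgeGateway:
    """Existing router/firewall stays as is; only the looped prefixes get the extra route."""
    def __init__(self, gate: AccessGate, looped_prefixes: List[str]):
        self.gate = gate
        self.looped = [ip_network(p) for p in looped_prefixes]

    def route(self, flow: Flow) -> Tuple[str, str]:
        if any(ip_address(flow.dst) in net for net in self.looped):
            return "via-access-gate", self.gate.handle(flow)
        return "existing-path", "UNMODIFIED"   # not enforced yet; migrate incrementally

if __name__ == "__main__":
    gate = AccessGate(policy={("192.168.20.10", "modbus"): {"ot-engineer"}})
    edge = EdgeGateway(gate, ["192.168.20.0/24"])   # constructed: Subnet B (OT) looped first
    print(edge.route(Flow("192.168.10.5", "192.168.20.10", "modbus", "ot-engineer")))
    print(edge.route(Flow("192.168.10.5", "192.168.10.9", "https")))
    print("\n".join(gate.audit))
```

Extending the looped prefix list is the model's equivalent of adding the next route at the Edge Gateway when enforcement is widened from OT to IT.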