Architecture with Two Gateway Layers. Defense in Depth.
Two architectures are possible in this scenario: protect both IT and OT subnets independently, or focus enforcement on the OT domain. Detailed traffic flows are given for every path.
Architecture Overview.
The Two Gateway architecture extends the one-firewall approach with two distinct coverage modes. In IT+OT mode, the Access Gate protects both domains. In OT-only mode, the Access Gate enforces policy exclusively on operational technology assets.
IT + OT Coverage
Single Access Gate enforces policy across all subnets — IT and OT domains protected simultaneously.
OT-Only Coverage
Access Gate focused on OT Bus traffic. IT traffic continues through the existing firewall without modification.
Existing Stack Preserved
Router, firewall and switch remain unchanged. The Access Gate adds enforcement via a 'secure loop': the existing gateway routes selected traffic out to the Access Gate and back.
Flexible Traffic Routing
Non-critical traffic can bypass the Access Gate, so enforcement is limited to sensitive flows and overhead is reduced.
Base Topologies.
Two base topologies cover different scopes of enforcement. Choose IT+OT coverage for full perimeter enforcement, or OT-only when the IT domain is already handled by existing tools.
Connection to existing Gateway
The Access Gate connects to the Edge or OT Gateway; no changes are required on the existing infrastructure.
Route Creation
Routes are added at the Edge or OT Gateway so that traffic for sensitive assets is directed through the Access Gate.
IT + OT Mode
Both IT and OT subnets covered. All cross-domain and VPN traffic enforced through the Access Gate.
OT-Only Mode
Only OT traffic is routed through the Access Gate; IT traffic is unaffected.
VPN Flows (North-South).
North-south flows enforce access for inbound VPN traffic. The Access Gate intercepts both IT-bound and OT-bound VPN sessions and applies authentication and protocol analysis before building the second leg of the communication.
VPN to IT Assets
IT VPN traffic is routed through the Access Gate with double NAT applied. Each session is logged and analyzed before it reaches its destination.
VPN to OT Assets
OT VPN access is enforced by the Access Gate. MFA can be required, and access is scoped to specific OT resources only.
Bastion with Double NAT
The Access Gate acts as a bastion host with double NAT at both connection endpoints. Encryption and session recording are possible.
Scoped LAN Access
Access within the LAN is granted to specific assets (or groups of assets), protocols and actions.
East-West Flows.
Three east-west flow diagrams cover lateral traffic across the network: IT-to-OT, OT-to-OT across subnets, and OT-to-OT within the same VLAN. Each is enforced differently by the Access Gate.
IT-OT (East-West)
Cross-domain traffic from IT to OT is enforced by the Access Gate, which acts as a proxy between the two assets.
OT-OT (East-West)
Lateral OT traffic between subnets is routed through the Access Gate; each session is authenticated and logged.
OT-OT Within Same VLAN
Intra-VLAN OT traffic is controlled using overlay addresses: the Access Gate can insert a proxy even between two assets on a single VLAN.
Non-Critical Traffic Bypass
Non-sensitive traffic can optionally bypass the Access Gate, so only critical and CUI (Controlled Unclassified Information) flows are enforced.
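The route steering described under Base Topologies, the double-NAT bastion under VPN Flows and the overlay addresses for same-VLAN traffic above are the same mechanism seen from three angles: the existing gateway only steers the prefixes you give it, the Access Gate terminates each steered flow and opens a second leg from its own address, and an overlay address is simply a routed destination that stands in for a neighbour the gateway could never see. The following model, added here as an illustration and not code from the page or from any product, walks one flow through each step. The addressing plan, route table, policy rules and the names `next_hop`, `handle_flow`, `OVERLAY_MAP` and `AG_LEG2` are constructed assumptions; OT-only mode with a non-critical bypass is assumed.

```python
"""Traffic steering and double NAT in the two-gateway layout, modelled in Python.

Added example: the addressing plan, route table and policy below are constructed
assumptions, not configuration from the page or from any vendor product.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing plan (assumption)
OT_NET      = ipaddress.ip_network("10.20.0.0/16")   # OT Bus
CUI_NET     = ipaddress.ip_network("10.20.50.0/24")  # sensitive / CUI OT assets
VPN_POOL    = ipaddress.ip_network("10.99.0.0/24")   # inbound VPN client pool
OVERLAY_NET = ipaddress.ip_network("100.64.0.0/24")  # overlay addresses for same-VLAN proxying
AG_LEG2     = ipaddress.ip_address("10.20.50.254")   # Access Gate interface facing the CUI assets
VLANS       = [CUI_NET, ipaddress.ip_network("10.20.1.0/24")]  # broadcast domains on the OT Bus

# Overlay address -> real asset, for assets that share a VLAN with their clients.
OVERLAY_MAP = {ipaddress.ip_address("100.64.0.7"): ipaddress.ip_address("10.20.50.7")}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # "direct", "firewall" or "access_gate"


# Routes added at the OT Gateway (OT-only mode with non-critical bypass): the default
# stays on the existing firewall path, only sensitive prefixes are steered to the Access Gate.
OT_GATEWAY_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "firewall"),
    Route(OT_NET, "direct"),
    Route(CUI_NET, "access_gate"),
    Route(OVERLAY_NET, "access_gate"),
]


def next_hop(dst: str, routes=OT_GATEWAY_ROUTES) -> str:
    """Longest-prefix-match lookup, as the gateway's forwarding table does it."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst_ip in r.prefix), key=lambda r: r.prefix.prefixlen)
    return best.next_hop


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network     # who may connect
    dst: ipaddress.IPv4Address     # to which specific asset
    proto: str                     # over which protocol
    port: int
    mfa: bool                      # whether MFA must have been completed


# Scoped LAN access: specific assets, protocols and actions (constructed policy).
POLICY = [
    Rule(VPN_POOL, ipaddress.ip_address("10.20.50.7"), "tcp", 502, mfa=True),   # VPN -> PLC, Modbus
    Rule(OT_NET,   ipaddress.ip_address("10.20.50.7"), "tcp", 502, mfa=False),  # OT peers -> PLC
]


@dataclass(frozen=True)
class Session:
    client: str         # leg 1: the client's connection, terminated on the Access Gate
    dialed: str         # the address the client dialed (real or overlay)
    leg2_src: str       # leg 2: the Access Gate's own address, what the asset sees as peer
    leg2_dst: str       # the real asset behind the proxy


def handle_flow(src: str, dst: str, proto: str, port: int, mfa_done: bool = False,
                routes=OT_GATEWAY_ROUTES) -> Tuple[str, Optional[object]]:
    """Return (verdict, detail) for one flow arriving on the OT Bus."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Same VLAN: the frame is switched directly and never reaches the gateway, so no
    # route can steer it. This is the gap the overlay addresses close.
    if any(src_ip in v and dst_ip in v for v in VLANS):
        return "l2_direct", None

    if next_hop(dst, routes) != "access_gate":
        return "bypass", None          # non-critical traffic stays on the existing path

    real_dst = OVERLAY_MAP.get(dst_ip, dst_ip)
    if dst_ip in OVERLAY_NET and dst_ip not in OVERLAY_MAP:
        return "deny", "unknown overlay address"

    rule = next((r for r in POLICY if src_ip in r.src and r.dst == real_dst
                 and r.proto == proto and r.port == port), None)
    if rule is None:
        return "deny", "no matching rule"
    if rule.mfa and not mfa_done:
        return "deny", "mfa required"

    # Double NAT: leg 1 is DNATed onto the Access Gate, leg 2 is a new connection
    # SNATed from the Access Gate's own address, so neither endpoint sees the other.
    return "proxy", Session(client=src, dialed=dst, leg2_src=str(AG_LEG2), leg2_dst=str(real_dst))


if __name__ == "__main__":
    for flow in [("10.99.0.5", "10.20.50.7", "tcp", 502, False),
                 ("10.99.0.5", "10.20.50.7", "tcp", 502, True),
                 ("10.20.1.10", "10.20.50.7", "tcp", 502, False),
                 ("10.20.50.20", "10.20.50.7", "tcp", 502, False),
                 ("10.20.50.20", "100.64.0.7", "tcp", 502, False)]:
        print(flow[:4], "->", handle_flow(*flow))
```

The `l2_direct` verdict is the check worth keeping in mind when planning an intra-VLAN deployment: a route on the gateway does nothing for two hosts in one broadcast domain, so the client must be given (or pointed at) the overlay address, and any flow that still uses the real address goes unenforced.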
Download the Double Firewall Architecture.
Get all seven diagrams — base topologies, VPN flows, and east-west flows — as a single downloadable architecture pack.
One Firewall Architecture
Starting with a simpler deployment? The one-firewall architecture covers both IT and OT from a single inline Access Gate with no changes to your existing perimeter.
Multi-Site Architecture
Need to extend protection across multiple facilities? The multi-site architecture shows how enclaves extend between sites over secure inter-site tunnels.
Common Questions About the Double Firewall Architecture.
Deployment options: IT+OT for full enforcement, or OT-only when IT is already handled.
In IT+OT mode, the Access Gate enforces policy on all subnets — both IT and OT. In OT-only mode, only the OT Bus traffic is routed through the Access Gate. IT traffic continues through the existing firewall without modification. OT-only is common when IT already has mature security controls.
Yes. Route configuration at the Core Bus and OT Bus level controls which flows pass through the Access Gate. You can keep a portion of non-critical traffic on the existing path while enforcing only sensitive or CUI-related traffic through the overlay.
The Access Gate uses overlay addresses to enforce traffic between assets that share a physical VLAN. A client addresses its peer through the overlay address instead of the real one, so traffic that would otherwise be switched directly inside the broadcast domain is routed via the Access Gate, which can then apply per-session policies.
No. A single Access Gate appliance handles both IT and OT coverage in the double firewall architecture. The 'double firewall' refers to the two enforcement zones (IT and OT), not to two physical devices.