
Micro-DMZ


A micro-DMZ is a narrow demilitarized zone scoped to a single asset or data path rather than an entire network zone. It sits between an untrusted segment and a protected OT device, terminating transport, authenticating the session, and enforcing a policy check before any traffic reaches the device.

How micro-DMZ differs from industrial DMZ

An industrial DMZ (iDMZ) is a Purdue-model construct: a horizontal zone between the enterprise network (Level 4/5) and the process-control network (Level 2/3) that brokers shared services — historians, jump servers, patch relays. It is typically a whole subnet with multiple hosts and dozens of flows.

A micro-DMZ is vertical and small. It protects one asset or one protocol. The scope is a single PLC, a single file transfer endpoint, or a single Modbus TCP session. Inside the micro-DMZ, the proxy terminates encrypted transport and re-emits traffic to the protected device in whatever plaintext protocol the device speaks. Outside the micro-DMZ, nothing reaches the device directly.

Why this matters for CMMC

Many OT assets cannot implement MFA, TLS, or audit logging natively. The iDMZ pattern does not solve this — it segments broadly but still exposes the asset to any authenticated host inside the control zone. A micro-DMZ closes the last hop: even authenticated hosts must traverse the proxy, and the proxy enforces per-session identity, encryption termination, and logging.

This turns the OT asset into a compensating-control target. The SSP can document that the asset itself cannot authenticate, but that every session reaching it has been authenticated, encrypted, and logged at the micro-DMZ boundary.

Deployment shape

A micro-DMZ is typically implemented as a proxy appliance or overlay-network enforcement point with three properties:

  • Per-asset policy. Rules bind to the asset, not the subnet.
  • Protocol-aware termination. The proxy understands the application protocol (Modbus, DNP3, SFTP, HTTP) enough to enforce command-level restrictions, not just port-level allow/deny.
  • Deny-by-default. Unlisted flows are dropped and logged.
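The three properties above can be shown together in one small policy check of the kind a micro-DMZ proxy would run after it has terminated transport and authenticated the session. The code below is an added illustration, not code from Trout or from Access Gate: it parses a Modbus TCP frame far enough to read the function code (the MBAP header layout and function codes come from the Modbus specification), binds rules to a single named asset rather than a subnet, denies any identity, asset or function code that is not listed, and records every decision. The asset name, the identities and the rule set are constructed for the example.

```python
"""Added example: per-asset, protocol-aware, deny-by-default policy check
for a Modbus TCP session at a micro-DMZ boundary. Not vendor code."""
import struct
from dataclasses import dataclass, field

# Modbus application-protocol function codes (from the Modbus spec).
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class AssetPolicy:
    """Rules bound to one protected asset: identity -> permitted function codes."""
    asset: str
    allowed_functions: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class MicroDmz:
    policies: dict                      # asset name -> AssetPolicy
    audit_log: list = field(default_factory=list)

    @staticmethod
    def parse_modbus_tcp(frame: bytes):
        """Return (unit_id, function_code) from a Modbus TCP ADU, or None if malformed.
        MBAP header: transaction id (2), protocol id (2), length (2), unit id (1)."""
        if len(frame) < 8:
            return None
        _tid, pid, length, unit_id, func = struct.unpack(">HHHBB", frame[:8])
        # Protocol id is 0 for Modbus; length counts unit id + PDU bytes.
        if pid != 0 or length != len(frame) - 6:
            return None
        return unit_id, func

    def check(self, identity: str, asset: str, frame: bytes) -> Decision:
        """Deny-by-default: only an explicitly listed (asset, identity, function) passes."""
        policy = self.policies.get(asset)
        if policy is None:
            decision = Decision(False, "no policy bound to asset")
        else:
            parsed = self.parse_modbus_tcp(frame)
            if parsed is None:
                decision = Decision(False, "malformed Modbus TCP frame")
            else:
                _unit, func = parsed
                permitted = policy.allowed_functions.get(identity, set())
                if func in permitted:
                    decision = Decision(True, f"function 0x{func:02x} permitted")
                else:
                    decision = Decision(False, f"function 0x{func:02x} not permitted for {identity}")
        # Every decision, allowed or dropped, is logged at the boundary.
        self.audit_log.append((identity, asset, decision.allowed, decision.reason))
        return decision


def modbus_frame(func: int, pdu_body: bytes, unit_id: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus TCP ADU for the example (constructed test input)."""
    pdu = bytes([func]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def demo():
    """Constructed policy: operators may read, engineers may also write one register."""
    dmz = MicroDmz(policies={
        "plc-line1": AssetPolicy("plc-line1", {
            "operator@site": {READ_COILS, READ_HOLDING_REGISTERS},
            "engineer@site": {READ_COILS, READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},
        }),
    })
    read = modbus_frame(READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))
    write = modbus_frame(WRITE_SINGLE_REGISTER, struct.pack(">HH", 5, 0x1234))
    bulk = modbus_frame(WRITE_MULTIPLE_REGISTERS, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")
    results = [
        dmz.check("operator@site", "plc-line1", read).allowed,    # listed -> allowed
        dmz.check("operator@site", "plc-line1", write).allowed,   # write not listed -> dropped
        dmz.check("engineer@site", "plc-line1", write).allowed,   # listed -> allowed
        dmz.check("engineer@site", "plc-line1", bulk).allowed,    # unlisted function -> dropped
        dmz.check("engineer@site", "plc-line2", read).allowed,    # no policy for asset -> dropped
        dmz.check("engineer@site", "plc-line1", b"\x00\x01\x00").allowed,  # malformed -> dropped
    ]
    return results, dmz.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The point of parsing the frame rather than matching only TCP port 502 is the second property above: the proxy can tell a read from a write and restrict by command, so an authenticated host inside the control zone still cannot issue a function the asset's rule set does not list.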

Access Gate connection

Access Gate creates micro-DMZs around individual OT assets — a per-device proxy boundary that terminates transport, enforces identity, and logs every session without modifying the protected device. See Industrial DMZ Design Patterns.