TroutTrout
Industrial DMZ

Segment IT From OT Without Network Redesign

As the IT and OT boundary blurs, deploy granular micro-segmentation with proxy bastions. No VLAN restructuring, no firewall rewrite, no downtime.

Trusted by leading companies

John CockerillOrange CyberdefenseElna MagneticsThales
Permission Matrix
HistoryEdit principals
Principals
Code Repository
tcp:3690tcp:443
Alice
Blocked
Blocked
Bob
Advanced
Blocked
Marc Hoover (microsoft)
Advanced
Blocked
Code Repository
What is actually happening

Why flat OT networks fail at the IT/OT boundary.

Most plants still run a flat or lightly segmented network: the historian, the engineering workstation, the SCADA server, and the PLCs sit where a single compromised host can reach the control layer directly. That is what years of adding connectivity to a network built for reliability, not security, leaves behind.

An industrial DMZ is meant to sit between enterprise IT and OT at Level 3.5, brokering only the few flows that legitimately cross: the historian feed, patch distribution, remote access. In practice it accumulates services and exceptions until it becomes another trusted zone, and the boundary quietly erodes.

That is the risk surface attackers use. Most OT incidents start not on a PLC but on a phished workstation or an over-permissioned vendor connection, then move down into the control network. Closing the gap is less about another firewall than about controlling which zones may talk to which, with an identity behind every session.

The standard

IEC 62443 zones and conduits, applied to the iDMZ.

IEC 62443 makes the DMZ enforceable. A zone is a group of assets sharing a security level; a conduit is the controlled path between zones that defines exactly which traffic may cross. An industrial DMZ is the conduit between the enterprise and OT zones, and the standard is clear that naming the zones is the easy part.

The hard part is implementing the conduits on a network that is already running. Traditionally that means a VLAN redesign: re-addressing equipment, reconfiguring switches, and taking production down for the cutover. For most operators that downtime is the blocker that keeps a flat network flat, and the iDMZ stays a diagram rather than an enforced boundary.

Reference architecture: Access Gate adjacent to the site core, between the IT subnet and the OT zones (SCADA, PLCs, HMIs), enforcing the IT/OT boundary as a conduit.
Access Gate sits adjacent at the Level 3.5 boundary. The firewall, switching, and VLAN topology stay unchanged; the gate adds the identity and policy plane that enforces the zones.
How Access Gate deploys

An industrial DMZ without re-architecting the network.

PHASE 1

Adjacent deployment, zero disruption.

Access Gate deploys alongside the existing network at the Level 3.5 boundary and creates a proxy-mediated DMZ overlay across the zones. No VLAN changes, no agents on PLCs or OT endpoints, no production downtime. Cross-zone traffic is brokered through authenticated proxies, and visibility and identity-based access control are live in hours.

PHASE 2

Consolidate to a Zero Trust fabric.

The overlay becomes the enforcement layer. Systems migrate behind the gate through its proxy, with no forklift replacement of switches, and Access Gate becomes the iDMZ: deep packet inspection on industrial protocols, policy per user, device, and protocol, and a tamper-evident session log. Days, not the months a traditional consolidation project takes.

Compliance mapping

NIS2 Article 21 and IEC 62443, evidenced continuously.

The proxy-mediated DMZ maps directly onto NIS2 Article 21 technical measures: network segmentation (zones and conduits without rewiring), access control (identity-based, MFA enforced at the proxy, least privilege per asset and protocol), and logging (every cross-zone session recorded with user, timestamp, and protocol in a tamper-evident trail).

IEC 62443 zone-and-conduit architecture is the recognised technical implementation of those obligations, and ANSSI and equivalent national guidance treat it as the route to demonstrating segmentation. Access Gate produces that evidence continuously, from the first session, instead of reconstructing it the week before an audit.

Benefits at a Glance

Create Secure & Agile IT/OT Boundaries

The Trout Access Gate makes industrial DMZ deployment practical, no network redesign, no production impact, no specialized expertise required.

Logical Segmentation Overlay

Establish DMZ controls without redesigning the LAN.

Proxy Protection

All cross-zone traffic routed through authenticated proxies. Asset cloaking hides resources from unauthorized users.

Deep Packet Inspection

Inspect and govern industrial communications precisely.

Legacy Compatible

Protects PLCs, HMIs, SCADA, and DCS without requiring any changes to the equipment itself.

Deterministic Data Flows

Enforce explicit, directional, auditable communication paths.

Permission Matrix

Granular access control per user, device, and protocol. Define exactly who can reach what across zone boundaries.

The second layer of value

Access Gate secures your assets first, then exposes the simple services your teams and vendors actually want, so they run through the sanctioned path, not around it.

OT runs through you, not around you.

Datasheet

Download the Access Gate Datasheet.

Get the complete product overview with technical capabilities, deployment model, compliance alignment, and customer references.

Done

What's Inside

Product architecture, deployment model, key capabilities (proxy enforcement, micro-DMZs, identity-based access), compliance alignment, and real-world customer deployments.

4 pages

See It in Action

Request a live demo to see how the Access Gate deploys on your network without rewiring or downtime.

FAQ

Questions and Answers

0

Network changes required. The Access Gate creates segmentation boundaries at the application layer without touching VLANs, firewalls, or physical infrastructure.

No. The Access Gate creates logical segmentation at the application layer, overlaying your existing network. There's no VLAN restructuring, no firewall reconfiguration, and no production impact. You can deploy and enforce zone boundaries without any downtime.

Traditional firewalls segment at the network layer and require topology changes. The Access Gate segments at the application layer, it can enforce per-user, per-device, per-protocol policies without changing your physical or logical network design. This makes it practical to deploy in brownfield environments.

Yes. The Access Gate protects devices without installing anything on them. PLCs, HMIs, SCADA systems, and DCS controllers are protected through proxy bastions that mediate all access, the legacy equipment doesn't need to support modern security protocols.

A proxy bastion is an authenticated gateway that mediates all traffic crossing a zone boundary. Users and devices must authenticate before traffic is forwarded. The bastion also performs deep packet inspection on industrial protocols and records full session logs for audit.

Yes. The Access Gate operates entirely on-premise with no cloud dependency. It's designed for air-gapped, hybrid, and classified environments where data cannot leave the network perimeter.

The proxy-mediated DMZ delivers the network segmentation, access control, and logging that NIS2 Article 21 requires, and it implements the IEC 62443 zone-and-conduit model directly. Every cross-zone session is brokered by identity and recorded in a tamper-evident log, so audit evidence is generated continuously rather than reconstructed before an inspection.