Overlay Networks Explained

How Software-Defined Security Works in Industrial Networks

One of the first questions we hear when presenting Access Gate to IT professionals is "Really, how do your overlay networks work?"

Being able to migrate assets to a secured network without rewiring is pretty appealing, right? It might even sound a bit like magic, or like marketing oversell.

The reality is much simpler, and relies on standard IP network facilities, namely routing and bidirectional NAT. Let's demystify how this works; if you are interested in installing Access Gate to secure your site, our team is just a click away.

Step 1: Traditional Industrial Network

Most industrial networks prioritize uptime over security. They typically rely on flat Layer 2 or VLAN-based architectures with minimal segmentation.

Key traits:

  • Flat networks: Devices from multiple zones share subnets, increasing lateral movement risk.

  • Static trust boundaries: VLANs and firewalls define access but are error-prone and hard to scale.

  • Legacy protocols: OT traffic (Modbus, DNP3, S7) runs unencrypted and unauthenticated.

  • No identity enforcement: Access is granted by IP or MAC, with limited visibility or auditability.

Step 2: Deploy an Access Gate

The Access Gate automatically assigns an overlay address to every device without impacting the existing underlay network: no VLAN redesign, no production downtime.

  • Dynamic overlay creation: Builds a virtual network layer (e.g. 100.64.0.0/16) that scales independently of VLAN size limits or physical layout.

  • Gateway intelligence: Access Gate mirrors the physical network in a secure virtual overlay, mapping every device's underlay address to an overlay address; that mapping is what the gateway later uses to route traffic.

  • Zero-touch device integration: DNS resolves overlay names to overlay addresses automatically, so assets need no reconfiguration and no agents.

🔎 Note: The overlay network uses 100.64.0.0/16, a /16 inside the 100.64.0.0/10 Shared Address Space that RFC 6598 reserves for carrier-grade NAT. Those addresses are never globally routable, so the overlay cannot collide with public IP routing or break internet access. One check before deployment: confirm that nothing else at the site already uses part of 100.64.0.0/10 (an upstream carrier's CGNAT, or another overlay product), since the RFC only guarantees the range is private, not that it is unique to you.

Step 3: Secure Overlay Communications

Communications are now routed through the Access Gate, which acts as a control point that enforces security policy and provides visibility without altering the physical infrastructure.

  • Security enforcement: Traffic flows through Access Gate, where real-time authentication, access control, and logging are enforced.

  • Flexible trust model:

    • When supported, the Access Gate establishes two-legged proxy communication between assets (one connection from the client to the gateway, a second from the gateway to the asset), enabling fine-grained, protocol-aware control.

    • If proxying isn't possible, the system falls back to end-to-middle encrypted tunnels that terminate at the Access Gate rather than at the asset, still providing stronger isolation and encryption than the underlying network.

  • Zero-downtime migration path: Assets can transition incrementally to the overlay, avoiding disruptions or changes to existing wiring or configurations.

🏭 Using a dual DNS naming scheme simplifies migration: each device is reachable under both a name derived from its original IP (in our example 10.0.1.8.fabcore.tr-sec.net) and a human-readable alias (asset4.fabcore.tr-sec.net), with both names resolving to the device's overlay address. This keeps existing runbooks and configurations valid while enabling clear, structured overlay addressing.

Step 4: Lock Down the Underlay

Once communications shift to the secure overlay, the physical network — the underlay — can be locked down. By applying port isolation and targeted firewall rules, it becomes a controlled layer that only allows authenticated overlay traffic.

  • Switch-level isolation: Enable port isolation features to create physical barriers that prevent any direct device-to-device communication on the underlying network infrastructure.

  • Gateway-only traffic policies: Deploy stateful firewall rules that permit only traffic to and from the Access Gate, making it the single point of entry and control on the underlay.

  • Zero-trust architecture: Every communication must traverse the monitored overlay, so no unauthenticated or unmonitored path remains on the underlay.
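
The following is an added illustration of Steps 2 to 4 as a small simulation; it is not Trout's code, and the gateway addresses, the 10.0.0.0/16 underlay, the host-bit-preserving mapping, the ACL shape and the Modbus/TCP port are assumptions chosen to match the article's example. It enrolls an asset into the 100.64.0.0/16 overlay with both DNS names, performs the bidirectional (twice) NAT the gateway does on each leg of a flow, and applies the gateway-only rule that the locked-down underlay enforces.

```python
"""Constructed model of the overlay mechanism in Steps 2-4 (added example, not
Trout's code). Addressing scheme, gateway addresses, ACL shape and the Modbus
port are assumptions that mirror the article's example values."""
import ipaddress

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 (CGNAT) range
OVERLAY = ipaddress.ip_network("100.64.0.0/16")        # overlay prefix from the article
UNDERLAY = ipaddress.ip_network("10.0.0.0/16")         # assumed plant subnet
ZONE = "fabcore.tr-sec.net"                            # DNS zone from the article
GATEWAY_UNDERLAY = ipaddress.ip_address("10.0.0.1")    # assumed Access Gate underlay address


def check_overlay_prefix(overlay, *in_use):
    """Pre-deployment check: the overlay must sit inside RFC 6598 space (never
    globally routable) and must not overlap any prefix already in use at the
    site, including a carrier's CGNAT range seen on the WAN side."""
    overlay = ipaddress.ip_network(overlay)
    if not overlay.subnet_of(SHARED_SPACE):
        return False
    return not any(overlay.overlaps(ipaddress.ip_network(p)) for p in in_use)


def overlay_for(underlay_ip):
    """Deterministic 1:1 mapping that keeps the host bits and swaps the prefix:
    10.0.1.8 -> 100.64.1.8, so the mapping is stable across gateway restarts."""
    ip = ipaddress.ip_address(underlay_ip)
    if ip not in UNDERLAY:
        raise ValueError(f"{ip} is not inside the underlay {UNDERLAY}")
    offset = int(ip) - int(UNDERLAY.network_address)
    return ipaddress.ip_address(int(OVERLAY.network_address) + offset)


class AccessGate:
    """Routing, twice NAT and DNS for one site (Steps 2 and 3)."""

    def __init__(self):
        self.dns = {}        # name -> overlay address (dual naming scheme)
        self.o2u = {}        # overlay address -> underlay address
        self.u2o = {}        # underlay address -> overlay address
        self.acl = set()     # allowed (client overlay, asset overlay, tcp port)
        self.flows = {}      # (asset underlay, gateway port) -> (client overlay, client port)
        self._next_port = 40000

    def enroll(self, underlay_ip, alias=None):
        """Step 2: give an asset an overlay address and both DNS names without touching it."""
        u = ipaddress.ip_address(underlay_ip)
        o = overlay_for(u)
        self.o2u[o], self.u2o[u] = u, o
        self.dns[f"{u}.{ZONE}"] = o              # IP-derived name keeps old runbooks valid
        if alias:
            self.dns[f"{alias}.{ZONE}"] = o      # human-readable alias
        return o

    def resolve(self, name):
        return self.dns.get(name)

    def forward(self, src, sport, dst_name, dport):
        """Step 3, client -> asset. Policy is decided on overlay identities; the packet
        sent on the underlay has dst rewritten to the asset's real address and src
        rewritten to the gateway, so a legacy asset only ever talks to the gateway."""
        dst = self.resolve(dst_name)
        src = ipaddress.ip_address(src)
        if dst is None or (src, dst, dport) not in self.acl:
            return None                          # dropped (and logged) at the control point
        gw_port, self._next_port = self._next_port, self._next_port + 1
        asset = self.o2u[dst]
        self.flows[(asset, gw_port)] = (src, sport)
        return (GATEWAY_UNDERLAY, gw_port, asset, dport)

    def reply(self, asset_underlay, sport, gw_port):
        """Step 3, asset -> client: undo both rewrites using the flow table."""
        asset = ipaddress.ip_address(asset_underlay)
        client, client_port = self.flows[(asset, gw_port)]
        return (self.u2o[asset], sport, client, client_port)


def underlay_permits(src, dst):
    """Step 4: with port isolation and gateway-only firewall rules in place, the
    underlay carries a flow only if one end is the Access Gate. Direct asset-to-asset
    traffic, the lateral-movement path of the flat network, is refused."""
    return GATEWAY_UNDERLAY in (ipaddress.ip_address(src), ipaddress.ip_address(dst))


if __name__ == "__main__":
    print(check_overlay_prefix(OVERLAY, UNDERLAY, "192.168.0.0/16"))   # True: safe to deploy
    gw = AccessGate()
    plc = gw.enroll("10.0.1.8", "asset4")        # the asset from the article's example
    eng = gw.enroll("10.0.9.10", "eng1")         # an engineering workstation (assumed)
    gw.acl.add((eng, plc, 502))                  # eng1 may reach asset4 on Modbus/TCP only
    leg1 = gw.forward(str(eng), 51000, "asset4.fabcore.tr-sec.net", 502)
    print(leg1, gw.reply("10.0.1.8", 502, leg1[1]))
    print(gw.forward(str(eng), 51000, "hmi1.fabcore.tr-sec.net", 502))  # None: unknown name
    print(underlay_permits("10.0.1.8", "10.0.9.10"))                     # False: blocked
```

The two rewrites in `forward` are the "bidirectional NAT" from the introduction: the destination is translated so the client can address the asset by its overlay name, and the source is translated so the unmodified asset answers to the gateway, which is the only peer the locked-down underlay lets it reach.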

See how Trout leverages Overlay Networking to secure Industrial & Critical Environments.

FAQ

Secure Modernization Without Disruption

How does Trout modernize network security without rewiring?

Trout’s on-premise appliance layers Zero-Trust segmentation and encrypted access over your existing OT network, rather than replacing it. It creates secure enclaves that isolate critical assets and enforce identity-based access — all without changing IP schemes, VLANs, or cabling.

Will installation disrupt production or require downtime?

No. The solution deploys in parallel to your current infrastructure, so production remains uninterrupted. Most sites can be onboarded in under a day, and configuration happens during normal operations with no rewiring or endpoint reconfiguration.

Is this compatible with legacy or unpatchable equipment?

Yes. Trout enclaves are designed for brownfield environments where legacy PLCs, HMIs, or Windows 7 systems can’t be patched or modified. The overlay adds encryption, access control, and monitoring without touching those assets directly.

Does Trout support compliance frameworks like CMMC, NIS2, or IEC 62443?

Absolutely. The overlay architecture implements the required technical controls — including segmentation (SC), access control (AC), incident response (IR), and audit logging (AU) — mapped directly to frameworks like CMMC 2.0, DFARS 252.204-7012, NIS2, and IEC 62443.

Can this run fully on-premise without cloud dependencies?

Yes. The system operates entirely on-premise, with optional integration to your SIEM or monitoring stack. It’s ideal for secure or air-gapped environments where external connectivity is restricted.

What is required for deployment?

Each site typically requires a Trout Access Gate appliance, an existing Ethernet link, and access to your current directory (e.g., Microsoft 365 or Active Directory) for authentication. No additional firewalls, proxies, or cloud infrastructure are needed.

How is this different from traditional VLAN or firewall segmentation?

Traditional segmentation depends on network redesign — new VLANs, IP changes, and revalidation of OT systems. Trout’s overlay approach achieves the same security outcome without altering the underlying network, making it feasible for legacy and production environments.
