Overlay Networks Explained


How Software-Defined Security Works in Industrial Networks

One of the first questions we hear when presenting Access Gate to IT professionals is "really, how does your overlay network work?"

Being able to migrate assets to a secured network without rewiring is pretty appealing, right? It might even sound a bit like magic, or like marketing oversell.

The reality is much simpler, and relies on very standard IP network facilities (namely routing and bidirectional NAT). Let’s demystify how this works, and, if you are interested in installing Access Gate to secure your site, our team is just a click away.

Step 1: Traditional Industrial Network

Most industrial networks prioritize uptime over security. They typically rely on flat Layer 2 or VLAN-based architectures with minimal segmentation.

Key traits:

  • Flat networks: Devices from multiple zones share subnets, increasing lateral movement risk.

  • Static trust boundaries: VLANs and firewalls define access but are error-prone and hard to scale.

  • Legacy protocols: OT traffic (Modbus, DNP3, S7) runs unencrypted and unauthenticated.

  • No identity enforcement: Access is granted by IP or MAC, with limited visibility or auditability.

Step 2: Deploy an Access Gate

The Access Gate automatically assigns an address in the network overlay to every device, without impacting the existing underlay network. No VLAN redesign, no production downtime.

  • Dynamic overlay creation: Builds a virtual network layer (e.g. 100.64.0.0/16) that scales independently of VLAN size limits or physical layout.

  • Gateway intelligence: Access Gate mirrors the physical network by building a secure virtual overlay, which is later used for routing traffic.

  • Zero-touch device integration: DNS automatically resolves overlay addresses — no need to reconfigure assets or install agents.

🔎 Note: The overlay network uses the 100.64.0.0/16 address space, which falls within the CGNAT range. This ensures it won't interfere with public IP routing or internet access.
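To make the "routing plus bidirectional NAT" claim concrete, here is an added example (not Access Gate's own code, and the internal mechanics are our assumption about how such a gate could be modelled): each underlay asset is handed one address from the 100.64.0.0/16 pool, the pool is checked against the wider 100.64.0.0/10 shared address space, and every packet crossing the gate is rewritten in both directions so that each asset only ever sees its peer's overlay address. The underlay addresses (10.0.1.8, 10.0.1.9) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# The pool the page mentions, and the CGNAT / shared address space (100.64.0.0/10)
# it must sit inside so it never collides with public routing.
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")
OVERLAY_POOL = ipaddress.ip_network("100.64.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class AccessGateNAT:
    """Hypothetical model of the gate's overlay mapping and NAT step."""

    def __init__(self, pool=OVERLAY_POOL):
        if not pool.subnet_of(CGNAT_BLOCK):
            raise ValueError("overlay pool must sit inside 100.64.0.0/10")
        self._free = pool.hosts()      # hands out 100.64.0.1, 100.64.0.2, ...
        self.to_overlay = {}           # underlay IP -> overlay IP
        self.to_underlay = {}          # overlay IP -> underlay IP

    def register(self, underlay_ip: str) -> str:
        """Assign (or return the existing) overlay address for an asset."""
        if underlay_ip in self.to_overlay:
            return self.to_overlay[underlay_ip]
        overlay_ip = str(next(self._free))
        self.to_overlay[underlay_ip] = overlay_ip
        self.to_underlay[overlay_ip] = underlay_ip
        return overlay_ip

    def can_forward(self, pkt: Packet) -> bool:
        """The gate only forwards packets addressed to an allocated overlay
        address from a registered asset; anything else is not its business."""
        return pkt.dst in self.to_underlay and pkt.src in self.to_overlay

    def translate(self, pkt: Packet) -> Packet:
        """Rewrite one packet as it crosses the gate.

        - the overlay destination is DNAT'd to the peer's underlay IP
        - the underlay source is SNAT'd to its own overlay IP, so the peer
          replies to an overlay address and the reply is routed back via the gate

        The same rule serves both legs of a flow, which is what makes the NAT
        bidirectional.
        """
        if not self.can_forward(pkt):
            raise LookupError(f"not an overlay flow: {pkt}")
        return Packet(src=self.to_overlay[pkt.src], dst=self.to_underlay[pkt.dst])


def demo():
    """Two assets exchange a request and a reply through the gate."""
    gate = AccessGateNAT()
    a = gate.register("10.0.1.8")   # constructed asset -> 100.64.0.1
    b = gate.register("10.0.1.9")   # constructed asset -> 100.64.0.2
    request = gate.translate(Packet(src="10.0.1.8", dst=b))   # A talks to B's overlay IP
    reply = gate.translate(Packet(src="10.0.1.9", dst=a))     # B answers A's overlay IP
    return a, b, request, reply


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that a packet sent straight to a peer's underlay address is refused by `can_forward`: the gate has no mapping for it, which is exactly why Step 4 below has to block such traffic at the switch and firewall rather than rely on the overlay alone.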

Step 3: Secure Overlay Communications

Communications are now routed through the Access Gate, which acts as an intelligent control point — enforcing security and visibility without altering the physical infrastructure.

  • Security enforcement: Traffic flows through Access Gate, where real-time authentication, access control, and logging are enforced.

  • Flexible trust model:

    • When supported, the Access Gate establishes two-legged proxy communication between assets—enabling fine-grained, protocol-aware control.

    • If proxying isn’t possible, the system defaults to end-to-middle encrypted tunnels, still providing stronger isolation and encryption than the underlying network.

  • Zero-downtime migration path: Assets can transition incrementally to the overlay, avoiding disruptions or changes to existing wiring or configurations.

🏭 Using a dual DNS naming scheme simplifies migration: each device is accessible via both its original IP (in our example 10.0.1.8.fabcore.tr-sec.net) and a human-readable alias (asset4.fabcore.tr-sec.net). This approach maintains backward compatibility while enabling clear, structured overlay addressing.
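As an added illustration of the dual naming scheme (example code, not Access Gate's own), the block below builds the zone for the two names the text gives, the IP-derived `10.0.1.8.fabcore.tr-sec.net` and the alias `asset4.fabcore.tr-sec.net`, and has both answer with the asset's overlay address. The inventory, the second asset and the overlay addresses are constructed values; the assumption is that the gate has already allocated those overlay addresses.

```python
import ipaddress
from typing import Dict, List, Optional

DOMAIN = "fabcore.tr-sec.net"

# Constructed inventory: underlay IP -> (alias, overlay IP assigned by the gate).
INVENTORY = {
    "10.0.1.8": ("asset4", "100.64.0.1"),
    "10.0.1.9": ("asset5", "100.64.0.2"),
}


def ip_name(underlay_ip: str) -> str:
    """Backward-compatible name: the original underlay address becomes labels
    under the zone, so operators can keep 'talking to 10.0.1.8'."""
    ipaddress.IPv4Address(underlay_ip)   # rejects anything that is not an IPv4 literal
    return f"{underlay_ip}.{DOMAIN}"


def build_zone(inventory: Dict[str, tuple] = INVENTORY) -> Dict[str, str]:
    """Two A records per asset, both resolving to the overlay address."""
    zone: Dict[str, str] = {}
    for underlay_ip, (alias, overlay_ip) in inventory.items():
        for name in (ip_name(underlay_ip), f"{alias}.{DOMAIN}"):
            if name in zone and zone[name] != overlay_ip:
                raise ValueError(f"{name} is already mapped to {zone[name]}")
            zone[name] = overlay_ip
    return zone


def zone_records(zone: Dict[str, str]) -> List[str]:
    """Render the zone as BIND-style resource record lines."""
    return [f"{name}. 300 IN A {ip}" for name, ip in sorted(zone.items())]


def resolve(name: str, zone: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Answer a lookup the way the overlay DNS would (case-insensitive,
    trailing dot tolerated); None means NXDOMAIN."""
    zone = build_zone() if zone is None else zone
    return zone.get(name.rstrip(".").lower())


if __name__ == "__main__":
    for line in zone_records(build_zone()):
        print(line)
```

Because both names point at the overlay address rather than the underlay one, a client that is migrated to the overlay name space never learns the physical address of its peer, which is what lets the underlay be closed off in the next step.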

Step 4: Lock Down the Underlay

Once communications shift to the secure overlay, the physical network — the underlay — can be locked down. By applying port isolation and targeted firewall rules, it becomes a controlled layer that only allows authenticated overlay traffic.

  • Switch-level isolation: Enable port isolation features to create physical barriers that prevent any direct device-to-device communication on the underlying network infrastructure.

  • Gateway-only traffic policies: Deploy stateful firewall rules that exclusively permit traffic originating from Access Gate, effectively making it the single point of network entry and control.

  • Zero-trust architecture: Establish a security model where every communication must traverse the monitored overlay, eliminating the possibility of unauthorized or unmonitored network access.
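The three Step 4 controls can be checked against sample flows before anyone touches a switch. The block below is an added model (not Access Gate's code, and the gate's underlay address 10.0.1.1, the asset addresses and the flows are constructed): isolated switch ports never talk to each other, a stateful table lets replies of gate-opened connections through, and any new connection that does not have the gate as one endpoint is dropped. It assumes assets may also open connections toward the gate, since overlay traffic has to reach it.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple

GATE_IP = "10.0.1.1"                         # constructed: Access Gate on the underlay
ISOLATED_PORTS = {"10.0.1.8", "10.0.1.9"}    # constructed: assets on isolated switch ports


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class UnderlayPolicy:
    """Hypothetical model of the locked-down underlay."""
    gate: str = GATE_IP
    isolated: Set[str] = field(default_factory=lambda: set(ISOLATED_PORTS))
    conntrack: Set[tuple] = field(default_factory=set)   # connections already admitted

    def _key(self, f: Flow) -> tuple:
        return (f.src, f.sport, f.dst, f.dport, f.proto)

    def _reply_key(self, f: Flow) -> tuple:
        return (f.dst, f.dport, f.src, f.sport, f.proto)

    def verdict(self, f: Flow) -> Tuple[str, str]:
        # 1. Switch-level port isolation: two isolated ports never exchange frames,
        #    regardless of what the firewall would say.
        if f.src in self.isolated and f.dst in self.isolated:
            return ("DROP", "port isolation")
        # 2. Stateful rule: the return half of an admitted connection is allowed.
        if self._reply_key(f) in self.conntrack:
            return ("ACCEPT", "established")
        # 3. Gateway-only: a new connection is admitted only if the gate is one end.
        if f.src == self.gate or f.dst == self.gate:
            self.conntrack.add(self._key(f))
            return ("ACCEPT", "gate-initiated" if f.src == self.gate else "to-gate")
        # 4. Everything else (asset-to-asset, laptop-to-asset, ...) is unmonitored and dropped.
        return ("DROP", "gateway-only")


# Constructed sample flows, in the order they arrive at the underlay.
SAMPLE_FLOWS = [
    Flow("10.0.1.8", "10.0.1.9", "tcp", 51000, 502),   # asset -> asset, Modbus, direct
    Flow("10.0.1.1", "10.0.1.9", "tcp", 40000, 502),   # gate opens Modbus to asset
    Flow("10.0.1.9", "10.0.1.1", "tcp", 502, 40000),   # asset replies to the gate
    Flow("10.0.1.50", "10.0.1.9", "tcp", 52000, 502),  # unmanaged host, not isolated, direct
]


def evaluate(flows=SAMPLE_FLOWS):
    policy = UnderlayPolicy()
    return [policy.verdict(f) for f in flows]


if __name__ == "__main__":
    for flow, (action, why) in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{action:6} {why:16} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

The fourth flow is the one worth watching in a real deployment: port isolation alone does nothing for a host that is not on an isolated port, so the gateway-only firewall rule is what closes that path.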