As we have engaged closely with our customers, a common need has emerged: a solution to extend zero trust access to non-identity-aware machines<\/strong>. These are typically legacy or specialized OT devices that cannot host identity clients yet still require secure, policy-driven communication. Addressing this need is essential to achieving comprehensive zero trust coverage across heterogeneous environments.<\/p>\n\n\n\n Before diving into implementation details, let\u2019s first understand the concept. In industrial environments, edge or industrial compute devices typically serve as network gateways<\/strong>, connecting to machines such as PLCs, sensors, actuators, and other OT assets. These gateways generally run a standard operating system and possess sufficient compute resources to host NetFoundry edge software<\/strong>.<\/p>\n\n\n\n In this architecture, the gateway acts as the identity-bearing entity\u2014running the NetFoundry tunneler\/router<\/strong>\u2014while the connected machines communicate with cloud services, applications, and other machines through the identity of the gateway<\/strong>. The core objective is to implement a mechanism that controls and restricts which specific machines behind the gateway can access designated resources<\/strong>, even though they themselves may not have individual identities or tunneling capabilities. This enables enforcement of zero trust principles<\/strong> such as least privilege and segmentation, even for non-identity-aware devices.<\/p>\n\n\n\n The following are the communication objectives we want to achieve:<\/strong><\/p>\n\n\n\n As part of the NetFoundry “Service Config”, access is restricted to a spefic port(s) and IP(s) \/ host name(s) and specific identities are allowed to access based on the “Service Policy Config”. <\/p>\n\n\n\n For example,<\/strong> machines connected to the IEC device that runs Identity A<\/strong> can be allowed to access a SCADA application in the cloud<\/strong> through appropriate service and policy configurations. However, this identity-based model alone does not prevent unauthorized machines within Subnet A<\/strong> from reaching the SCADA service.<\/p>\n\n\n\n To address this requirement, NetFoundry introduces the Allowed Source Address<\/strong> feature within the service configuration. This enhancement enables administrators to enforce access control beyond the identity level<\/strong>, down to the level of specific source IP addresses<\/strong> of individual machines behind the tunneler or a router.<\/p>\n\n\n\n With this feature:<\/p>\n\n\n\nWhat is it?<\/h3>\n\n\n\n
Scenario:<\/h3>\n\n\n\n
![\"\"](\"https:\/\/netfoundry.io\/wp-content\/uploads\/2025\/07\/Extended-ZT-Access-v1-pdf-1024x576.jpg\")
<\/figure>\n\n\n\n\n
Introducing “Allowed Source Address”<\/strong><\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/netfoundry.io\/wp-content\/uploads\/2025\/07\/image-1-700x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/netfoundry.io\/wp-content\/uploads\/2025\/07\/image-2-1024x519.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/netfoundry.io\/wp-content\/uploads\/2025\/07\/image-3-1024x566.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/netfoundry.io\/wp-content\/uploads\/2025\/07\/image-4-563x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/netfoundry.io\/wp-content\/uploads\/2025\/07\/image-5-1024x513.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"