Network Topology
Network topology describes how systems are connected and how traffic flows between them. In on-premise environments (whether IT, OT, or hybrid) topology directly affects security, reliability, scalability, and operational risk.
Unlike cloud environments, on-premise networks are constrained by physical infrastructure, legacy systems, and uptime requirements. As a result, topology choices tend to persist for years and must be made carefully.
Why Network Topology Matters On-Premise
On-premise networks commonly support:
- Business-critical applications
- Production systems
- Legacy servers and appliances
- Mixed IT, OT, and IoT assets
Topology changes in these environments are:
- Risky to deploy
- Hard to roll back
- Often avoided once systems are live
Security and access control solutions must therefore adapt to the existing topology, not force a redesign.
Common On-Premise Network Topologies
Flat Network
All systems share the same logical network and can communicate directly.
Characteristics
- Simple and inexpensive
- Minimal routing or segmentation
Limitations
- Implicit trust across all systems
- Easy lateral movement
- Poor visibility and auditability
Common in older deployments, and still widely found in SMBs, legacy data centers, and industrial sites.
Segmented Network (VLAN / Subnet-Based)
Networks are divided into zones using VLANs, subnets, and firewall rules.
Characteristics
- Reduces blast radius
- Clear separation between system groups
Limitations
- Static and IP-based
- Complex to design and maintain
- Changes carry operational risk
- Does not express user or identity context
Segmentation improves hygiene, but on its own it provides no per-session visibility, no identity-aware access control, no encryption of the traffic it separates, and no access logging.
Inline Enforcement Topology
Traffic is forced through inline firewalls or security appliances.
Characteristics
- Centralized control
- Clear inspection point
Limitations
- Single point of failure
- Throughput constraints
- High operational risk
- Difficult to deploy safely in production
Common in data centers, often avoided in environments with strict uptime requirements.
Lollipop Topology
In a lollipop topology, the security appliance connects beside the network rather than inline with traffic. The existing network topology remains unchanged, and access is redirected logically instead of physically.
Characteristics
- Appliance is not in the physical traffic path
- Existing routes, VLANs, and IP addressing remain intact
- Traffic is steered via DNS and routing when protection is required
- Fail-open by design: if the appliance is offline, the rest of the network keeps operating; only the access paths steered through the appliance are affected
Advantages
- No single point of failure for production traffic
- Minimal deployment risk in live environments
- Easy to deploy, test, and remove
- Compatible with legacy systems and static networks
Limitations
- Requires routing and DNS awareness
- Enforcement applies only to protected access paths; because systems keep their underlay addresses, direct access to those addresses must still be restricted (for example, with firewall or ACL rules that admit only the appliance), or the steered path can be bypassed
- Not designed for full inline inspection of all traffic
Lollipop topology enables policy-driven access control and visibility without redesigning the network, making it well-suited for modern Zero Trust implementations in on-premise environments.
Overlay-Based Network Topology
Instead of modifying the underlay network, Access Gate introduces a logical overlay:
- Systems keep their original IP addresses
- Protected services are exposed via overlay IPs
- DNS and routing steer traffic through Access Gate
- All protected access is proxied and controlled
This separates security topology from physical topology.
Traffic Flow Comparison:
- Direct Access (Traditional Topology)
Client → System
- Overlay-Based Access
Client → Overlay IP
→ Router
→ Access Gate (policy + proxy)
→ Underlay IP
→ System
The client never connects directly to the protected system.
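As an added illustration, not code from this page or from the Access Gate product, the following Python model walks through the two flows above and the lollipop steering described in the previous section: a protected name resolves to an overlay IP, a longest-prefix-match route sends the overlay prefix to the gate, the gate evaluates policy and proxies to the underlay address, and unprotected traffic stays on its direct path. It also shows the failure modes a practitioner cares about: what happens when the gate is down (the steered path is lost, everything else keeps working) and what happens when a client dials the underlay IP directly (it bypasses the gate unless the underlay itself restricts that access). All addresses, names, users, the policy table and the underlay ACL are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Everything below is constructed for this example (hypothetical addresses and names).
GATE_IP = "10.0.0.254"       # the gate's own address in the underlay
CLIENT_IP = "10.10.7.50"     # the client's underlay address

# DNS as it was before the overlay: every name maps to its underlay address.
UNDERLAY_DNS = {
    "erp.corp.example": "10.10.5.20",
    "hmi.ot.example": "10.20.1.7",
}
# DNS steering: protected names resolve to an overlay IP instead.
OVERLAY_DNS = {"erp.corp.example": "10.200.0.20"}
# Gate-side mapping from overlay IP back to the real (underlay) system.
OVERLAY_TO_UNDERLAY = {"10.200.0.20": "10.10.5.20"}
PROTECTED_UNDERLAY = set(OVERLAY_TO_UNDERLAY.values())

# Routing steering: the overlay prefix is routed to the gate; everything else stays direct.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "direct"),
    (ipaddress.ip_network("10.200.0.0/16"), GATE_IP),
]
# Gate policy: (identity, underlay system) pairs that are allowed.
POLICY = {("alice", "10.10.5.20")}


def resolve(name: str) -> str:
    """Return the overlay IP for protected names, the underlay IP otherwise."""
    return OVERLAY_DNS.get(name, UNDERLAY_DNS[name])


def next_hop(dst_ip: str) -> str:
    """Longest-prefix-match lookup in ROUTES; returns 'direct' or a next-hop address."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, hop in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


def gate(user: str, overlay_ip: str) -> Optional[str]:
    """Policy check, then proxy: return the underlay IP to connect to, or None on deny."""
    underlay_ip = OVERLAY_TO_UNDERLAY.get(overlay_ip)
    if underlay_ip is None or (user, underlay_ip) not in POLICY:
        return None
    return underlay_ip


def underlay_accepts(src_ip: str, dst_ip: str, acl_enforced: bool) -> bool:
    """Hypothetical underlay ACL: protected systems accept traffic only from the gate."""
    if acl_enforced and dst_ip in PROTECTED_UNDERLAY and src_ip != GATE_IP:
        return False
    return True


def connect(user: str, name: str, override_ip: Optional[str] = None,
            gate_up: bool = True, acl_enforced: bool = False) -> Tuple[List[str], Optional[str]]:
    """Model one client connection. Returns (hops taken, reached underlay IP or None).

    override_ip models a client that ignores DNS and dials an address directly.
    """
    dst = override_ip or resolve(name)
    path = ["client", dst]
    if next_hop(dst) == "direct":
        # Direct path: the gate never sees this traffic, so no policy is evaluated.
        if not underlay_accepts(CLIENT_IP, dst, acl_enforced):
            return path + ["dropped-by-acl"], None
        return path, dst
    path.append("router")
    if not gate_up:
        # Fail-open for the rest of the network: only the steered path is lost.
        return path + ["gate-unreachable"], None
    path.append("access-gate")
    underlay_ip = gate(user, dst)
    if underlay_ip is None:
        return path + ["denied"], None
    # The gate connects on the client's behalf from its own address, which the ACL admits.
    if not underlay_accepts(GATE_IP, underlay_ip, acl_enforced):
        return path + ["dropped-by-acl"], None
    return path + [underlay_ip], underlay_ip


if __name__ == "__main__":
    for args in [("alice", "erp.corp.example"), ("bob", "erp.corp.example"),
                 ("bob", "hmi.ot.example")]:
        print(args, "->", connect(*args))
    print("bypass, no ACL:", connect("bob", "erp.corp.example", override_ip="10.10.5.20"))
    print("bypass, ACL on :", connect("bob", "erp.corp.example", override_ip="10.10.5.20",
                                      acl_enforced=True))
    print("gate down, protected:", connect("alice", "erp.corp.example", gate_up=False))
    print("gate down, unprotected:", connect("alice", "hmi.ot.example", gate_up=False))
```

The two bypass runs are the point of the model: with `acl_enforced=False`, a client that dials `10.10.5.20` directly reaches the protected system with no policy evaluated at all, because the overlay only changes where a name resolves and where the overlay prefix is routed, not whether the underlay address is reachable. Restricting the underlay address to the gate's source (the `underlay_accepts` check here, a firewall or switch ACL in practice) is what turns the steered path into the only path.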
Key Takeaway
In on-premise environments, the most reliable network topology is often the one that does not change.
Access Gate enables:
- Secure access
- Logical segmentation
- Visibility and auditability
…without redesigning the physical network your operations depend on.