Knocknoc
What is it?
Knocknoc is a just-in-time network access control platform that ties SSO authentication to firewall rules. Users authenticate via a web-based SSO flow, and Knocknoc dynamically adds their IP address to firewall allow lists for a configured duration. When the session expires, the IP is removed.
The platform orchestrates existing network infrastructure rather than routing traffic through a proxy cloud. Supported targets include Palo Alto firewalls, Fortinet devices, cloud security groups (AWS, Azure, GCP), Linux iptables, and reverse proxies (HAProxy, Nginx). No endpoint agent is required.
Knocknoc can also operate as a layer 7 identity-aware reverse proxy for web applications, providing path-level access controls and HTTP method filtering.
Why did they build it?
Border devices have become a primary attack vector. Vulnerabilities in Fortinet, Palo Alto, and Ivanti appliances have led to enterprise compromises. VPN endpoints are targets for brute-force attacks and credential stuffing. Management interfaces for network equipment are often exposed to the internet for remote administration.
Organizations also run legacy applications that cannot be patched or modernized (file transfer appliances, payroll systems, industry-specific software) that lack MFA support and contain pre-authentication vulnerabilities. These systems require remote access but are unsafe to expose directly.
Knocknoc addresses this by making services invisible to network scanners until a user authenticates. Attack surface management tools identify exposed assets, but no corresponding tool existed to actually remove them from the internet on demand.
How does Knocknoc orchestrate existing firewall infrastructure?
Knocknoc supports three integration modes with firewalls:
- Passive mode: The firewall polls Knocknoc for an External Dynamic List (EDL) of allowed IP addresses. Knocknoc does not interact with the firewall directly. Poll intervals are typically 1-5 minutes.
- Passive plus mode: Knocknoc publishes the allow list and sends a notification to the firewall to refresh immediately, reducing the delay between authentication and access.
- Active mode: Each authentication event triggers a direct API call to the firewall, adding the user’s IP address along with their username. This enables user attribution in firewall logs and downstream SIEM systems.
For on-host firewalls (iptables, Windows Firewall), Knocknoc agents receive instructions to modify local rules. The platform can be deployed entirely on-premises with no internet connectivity for air-gapped environments.
How does the layer 7 proxy mode provide controls beyond IP allow-listing?
When users connect from shared IP addresses (CGNAT gateways, VPNs, corporate egress points), IP-based allow-listing grants access to all users behind that IP. The layer 7 proxy mode addresses this by injecting session tokens into HTTP requests.
In this mode, Knocknoc operates as a reverse proxy in front of the protected application. After SSO authentication, the user’s browser session carries a token that Knocknoc validates on each request. Path-level controls allow different authentication requirements for different URL paths; for example, /admin can require a separate Knocknoc authentication step while authenticated users reach other paths directly. HTTP method filtering can restrict write operations (POST, PUT, DELETE) while permitting read access.
This mode also enables protection for web applications that lack native MFA support. The application sees only requests that have passed through Knocknoc’s authentication layer.
How does Knocknoc provide user attribution for network access?
When a user authenticates, Knocknoc logs the SSO identity, source IP address, timestamp, and session duration. In active firewall integration mode, the username is passed to the firewall alongside the IP address, enabling correlation in firewall logs.
For organizations using IPv6 with unique addresses per device, Knocknoc provides direct user-to-IP attribution without ambiguity. The platform supports IPv6 privacy extensions where addresses rotate.
Session data feeds into SIEM systems, providing an audit trail of which user had network access to which service at which time. This addresses compliance requirements for access logging and MFA on legacy systems that cannot implement these controls natively.
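The attribution described in this section amounts to joining firewall log lines to session records by source IP and time window. The following is an added example (constructed, not Knocknoc's code) of that join as a SIEM-side enrichment, including the shared-egress case the proxy-mode section warns about: when two sessions from the same IP overlap, the result is flagged as ambiguous rather than guessed. The log line format, the session record fields and all addresses and timestamps are constructed for the example.

```python
"""Attribute firewall log lines to SSO users via session records.
Constructed example; not Knocknoc's code."""
import ipaddress
import re
from datetime import datetime

# Constructed log format: ISO timestamp plus key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_ts(s: str) -> float:
    """ISO-8601 with trailing Z to epoch seconds (works before Python 3.11)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).timestamp()


# Constructed session records, the fields the text says Knocknoc logs:
# identity, source IP, login timestamp, granted duration in seconds.
SESSIONS = [
    {"user": "alice", "ip": "203.0.113.10", "start": parse_ts("2025-01-01T10:00:00Z"), "duration": 600},
    {"user": "bob",   "ip": "203.0.113.10", "start": parse_ts("2025-01-01T10:08:00Z"), "duration": 600},
    {"user": "carol", "ip": "2001:db8::1",  "start": parse_ts("2025-01-01T10:00:00Z"), "duration": 600},
]


def attribute(log_line: str, sessions: list[dict]) -> dict:
    """Return {'status': attributed|ambiguous|unattributed|unparsed, 'user': ...}."""
    m = LOG_RE.match(log_line)
    if not m:
        return {"status": "unparsed", "user": None}
    ts = parse_ts(m["ts"])
    src = ipaddress.ip_address(m["src"])  # normalises case/zero-compression for IPv6
    candidates = sorted({
        s["user"] for s in sessions
        if ipaddress.ip_address(s["ip"]) == src and s["start"] <= ts < s["start"] + s["duration"]
    })
    if not candidates:
        return {"status": "unattributed", "user": None}
    if len(candidates) > 1:
        # Shared egress IP with overlapping sessions: IP alone cannot decide.
        return {"status": "ambiguous", "user": None, "candidates": candidates}
    return {"status": "attributed", "user": candidates[0]}


if __name__ == "__main__":
    for line in [
        "2025-01-01T10:05:00Z src=203.0.113.10 dst=10.0.0.5 dport=22 action=allow",
        "2025-01-01T10:09:00Z src=203.0.113.10 dst=10.0.0.5 dport=22 action=allow",
    ]:
        print(attribute(line, SESSIONS))
```

The ambiguous branch is the practical reason for the layer 7 proxy mode and for active-mode integration: when several users sit behind one address, only a per-session token or a username passed to the firewall at login time restores a one-to-one mapping.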
What are the deployment constraints?
Knocknoc controls network access but does not inspect or filter traffic content. It is not a replacement for endpoint security, application-layer firewalls, or DLP. The platform provides selective just-in-time access controls rather than full network micro-segmentation.
For non-HTTP protocols (SSH, RDP, thick-client applications), Knocknoc provides network-level access control only. Protocol-aware proxying for these services requires additional components; for example, Apache Guacamole can provide browser-based RDP access, with Knocknoc controlling access to the Guacamole instance.
Risky Business appearances
- Soap Box: Knocknoc glues your SSO to your firewalls for Just-in-Time network access
- Snake Oilers: Push Security, Knocknoc and iVerify
- Risky Business #789 – Apple’s AirPlay vulns are surprisingly awful
- Product Demo: The Knocknoc Secure Access Control Platform
Sources
- Soap Box: Knocknoc glues your SSO to your firewalls, primary interview
- knocknoc.io
Disclosure: Patrick Gray is on the board of directors of Knocknoc and helped the company secure seed funding.