Financial services data partner, secure web upload

Use Case: DynamicTrusted Just-in-Timepartners IP Restrictions for High-Security Subnet

~~A critical infrastructure environment needed to restrict~~secure access to ~~specific~~web ~~high-security~~application ~~internal~~

A ~~networks~~financial services provider relied on periodic uploads through an Internet-exposed web application. Although the application was actively maintained, it posed substantial value and risk to ~~trusted~~the IPorganization ~~addresses~~due ~~dynamically,~~to ~~allowing~~the ~~access~~highly ~~only~~confidential, proprietary investment information it contained.

The goal: Eliminate the attack surface of the highly confidential, internally-built web application used for ~~short-lived~~collecting ~~periods.~~proprietary ~~This~~investment ~~approach~~information. Trusted third parties and business partners would ~~ensure~~be ~~that systems remained inaccessible when operational staff were not at their terminals or did not require interactive access.~~

~~The goal: Users wishing~~required to ~~access the high-security internal networks would~~ log in to ~~Knocknoc,~~Knocknoc ~~granting~~before ~~network~~accessing ~~access~~the web application, enhancing edge security and ~~direct~~mitigating ~~control-system protocol access~~risks to the ~~target~~application.

~~network~~

The result: The web application's exposure to the public Internet was eliminated without significantly disrupting the access flow for aexternal ~~period~~business ofpartners 60and ~~minutes.~~

data

~~The~~providers. ~~result:~~Pre-auth ~~The~~web ~~high-security~~application ~~network~~paths, ~~was~~API ~~protected~~routes, byand other potential attack vectors were removed. Both Knocknoc and the web application were integrated with the same Identity Provider (IdP), delivering a ~~default-deny~~seamless ~~firewall~~user ~~policy,~~experience ~~with~~without ~~access~~requiring ~~granted~~any ~~only~~end-user ~~when an operator required interactive access. During that time, the terminal's IP address was dynamically allowed short-lived access.~~installation.

Technical how:

In this example, ana ~~existing~~reverse ~~in-line~~proxy ~~Firewall~~(HAProxy ~~appliance~~in this case) was orchestrated toby ~~open~~Knocknoc, opening up access ~~just~~to inlayer-7/HTTP ~~time~~filtered ~~and~~paths ~~remove~~to ~~access~~trusted onIP ~~logout~~addresses oronly ~~timeout.~~after they successfully authenticated to Knocknoc.