High security subnets and JIT network access
Use Case: Dynamic Just-in-Time IP Restrictions for High-Security Subnet
A critical infrastructure environment needed to restrict access to specific high-security internal networks to trusted IP addresses dynamically, allowing access only for short-lived periods. This approach would ensure that systems remained inaccessible when operational staff were not at their terminals or did not require interactive access.
The goal: Users wishing to access the high-security internal networks would log in to Knocknoc, granting network access and direct control-system protocol access to the target network for a period of 60 minutes.
The result: The high-security network was protected by a default-deny firewall policy, with access granted only when an operator required interactive access. During that time, the terminal's IP address was dynamically allowed short-lived access.
Technical how:
In this example, an existing in-line firewall appliance was orchestrated to open access just in time and to remove it again on logout or timeout.
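The lease logic behind that orchestration, as an added example that is not Knocknoc's or the firewall vendor's code: a login grants the operator's terminal IP a 60-minute lease, logout or expiry revokes it, and every change is emitted as a firewall action against a default-deny policy. The nftables set name and command shapes are assumed for illustration; the IPs are constructed sample values.

```python
from dataclasses import dataclass, field

LEASE_SECONDS = 60 * 60  # 60-minute access window, as in the use case
SET_NAME = "jit_allow"   # hypothetical nftables set referenced by an allow rule
                         # sitting above a default-drop policy


@dataclass
class JitAllowlist:
    # ip -> (operator, lease expiry as a unix timestamp)
    leases: dict = field(default_factory=dict)
    # firewall commands the orchestrator would run, in order (assumed syntax)
    commands: list = field(default_factory=list)

    def login(self, operator, ip, now):
        """Operator authenticated to the gate: allow their IP for one lease."""
        expiry = now + LEASE_SECONDS
        self.leases[ip] = (operator, expiry)
        self.commands.append(f"nft add element inet filter {SET_NAME} {{ {ip} }}")
        return expiry

    def _revoke(self, ip):
        self.commands.append(f"nft delete element inet filter {SET_NAME} {{ {ip} }}")

    def logout(self, ip):
        """Explicit logout: remove access immediately; False if no lease existed."""
        if self.leases.pop(ip, None) is None:
            return False
        self._revoke(ip)
        return True

    def sweep(self, now):
        """Timeout path: revoke every lease whose window has run out."""
        expired = [ip for ip, (_, exp) in self.leases.items() if exp <= now]
        for ip in expired:
            del self.leases[ip]
            self._revoke(ip)
        return expired

    def is_allowed(self, ip, now):
        """True only while a live lease exists; everything else is denied."""
        lease = self.leases.get(ip)
        return lease is not None and lease[1] > now


if __name__ == "__main__":
    al = JitAllowlist()
    al.login("operator1", "203.0.113.10", now=0)   # constructed sample
    print(al.is_allowed("203.0.113.10", 1800))    # True, inside the window
    print(al.sweep(3600), al.is_allowed("203.0.113.10", 3600))  # revoked
    print("\n".join(al.commands))
```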