How Knocknoc removes attack surface

Knocknoc enables you to remove the attack surface of systems, by enacting just-in-time network/application-based allow-listing.

It can operate in a number of ways - from orchestrating network access controls (eg: adding to firewall rules - whilst presenting no attack surface), through to operating as an identity aware gateway, or any combination thereof.

Knocknoc orchestrates a control layer by providing it the IP address of a user who has successfully logged in to a centralised portal. It is not a proxy, it is not a VPN. You host it or we host it, with support for access control systems of all types - commercial firewalls, open-source/native, public cloud providers and more - with custom scripting capability too.

A simple example is an SSH bastion host. Typically, SSH is exposed to the entire Internet, allowing any IP address to make a login attempt or otherwise access the port, daemon/service and network stack - presenting an attack surface.

To solve this, a Knocknoc "agent" is installed on the bastion host which dynamically adds a users IP address to a firewall rule or policy, which opens SSH at the network level. It does so only after the user has centrally logged in to the Knocknoc portal, which sits elsewhere. The SSH port is only made visible to the users IP address after the Knocknoc login.

This is a basic on-host example, however Knocknoc can do much more.

If you need to urgently protect VPN services on devices like Fortinet, Palo Alto or Ivanti etc - Knocknoc can do that, by removing their entire attack surface from the Internet through orchestration. This removes attack surface that may be ok today, but suffers from zero-day attacks tomorrow.

Operating models

Knocknoc can be deployed in a number of ways, including:

On-host orchestration. An Agent is installed directly on a host which securely adds IP address information to a firewall rule or policy. This could be a single host offering services, a Linux-based firewall with multiple network interfaces, or a machine running a large virtual environment (eg: Proxmox/VMWare) with numerous virtual interfaces and failover/cluster considerations.
Adjacent orchestration. An Agent is deployed alongside infrastructure it can orchestrate, for example, the API of a Fortinet or Palo Alto/Checkpoint which the Knocknoc Agent interacts with, holding tightly constrained access permissions allowing only an IP address to be added/removed from a specified policy based on API credentials. This mode can also manage public cloud provider controls/APIs, eg: AWS/Azure, Digital Ocean.
AllowList (passive) mode. A firewall can be configured to dynamically source trusted IP address information from Knocknoc. These IP lists are securely published and consumed by firewalls which support external dynamic lists. This obviates the need for a Knocknoc Agent to be deployed anywhere in the environment.
Identity Aware Gateway. Knocknoc can also be deployed to act as an identity aware gateway. This is effectively a reverse-proxy that sits in-line between your client/users and the back-end protected system(s). Only after a central login is the users IP address permitted. This allows layer-7 filtering and access control, meaning web-requests or POSTs to /admin/ require a Knocknoc login, whereas requests to other paths do not.
Combination. Knocknoc can be deployed in any combination of the above. The per-user license model means you can start small and simple, and increasingly reduce your attack surface over time.

Other modes include centralised yet distributed orchestration. A server is established for the purpose of orchestrating multiple systems across a distributed environment. These systems could be a mixture of AWS, Azure, Entra, Digital Ocean and public cloud providers, whilst also orchestrating adjacent firewalls and executing custom scripts. The options here are near limitless.

Talk to us about your architecture or use case and we'll help get you protected fast.

User/client access model

Once Knocknoc has instructed the various back-end systems to trust the IP address of the authenticated user, they connect directly to the host or service. There is no broker service nor VPN/tunnel wrapper, instead the connection is direct with no latency or other interference/chokepoint nor reliability risk added.

No installation is required on the client machine, they just log in centrally and their access policies are processed. Existing tools that use bespoke TCP/UDP or other protocols work without interruption as Knocknoc is not in the direct path.

For example, Knocknoc can protect 1,000 servers and services distributed across the globe, with users accessing them locally and direct - without adding a network chokepoint.

Agent->Server architecture

The Knocknoc Agents installed to orchestrate your infrastructure connects outbound to your Knocknoc server, via TLS (HTTPS, or your selected port), and maintains a websocket connection. After a user logs in to your Knocknoc portal, client-side IP address information is then shared across this websocket, meaning the Agents have no direct attack surface.

The Agents themselves are intentionally small, written in a memory-safe language and receive IP address information as part of the agent->server process. Once received, the Agent validates the IP address prior to onward processing.

Note that no installation is needed on a client machine, no VPN-like agent nor client configuration, just a web login.

Direct and distributed dynamic ACLs

Knocknoc allows you to combine on-host/adjacent/passive orchestration with an identity-aware-gateway model, giving you complete flexibility.

As shown below, an authorizer user is granted direct network-level access to various distributed systems, only after the central login is performed. Knocknoc manages access without getting in the way.

Get going

Setting up Knocknoc for the first time is easy, the Getting Started guide runs through the install and setup process.

For new admins we recommend checking out the Consider Your Use Case and Understanding Access Control pages to understand how Knocknoc fits into your security architecture.

Consider Your Use Case

SSH

Remote Desktop

Web applications

Ivanti Connect Secure

Video

FortiOS, FortiProxy or SSL VPN

VOIP

AWS Infrastructure

Azure Portal

Licensing Knocknoc

Server Installation

Agent Installation

Create Users

Create Groups

Admins

Settings

Local Authentication

LDAP

SAML

SAML Principles and Terms

SAML with EntraID (Azure AD)

SAML with OKTA

SAML with Gsuite as IDP

SAML with Jumpcloud

SAML for the Admin Interface

SAML with CyberArk

Knocknoc with ADFS

IPset (Linux Netfilter/IPTables)

HAProxy

IPsets with UFW

IPsets with Shorewall

Script Any Arbitrary Backend

AWS (EC2) Security Groups

Mikrotik RouterOS

Nginx

Apache Webserver

Fortigate Address Groups

Microsoft Entra

Allowlist

ACLs

Time for NTP

LDAP Troubleshooting tips

Knocknoc server behind HAProxy