
Use Cases (overview)

Knocknoc use cases

Knocknoc is extremely versatile and can ultimately act as an authentication portal for many use cases: it enables just-in-time network access control and solves use cases across various industries and technologies. Some examples:

SSH Bastion hosts - add MFA, link in your IdP, remove the server's attack surface

Remove VPN edge risks: Prevent stolen credentials and brute-force attacks, securing against zero-day exploits

Remove RDP attack surface: Require a central login before RDP is exposed at the network layer

Risky Web Apps: Secure with just-in-time access, removing raw internet exposure

Firewalls: Remove exposure to zero-day attacks

Azure Portal: Restrict Azure Portal to allowlisted IP addresses only

Manage MSSP Firewall changes - Don't expose your firewall management interfaces to the raw Internet

Layer-7 filtering tied to your IdP: require a login before exposing "/admin"

These are only a few of the ways Knocknoc has been deployed to remove attack surface and enable just-in-time, network-level access.

To simplify setup to begin with, it helps to consider a single application to put behind Knocknoc, and build out from there. Once you have added an application, and configured and tested user and/or group authentication, you can update your reverse proxy or firewall to block all traffic that has not been authenticated via Knocknoc. That default-deny rule is what actually removes the application's raw exposure; Knocknoc then opens access only for authenticated sources.

Cloud or self-hosted server?

Should you deploy a cloud or self-hosted instance of Knocknoc?

 

The answer will depend on a few factors.

For example, if your LDAP authentication source is not reachable from the internet, then of course you need self-hosted, because the Knocknoc server must be able to reach it. A self-hosted Knocknoc server may also suit you better for various security segmentation scenarios, or even Knocknoc on the LAN, which is great for SCADA or ICS systems.

However, depending on your environment, it may be hard to get inbound public IP access to the Knocknoc server, in which case cloud hosting would make sense. Our cloud servers are deployable in under a minute, with DNS records and inbound rules all configured for you, ready to go.

Where will your agents run?

The Knocknoc agent connects out to the server over port 443/TCP (HTTPS) and maintains a WebSocket connection over TLS through which ACL changes are managed; because the connection is outbound, no inbound access to the agent host is needed. The agent does need to live somewhere that can easily reach its associated backend. For example, a HAProxy Unix socket is only reachable from the same machine, so the agent has to run there, while a firewall IPset or API might require the agent to be deployed in a control-plane firewall zone. Deploying the agent is easy, and as long as you consider where in your network the agents live, this can strike a great balance between security and control.

Select your backends

A backend is the control mechanism the agent drives, for example a HAProxy Unix socket, an AWS security group script or a firewall IPset. The backend needs to be able to apply the change to your protected application instantly and idempotently, so that re-applying the same ACL is harmless. Knocknoc agents are resilient and will update ACLs on backends in a reliable fashion; however, various backends have limitations. For example, an AWS security group can only hold 60 entries before you need a support ticket to raise the limit, so a large allowlist can hit that ceiling. Please consider the limitations of any backend to ensure you choose the best possible solution for your use case.
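As an added example (not Knocknoc's own agent or backend code), here is the reconciliation step a backend script has to get right, both for the "block all traffic not authenticated via Knocknoc" rule described in the setup paragraph and for the instant, idempotent ACL update this section asks of a backend. It diffs the backend's current allowlist against the desired one, refuses up front any plan that would exceed the backend's entry limit (the 60-entry AWS security group figure from this page is used as the illustrative limit), and renders the minimal command set for an ipset and for HAProxy's Runtime API. The set name `knocknoc_allow`, the ACL path `/etc/haproxy/knocknoc.acl` and the sample addresses are constructed assumptions.

```python
"""Idempotent allow-list reconciliation for a Knocknoc-style backend.

Added example; not Knocknoc's own agent or backend code.  It models what any
backend has to do: take the set of source IPs the server currently wants
allowed, compare it with what the control mechanism already holds, and emit
only the commands needed to converge, so that running it again is a no-op.
The set/ACL names, the sample addresses and the capacity figure (the 60-entry
AWS security-group limit the page mentions) are assumptions for illustration.
"""
from dataclasses import dataclass
import ipaddress


class CapacityError(RuntimeError):
    """The desired allow-list would not fit in the backend."""


@dataclass(frozen=True)
class Plan:
    add: frozenset
    delete: frozenset

    @property
    def is_noop(self) -> bool:
        return not self.add and not self.delete


def normalise(entries) -> frozenset:
    """Canonicalise so '203.0.113.10' and '203.0.113.10/32' compare equal."""
    return frozenset(str(ipaddress.ip_network(e, strict=False)) for e in entries)


def plan_changes(current, desired, capacity=None) -> Plan:
    """Diff current state against desired state.

    The capacity check runs before anything is applied: a backend such as an
    AWS security group has a hard entry limit, and discovering it halfway
    through an update would leave some users allowed and others locked out.
    """
    cur, want = normalise(current), normalise(desired)
    if capacity is not None and len(want) > capacity:
        raise CapacityError(f"{len(want)} entries requested, backend limit is {capacity}")
    return Plan(add=want - cur, delete=cur - want)


def render_ipset(set_name: str, plan: Plan) -> list:
    """ipset commands for a hash:net set (assumed name).

    '-exist' makes 'add' ignore an entry that is already present and 'del'
    ignore one that is already gone, so a replayed plan cannot fail.
    """
    cmds = [f"ipset -exist add {set_name} {net}" for net in sorted(plan.add)]
    cmds += [f"ipset -exist del {set_name} {net}" for net in sorted(plan.delete)]
    return cmds


def render_haproxy(acl_file: str, plan: Plan) -> list:
    """HAProxy Runtime API commands (sent over the stats Unix socket) for an
    ACL loaded from a file; the path is an assumption."""
    cmds = [f"add acl {acl_file} {net}" for net in sorted(plan.add)]
    cmds += [f"del acl {acl_file} {net}" for net in sorted(plan.delete)]
    return cmds


def apply_plan(current, plan: Plan) -> frozenset:
    """Simulate the backend applying the plan; returns the resulting state."""
    return (normalise(current) | plan.add) - plan.delete


if __name__ == "__main__":
    # Constructed sample: what the backend holds now vs what the server wants.
    current = {"203.0.113.10", "203.0.113.11/32", "198.51.100.0/24"}
    desired = {"203.0.113.10/32", "198.51.100.0/24", "192.0.2.77"}
    plan = plan_changes(current, desired, capacity=60)
    print("\n".join(render_ipset("knocknoc_allow", plan)))
    print("\n".join(render_haproxy("/etc/haproxy/knocknoc.acl", plan)))
    # A second pass against the converged state has nothing to do.
    print("converged:", plan_changes(apply_plan(current, plan), desired).is_noop)
```

The HAProxy commands assume haproxy.cfg references the same file (for example `acl knocknoc_allowed src -f /etc/haproxy/knocknoc.acl` followed by `tcp-request connection reject if !knocknoc_allowed`) so that the default is deny and the runtime ACL edits are what open access; the ipset commands assume the set already exists and is referenced by a matching firewall rule. Running the plan against a converged backend yields no commands, which is the idempotency the section asks for.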