How Knocknoc Works
Knocknoc removes the attack surface of your existing infrastructure by providing access only to authorised users. It’s simple to implement and cost-effective at scale.
Examples
SSH: Zero your network exposure with just-in-time firewall control via your centralized authentication system.
Hosted Apps: Remove legacy or high-risk systems from direct internet access, only exposing them after a secure login.
Direct, low-latency access: Open services instantly without VPNs or additional hops – no client installation needed, in your complete control.
VPN devices: Protect network services until users centrally log in, reducing your exposure to zero-day attacks.
- Firewall (e.g. ipset/iptables, ufw/shorewall, etc)
- Firewall appliances (e.g. Fortinet/Palo/Sonicwall, pfsense, etc)
- Reverse proxy (e.g. HAProxy, Nginx)
- Cloud ACL (e.g. AWS Security Group, Entra conditional access)
- Application configurations (e.g. sshd hosts.allow, etc)
Features of Knocknoc
- Zero Trust Made Easy: Protect your systems by ensuring that no one gains access until authenticated by Knocknoc. A minimal barrier to entry into a zero trust model, simply “Knoc first”.
- Use your existing infrastructure: No additional routes, no added latency, direct network access, in your complete control.
- Seamless Integration: Add SAML and MFA to applications that lack native support, such as SSH and raw video feeds, protecting your attack surface effortlessly.
- Timed Access Control: Allow access to applications and infrastructure only when users are authenticated and within specified time windows.
- Enhanced Security: Remove attack surfaces and eliminate brute force attempts with our state-of-the-art authentication process.
- Authentication: Knocknoc integrates with existing platforms such as Okta, Entra, Google, Jumpcloud, or can be used in standalone mode, including multi-factor authentication (MFA).
- Visibility and Audit Trail: Gain full visibility over authenticated users and their access durations with our comprehensive activity audit trail.
- Highly extensible: Link authorized logins to ACLs; Identity Groups can become ACLs on anything.
Does Knocknoc replace my VPN?
No, it allows you to protect more than a VPN. But it can replace it.
Often Knocknoc is installed in addition to an existing VPN. The VPN provides access to internal resources for staff only, for site-to-site connectivity or heavier administration tasks. Knocknoc can protect the VPN itself by reducing its attack surface, such that it is not internet-exposed until users first centrally log in.
In addition to your VPN, Knocknoc is often leveraged for contractors, third parties or those seeking faster and direct access to resources that sit outside of internal networks protected by traditional VPNs. Good examples are SSH, dev/test environments or legacy/untrusted web applications that are currently on the Internet but need additional protection. Moving those behind your VPN is prohibitively complex given the userbase, thus they remain exposed today.
Knocknoc doesn’t require an agent/client installation, so it is far more user and admin friendly. Don’t let a ZTNA solution provider observe all your traffic, add latency and at the same time be a potential source of breach. With Knocknoc, access and network connectivity are direct. Knocknoc neither brokers nor touches your network traffic, which is perfect for low-latency and high-security network environments.