How Knocknoc Works

Knocknoc removes the attack surface of your existing infrastructure by orchestrating network-level access controls. Your firewalls or ACLs are safely updated with a user's IP address to allow access only after that user has logged in centrally, so your ports stay closed and your services stay invisible until then. Knocknoc takes care of the rest. It's simple to implement and cost-effective at scale.

Examples

SSH: Don't open SSH to the world. Instead, let Knocknoc add a trusted user's IP address to the iptables/ipset allow list dynamically, only after they have centrally authenticated. Zero network exposure, with just-in-time firewall control tied to your identity platform.

Hosted Apps: Remove legacy or high-risk systems from direct internet access, exposing them only after a secure login. Our gateway solution allows layer-7 filtering, or prevents access entirely using the firewall control/orchestration functionality.

Direct, low-latency access: Open services instantly without VPNs or additional hops. Once authenticated, users reach the network service directly: their IP is allowed, the firewall is open, and they connect without a centralised routing platform in the path. No client installation needed, and you remain in complete control.

VPN devices: Protect network services until users centrally log in, including your VPN management interfaces or VPN access services (IKE, AH/ESP, TLS, TCP/UDP), reducing your exposure to zero-day attacks.

Features of Knocknoc

Does Knocknoc replace my VPN?

No, it lets you protect more than a VPN, although it can also replace one.

Often Knocknoc is installed in addition to an existing VPN. Your existing VPN typically provides staff-only access to internal resources, site-to-site connectivity, or heavier administration tasks. Knocknoc can protect the VPN itself by reducing its attack surface (via orchestration), so that it is not internet-exposed until users first log in centrally.

In addition to your VPN, Knocknoc is often leveraged for contractors, third parties, or those seeking faster and more direct access to resources that sit outside the internal networks protected by traditional VPNs. Good examples are SSH, dev/test environments, or legacy/untrusted web applications that are currently on the Internet but need additional protection. Moving those behind your VPN is prohibitively complex given the user base, so they remain exposed today.

Knocknoc doesn't require an agent/client installation, so it is far more user- and admin-friendly. Don't let a ZTNA solution provider observe all your traffic, add latency, and at the same time become a potential source of breach. With Knocknoc, access and network connectivity are direct. Knocknoc does not broker or touch your network traffic, which is perfect for low-latency and high-security network environments.

That's new! Deployment architecture options?

First you deploy your Knocknoc server. This provides the web interface that users and admins log into, and it interacts with your identity provider. The server can run on-premises in your network, in our managed cloud, or within your own hosted infrastructure.

Next you install one or many Knocknoc agents. The agents connect to your Knocknoc server and receive instructions to allow or deny IP addresses, both IPv4 and IPv6. They apply these grants against the backends within their reach, according to the user mapping.

An example backend can be any one or more of:
  • Firewall (e.g. ipset/iptables, ufw/shorewall, etc.)
  • Firewall appliances (e.g. Fortinet/Palo/Sonicwall, pfSense, etc.)
  • Reverse proxy (e.g. HAProxy, Nginx)
  • Cloud ACL (e.g. AWS Security Group, Entra conditional access)
  • Application configurations (e.g. sshd hosts.allow, etc.)

We also offer a "script" backend which gives you the flexibility to create your own backends: bring network interfaces up or down, control services like hostapd, enable/disable serial interfaces, or anything you can dream up.
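To make the SSH example and the "script" backend concrete, here is an added illustration (not Knocknoc's own code or its real script interface) of what such an agent-side hook could look like: it validates the client address it is handed, then adds it to, or removes it from, an ipset that an iptables rule consults for port 22. The set names, the default TTL, the argument order and the KNOCK_DRY_RUN variable are assumptions for this example.

```sh
#!/bin/sh
# Added illustration of the "script backend" idea above: an agent-side hook that
# allows or revokes one client IP on an ipset consulted by an iptables rule.
# Set names, TTL default and argument order are assumptions, not Knocknoc's API.
SET_V4="knocknoc_allow"   # hash:ip, family inet
SET_V6="knocknoc_allow6"  # hash:ip, family inet6
# Print 4 or 6 for a well-formed address, fail otherwise. The address is the one
# untrusted input and ends up in a privileged command, so it is validated strictly.
ip_family() {
  case "$1" in
    *[!0-9a-fA-F:.]*|""|.*|*.|*..*) return 1 ;;
  esac
  case "$1" in  # loose IPv6 shape check; IPv4-mapped forms are deliberately rejected
    *:*) case "$1" in *.*) return 1 ;; esac; echo 6; return 0 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # IPv4: four octets, each 0-255
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ""|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo 4
}
# Print (do not run) the ipset command for a grant. Allow entries carry a
# timeout so that a missed revoke still expires on its own.
grant_cmd() {  # grant_cmd allow|deny <ip> [ttl_seconds]
  fam=$(ip_family "$2") || { echo "bad address: $2" >&2; return 1; }
  [ "$fam" = 6 ] && set_name=$SET_V6 || set_name=$SET_V4
  ttl=${3:-3600}
  case "$1" in
    allow) echo "ipset add $set_name $2 timeout $ttl -exist" ;;
    deny)  echo "ipset del $set_name $2 -exist" ;;
    *)     echo "unknown action: $1" >&2; return 1 ;;
  esac
}
# One-time setup: the sets plus the rules that let only set members reach SSH.
setup_cmds() {
  echo "ipset create $SET_V4 hash:ip family inet timeout 3600 -exist"
  echo "ipset create $SET_V6 hash:ip family inet6 timeout 3600 -exist"
  echo "iptables -I INPUT -p tcp --dport 22 -m set --match-set $SET_V4 src -j ACCEPT"
  echo "ip6tables -I INPUT -p tcp --dport 22 -m set --match-set $SET_V6 src -j ACCEPT"
}
# Entry point when the agent calls: script allow|deny <ip> [ttl]. KNOCK_DRY_RUN=1 only prints.
if [ "$#" -ge 2 ]; then
  cmd=$(grant_cmd "$@") || exit 1
  if [ "${KNOCK_DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
fi
```

Run `setup_cmds` once as root to create the sets and rules, after which the default policy for port 22 can drop everything not in the set; the timeout on each allow entry is what makes the grant just-in-time rather than permanent.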