Knocknoc

What is it?

Knocknoc is a just-in-time network access control platform that ties SSO authentication to firewall rules. Users authenticate via a web-based SSO flow, and Knocknoc dynamically adds their IP address to firewall allowlists for a configured duration. When the session expires, the IP is removed.

The platform orchestrates existing network infrastructure and host-based firewalls rather than routing traffic through a proxy cloud. Supported technologies include Windows Firewall (2019+), Linux IPTables, Palo Alto firewalls, Fortinet devices, Checkpoint, cloud security groups (AWS, Azure, GCP, Digital Ocean), Cloudflare IP allow lists, SaaS application allow lists (like Salesforce), Solaris/SPARC, HP-UX/PA-RISC and reverse proxies (HAProxy, Nginx).

Knocknoc can also operate as a layer 7 identity-aware reverse proxy for Web applications, providing path-level access controls and HTTP method filtering.

Why did they build it?

Pre-authentication vulnerabilities remain a serious risk to both external and internal services.

On the external side, border devices are still a primary attack vector. Vulnerabilities in Fortinet, Palo Alto, and Ivanti appliances often lead to enterprise compromises. VPN endpoints are targets for brute-force attacks and credential stuffing. Management interfaces exposed on the internet for remote administration are also frequently targeted.

Organizations also run legacy applications that cannot be patched or modernized (file transfer appliances, payroll systems, industry-specific software), that lack MFA support and contain pre-authentication vulnerabilities. These systems require remote access but are unsafe to expose directly to the internet.

There are also internal services that benefit from network-based controls, like RDP, KVM-over-IP switches, legacy infrastructure, management interfaces or IoT/OT.

Knocknoc addresses these risks by making services inaccessible over the network before a user authenticates via SSO.

How does Knocknoc orchestrate existing firewall infrastructure?

Knocknoc supports three integration modes with firewalls:

  • Passive mode: The firewall polls Knocknoc for an External Dynamic List (EDL) of allowed IP addresses. Knocknoc does not interact with the firewall directly. Poll intervals are typically 1-5 minutes.
  • Passive plus mode: Knocknoc publishes the allow list and sends a notification to the firewall to refresh immediately, reducing the delay between authentication and access.
  • Active mode: Each authentication event triggers a direct API call to the firewall, adding the user’s IP address along with their username. This enables user attribution in firewall logs and downstream SIEM systems.

For on-host firewalls (Linux iptables, Windows Firewall), Knocknoc agents receive instructions to modify local rules. The platform can be deployed entirely on-premises with no internet connectivity for air-gapped environments.
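The following Python is an added example, not Knocknoc's own code, that models the mechanism described above: an SSO login adds the user's source address to an allowlist for a fixed duration, the entry is removed when the session expires, and the current list can either be published as a plain-text External Dynamic List for a polling firewall (passive mode) or turned into host-firewall commands that carry the username for log attribution (active mode, Linux iptables and Windows Firewall). The GROUP_PORTS policy, the port numbers, the session TTL and the exact command lines are assumptions for this illustration.

```python
"""Just-in-time IP allowlist with session expiry (added example, not Knocknoc's code).

An SSO login adds the user's source address for a fixed duration; expiry removes it.
The current list is rendered as an EDL (passive mode) or as host-firewall commands
that embed the username for attribution (active mode). GROUP_PORTS, the TTL and the
command syntax are assumptions for this illustration.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass

# Hypothetical policy: which SSO group is granted which TCP ports on the protected host.
GROUP_PORTS = {"admins": [3389, 22], "backup-ops": [10443]}


@dataclass(frozen=True)
class Session:
    user: str
    ip: str        # normalised IPv4 or IPv6 address
    group: str     # SSO group that decides the port grants
    started: int   # unix seconds
    expires: int   # unix seconds


def _ip_key(ip: str):
    """Sort key that keeps IPv4 and IPv6 apart (mixed versions cannot be compared directly)."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


class JitAllowlist:
    """In-memory session store. `now` is passed explicitly so expiry logic is testable offline."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: dict[tuple[str, str], Session] = {}
        self.audit: list[dict] = []   # grant/revoke records of the kind a SIEM would ingest

    def login(self, user: str, ip: str, group: str, now: int) -> Session:
        addr = ipaddress.ip_address(ip)   # raises ValueError for anything that is not an address
        if group not in GROUP_PORTS:
            raise PermissionError(f"group {group!r} has no port grants")
        s = Session(user, str(addr), group, now, now + self.ttl)
        self._sessions[(user, s.ip)] = s
        self.audit.append({"event": "grant", "user": user, "ip": s.ip, "group": group,
                           "ts": now, "duration": self.ttl})
        return s

    def expire(self, now: int) -> list[Session]:
        """Remove sessions whose lifetime has passed; returns them so their rules can be revoked."""
        gone = [s for s in self._sessions.values() if s.expires <= now]
        for s in gone:
            del self._sessions[(s.user, s.ip)]
            self.audit.append({"event": "revoke", "user": s.user, "ip": s.ip, "ts": now})
        return gone

    def active(self, now: int) -> list[Session]:
        self.expire(now)
        return sorted(self._sessions.values(), key=lambda s: (s.user, _ip_key(s.ip)))

    def render_edl(self, now: int) -> str:
        """Passive mode: one address per line, the shape a firewall polls as an EDL."""
        ips = sorted({s.ip for s in self.active(now)}, key=_ip_key)
        return "".join(ip + "\n" for ip in ips)


def iptables_commands(sessions: list[Session], grant: bool = True) -> list[str]:
    """Active mode on Linux: per-user ACCEPT rules tagged with the username via a comment."""
    verb = "-I" if grant else "-D"
    out = []
    for s in sessions:
        tool = "ip6tables" if ipaddress.ip_address(s.ip).version == 6 else "iptables"
        for port in GROUP_PORTS[s.group]:
            out.append(f"{tool} {verb} INPUT -p tcp -s {s.ip} --dport {port} "
                       f"-m comment --comment {shlex.quote('knocknoc:' + s.user)} -j ACCEPT")
    return out


def netsh_commands(sessions: list[Session], grant: bool = True) -> list[str]:
    """Active mode on Windows: the username goes into the rule name so it is visible in logs."""
    out = []
    for s in sessions:
        for port in GROUP_PORTS[s.group]:
            name = f"knocknoc {s.user} tcp/{port}"
            if grant:
                out.append(f'netsh advfirewall firewall add rule name="{name}" dir=in '
                           f"action=allow protocol=TCP localport={port} remoteip={s.ip}")
            else:
                out.append(f'netsh advfirewall firewall delete rule name="{name}"')
    return out
```

A scheduler would call `expire()` on a timer and feed the returned sessions to the command renderers with `grant=False`; because grants are keyed on (user, ip), a second login from the same address refreshes the expiry rather than creating a duplicate rule.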

How does the Windows agent work?

The Windows agent (released February 2026) is written in Go and orchestrates the native Windows Firewall. It supports Windows Server 2019 and later. The agent manages local firewall rules based on SSO authentication state: ports are closed by default and opened only for authenticated users in the appropriate SSO group.

Access controls are port-specific. A Windows server can keep port 443 open for general web traffic while restricting RDP access to SSO-authenticated administrators. Backup services running on non-standard ports can be hidden from the rest of the network.

The primary use case is internal: protecting jump hosts, RDP servers, backup services, and other high-risk Windows systems on the corporate network. Rather than a centralized microsegmentation project, this is a “self-defending host” approach. Each machine manages its own firewall rules, allowing teams to start with the boxes that keep them awake at night rather than re-architecting the entire network.

How does the layer 7 proxy mode provide controls beyond IP allow-listing?

When users connect from shared IP addresses (CGNAT gateways, VPNs, corporate egress points), IP-based allow-listing grants access to all users behind that IP. The layer 7 proxy mode addresses this by injecting session tokens into HTTP requests.

In this mode, Knocknoc operates as a reverse proxy in front of the protected application. After SSO authentication, the user’s browser session carries a token that Knocknoc validates on each request. Path-level controls allow different authentication requirements for different URL paths: for example, requiring a separate Knocknoc authentication for /admin while allowing authenticated users direct access to other paths. HTTP method filtering can restrict write operations (POST, PUT, DELETE) while permitting read access.

This mode also enables protection for web applications that lack native MFA support. The application sees only requests that have passed through Knocknoc’s authentication layer.
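The following Python is an added example, not Knocknoc's code, of the per-request decision an identity-aware proxy of this kind makes: every request must carry a valid signed session token (which is what separates users sharing one egress IP), a path such as /admin can demand a separate step-up authentication, and write methods can be limited to a privileged group. The token format, the signing key, the `step_up` claim and the policy table are assumptions for this illustration; the proxy is assumed to have normalised the request path before this check runs.

```python
"""Request authorizer for an identity-aware reverse proxy (added example, not Knocknoc's code).

Token format, signing key, the `step_up` claim and POLICY are assumptions. Paths are
assumed to be already normalised by the proxy (no `..` segments, no doubled slashes);
path-prefix checks on un-normalised input are a classic way to lose path-level controls.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

SECRET = b"example-only-signing-key"   # constructed; a deployment uses a random, managed key
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user: str, groups: list[str], step_up: bool, exp: int) -> str:
    """HMAC-signed session token the proxy sets once the SSO flow completes."""
    payload = json.dumps({"sub": user, "groups": groups, "step_up": step_up, "exp": exp},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: int) -> dict | None:
    """Returns the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p, s = token.split(".", 1)
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:            # malformed structure or base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(SECRET, payload, hashlib.sha256).digest(), sig):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass(frozen=True)
class PathRule:
    prefix: str
    step_up: bool = False                    # requires a separate Knocknoc authentication
    write_groups: frozenset[str] | None = None   # who may use write methods; None = any authenticated user


# Most specific prefix first; "/" is the catch-all for authenticated users.
POLICY = [
    PathRule("/admin", step_up=True, write_groups=frozenset({"admins"})),
    PathRule("/api", write_groups=frozenset({"editors", "admins"})),
    PathRule("/"),
]


@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "deny", "authenticate" or "step_up"
    reason: str


def _matches(prefix: str, path: str) -> bool:
    """Segment-aware prefix match: /admin covers /admin and /admin/x but not /administrator."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def authorize(method: str, path: str, token: str | None, now: int) -> Decision:
    rule = next((r for r in POLICY if _matches(r.prefix, path)), None)
    if rule is None:
        return Decision("deny", "path outside policy")
    claims = verify_token(token, now) if token else None
    if claims is None:
        return Decision("authenticate", "no valid session token")
    if rule.step_up and not claims.get("step_up"):
        return Decision("step_up", f"{rule.prefix} requires a separate authentication")
    if method.upper() in WRITE_METHODS and rule.write_groups is not None:
        if not rule.write_groups & set(claims.get("groups", [])):
            return Decision("deny", f"{method.upper()} on {rule.prefix} restricted to {sorted(rule.write_groups)}")
    return Decision("allow", f"{claims['sub']} via {rule.prefix}")
```

The "authenticate" and "step_up" outcomes are where the proxy would redirect the browser into the SSO flow; "deny" is a final 403. Because the decision depends on the token rather than the client address, two users behind the same CGNAT gateway get separate decisions.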

What about legacy systems?

Knocknoc has built C-based agents for Solaris/SPARC and HP-UX/PA-RISC (released February 2026). Go doesn’t readily compile for these architectures, so the team wrote intentionally slimmed-down agents in C that only manage the local host firewall.

How does Knocknoc provide user attribution for network access?

When a user authenticates, Knocknoc logs the SSO identity, source IP address, timestamp, and session duration. In active firewall integration mode, the username is passed to the firewall alongside the IP address, enabling correlation in firewall logs.

For organizations using IPv6 with unique addresses per device, Knocknoc provides direct user-to-IP attribution without ambiguity. The platform supports IPv6 privacy extensions where addresses rotate.

Session data feeds into SIEM systems, providing an audit trail of which user had network access to which service at which time. This addresses compliance requirements for access logging and MFA on legacy systems that cannot implement these controls natively.

What about cloud and SaaS integrations?

Building upon existing support for AWS, Azure, and GCP security groups, Knocknoc now orchestrates Cloudflare IP allow lists, Digital Ocean firewall rules, and SaaS application allow lists like Salesforce. The approach is the same: if a service has a manageable IP allow list, Knocknoc can dynamically populate it based on SSO authentication.

This means a single Knocknoc deployment can simultaneously orchestrate perimeter firewalls, host firewalls, cloud security groups, CDN allow lists, and SaaS application restrictions, giving a unified view of just-in-time access across the environment.

What doesn’t it do?

Knocknoc controls network access but does not inspect or filter traffic content. It is not a replacement for endpoint security, application-layer firewalls, or DLP. For non-HTTP protocols (SSH, RDP, thick-client applications), Knocknoc provides network-level access control only.

Disclosure: Patrick Gray is a Knocknoc shareholder and serves on the company’s board of directors. He helped Knocknoc raise a seed round through Decibel Partners, where he is a founder advisor.