Network Access Control (NAC)
Beginning in ThreatLocker 7.2 (beta) and above, Network Access Control starts in a monitor-only state by default. You will need to create a default deny policy to begin blocking.
In ThreatLocker Versions earlier than 7.2 (beta), as soon as Network Access Control is enabled on an organization, all Inbound network traffic will be denied by default. Outbound traffic will be unaffected. It may be preferred to create policies and Authorization Hosts BEFORE enabling Network Access Control on an organization.
NAC is only supported by ThreatLocker Version 7.1 or higher. Downgrading from 7.1 to an earlier ThreatLocker version without first disabling the NAC policies on an organization will cause high CPU usage, and all network traffic will continue being logged. To remedy this, update to ThreatLocker Version 7.1 or higher.
Network Access Control allows users to dynamically authenticate to network locations through a keyword challenge handshake, even when a user is connecting from different IP addresses. Once authenticated, the connection will remain open for 5 minutes. The authentication is re-checked every minute; once it can no longer be authenticated, the connection closes 5 minutes later.
Creating Network Access Control Policies
Navigate to Network Access Control > Policies.
Click the 'New NAC Policy' button in the top left corner of the page.
Input a logical name for the Policy in the textbox under 'Enter a name for this Network Access Control Policy'. In our example, we have entered 'Allow Inbound RDP'.
Enter a description in the Description box if desired.
Select 'Permit' or 'Deny' from the dropdown box below 'Should this policy permit or deny access'.
In the section 'Do you want this policy to apply to the entire organization or a selected computer group', choose either 'Apply to entire organization' or 'Select a computer or a group' and then select the desired computer or group from the dropdown. Here, you are deciding whether this Policy will apply to every computer in the Organization, to a specific group, or to a single computer. In our example, we have selected a single server.
Under 'Which Source Ports should this policy apply to', select 'All Ports' or 'These selected ports'. These are the ports the traffic will be coming from. In our example, we have selected 'All Ports', which means that we aren't limiting which port the incoming traffic can come from.
The 'Which Source Locations should this policy apply to' section is where you will enter the keywords you want to use for your authorized hosts, or IP addresses for authorized hosts, including Tags if desired. These are the endpoints that will be permitted to connect to the location you are setting this policy on. For example, if you have a backup device that is unable to have ThreatLocker installed, enter the IP address of that device here to enable it to communicate with the location you are setting this policy on.
- To add a keyword, select 'Keyword' from the dropdown menu and then input your chosen keyword into the textbox. Click the 'Add' button. Keywords must be less than 50 characters in length and cannot contain these characters: < or >
- To add an IPv4 address, select 'IPv4' from the dropdown, input the IPv4 address in the textbox (including CIDR notation if desired), and click 'Add'.
- To add an IPv6 address, select 'IPv6' from the dropdown, input the IPv6 address in the textbox, and click 'Add'.
- To add a tag, select 'Tag' from the dropdown, select the desired tag from the dropdown menu, and click 'Add'.
- To add an object, select 'Object' from the dropdown, select the desired object (computer, group, or organization) from the dropdown menu, and click 'Add'.
In the 'Which Destination Ports should this policy apply to' section, you can select 'All Ports', which would permit inbound traffic to all ports to connect to the location you are setting this policy on, or select specific ports. In our example, we have selected 'These selected ports' and added port 3389. So only traffic coming into port 3389 will be permitted, provided it meets all the other criteria that have been specified in this policy.
To add a port, input the number into the textbox, and then click 'Add'.
To add a port range, input the starting port number, followed by a dash, and then the ending port number, then click 'Add'.
Under 'Which Destination Locations should this policy apply to', choose from 'All' or 'These selected locations'. If 'These selected locations' is selected, then input the desired locations as described above in the 'Source Locations' section.
In our example, we have selected 'All' specifying that any endpoint can connect on port 3389 if they meet all the other criteria in this policy (if they are coming from one of the specified source locations, or contain one of the keywords specified).
Click the 'Save and Close' button in the top left corner to save the policy.
Remember, Policies are processed from the top down, from the lowest number to the highest, the same as Application Control Policies. To move a Policy higher or lower in the list, change the number in the textbox and click 'Save'.
Be sure to click 'Deploy Policies' when finished manipulating the Network Access Control Policy list. If Global Policies were created, navigate to the Organizations page, select the checkbox at the top of the page to select all organizations, and click 'Deploy Policies' at the top of that page to deploy Policies to all organizations.
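As an added illustration (not ThreatLocker's code), the following Python models how the ordered policy list built in the steps above is evaluated: policies are taken lowest number first, the first one whose source ports, source locations, destination ports and destination locations all match decides the outcome, and an explicit default deny sits at the bottom. It also applies the keyword rules and the port-entry forms the page states. The `Policy` and `Connection` classes, the `keyword:` prefix for keyword entries, the `Monitor` default action and every IP address are assumptions made for this example; Tag and Object entries are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


def validate_keyword(word: str) -> bool:
    """Keyword rules stated on the page: fewer than 50 characters, no '<' or '>'."""
    return 0 < len(word) < 50 and "<" not in word and ">" not in word


def parse_port_entry(entry: str) -> frozenset[int]:
    """'3389' -> {3389}; '5000-5010' -> {5000..5010}: the two port input forms described."""
    lo, _, hi = entry.partition("-")
    low, high = int(lo), (int(hi) if hi else int(lo))
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port entry: {entry!r}")
    return frozenset(range(low, high + 1))


@dataclass(frozen=True)
class Policy:
    number: int                                       # list position; lowest is evaluated first
    name: str
    action: str                                       # "Permit" or "Deny"
    source_ports: frozenset[int] | None = None        # None = 'All Ports'
    source_locations: tuple[str, ...] | None = None   # None = all; else IP/CIDR or "keyword:<word>"
    dest_ports: frozenset[int] | None = None
    dest_locations: tuple[str, ...] | None = None     # IP/CIDR entries only in this model


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    keywords: frozenset[str] = frozenset()            # keywords the source has authenticated with


def _location_matches(entries: tuple[str, ...] | None, ip: str, keywords: frozenset[str]) -> bool:
    if entries is None:
        return True
    for entry in entries:
        if entry.startswith("keyword:"):
            if entry[len("keyword:"):] in keywords:   # exact, case-sensitive comparison
                return True
        elif ip_address(ip) in ip_network(entry, strict=False):
            return True
    return False


def policy_matches(p: Policy, c: Connection) -> bool:
    """Every section of the policy form must match for the policy to apply."""
    return ((p.source_ports is None or c.src_port in p.source_ports)
            and _location_matches(p.source_locations, c.src_ip, c.keywords)
            and (p.dest_ports is None or c.dst_port in p.dest_ports)
            and _location_matches(p.dest_locations, c.dst_ip, frozenset()))


def evaluate(policies: list[Policy], c: Connection, default_action: str = "Deny") -> tuple[str, str]:
    """Top down, lowest number first, first match wins. `default_action` applies when nothing
    matches: "Deny" models the pre-7.2 behaviour, "Monitor" the 7.2+ monitor-only default."""
    for p in sorted(policies, key=lambda p: p.number):
        if policy_matches(p, c):
            return p.action, p.name
    return default_action, "(no policy matched)"


def renumber(policies: list[Policy], name: str, new_number: int) -> list[Policy]:
    """Equivalent of changing the number in a policy's textbox and clicking 'Save'."""
    return [replace(p, number=new_number) if p.name == name else p for p in policies]


def example_policies() -> list[Policy]:
    """The 'Allow Inbound RDP' policy from the walkthrough plus an explicit default deny.
    10.0.0.50 is a constructed address standing in for a backup device without the agent."""
    assert validate_keyword("allow")
    return [
        Policy(1, "Allow Inbound RDP", "Permit",
               source_locations=("keyword:allow", "10.0.0.50/32"),
               dest_ports=parse_port_entry("3389")),
        Policy(2, "Default Deny", "Deny"),
    ]


if __name__ == "__main__":
    pols = example_policies()
    samples = [  # constructed inbound connections to a server at 10.0.0.20
        Connection("203.0.113.10", 51000, "10.0.0.20", 3389, frozenset({"allow"})),
        Connection("203.0.113.10", 51000, "10.0.0.20", 3389, frozenset({"Allow"})),
        Connection("10.0.0.50", 51000, "10.0.0.20", 3389),
        Connection("10.0.0.50", 51000, "10.0.0.20", 445),
    ]
    for c in samples:
        print(c.src_ip, sorted(c.keywords), "->", c.dst_port, evaluate(pols, c))
    # Moving the deny policy above the permit shadows it: ordering is part of the policy.
    print(evaluate(renumber(pols, "Default Deny", 0), samples[0]))
```

Two points the model makes visible: a keyword of 'Allow' does not satisfy a policy entry of 'allow', and renumbering the deny policy above the permit silently shadows it, which is why the list order should be reviewed before clicking 'Deploy Policies'.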
To create the ability to dynamically permit remote access, the next step is to create authorization hosts. This is where we will associate keywords with network traffic destinations.
Creating Authorization Hosts
Navigate to Network Access Control > Authorization Host.
- Input the hostname, FQDN, or URL of the network destination into the 'Hostname' textbox followed by ':8810'.
- Input the Keyword into the 'Keyword' textbox. Keyword is case-sensitive, must be less than 50 characters in length and cannot contain these characters: < or >
- Select where you would like this authorization to apply.
- Click the 'Add' button.
In our example, you can see we have specified that HTTP://SER201901A can be authenticated to via port 8810 from any computer in the organization that has the Keyword 'allow'.
Enabling Network Access Control
Navigate to the Organizations page.
Select the checkbox next to Network Access Control in the Products dropdown menu beside the Organization(s) you wish to enable Network Access Control on.
NAC does not interfere with your perimeter firewall. You will need to open port 8810 on your perimeter firewall to allow external network traffic. Use port forwarding on your perimeter firewall so that the inbound traffic enters and leaves the firewall on 8810 and reaches the NAC on 8810.