Network Control allows for total control of inbound and outbound traffic to your protected devices. By configuring policies using either Objects or Authorization Hosts/Keywords, you can allow granular access based on IP address or even specific keywords. Once authenticated, the connection will remain open for 5 minutes. Every minute, the authentication is checked again, and once it can no longer be authenticated, the connection closes in 5 minutes.
Special consideration for LAN-Based Network Traffic and using Objects:
Network Control and LAN-Based Connection Traffic | ThreatLocker Help Center (kb.help)
Enabling the Network Control Module
In order to use the Network Control solution, you will need to make sure the module is enabled for the organization you wish to create policies for.
Navigate to Organizations page and locate the organization you plan on creating Network Control policies for.
Once located, check the Modules column for a dropdown that lists which modules are enabled. Network Control is part of the ThreatLocker Protect bundle but can also be enabled separately.
Note: If ThreatLocker Protect is selected, you will not see Network Control as a part of the dropdown menu because it is included in ThreatLocker Protect.
Keep in mind, changes to any modules in this list will require a service restart of ThreatLocker to all computers in the organization being changed. This can be done from the Computers page.
Creating Inbound Network Control Policies
Navigate to Network Control > Policies.
Click the '+ New Policy' button in the top left corner of the page.
Once the side pane opens, give a desired Policy Name for the new policy.
Then select the hierarchy level where this new policy will be effective using the Applies To dropdown. By default, this will automatically select the current "Applies To" section selected on the Network Control page when the '+ New Policy' button is selected.
With the policy Applies To set, select the traffic direction you want the policy to cover. For example, for inbound network traffic connections, select 'Inbound'.
Under 'Source Locations', select 'All' or 'Selected'.
- When choosing Selected, multiple options appear. You can type IPv4 addresses, IPv6 addresses, and Keywords into their respective boxes.
- After entering a valid format for each, press the comma, tab, or enter key. If entered correctly, your entered addresses and Keywords should look like the ones entered in the screenshot below.
- The Tags and Objects will open a dropdown that will allow you to pick the Tag or Object you would like to apply to this policy.
Make sure to select the '+' when adding new items to the Source list.
Now add your Destination Locations (optional but this setting will make your policy more granular). This uses similar options as Source with the exception of Keyword.
- If you have a Tag of pre-set IPv4 and IPv6 addresses, this would be a great place to use it. Otherwise, you can enter them manually. You can also enter IP address ranges by adding a / suffix (CIDR notation) to the address.
Then add your Destination Ports or port ranges.
Communication Protocol can then be configured for TCP, UDP, or both TCP/UDP (default).
After you have configured all your policy options, click the 'Create Policy' button. Then click 'Deploy Policies.'
Remember, Policies are processed from the top down, from the lowest to the highest, the same as Application Control Policies. To move a Policy higher or lower in the list, change the number in the textbox and click the green checkmark to save your changes.
To create the ability to permit remote access dynamically, the next step is to create Authorization Hosts. This is where we will associate keywords with network traffic destinations.
Creating Outbound Network Control Policies
Requirements:
Starting with ThreatLocker version 8.6.1, we have introduced the feature to lockdown outbound network traffic. It is important to make sure your devices are on version 8.6.1 or greater before configuring and deploying outbound Network Control policies.
Recommendation:
When initially setting up outbound Network Control policies, it is important to keep in mind that a deny all outbound network control policy may interrupt critical network traffic needed for your device, including communication with the ThreatLocker portal.
It is recommended to start with explicit deny policies for specified outbound network traffic that is unwanted. A great example is to start building a policy to block certain social media access.
Troubleshooting Note:
The ThreatLocker service needs to be able to identify domains registered to an IP address if you plan on configuring your Network Control policies using domains. If you are facing difficulties with registering proper domains to outbound network traffic, it is recommended to utilize the “UseDNSCacheToGetHostnames” and/or “EnableDriverDomainNameParsing” options in the desired location. Please visit this KB for more information:
Options Tab: Choices and Descriptions: for the Computers Page, the Computer Groups Page, and the Entire Organization Page | ThreatLocker Help Center (kb.help)
Navigate to Modules > Network Control > Policies
Click the '+ New Policy' button in the top left corner of the page.
Once the side pane opens, give a desired Policy Name for the new policy.
Then select the hierarchy level where this new policy will be effective using the Applies To dropdown. By default, this will automatically select the current "Applies To" section selected on the Network Control page when the '+ New Policy' button is selected.
For the Direction section, select 'Outbound' to indicate this policy is being applied to outbound network traffic.
Under the Source subsection, you are given a few options for configuring the source of the network traffic that is being controlled. This determines the origin, or source, of the outbound network traffic that will be affected.
- All – This option will target all sources of outbound network traffic where the policy is effective.
- Selected – This option will allow further customization of the source locations the outbound traffic will be controlled from. Source locations can be defined in several ways:
  - IPv4 – The IPv4 address of the source location.
  - IPv6 – The IPv6 address of the source location.
  - Tag – A defined list of IPs or domains configured in the ThreatLocker portal.
  - Object – A defined Object in the ThreatLocker portal. This can include an organization, computer group, or individual computers.
- You can include any combination of the above listed options for configuring Source locations. Keep in mind, the Applies To configuration defines which computers will be affected by this policy to begin with.
The next step is to configure the Destination of the network traffic that this policy will be controlling.
Selecting All will make the policy effective on all outbound network traffic and should only be used when completely locking down all outbound Network Traffic.
It is recommended to define outbound network traffic using the Selected option. You can use IPv4, IPv6, or Tag as configurations for the outbound network traffic in your policy much like the Source configuration options.
Next you will need to configure which ports this policy will be effective on. You can select All Ports, or choose Selected Ports to define a port or range of ports on the outbound network traffic. Make sure to use the '+' button when making your selection from the dropdown or manually entering in a port.
Communication Protocol can then be configured for TCP, UDP, or both TCP/UDP (default).
Lastly, you will need to select what action should be taken when the configurations placed above are met. Permit will allow the specified traffic, Deny will block the specified traffic.
After all the configurations have been put in place, select Create at the bottom of the side pane and be sure to use the Deploy Policies button in the top right of the portal to deploy this policy to the endpoints it applies to.
Remember, Policies are processed from the top down, from the lowest to the highest, the same as Application Control Policies. To move a Policy higher or lower in the list, change the number in the textbox and click the green checkmark to save your changes. Deploy Policies for any changes made to be applied.
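To make the ordering rule concrete for both the inbound and outbound procedures above, here is an added example (not ThreatLocker's code) that models an ordered policy list and evaluates a connection against it. It assumes the first matching policy decides the outcome and that, with no matching policy, the 7.2+ monitor-only default applies; the network ranges and policy names are constructed placeholders.

```python
# Added example, not ThreatLocker code: a model of ordered Network Control
# policy evaluation. Assumptions: first match wins; no match means "monitor".
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    direction: str                  # "inbound" or "outbound"
    action: str                     # "permit" or "deny"
    sources: list = field(default_factory=list)       # [] means Source: All
    destinations: list = field(default_factory=list)  # [] means Destination: All
    ports: list = field(default_factory=list)         # [(lo, hi)]; [] means All Ports
    protocol: str = "tcp/udp"       # "tcp", "udp" or "tcp/udp" (default)

def _in_any(addr, networks):
    """True when the list is empty (All) or the address falls in any CIDR."""
    return not networks or any(ip_address(addr) in ip_network(n) for n in networks)

def _port_ok(port, ranges):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)

def matches(p, direction, src, dst, port, proto):
    return (p.direction == direction
            and p.protocol in ("tcp/udp", proto)
            and _in_any(src, p.sources)
            and _in_any(dst, p.destinations)
            and _port_ok(port, p.ports))

def evaluate(policies, direction, src, dst, port, proto="tcp"):
    """Walk the list top down (lowest policy number first); first match decides."""
    for p in policies:
        if matches(p, direction, src, dst, port, proto):
            return p.action, p.name
    return "monitor", None  # no explicit policy: monitor-only default (7.2+)

# Constructed sample policies. The portal permit must sit ABOVE the deny-all,
# otherwise the deny-all matches first and cuts off portal communication.
PORTAL_NET = "203.0.113.0/24"   # placeholder, not a real ThreatLocker range
OUTBOUND = [
    Policy("Permit portal", "outbound", "permit",
           destinations=[PORTAL_NET], ports=[(443, 443)], protocol="tcp"),
    Policy("Deny social media", "outbound", "deny", destinations=["198.51.100.0/24"]),
    Policy("Deny all outbound", "outbound", "deny"),
]
INBOUND = [
    Policy("Permit LAN RDP", "inbound", "permit",
           sources=["10.0.0.0/8"], ports=[(3389, 3389)], protocol="tcp"),
    Policy("Deny all inbound", "inbound", "deny"),
]
```

Evaluating the same portal connection against `OUTBOUND` and against `list(reversed(OUTBOUND))` shows why the policy number matters: the permit only wins when it is processed before the deny-all.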
Creating Authorization Hosts and Applying Keywords
NC does not interfere with your perimeter firewall. You will need to open port 8810 on your perimeter firewall to allow external network traffic to reach your Authorization Host configurations. Use port forwarding on your perimeter firewall so that the inbound traffic enters and leaves the firewall on 8810 and reaches NC on 8810.
Navigate to Network Control > Auth Host. Select '+ New Auth Host'.
- Enter your Destination Server
- The port number is 8810. There are plans to allow this port to be customized in future releases. Until then, using port 8810 with Keywords is required.
- Input the Keyword into the 'Keyword' textbox. Keyword is case-sensitive, must be less than 50 characters in length, and cannot contain these characters: < or >
- Select where you would like this Keyword authorization to apply.
- Click the 'Add' button.
Legacy Documentation:
The legacy name of this module was Network Access Control. Beginning in ThreatLocker 7.2 and above, Network Control will begin in a monitor-only state by default. You will need to create a default deny policy to begin blocking. In ThreatLocker versions earlier than 7.2, as soon as Network Control is enabled on an organization, all Inbound network traffic will be denied by default. Outbound traffic will be unaffected. Creating policies and Authorization Hosts may be preferred BEFORE enabling Network Control on an organization.
NC is only supported by ThreatLocker Version 7.1 or higher. Downgrading from 7.1 to an earlier ThreatLocker version without disabling the NC policies on an organization will cause high CPU usage. All network traffic will continue being logged. To remedy this, update to at least ThreatLocker Version 7.1 or higher.
For more information about Network Control, please see our ThreatLocker University course, Network Control.