Network Control (NC)
The legacy name of this module was Network Access Control.
Beginning with ThreatLocker 7.2, Network Control starts in a monitor-only state by default. You will need to create a default deny policy to begin blocking. In ThreatLocker versions earlier than 7.2, as soon as Network Control is enabled on an organization, all inbound network traffic is denied by default; outbound traffic is unaffected. It may be preferable to create policies and Authorization Hosts BEFORE enabling Network Control on an organization, so that legitimate inbound traffic is not interrupted.
NC is only supported on ThreatLocker Version 7.1 or higher. Downgrading from 7.1 to an earlier ThreatLocker version without first disabling the NC policies on an organization will cause high CPU usage; all network traffic will continue being logged. To remedy this, update to ThreatLocker Version 7.1 or higher.
Network Control allows total control of inbound traffic to your protected devices. By configuring policies using either Objects or Authorization Hosts/Keywords, you can allow granular access based on IP address or even specific keywords. Once a connection is authenticated, it remains open for 5 minutes. The authentication is re-checked every minute; once it can no longer be authenticated, the connection is closed after 5 minutes.
Creating Network Control Policies
Navigate to Network Control > Policies.
Click the '+ New Policy' button in the top left corner of the page.
The NC Policy window will open. The first dropdown is where the Policy Level is selected; choose the hierarchy level you would like this policy to apply to.
Once the Policy Level is selected, the Policy Details section lets you enter the Policy Name, a Description for your records, and whether this policy should Deny or Permit.
Under 'Source Locations', select 'All' or 'Selected'.
- When choosing Selected, multiple options appear, with separate boxes for entering IPv4 addresses, IPv6 addresses, and Keywords in the required format.
- After entering a valid value in each box, press the comma, tab, or enter key. If entered correctly, your addresses and Keywords should look like the ones in the screenshot below.
- The Tags and Objects fields open a dropdown from which you can pick the Tag or Object you would like to apply to this policy.
Now add your Destination Locations (optional, but this setting will make your policy more granular).
- If you have a Tag of pre-set IPv4 and IPv6 addresses, this is a good place to use it. Otherwise, you can type them in. You can also specify IP address ranges in CIDR notation by adding a / and prefix length on the end (for example, 192.168.1.0/24).
Then add your Destination Ports or port ranges.
After you have finished configuring all your policy options, be sure to click the 'Create Policy' button. Then click 'Deploy Policies'.
Remember, Policies are processed from the top down, from the lowest number to the highest, the same as Application Control Policies. To move a Policy higher or lower in the list, change the number in the textbox and click the green checkmark to save your changes.
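As an added illustration (not ThreatLocker's own code), the following Python model shows how the ordering rule above plays out: policies are tried from the lowest number to the highest, the first policy whose Source Locations and Destination Ports both match decides, and an unmatched inbound connection falls to the version-dependent default (monitor-only in 7.2+, deny before 7.2). The first-match rule, the `NCPolicy` fields and the sample addresses are assumptions constructed for the example.

```python
# Illustrative model of ordered Network Control policy evaluation (not ThreatLocker's code).
# Assumption: the first matching policy in number order decides the outcome.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NCPolicy:
    number: int                                  # list position; lowest is processed first
    name: str
    action: str                                  # "Permit" or "Deny"
    sources: list = field(default_factory=list)  # [] models Source Locations = All
    ports: list = field(default_factory=list)    # [] models any port; int or (lo, hi) range

def _source_matches(policy, src_ip):
    if not policy.sources:
        return True
    ip = ipaddress.ip_address(src_ip)
    # Single addresses and CIDR ranges are both accepted; ip_network(strict=False)
    # treats a bare address as a /32 or /128. A v4 address never matches a v6 network.
    return any(ip in ipaddress.ip_network(s, strict=False) for s in policy.sources)

def _port_matches(policy, port):
    if not policy.ports:
        return True
    for p in policy.ports:
        lo, hi = (p, p) if isinstance(p, int) else p
        if lo <= port <= hi:
            return True
    return False

def evaluate(policies, src_ip, dst_port, default_deny=True):
    """Return (decision, matched policy name). default_deny=True models pre-7.2
    behaviour (inbound denied unless permitted); False models 7.2+ monitor-only."""
    for pol in sorted(policies, key=lambda p: p.number):
        if _source_matches(pol, src_ip) and _port_matches(pol, dst_port):
            return pol.action, pol.name
    return ("Deny" if default_deny else "Monitor"), None

# Constructed sample policy set: permit RDP from a management subnet, permit web
# from anywhere, then an explicit default deny at the bottom of the list.
SAMPLE_POLICIES = [
    NCPolicy(1, "Permit RDP from mgmt", "Permit", ["10.10.0.0/24"], [3389]),
    NCPolicy(2, "Permit web", "Permit", [], [(80, 80), (443, 443)]),
    NCPolicy(3, "Default deny inbound", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, "10.10.0.5", 3389))    # ('Permit', 'Permit RDP from mgmt')
    print(evaluate(SAMPLE_POLICIES, "203.0.113.9", 3389))  # ('Deny', 'Default deny inbound')
```

Removing the explicit deny policy and calling `evaluate(..., default_deny=False)` shows why a 7.2+ organization needs its own default deny policy before anything is actually blocked.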
To allow remote access to be permitted dynamically, the next step is to create Authorization Hosts. This is where keywords are associated with network traffic destinations.
Creating Authorization Hosts
Navigate to Network Control > Auth Host. Select '+ New Auth Host'.
- Enter your Destination Server
- Port number is 8810. There are plans to allow this port to be customized in a future release. Until then, port 8810 must be used with Keywords.
- Input the Keyword into the 'Keyword' textbox. The Keyword is case-sensitive, must be fewer than 50 characters in length, and cannot contain the characters < or >.
- Select the Policy Level at which you would like this authorization to apply.
- Click the '+ Add Auth Host' button.
Enabling Network Control
Navigate to the Organizations page.
Select the checkbox next to Network Control in the Modules dropdown menu beside the Organization(s) you wish to enable Network Control on.
Note: If ThreatLocker Protect is selected, you will not see Network Control as part of the dropdown menu, because it is included in ThreatLocker Protect.
NC does not interfere with your perimeter firewall. You will need to open port 8810 on your perimeter firewall to allow the external network traffic in. Use port forwarding on your perimeter firewall so that the inbound traffic enters and leaves the firewall on port 8810 and reaches NC on port 8810.
For more information about Network Control, please see our ThreatLocker University course, Network Control.