Network Access Control Solution

Overview

This solution is built to maximize network isolation from WAN while maintaining high levels of security without relying on third-party cloud services like Zscaler or Azure Application Proxy.

Primary authentication methods include OTP (One-Time Password) and password/passkeys, with an additional factor added for extra protection.

Key Features

WAN Traffic Denial by Default

All WAN traffic is denied by default and only authenticated traffic is allowed.

Dynamic IP Whitelisting

Access is only granted from dynamically whitelisted IPs.
Temporary whitelisting for reducing exposure.

SMS-Based Authentication

Users authenticate via SMS with rotating phone numbers (changed every 24 hours).
SMS includes encrypted certificates and one-time codes for authentication.

PKI & One-Time Code

End-to-end encryption ensures secure authentication.

Fixed Duration Whitelisting

IPs are whitelisted for a limited time to minimize potential exposure.

No SIM Swapping

SIM cards used for SMS authentication are protected against swapping unless the user is physically present.
Strict SIM Revocation Process ensures SIM swapping risks are minimized.

Benefits

Reduced Attack Surface: Limiting WAN exposure prevents exploits like VPN/firewall 0-days.
No Cloud Dependency: The solution operates without relying on cloud-based ZTNA services.
Enhanced Authentication: 2FA with PKI certificates and OTP ensures secure access.
Seamless User Experience: The authentication process is smooth and fast for users.

Challenges

Mobile IP Users: Mobile users may experience occasional delays in authentication.
SIM Swap Risk: Despite a strict revocation process, social engineering remains a potential risk.
Scalability: Large-scale whitelisting and authentication management require automation.