AccessWall¶
AccessWall narrows inbound admin access to managed assets so the 12Port PAM becomes the only path to them. Combined with PAM's unique-credential-per-asset model, AccessWall closes the lateral-movement gap that traditional admin networks leave open.
12Port PAM prevents lateral movement at the credential layer — each managed asset has a unique credential, so compromise of one asset doesn't yield access to others. AccessWall extends this by restricting inbound admin paths to the PAM gateway, removing direct asset-to-asset admin access entirely.
Two tiers¶
| Tier | What's included | How it's licensed |
|---|---|---|
| AccessWall | Tag-based inbound enforcement on each asset's native firewall. Default rules limit RDP, SSH, and WinRM to PAM-only. Optional trusted hosts. | Included with 12Port PAM. |
| AccessWall Enterprise | Everything in AccessWall, plus full asset-level network visibility, observed-connection mapping, policy simulation before enforcement, segmentation analytics, and service-request workflows for time-bound exceptions. | Premium add-on. Available on request. |
This portal documents both tiers. Sections marked Enterprise apply only when AccessWall Enterprise is licensed.
What AccessWall does¶
AccessWall enforces policy directly on each asset's native firewall (Windows Defender Firewall, Linux iptables/nftables, Oracle Solaris Packet Filter, IBM AIX IP Security). No agents are installed; PAM connects to the asset over its existing privileged credential and applies inbound rules.
Default behavior: only PAM servers (and any explicitly trusted hosts you configure) can reach the asset on its admin ports. Untagged assets are unaffected.
What AccessWall Enterprise adds¶
Asset-level network visibility¶
- Collects connection and firewall state directly from endpoints.
- View interfaces, active connections, and firewall rules per asset.
- Track enforcement status of current rules.
Interactive connection mapping¶
- Map inbound and outbound connections between assets and nodes.
- Navigate the infrastructure hierarchy with zoom and container filters.
- Aggregate and manage IP lists for granular control.
Policy authoring with selectors and tags¶
- Build segmentation policies using selectors, services, and asset tags.
- Apply tag-based logic across workloads and services.
- Policies adapt automatically as asset tags or selectors change.
Policy simulation before enforcement¶
- Run policies in monitor-only mode before enforcement.
- Detect violations without impacting live traffic.
- Refine policies using observed behavior.
Segmentation suggestions from observed traffic¶
- Built-in analytics engine recommends segmentation patterns from connection data.
- See how asset tags influence segmentation decisions.
- Adjust policies using real-world data.
Service-request workflows for exceptions¶
- Request temporary, time-bound exceptions.
- Approval cycles and audit logging on every request.
- Granular control without compromising the default-deny baseline.
Reporting and compliance¶
- Reports by site, container, or individual asset.
- Visual and tabular views of firewall rules, active connections, and asset states.
- Detailed status reports for endpoints, workloads, interfaces, and active policies.
Getting started¶
Start with the resources below to deploy AccessWall in your environment:
- Installation and setup — Deploy AccessWall and integrate it with existing infrastructure.
- Network visibility (Enterprise) — Collect and analyze asset-level network data.
- Policy creation and management — Set up dynamic segmentation policies for your assets.
- Simulating policies (Enterprise) — Test policies in monitor-only mode before enforcement.
- Reporting and compliance — Generate reports for audits and ongoing review.
Need assistance?¶
Explore the Getting Started section to deploy AccessWall in your network, or dive into the Enterprise features for policy automation and visualization. This documentation is designed to give you everything you need to deploy and operate AccessWall effectively.
Need more help? Contact support@12port.com at any time.