Platform · Enforcement Layer
Enforce privileged access. Eliminate PAM bypass.
AccessWall is a PAM-native enforcement layer that automatically restricts inbound administrative connections — SSH, RDP, WinRM — so they only come from the 12Port platform or explicitly approved trusted systems. Every other path to the asset is closed at the host level.
Enforcement Mechanism
How AccessWall Closes Every PAM Bypass Path
PAM tools that protect credentials still leave a gap: nothing physically prevents a user or attacker from connecting around them. AccessWall enforces, at the host level, that every administrative connection comes through PAM.
01. Direct admin logins blocked
Inbound SSH, RDP, and WinRM are restricted at the operating system firewall to the 12Port platform and approved trusted systems only.
02. Stolen credentials neutralized
Even with valid or stolen credentials or keys, an attacker cannot connect directly. The host itself rejects any path that doesn’t come through 12Port.
03. Insider bypass eliminated
Operators with legitimate credentials cannot circumvent PAM by SSH-ing directly to a server. Every privileged session is forced through audit.
04. Reset-window exposure closed
Brief access windows that open during credential resets are eliminated. Host-level enforcement is independent of credential state.
05. Trusted host allowance
Jump servers, IT-management nodes, and approved trusted systems retain access. AccessWall enforces a strict allowlist, not a hard block.
06. Tag once, enforce everywhere
Apply one tag and AccessWall publishes the firewall rules. No manual firewall configuration, no per-asset scripts, no ongoing maintenance.
Built-in Audit
Every Connection Authenticated, Monitored, and Audited
AccessWall doesn’t just enforce — it produces the evidence auditors need. Every privileged session routed through 12Port is captured end-to-end, with the firewall rules and tag history that prove enforcement is in place.
Firewall Rule Audit
Every published firewall rule is logged with the source IP allowlist, timestamp, and asset version. Naming follows the ZTNA Access Wall convention: ZTNA-RULE-ZT-{ID}.
Brokered Sessions Only
Allowed sessions land in 12Port and are recorded, transcribed, and indexed. Denied attempts (direct connections from outside the allowlist) are captured by the host firewall log for forensics.
Asset Tag History
The [Application :: Access Wall] tag is versioned per major asset version, giving auditors a continuous timeline of which assets were under enforcement and when.
Jobs Report
Enable, disable, and rule-publish operations are tracked as system jobs with status, asset, operator, and result. One report shows enforcement coverage at any point in time.
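An independent way to check the host-level allowlist described above, added here as an example and not AccessWall or 12Port code. It assumes a Linux host whose rules are exported in iptables-save format; the sample ruleset, the addresses, and the function names are constructed for illustration, and only rules that name an admin port explicitly are evaluated.

```python
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM over HTTP and HTTPS
# Constructed sample: iptables-save output from a hypothetical host.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.20.0.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.50.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 10.20.0.10/32 -p tcp -m multiport --dports 5985,5986 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT"""
ALLOWLIST = ["10.20.0.10/32", "10.20.1.0/24"]  # constructed: PAM node, jump hosts

def _ports(tokens):
    """Destination ports a rule names (handles lists and lo:hi ranges)."""
    ports = set()
    for flag in ("--dport", "--dports"):
        if flag in tokens:
            for part in tokens[tokens.index(flag) + 1].split(","):
                lo, _, hi = part.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_admin_exposure(rules_text, allowlist):
    """Walk INPUT rules in order; report admin ports reachable off-allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    policy_drop, closed, findings = False, set(), []
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:1] == [":INPUT"]:
            policy_drop = tokens[1] == "DROP"
        if tokens[:2] != ["-A", "INPUT"] or "-j" not in tokens:
            continue
        target = tokens[tokens.index("-j") + 1]
        src = (ipaddress.ip_network(tokens[tokens.index("-s") + 1], strict=False)
               if "-s" in tokens else None)
        for port in sorted((_ports(tokens) & ADMIN_PORTS) - closed):
            if target in ("DROP", "REJECT") and src is None:
                closed.add(port)  # first match wins: later rules never fire
            elif target == "ACCEPT" and src is None:
                findings.append((port, "any", "ACCEPT with no source restriction"))
                closed.add(port)
            elif target == "ACCEPT" and not any(
                    a.version == src.version and src.subnet_of(a) for a in allowed):
                findings.append((port, str(src), "source not on allowlist"))
    if not policy_drop:  # ports left open once the allowlist rules are exhausted
        for port in sorted(ADMIN_PORTS - closed):
            findings.append((port, "any", "no default drop after allowlist rules"))
    return findings
```

An empty result means every rule naming an admin port either admits an allowlisted source or drops the traffic; each finding is a (port, source, reason) tuple to compare against the published rule log.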
Platform Coverage
Enforced for Every Privileged Identity
AccessWall protects assets regardless of who’s trying to reach them. Same enforcement, same audit trail, whether the request comes from a human, a machine, or an AI agent.
Human users
Admins, operators, and contractors all reach assets through the brokered PAM session. Direct logins are rejected by the host.
Machine identities
Service accounts, automation pipelines, and scheduled jobs are routed through PAM with rotated credentials. No standing service-account access.
AI agents
MCP-mediated AI agents request scoped access through PAM with the same enforcement and audit trail as human users.
Developer JIT
Just-in-time access to production systems issued through PAM. AccessWall ensures the JIT grant is the only path to the host.
Supported Platforms
Built-in Firewall Enforcement on Every Major OS
AccessWall uses native operating system firewall controls — no third-party agents, no kernel modules. Same enforcement model across the OS mix your enterprise actually runs.