PrivX Product Update

This release is a maintenance release, focusing on improving product quality and architecture. In addition to improving old functionality and fixing bugs, we managed to include a feature for improving audit-event-search performance using a trigram index. Details of the improvements and fixes are listed in the release notes.

Audit-Event Indexing for Faster Searches

This feature improves search performance, especially in large environments where the number of daily connections is hundreds of thousands or more.

Supported Releases and Upgrade Path

After this release, we will produce security and stability fixes for PrivX 28.x, 27.x, and 26.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to version 28 is supported by three previous major versions (27.x, 26.x, 25.x). For more information about upgrading from older versions see the full release notes.

For more details about the PrivX 28 release, read the full release notes.

This release delivers a bunch of new features and enhances existing ones: Passwordless login to PrivX UI using Passkey, Custom headings/watermarks to distinguish sessions, live monitoring for RDP/Web/VNC connections, viewing active users in PrivX UI, additional settings for auditing (performance optimization) and SSO support for PrivX as an IDP (OIDC provider).

Passkeys login (passkey authentication)

Passkeys login (using WebAuthn authentication) allows users to log into PrivX using a passkey (such as a fingerprint, Face ID, PIN, or YubiKey).

Passkeys are a safer and easier replacement for passwords. A passkey can replace a password and a second factor in a single step. The user experience can be as simple as auto-filling a password form. Passkeys provide robust protection against phishing attacks, unlike SMS or app-based one-time passwords. Since passkeys are standardized, a single implementation enables a passwordless experience across different browsers and operating systems.

WebAuthn authentication is supported on browsers such as Chrome, Safari, and Edge. Firefox is only supported on Windows 10. Note that the available authentication methods depend on the user's hardware (such as having the appropriate biometric readers) and operating system.

The feature can be enabled from PrivX settings.

Color heading and watermark in connections

When making connections to multiple targets and simultaneously working in different types of environments, e.g. development, testing, and production, it might be possible to lose traction in which environment you're working. Unintentionally you might make changes to the production environment instead of the test environment.

Enhanced real-time connection monitoring

For SSH connections, real-time monitoring was introduced in the previous release (PrivX 26). Now the real-time monitoring covers also RDP, VNC, and Web connections.

Show active users

PrivX admin can see users who are currently logged into PrivX. This is handy, for example, in situations when doing an upgrade or restarting PrivX after configuration changes.

Admin view can list user-specific events and connections (ongoing/history) and can terminate the user session (kick out the user from PrivX).

Settings for performance optimizations

The new exclusion list setting allows filtering audit events that are written to a database; normally, audit events are transferred to external systems like SIEMs/log collectors anyway. This way it is possible to optimize the database usage by excluding irrelevant ones. That's beneficial especially when running many M2M connections.

Data collected by PrivX is stored in multiple places. In order to save storage space, it is possible to configure retention policies for:

• Audit events (database)
• Connections Metadata (database)
• Trails (file system)

For trails, it is now possible to separate settings for Trail expiration and Trail transferred files expiration.

Single sign-on support for OIDC (provider)

When PrivX is used as OIDC Provider - in other words, using PrivX as an identity provider to perform user authentication and issue tokens/claims for accessing applications supporting OIDC-relying party functionality. Users can access web applications by logging into PrivX. Application-specific login credentials are not needed. Connections are not going through PrivX (no session recording).

Now PrivX users can authenticate to multiple websites, once they are logged into PrivX.

For more details about the PrivX 27 release, read the full release notes.

In this release, we are adding new features and improving existing ones. To highlight a few of them: More secure SSH connections with Post-Quantum Computing algorithms, automatic detection of anomalous connections (UEBA), live monitoring of SSH connections, and the possibility to use PrivX as an OIDC Provider.

Post-Quantum Computing Algorithms

Quantum computers already exist and their power is increasing. Soon, they will reach the point where classical cryptography is in danger.

With more sophisticated quantum computing technology, all data encrypted with classic encryption is vulnerable. Now is the time to start using Post-Quantum Computing algorithms. PrivX now supports new SSH KEX algorithms:

• ​​​​​​​ecdh-nistp521-kyber1024-sha512@ssh.com
• curve25519-frodokem1344-sha512@ssh.com
• sntrup761x25519-sha512@openssh.com

New algorithms are used, for example, in connections from PrivX to OpenSSH and Tectia Servers.

User and Entity Behavioral Analytics (UEBA)

Using machine learning it is possible to automatically detect suspicious behavior and take necessary actions. In the case of PrivX, it is possible to automatically detect anomalous connections, e.g. when connections are made from unusual source addresses or when they are made at unusual times. Data collected by PrivX is used for training the UEBA to distinguish normal and anomalous connections. Results are based on customers' own data used in training. UEBA focuses initially on connection metadata, enabling alerting/blocking anomalous connections.

​​​​​​​High-level steps for UEBA setup involve:

1. UEBA-server setup.
2. Training UEBA to distinguish normal/anomalous connections.
3. Configuring anomaly thresholds and behavior.

Real-time SSH Connection Monitoring

Sometimes it is mandatory to survey what is being done in real-time. Now it is possible to start live connection monitoring, for example, when third parties are making changes to critical systems, handling privacy-related files, a connection needs to be shared in training situations, etc.

PrivX as an OpenID Connect Provider

OpenID Connect is the de-facto standard for handling authentication in the modern world. The OIDC Provider performs user authentication, user consent, and token issuance. The client or service requesting a user’s identity is normally called the Relying Party (RP).

PrivX 2.4 (2018) introduced the Relying Party functionality, meaning that it has been possible to log into PrivX using a single-sign-on (SSO) solution which supported OpenID Connect Provider functionality. Such solutions are provided by e.g. Okta, Google, Sailpoint, Forgerock, etc.

Now, PrivX can also work as an OIDC Provider. In other words, it can perform user authentication and issue tokens/claims for accessing applications supporting OIDC-relying party functionality. Users can access web applications by logging into PrivX. Application-specific login credentials are not needed. Connections are not going through PrivX (no session recording).

In addition to the features described above:

• Additional container support for Web carrier: Firefox, Firefox Lite, Chromium Lite
• Hostname as a parameter to password-rotation scripts
• Utility for cleaning up old daily backups
  
  

We also made a bunch of improvements and bug fixes.

For more details about the PrivX 26 release, read the full release notes.

This release is mainly a housekeeping release, focusing on improving product quality and architecture. In addition to improving old functionality and fixing bugs, we included a feature for restricting the commands used in SSH sessions.

In general, when providing access to target systems whether they are servers, applications, etc., you should:

• Make sure that only the right persons have access to the right resources (this applies to non-human users as well)
• Make sure that they have the right level of access rights (Just-Enough-Access, JEA)
• Make sure that they have access only when it is needed (Just-In-Time, JIT)
• Automate processes to avoid human errors

By default, PrivX has been designed for this. When it comes to accessing critical systems it is important to control what users can do on target systems. The recommended way to control what users are allowed to execute on target hosts is to implement proper access control and separation of duties using target system user accounts, groups, file system permissions, and sudoer configurations.

​​​​​​​However, sometimes re-configuring the target server is not possible or - due to the temporary nature of the need for access - it is not feasible. In such cases, the SSH command restrictions feature can be used to restrict the commands a user is allowed to execute when connecting to the target host through PrivX. The feature can also be used when the execution of commands should not be restricted, but certain commands should trigger alerts. This can be achieved by forwarding audit events to an external SIEM system. Command restriction is done through white lists. When SSH command restrictions are set, users may only perform whitelisted commands.

Restricting SSH commands might sound like a simple task to do, but because of the nature of SSH connections, it is actually quite difficult. It is impossible to reliably distinguish shell commands from program input/output by only inspecting SSH connection (stdin/stdout/stderr streams). One way to do the command restriction/filtering is to use agent software on target systems. The agent could control what commands the shell can execute and what files it could open. The downside is that this requires target server reconfiguration and target server OS/CPU architecture-specific agent binary to be developed, installed, and maintained.

We wanted to avoid this kind of configuration and maintenance burden on target systems. We have found a way to do the command restrictions on the gateway level in a secure way (agentless) and applied a patent for the solution.

For more details about the PrivX 25 release, read the full release notes.

In this release we have improved PrivX functionality in multiple areas:

• Real-Time Auditing SSH Connections
• Login to PrivX with a JWT token from a trusted token provider
• Displays certificates configured in PrivX
• Import filter for SCIM directory
• ICAP antivirus checks for file transfers using SFTP

In some situations, it is important to get real-time visibility of the content inside the SSH connections. PrivX can be configured so that it will send SSH events to the audit log. Supported SSH event types to audit are stdin, stdout, stderr, channel_request, and global_request. Output can be then integrated into the SIEM system for automatic event handling. 

Users, whether they are human or non-human, can log into PrivX using multiple authentication methods (LDAP, Azure AD, OIDC, Public-Key, Client-Certificate, etc.).

In addition to the existing methods, it is possible to use an external identity provider to issue and exchange a PrivX access token with a trusted external JWT token.

This can be used especially in machine-to-machine connections.

Certificates have different life cycles, and it is important to renew the needed certificates before they expire. Now it is possible to display Certificates used by PrivX directly from the UI. This helps the admin to identify the certificates which are expired or to be expired soon.

Introduction

The main feature of this release is Password Rotation. This helps companies in their journey towards passwordless privileged access management. In addition to that, we have improved some of our existing features:

• Network Target Access was introduced in PrivX 22. Now it is also possible to establish network target sessions to the non-routable targets behind Extenders.
• File scanning with external systems using ICAP can be now done for SSH proxy and native SCP.
• Support for Microsoft Graph as a user directory has been added in this release.
• Additional operating systems supported for host-deployment scripts.
• UI improvements on the PrivX status page.

With PrivX, we have been always promoting certificate-based authentication when providing access to critical resources (see the whitepaper – From permanent credentials to ephemeral certificates).

We want to help companies on their journey to move gradually to passwordless and keyless environments. We also understand there will be always systems where certificate-based authentication cannot be applied, and the security policies require password rotation. We have now introduced the password rotation feature for Linux and Windows accounts. Functionality is built based on password rotation requirements of large banking environments.​​​​​​​

PrivX will automatically rotate passwords:

• Assign a new password to target accounts according to your password rotation policy.
• Automatically store and update the new password to the PrivX vault.

Password rotation policies define:

• How often passwords are rotated.
• The strength of automatically generated passwords.
• Fall-back behavior in case of failures in automation.

Password rotation scripts are Shell scripts, which PrivX runs to rotate passwords on target accounts. In addition to predefined scripts, it is possible to create custom scripts.

For more details about the PrivX 22 release, read the full release notes.