PrivX Product Update
Learn about the details of the latest releases.
PrivX 31
2023-06-09
Table of contents
PrivX Authorizer CA key rotation
Using tags in connection history
This release is a maintenance release, focusing on improving the product quality and architecture. In addition to improving functionality and fixing bugs, we managed to include features for Certification Authority key rotation and adding tags to connection history as search criteria. Improvements and fixes are listed in the release notes.
PrivX Authorizer CA key rotation
Certain authentication methods such as certificate-based authentication require target-systems to be configured to trust PrivX as a Certification Authority (CA). For example, with Linux hosts, this may involve configuring Tectia or OpenSSH to trust the PrivX Certificate Authority.
PrivX Authorizer creates the ephemeral certificates needed to access SSH and RDP target hosts via certificate authentication. Each access group is associated with a distinct authorizer CA key and a certificate used during authentication to target hosts. The CA key and certificate must be renewed before the certificate expires, and company policy may also require them to be rotated at regular intervals.
The rotation process involves the following steps:
- Create a new CA key in Administration→Access Groups→CA Key Details by choosing Renew CA Key
- Update the CA public key or certificate on all target hosts belonging to that access group (more on this below)
- Select the new CA key as the Primary CA Key in the Access Groups view
- Remove the old CA key once it is no longer used by any hosts
Target hosts using stored credentials for authentication are unaffected by CA key rotation.
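The host-side part of the second and fourth steps above, for an OpenSSH target, as an added example that is not PrivX code: it edits the contents of an sshd TrustedUserCAKeys file (the directive name is OpenSSH's; the file contents and the two CA public keys are constructed stand-ins with the correct ssh-ed25519 encoding, not real PrivX keys) so that the host trusts both the old and the new CA during the transition and drops the old entry afterwards. Fingerprints are computed the way `ssh-keygen -lf` prints them, so the entry to remove can be identified by fingerprint rather than by pasting the whole key.

```python
"""Added example, not PrivX code: manages the contents of an OpenSSH
TrustedUserCAKeys file across a CA key rotation.  During the transition
the host trusts both the old and the new CA public key; once the new key
is primary and no certificates from the old CA remain in use, the old
entry is removed.  The CA keys below are constructed stand-ins."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def dummy_ed25519_pubkey(label: str) -> str:
    """Build a correctly encoded ssh-ed25519 public-key line around 32 bytes
    derived from the label (constructed for this example; not a usable key)."""
    key_bytes = hashlib.sha256(label.encode()).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {label}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_trusted_keys(contents: str) -> list:
    """Key lines from a TrustedUserCAKeys file, skipping blanks and comments."""
    lines = (ln.strip() for ln in contents.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def add_ca_key(contents: str, new_key: str) -> str:
    """Rotation step 2: trust the new CA alongside the old one.
    Idempotent: a key already present (by fingerprint) is not duplicated."""
    keys = parse_trusted_keys(contents)
    if fingerprint(new_key) not in {fingerprint(k) for k in keys}:
        keys.append(new_key)
    return "\n".join(keys) + "\n"


def remove_ca_key(contents: str, old_fingerprint: str) -> str:
    """Rotation step 4: drop the old CA once nothing uses it.
    Refuses to empty the file, which would lock out all certificate logins."""
    keys = [k for k in parse_trusted_keys(contents) if fingerprint(k) != old_fingerprint]
    if not keys:
        raise ValueError("refusing to remove the last trusted CA key")
    return "\n".join(keys) + "\n"


# Constructed sample: the host currently trusts only the old CA.
OLD_CA = dummy_ed25519_pubkey("privx-ca-old")
NEW_CA = dummy_ed25519_pubkey("privx-ca-new")
INITIAL_FILE = "# PrivX authorizer CA for access group 'prod'\n" + OLD_CA + "\n"


def rotate(initial: str, old_key: str, new_key: str):
    """Walk through the transition; returns (during, after) file contents."""
    during = add_ca_key(initial, new_key)                 # both CAs trusted
    after = remove_ca_key(during, fingerprint(old_key))   # only the new CA
    return during, after


if __name__ == "__main__":
    during, after = rotate(INITIAL_FILE, OLD_CA, NEW_CA)
    print("during rotation:", [fingerprint(k) for k in parse_trusted_keys(during)])
    print("after rotation: ", [fingerprint(k) for k in parse_trusted_keys(after)])
```

The same two-phase pattern applies to Tectia or any other host that trusts the PrivX CA: add the new key, switch the primary key in PrivX, confirm no active certificates were issued by the old CA, and only then remove it.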
Using tags in connection history
Keeping track of specific connections can be done by adding tags to connection information. Connections can be easily searched by using tags as search criteria.
For more details about the PrivX 31 release, read the full release notes.
PrivX 30
2023-07-03
Table of contents
Database access control
PrivX as OIDC Provider - Route https sessions through Carrier
Chromium as an alternative Carrier browser
This release includes functionality for Role-Based Access Control for Databases and improvements for using PrivX as an SSO solution (OIDC provider). In addition, features improving usability are also delivered.
Database access control
A long-awaited feature for controlling access to databases using native clients is finally available. Database connections made with native DB clients can now be controlled based on a user's role. Access control works for interactive and scripted m2m/a2a connections.
Connecting to the target database
PrivX DB access supports PostgreSQL and MySQL wire protocols. For these connections, PrivX manages target database credentials. Access control for other DB-protocols, like Oracle database, can be done via Passthrough modes (TLS or Passthrough). In this case, access to the target database is granted based on the PrivX user's roles, but PrivX does not manage target database credentials.
Connection flow:
- User opens an SSH tunnel to the PrivX SSH bastion and connects the DB client to the target database through the SSH tunnel via the DB-Proxy (the SSH tunnel provides secure communications for unencrypted database protocols)
- PrivX SSH bastion forwards DB connections to the DB-Proxy
- DB-Proxy grants/rejects connections based on the user's role
Monitoring and terminating connections
DB connection metadata is stored and displayed in the PrivX UI, including Audit Events. Connections can be terminated by an admin if/when needed. Recorded protocol streams can be downloaded from the PrivX UI in “hex” and “jsonl” format.
Summary of supported protocols
PrivX as OIDC Provider - Route https sessions through Carrier
PrivX can be used as a Single-Sign-On (SSO) solution for web applications, where it acts as an OIDC Provider. In other words, it can perform user authentication and issue tokens/claims for accessing applications supporting OIDC relying-party functionality. Users can access web applications by logging into PrivX. Application-specific login credentials are not needed. By default, only the authentication is done with PrivX; the connections themselves do not go through PrivX (so there is no session recording). From PrivX 30 onwards it is possible to route connections through the Carrier component, which makes it possible to record the sessions.
As a summary for Web access:
- Directly to Web applications using their own browser without PrivX. Users log in as themselves and take care of their personal credentials. Applicable for personal and work-related Web applications
- Using PrivX for SSO. Users log in as themselves. PrivX provides SSO authentication (OIDC). Web applications are configured to trust PrivX as Identity Provider. Actual https connections are not going through PrivX.
- PrivX provides SSO authentication (OIDC). Web applications are configured to trust PrivX as Identity Provider. Web applications are running in an isolated browser in PrivX Carrier. Actual https connection is going through PrivX. Sessions can be recorded.
- Existing OIDC solution can be used in conjunction and can provide SSO to PrivX (identity provider chain).
Chromium as an alternative Carrier browser
In PrivX 30, Chromium can be used as an alternative to Carrier Browser, supporting password injection through Chromium’s password manager.
For more details about the PrivX 30 release, read the full release notes.
This release includes a feature for enabling routing web connections through PrivX Extenders. In addition, features improving usability are also delivered.
Route web connections through Extenders
The basic use case for accessing web servers and routing traffic (HTTP/HTTPS/WS/WSS) via PrivX requires three components:
- PrivX core server
- PrivX Carrier
- PrivX Web Proxy
Previously the Carrier and Web Proxy components needed to be in the same network as the web servers and applications. In some environments this would have led to a situation where multiple Carrier and Web Proxy components needed to be deployed, raising infrastructure and maintenance costs.
Now Extender can be used to route web traffic to different networks. This allows using a single Carrier+Web Proxy setup to reach multiple VPN networks, reducing infrastructure costs and simplifying maintenance.
Easier configuration of disclaimers, headings, and watermarks
Configuring disclaimers, headings, and watermarks was done in JSON format. Now there is a better UI for doing it using text fields, checkboxes, etc.
PrivX login form is collapsible
When SSO functionality is taken into use, users do not need to enter their username and password to log into PrivX. Clicking the SSO button is enough. The login form can now be hidden by collapsing it. This helps users focus on the SSO button instead of entering credentials in the login form.
(Configuration through /opt/privx/etc/shared-config.toml)
“Secret” tab can be disabled
In some cases, there is no need to give users the possibility to manage user secrets. Access to that functionality can be disabled from PrivX settings.
(Configuration through /opt/privx/etc/shared-config.toml)
Admin tool
The admin tool is a command-line tool that can be accessed on the PrivX server. To use the tool, you must log in as root. The admin tool makes recovering from critical situations easier than before:
- Resetting password of local admin user (e.g., superuser)
- Resetting PrivX role context limitations
- If you lose admin access to PrivX due to misconfigured context limitations on critical roles
New keyboard layouts for PrivX web client connections
When making RDP, VNC or Https connections using the browser it is possible to change the keyboard layout through the connection settings. In addition to the existing layouts, Portuguese, Dutch and Romanian are now supported.
For more details about the PrivX 29 release, read the full release notes.
PrivX 28
2023-01-03
Table of contents
Audit-Event Indexing for Faster Searches
Supported Releases and Upgrade Path
This release is a maintenance release, focusing on improving product quality and architecture. In addition to improving old functionality and fixing bugs, we managed to include a feature for improving audit-event-search performance using a trigram index. Details of the improvements and fixes are listed in the release notes.
Audit-Event Indexing for Faster Searches
This feature improves search performance, especially in large environments where the number of daily connections is hundreds of thousands or more.
Supported Releases and Upgrade Path
After this release, we will produce security and stability fixes for PrivX 28.x, 27.x, and 26.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to version 28 is supported by three previous major versions (27.x, 26.x, 25.x). For more information about upgrading from older versions see the full release notes.
For more details about the PrivX 28 release, read the full release notes.
This release delivers a bunch of new features and enhances existing ones: Passwordless login to PrivX UI using Passkey, Custom headings/watermarks to distinguish sessions, live monitoring for RDP/Web/VNC connections, viewing active users in PrivX UI, additional settings for auditing (performance optimization) and SSO support for PrivX as an IDP (OIDC provider).
Passkeys login (passkey authentication)
Passkeys login (using WebAuthn authentication) allows users to log into PrivX using a passkey (such as a fingerprint, Face ID, PIN, or YubiKey).
Passkeys are a safer and easier replacement for passwords. A passkey can replace a password and a second factor in a single step. The user experience can be as simple as auto-filling a password form. Passkeys provide robust protection against phishing attacks, unlike SMS or app-based one-time passwords. Since passkeys are standardized, a single implementation enables a passwordless experience across different browsers and operating systems.
WebAuthn authentication is supported on browsers such as Chrome, Safari, and Edge. Firefox is only supported on Windows 10. Note that the available authentication methods depend on the user's hardware (such as having the appropriate biometric readers) and operating system.
The feature can be enabled from PrivX settings.
Color heading and watermark in connections
When making connections to multiple targets and simultaneously working in different types of environments, e.g. development, testing, and production, it is easy to lose track of which environment you are working in, and you might unintentionally make changes to the production environment instead of the test environment.
Enhanced real-time connection monitoring
For SSH connections, real-time monitoring was introduced in the previous release (PrivX 26). Real-time monitoring now also covers RDP, VNC, and Web connections.
Show active users
PrivX admin can see users who are currently logged into PrivX. This is handy, for example, in situations when doing an upgrade or restarting PrivX after configuration changes.
Admin view can list user-specific events and connections (ongoing/history) and can terminate the user session (kick out the user from PrivX).
Settings for performance optimizations
The new exclusion list setting allows filtering which audit events are written to the database; normally, audit events are transferred to external systems like SIEMs/log collectors anyway. This way it is possible to optimize database usage by excluding irrelevant events. This is especially beneficial when running many M2M connections.
Data collected by PrivX is stored in multiple places. In order to save storage space, it is possible to configure retention policies for:
- Audit events (database)
- Connections Metadata (database)
- Trails (file system)
For trails, it is now possible to separate settings for Trail expiration and Trail transferred files expiration.
Single sign-on support for OIDC (provider)
PrivX can be used as an OIDC Provider, in other words as an identity provider that performs user authentication and issues tokens/claims for accessing applications supporting OIDC relying-party functionality. Users can access web applications by logging into PrivX. Application-specific login credentials are not needed. Connections are not going through PrivX (no session recording).
Now PrivX users can authenticate to multiple websites, once they are logged into PrivX.
For more details about the PrivX 27 release, read the full release notes.
PrivX 26
2022-11-03
Table of contents
Post-Quantum Computing Algorithms
User and Entity Behavioral Analytics (UEBA)
Real-time SSH Connection Monitoring
PrivX as an OpenID Connect Provider
In this release, we are adding new features and improving existing ones. To highlight a few of them: More secure SSH connections with Post-Quantum Computing algorithms, automatic detection of anomalous connections (UEBA), live monitoring of SSH connections, and the possibility to use PrivX as an OIDC Provider.
Post-Quantum Computing Algorithms
Quantum computers already exist and their power is increasing. Soon, they will reach the point where classical cryptography is in danger.
With more sophisticated quantum computing technology, all data encrypted with classical encryption is vulnerable. Now is the time to start using Post-Quantum Computing algorithms. PrivX now supports new SSH KEX algorithms:
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512@openssh.com
New algorithms are used, for example, in connections from PrivX to OpenSSH and Tectia Servers.
User and Entity Behavioral Analytics (UEBA)
Using machine learning it is possible to automatically detect suspicious behavior and take necessary actions. In the case of PrivX, it is possible to automatically detect anomalous connections, e.g. when connections are made from unusual source addresses or when they are made at unusual times. Data collected by PrivX is used for training the UEBA to distinguish normal and anomalous connections. Results are based on customers' own data used in training. UEBA focuses initially on connection metadata, enabling alerting/blocking anomalous connections.
High-level steps for UEBA setup involve:
- UEBA-server setup.
- Training UEBA to distinguish normal/anomalous connections.
- Configuring anomaly thresholds and behavior.
Real-time SSH Connection Monitoring
Sometimes it is mandatory to observe in real time what is being done. Now it is possible to start live connection monitoring, for example when third parties are making changes to critical systems, when privacy-related files are handled, or when a connection needs to be shared in training situations.
PrivX as an OpenID Connect Provider
OpenID Connect is the de-facto standard for handling authentication in the modern world. The OIDC Provider performs user authentication, user consent, and token issuance. The client or service requesting a user’s identity is normally called the Relying Party (RP).
PrivX 2.4 (2018) introduced the Relying Party functionality, meaning that it has been possible to log into PrivX using a single-sign-on (SSO) solution which supported OpenID Connect Provider functionality. Such solutions are provided by e.g. Okta, Google, Sailpoint, Forgerock, etc.
Now, PrivX can also work as an OIDC Provider. In other words, it can perform user authentication and issue tokens/claims for accessing applications supporting OIDC-relying party functionality. Users can access web applications by logging into PrivX. Application-specific login credentials are not needed. Connections are not going through PrivX (no session recording).
In addition to the features described above:
- Additional container support for Web carrier: Firefox, Firefox Lite, Chromium Lite
- Hostname as a parameter to password-rotation scripts
- Utility for cleaning up old daily backups
We also made a bunch of improvements and bug fixes.
For more details about the PrivX 26 release, read the full release notes.
This release is mainly a housekeeping release, focusing on improving product quality and architecture. In addition to improving old functionality and fixing bugs, we included a feature for restricting the commands used in SSH sessions.
In general, when providing access to target systems whether they are servers, applications, etc., you should:
- Make sure that only the right persons have access to the right resources (this applies to non-human users as well)
- Make sure that they have the right level of access rights (Just-Enough-Access, JEA)
- Make sure that they have access only when it is needed (Just-In-Time, JIT)
- Automate processes to avoid human errors
By default, PrivX has been designed for this. When it comes to accessing critical systems it is important to control what users can do on target systems. The recommended way to control what users are allowed to execute on target hosts is to implement proper access control and separation of duties using target system user accounts, groups, file system permissions, and sudoer configurations.
However, sometimes re-configuring the target server is not possible or - due to the temporary nature of the need for access - it is not feasible. In such cases, the SSH command restrictions feature can be used to restrict the commands a user is allowed to execute when connecting to the target host through PrivX. The feature can also be used when the execution of commands should not be restricted, but certain commands should trigger alerts. This can be achieved by forwarding audit events to an external SIEM system. Command restriction is done through white lists. When SSH command restrictions are set, users may only perform whitelisted commands.
Restricting SSH commands might sound like a simple task to do, but because of the nature of SSH connections, it is actually quite difficult. It is impossible to reliably distinguish shell commands from program input/output by only inspecting SSH connection (stdin/stdout/stderr streams). One way to do the command restriction/filtering is to use agent software on target systems. The agent could control what commands the shell can execute and what files it could open. The downside is that this requires target server reconfiguration and target server OS/CPU architecture-specific agent binary to be developed, installed, and maintained.
We wanted to avoid this kind of configuration and maintenance burden on target systems. We have found a way to do the command restrictions at the gateway level in a secure way (agentless) and have applied for a patent for the solution.
For more details about the PrivX 25 release, read the full release notes.
In this release we have improved PrivX functionality in multiple areas:
- Real-Time Auditing SSH Connections
- Login to PrivX with a JWT token from a trusted token provider
- Displays certificates configured in PrivX
- Import filter for SCIM directory
- ICAP antivirus checks for file transfers using SFTP
In some situations, it is important to get real-time visibility of the content inside the SSH connections. PrivX can be configured so that it will send SSH events to the audit log. Supported SSH event types to audit are stdin, stdout, stderr, channel_request, and global_request. Output can be then integrated into the SIEM system for automatic event handling.
Users, whether they are human or non-human, can log into PrivX using multiple authentication methods (LDAP, Azure AD, OIDC, Public-Key, Client-Certificate, etc.).
In addition to the existing methods, it is possible to use an external identity provider: a trusted external JWT token issued by that provider is exchanged for a PrivX access token.
This can be used especially in machine-to-machine connections.
Certificates have different life cycles, and it is important to renew the needed certificates before they expire. Now it is possible to display the certificates used by PrivX directly in the UI. This helps the admin identify certificates that have expired or will expire soon.
System for Cross-domain Identity Management (SCIM) is a protocol for automating the exchange of user information between identity domains and IT systems. In addition to user data, it can also be used to import host data to PrivX. For cloud provider hosts, the existing PrivX cloud provider-specific directory types are sufficient, but for on-prem hosts, using SCIM to import the data would be one option. Support for SCIM was introduced already in 2021.
Now this feature is enhanced with the possibility to narrow down the number of users to be imported. This is done using a filtering attribute in directory settings.
Already in PrivX 22, we introduced a possibility to send files to an external system to be scanned e.g. for malware. Based on the results PrivX either sends files to the target or blocks them. In PrivX 24, we added support for native SSH connections.
Introduction
The main feature of this release is Password Rotation. This helps companies in their journey towards passwordless privileged access management. In addition to that, we have improved some of our existing features:
- Network Target Access was introduced in PrivX 22. Now it is also possible to establish network target sessions to the non-routable targets behind Extenders.
- File scanning with external systems using ICAP can be now done for SSH proxy and native SCP.
- Support for Microsoft Graph as a user directory has been added in this release.
- Additional operating systems supported for host-deployment scripts.
- UI improvements on the PrivX status page.
With PrivX, we have been always promoting certificate-based authentication when providing access to critical resources (see the whitepaper – From permanent credentials to ephemeral certificates).
We want to help companies on their journey to move gradually to passwordless and keyless environments. We also understand there will be always systems where certificate-based authentication cannot be applied, and the security policies require password rotation. We have now introduced the password rotation feature for Linux and Windows accounts. Functionality is built based on password rotation requirements of large banking environments.
PrivX will automatically rotate passwords:
- Assign a new password to target accounts according to your password rotation policy.
- Automatically store and update the new password to the PrivX vault.
Password rotation policies define:
- How often passwords are rotated.
- The strength of automatically generated passwords.
- Fall-back behavior in case of failures in automation.
Password rotation scripts are Shell scripts, which PrivX runs to rotate passwords on target accounts. In addition to predefined scripts, it is possible to create custom scripts.
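The policy elements listed above (rotation interval, strength of generated passwords, fall-back on failure) as an added illustration in Python, not PrivX code: PrivX itself runs shell scripts against the target, so the `set_password_on_target` callable here is an assumed stand-in for such a script, the `RotationPolicy` and `VaultEntry` fields are assumptions about what a policy and a vault record hold, and the accounts and dates are constructed. The point it shows is the ordering a safe rotation needs: the vault is updated only after the target has accepted the new password, and repeated failures stop the automation rather than looping.

```python
"""Added example, not PrivX code: models rotation policy (interval,
generated-password strength, fall-back on failure) so the control flow
of an automated rotation is visible.  The set_password_on_target callable
stands in for a rotation script; accounts and dates are constructed."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RotationPolicy:
    interval_days: int = 30                     # how often passwords are rotated
    length: int = 24                            # strength of generated passwords ...
    require_classes: tuple = ("lower", "upper", "digit", "symbol")   # ... and composition
    max_attempts: int = 3                       # fall-back: stop retrying after this many failures


CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{}:,.?",
}


def meets_policy(password, policy):
    return len(password) >= policy.length and all(
        any(ch in CHARACTER_CLASSES[c] for ch in password) for c in policy.require_classes)


def generate_password(policy):
    """CSPRNG-generated password, resampled until every required class is present."""
    alphabet = "".join(CHARACTER_CLASSES[c] for c in policy.require_classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if meets_policy(candidate, policy):
            return candidate


@dataclass
class VaultEntry:
    account: str
    password: str           # the credential the vault currently holds
    last_rotated: datetime
    failures: int = 0       # consecutive failed rotation attempts


def rotation_due(entry, policy, now):
    return now - entry.last_rotated >= timedelta(days=policy.interval_days)


def rotate(entry, policy, set_password_on_target, now):
    """One rotation cycle.  The vault is updated only after the target confirms
    the change, so a failed script never leaves the vault holding a password
    the target does not know; failures count toward the fall-back limit."""
    if not rotation_due(entry, policy, now):
        return "not-due"
    if entry.failures >= policy.max_attempts:
        return "needs-manual-intervention"     # fall-back: stop automation, alert an admin
    candidate = generate_password(policy)
    try:
        set_password_on_target(entry.account, candidate)
    except Exception:
        entry.failures += 1
        return "failed"
    entry.password = candidate
    entry.last_rotated = now
    entry.failures = 0
    return "rotated"


# Constructed fixtures so the flow can be exercised offline.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)


def sample_entry(account, days_since_rotation):
    return VaultEntry(account, "Old-Password-Placeholder-1!", NOW - timedelta(days=days_since_rotation))


def unreachable_target(account, password):
    """Stand-in for a rotation script whose target cannot be reached."""
    raise RuntimeError(f"{account}: target unreachable")


def recording_target():
    """Stand-in for a rotation script that succeeds; returns (log, callable)."""
    log = []
    return log, lambda account, password: log.append((account, password))
```

A real script would also verify the new password by logging in with it before reporting success; the `failed` path here is where the page's "fall-back behavior in case of failures in automation" policy item takes effect.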
Now it is also possible to establish network target sessions to the non-routable targets behind Extenders.
Scanning files during RDP and Web file transfers was introduced in PrivX 22. Now it is also possible on SSH proxy (browser) and native SCP file transfers.
Azure AD Graph is on a deprecation path and is being replaced by Microsoft Graph by the end of 2022. PrivX will support both directory types to help to get through the transition.
PrivX provides a host deployment script. It is a Python script that can be executed on target hosts to automatically set up certificate authentication.
Supported operating systems:
- Amazon Linux, CentOS, Fedora, Debian, OpenSUSE, Red Hat, Rocky Linux, Ubuntu
- New: Arch Linux, FreeBSD, Gentoo Linux, MacOS
The status page shows the health status of PrivX components and other details about them. It shows whether PrivX is running normally and displays indicators when a component is in an abnormal state.
The components are:
- PrivX node or all nodes in a HA cluster
- All PrivX microservices
- Optional components
- Carrier, Web Proxy, and Extender
For more details about the PrivX 23 release, read the full release notes.
In this release, we have been focusing on delivering features that are mainly designed for OT environments but are of course usable in IT environments as well. Highlighted features and improvements of this release are described below.
Before going into the details of this feature, it is important to understand that OT environments can be somewhat different from IT environments. Networks can be built on modern technology, but quite often there are also legacy elements in the picture. Targets vary from traditional servers to control logics, HMIs, SCADA servers, or remote control software used in factories, paper mills, cranes, ships, etc.
Managing access to this kind of hybrid environment can be challenging. Applications can use vendor-specific protocols and might not have the needed security controls built in, so providing access at the right granularity can be complex and time-consuming and can lead to human errors.
How do you make sure that the right persons have access to the right resources at the right level at the right time? Downtime and disruptions are the biggest fears from the business point of view. Increasing productivity and cutting down costs also play a big role. Providing access with the right authorizations is important for employees, but especially for external users like 3rd party vendors (e.g. maintenance engineers, software admins). Granting access to needed resources should happen fast but in a secure manner.
Managing access to traditional resources (like servers, applications, and network devices) using protocols like SSH, RDP, HTTPS, or VNC has been the core of PrivX. For these connections, PrivX provides Role-Based Access Control (RBAC) with Session Recording and Audit events. The built-in Workflow/approval process helps in managing and automating the authorizations Just-in-Time.
When there is a need to use specific client applications which do not support the above-mentioned protocols, things get trickier. One solution is to run the application on a server (jump host/VDI) and use PrivX to manage access to the server running that client application (using e.g. SSH or RDP). This way the role-based access control still happens through PrivX and you have session recording and audit events available. This method can be used for example for DB tools, service and maintenance software, control logics, etc.
Sometimes even this is not enough: the client software (using a proprietary protocol) must run on the client machine (PC), e.g. SIMATIC for controlling PLCs. Normally access control is then done with VPN/firewall solutions. This does not provide the needed granularity and is quite often complex to manage (configure/maintain).
PrivX 22 enhances the existing access management capabilities with the possibility to control access to targets on the network level. This will bring the needed additional granularity from the security point of view. Role-based access control makes it easy to manage. Network target is a service, system, or subnet which is accessed using arbitrary TCP/IP protocols.
PrivX 22 introduces a new PrivX Router component. It is controlled by PrivX and provides the Role-based Access Control to specific IP or IP range even on port or port range level. It is also possible to limit the used protocol to TCP or UDP. This brings a Zero Trust access control mechanism to your existing legacy network environment.
As an extension to the existing VPN/firewall solution, PrivX controls access based on the user's roles and the user's location within the network by configuring external router/firewall components to allow/deny access (layer 3/4). In addition to the VPN connection, users establish network access sessions to specific network targets through PrivX.
- Users can easily select the available network targets from the PrivX UI. Available targets are visible based on the user’s current role.
- As an example, a user can make a connection to a specific IP/port only if a specific VPN connection exists and the user has a valid role to make the network target connection.
- The user can request a needed role with a built-in workflow and approval process.
- Admins can inspect users' sessions via audit events and terminate access sessions when necessary.
- Audit events are generated when network access sessions are opened and closed, and when changes are made to the network target configuration.
- Each network access session is also stored as a connection to the connection manager. This allows admins to inspect detailed metadata of ongoing and past network access sessions, and to request ongoing network access sessions to be terminated.
Network targets are configured in PrivX UI by defining:
- Roles that can access the network targets
- User instructions displayed to the end user when the network access session is opened
- Destination IP address range (IPv4/IPv6)
- Destination port range (optional)
- Traffic selectors for allowed TCP/IP traffic (optional)
- DNAT parameters (optional)
- Source NAT can be enabled/disabled per network target
- Exclusivity, meaning that users cannot open concurrent sessions to this network target
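The evaluation a layer-3/4 role-based rule set like the one above implies, as an added example in Python that is not PrivX Router code: network targets are defined with a destination range (IPv4 or IPv6), an optional port range, a traffic selector, optional DNAT parameters and an exclusivity flag, and a request is matched against them by role. The target names, roles, addresses and session table are constructed; how PrivX Router evaluates its own configuration is not shown here.

```python
"""Added example, not PrivX code: a minimal evaluator for the layer-3/4
role-based rules a network target defines (destination range, port range,
traffic selector, DNAT, exclusivity).  Targets, roles and addresses are
constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetworkTarget:
    name: str
    roles: frozenset                        # roles that may open a session
    destination: str                        # IPv4 or IPv6 range in CIDR notation
    ports: Optional[tuple] = None           # (low, high) inclusive; None = any port
    protocols: frozenset = frozenset({"tcp", "udp"})   # traffic selector
    dnat: Optional[tuple] = None            # (address, port) the destination is rewritten to
    exclusive: bool = False                 # no concurrent sessions to this target


# Constructed sample configuration.
TARGETS = [
    NetworkTarget("plc-line-1", frozenset({"plc-maintainer"}), "10.10.1.0/24",
                  ports=(102, 102), protocols=frozenset({"tcp"}), exclusive=True),
    NetworkTarget("scada-historian", frozenset({"scada-operator", "plc-maintainer"}),
                  "10.20.0.0/16", ports=(1433, 1434)),
    NetworkTarget("legacy-hmi", frozenset({"vendor-x"}), "2001:db8:7::/64",
                  dnat=("2001:db8:7::10", 5900)),
]


def covers(target, dst_ip, dst_port, protocol):
    """True when the destination and protocol fall inside the target's
    address range, port range and traffic selector."""
    try:
        addr = ipaddress.ip_address(dst_ip)
        net = ipaddress.ip_network(target.destination, strict=False)
    except ValueError:
        return False                      # unparsable input never matches
    if addr not in net:                   # also False when IPv4/IPv6 families differ
        return False
    if target.ports is not None and not target.ports[0] <= dst_port <= target.ports[1]:
        return False
    return protocol.lower() in target.protocols


def authorize(targets, user_roles, dst_ip, dst_port, protocol, active_sessions):
    """Decide whether a session may be opened.  Returns (decision, target, detail):
    detail is the effective (address, port) on allow, or the reason on deny.
    active_sessions maps target name -> set of users with an open session."""
    candidates = [t for t in targets if covers(t, dst_ip, dst_port, protocol)]
    if not candidates:
        return "deny", None, "no network target covers this destination"
    permitted = [t for t in candidates if t.roles & frozenset(user_roles)]
    if not permitted:
        return "deny", candidates[0].name, "user has no role for this target"
    for t in permitted:
        if t.exclusive and active_sessions.get(t.name):
            continue                      # someone else holds the exclusive target
        return "allow", t.name, t.dnat or (dst_ip, dst_port)
    return "deny", permitted[0].name, "exclusive target already in use"


def open_session(user, user_roles, dst_ip, dst_port, protocol, active_sessions):
    """Authorize and, on allow, record the session so exclusivity is enforced."""
    decision, target, detail = authorize(TARGETS, user_roles, dst_ip, dst_port,
                                         protocol, active_sessions)
    if decision == "allow":
        active_sessions.setdefault(target, set()).add(user)
    return decision, target, detail
```

Default-deny falls out of the structure: a destination no target covers, a missing role, a port outside the range, a protocol the selector excludes, or a held exclusive target all yield a deny with a reason that can be written to the audit event the page says is generated when sessions are opened.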
We recommend tunneling the VNC connections over SSH. In some cases, the destination cannot run the SSH server and plain text VNC is the only option. Now it is possible to configure PrivX to allow plain text VNC connections. We recommend making sure that the network between PrivX and target hosts is secured by other means if you allow this type of access. This feature is disabled by default.
Malware can spread through file transfers. When ICAP is enabled for RDP connections, all users' file uploads and downloads are scanned. Uploaded files are scanned before they are sent to target hosts; downloads are scanned before they travel from the shared directory to the users' machines. Files that do not comply with corporate policy are blocked.
The current version of PrivX supports file scanning for RDP and HTTPS access via the PrivX GUI. Other protocols (native RDP and SSH) will be coming later.
When creating a workflow:
- Approvers can revoke the approved roles within the same role request
- Workflow can limit the type of allowed membership
- Workflow can limit the membership durations that are available for users to request
When requesting a role:
- Only eligible roles are listed to users
- List views in PrivX UI show the size of the list
- Display host tags in available Connections
- PrivX UI shows details of the status of Extender/Carrier/Web Proxy
For more details about the PrivX 22 release, read the full release notes.
Important features of earlier versions of PrivX
PrivX 21.0
- User specific password manager
- File Transfers in Web Target Connections
PrivX 20.0
- Modern Kubernetes Container Deployment
- Native clients' OIDC login
- Zero Trust Application launcher
PrivX 19.0
- SSH login with X.509 certificate
PrivX 18.0
- SOCKS and Http Proxy Support for SSH Bastion
- Remote desktop access to host via VNC
- GitLab and GitHub Enterprise
PrivX 17.0
- Simplified SSH Certificate Login, immutable configuration
PrivX 16.0
- SSH private key import for roles
- Public key authentication to SSH bastion
- Auditor access to connection
PrivX 15.0
- API clients use RBAC
PrivX 14.0
- Access groups (light multi-tenancy)
- Secret data vault
PrivX 13.0
- Role Specific Contextual Restrictions
PrivX 12.0
- Client-certificate authentication into PrivX