Guacamole

PrivX and Apache Guacamole have both been designed to overcome similar hurdles; however, the full extent of their functionality, architecture and security implementation differs greatly. By analogy with two vehicles that get you from A to B, both allow you to arrive at your destination, but the ride, comfort and manner in which you arrive can be entirely different. Equally in this case, the ease of use in multifaceted hybrid environments, added security mechanisms, increased functionality, enterprise-level improvements and support of PrivX make it the preferred choice for those who want to focus on achieving their business goals rather than building out what is fundamentally a basic tool that requires time and effort to develop and maintain.

Although PrivX makes some use of Guacamole (~10%), predominantly for the rendering of web-based RDP sessions (with many improvements over the basic functionality provided by Guacamole), the majority of its capabilities are owed to its own proprietary code base, including functionality similar to that present within Guacamole. PrivX has been designed from the ground up with many considerations for today's distributed, heterogeneous and BYOD environments, and for this reason SSH.COM chose to develop PrivX in its own way, ensuring it continuously caters to its target markets in the most secure and effective manner possible. As of September 2021, PrivX is in its 20th iteration and boasts hundreds of improvements since its initial release.

The list below provides some insight into the extent of PrivX's capabilities over and beyond those of Guacamole:
• Password-less authentication via ephemeral certificates/virtual smartcard for RDP & OpenSSH
• X.509 certificate authentication for SSH endpoints such as network switches & routers
• SSH key authentication to PrivX and SSH targets
• Secrets vaulting allowing users access to targets without exposing target account credentials
• Proxied web access (http/s) with vaulted password injection preventing credential exposure
• Connecting to private networks such as VPCs, VNETs and DMZs from a central location
• SSH & RDP native client access with audit trails and recording capabilities retained
• HSM integration adding an additional layer of security
• Role-based access control for target hosts and PrivX management
• Role-based access control to session recordings
• Integration to identity providers (AD, AAD, LDAP, AWS Cognito, OIDC, SCIM)
• Cloud Host indexing, auto discovery and health checks
• Audit events for user & admin actions within PrivX
• Contextual restrictions for target access (day/time, source IP)
• Temporary role memberships (start/end time or in hours)
• Workflow management for ad hoc access requests
• Enterprise grade high-availability (HA) architecture
• Operational Technology (OT) capabilities
