Miscellaneous
Does PrivX have the Ability to generate reports?
No reporting engine at this time. Part of roadmap. SDK is available to pull data from PrivX, reporting would then be provided via 3rd party tools.
Does Firefox in Sandbox manage Tabs or is there one sandbox for each Web Service?
A new Firefox container is launched for each user session.
How does PrivX clean up machine IP Addresses and names in dynamic environments where the IP or name may be reused?
If PrivX is used with cloud based hosts and the host scanning feature is being used, PrivX will automatically remove terminated hosts (and detect new ones). IP address changes can be detected dynamically (separate config option in PrivX directory settings)
What is the largest PrivX instance deployed and have there been any scalability issues?
One of our largest customer deployments is HA environment spanning three continents (US, Europe, Australia), all instances belonging to the same installation. Users in each continent are directed to local PrivX instance, all three continents are sharing the same database cluster.
Largest number of users in customer env is around 80000.
One customer experienced some out of memory issues, when running ~400 simultaneous RDP connections through three PrivX instances (with 12 GB memory each).
A single PrivX instance can handle several thousands simultaneous SSH users.
Does the PrivX architecture itself need to be spun up in only one environment?
Individual PrivX instances can run on any cloud. It's possible to have instances of the same deployment running in different cloud providers. However it's recommended (and often easier) to run PrivX HA setup on one cloud provider and then use PrivX Extenders for other cloud providers.
Can you separate user audit storage from session recording storage and file transfer storage?
Audit logs and file transfers share the same storage space, whilst recordings are stored separately. Logs are stored indefinitely however retention for recordings can be defined.
If user access is revoked, how quickly are their permissions taken away?
PrivX does all role permission checks against roles real time. If user is deleted, new logins will be blocked immediately. Logged in users have 60 second cache in place for performance reasons (configurable), before role changes take effect.
Already opened connections will be terminated on the next reauthorization interval (default is 300 seconds, configurable).
Is application to application access via PrivX, e.g. managing Ansible AWS access to remote customer servers possible? i.e. Allows shared services to connect multiple customers using customer provided credentials
PrivX SSH Bastion supports M2M connectivity via scripting. AWS API access via temporary session credentials is also supported.
What PrivX components require internet connectivity?
Only the license manager component along with any external NTP source that you may be using will require internet access.
Which MFA/2FA solutions are compatible with PrivX? (Only used for accessing PrivX, not targets)
It's possible to integrate any TOTP based solution.
Microsoft Entra multifactor authentication - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
How do you prevent users escalating their privileges to root from a standard user on SSH targets?
Root access to SSH targets is controlled through PrivX role mappings in order to authorize the users access to any given target and the account to be used. Privilege escalation can be restricted by the use of sudo config files which we recommend be managed and distributed through orchestration tools such as Chef, Ansible, or similar. In many cases we will be able to provide play/cook book files to help with this.
Can PrivX restrict shell/SSH commands from being executed?
Roadmap item. Command restrictions using PrivX directly is not possible however the SUDO config file can be used create command restrictions and distributed using orchestration tools such as Chef and Ansible.
Do SSH.COM provide scripts for hardening the Linux/Centos builds that will host PrivX?
A post install script is provided as part of the initial deployment package which enables the local firewall and opens necessary ports, we do not at this time provide scripts specifically for hardening the underlying OS/servers to be used for hosting PrivX components. Customers will need to use hardened builds of their own specification or follow industry known best practice guides, alternatively SSH can carry out the necessary work and build hardened servers for you as part of a wider professional services project.
How frequently do access certificates require rotation in order to protect our systems from unauthorized access?
When using certificate based authentication the certs for accessing targets are ephemeral and therefore expire after 5 minutes leaving no trace i.e. not stored in any way. Master CA’s (used by Windows DC’s when smart card auth is in use for example) have an expiry of 5 years and is at this point where the certificates will need to be replaced across the PrivX systems and target machines. If required, SSH will provide the necessary documentation outlining the steps to carry out this procedure.
Can I give users restricted access and/or permissions to limit their visibility to connection details only i.e. details of connections that have already taken place?
Users can be mapped to an auditor type role which will have visibility of all connection details under the monitor tab.
As per above but the role is assigned to an access group (will require its own unique CA) to limit the connections visible to specific machines only.
Access to specific/unique connection details can be provided (regardless of access group) by assigning an access role to the individual connection log in question (no other logs for that target will be accessible).
Note: Users with minimal audit type permissions ("connection-view" only) will see the default tabs (connections, secrets and requests – all of which will be empty) with the addition of the monitor tab. No settings/config or targets will be accessible or visible.
Can the solution be secured by firewalling all appropriate connections/traffic?
Yes, all appropriate information regarding ports for allowing access and preventing PAM bypass will be made available upon deployment.
Which Cisco network devices and/or IOS versions support X.509 Certificate based authentication?
Supported Cisco devices and their respective IOS versions can be found on Cisco's device support pages along with their feature navigation page (https://cfnng.cisco.com) for more recent devices.
Was this page helpful?