Network Target Access
The PrivX network target access feature brings role-based access control to network-level targets.
Network Targets
Network targets in PrivX are target networks, nodes, or services to which access is controlled. They differ from hosts in that PrivX only controls access to network targets and does not issue the credentials needed to access them. Network target access is also protocol agnostic.
The network target configuration objects define target destinations and roles that grant access to the target.
Destinations are defined by traffic selectors matching the protected targets:
- IPv4 / IPv6 address ranges
- Optional protocol: "tcp" or "udp"
- Optional port ranges
Each destination can specify an optional destination network address translation (DNAT) address and port. When DNAT parameters are specified, the PrivX router modifies the destination address / port of the IP packets it forwards to the destinations, and performs the reverse translation for return packets from the destinations.
Similarly, source network address translation (SNAT) can be enabled for a network target. When it is enabled, the PrivX router replaces the source address of the IP packets it forwards to the target with the router's IP address, and performs the reverse translation for the corresponding packets in the reverse direction.
Note that when forwarding IP packets, the PrivX router component associates ICMP errors with the IP flow that triggered them. This means that even if a network target destination specifies only the TCP or UDP protocol, the related ICMP errors are forwarded between the client and the target.
Network Access Sessions
Users request access to network targets via the PrivX UI.
When a user requests access to a network target, the network access manager performs the following checks:
- The user's client IP address is resolved and compared to the remote access client IP address pool of each configured PrivX router. If the client IP is not from any router's pool, access is denied.
- The network target is resolved by its unique name.
- Access to the network target is verified from the user's roles.
- Existing network access sessions are checked to detect whether access to the requested network target would create overlapping router rules.
If all of the above checks pass, the network access manager generates router rules from the user's client IP and the network target's destinations, and configures the rules on the PrivX routers that handle traffic from the user's client IP address.
The network access manager periodically checks that the user still has access rights to the network target, and that the user has not lost connectivity.
The network session is closed when the user closes it explicitly, a PrivX admin requests to terminate the session, the network access manager detects that the user no longer has access rights to the network target, or the network access manager detects that the user has lost network connectivity to PrivX. The network access manager then removes the router rules, thereby revoking the user's network-level access to the target.
Overlapping Sessions
PrivX does not allow overlapping network access sessions for a single user's client IP address. This means that when a user requests access to a network target, the access is denied if any of the following conditions is met:
- Another user has ongoing network access sessions that use the same client IP address.
- The user has ongoing network access sessions that use the same client IP address and whose destinations would overlap the requested network target's destinations.
Thus, when multiple configured network targets have overlapping destination traffic selectors, a user can have simultaneous ongoing network access sessions only to network targets whose destination traffic selectors do not overlap.
A network target can optionally be marked as requiring exclusive access. When exclusive access is enabled and there is an ongoing network access session to such a target, no other user can open new network access sessions whose destination traffic selectors would overlap the exclusive access target's destinations. Likewise, when access to an exclusive network target is requested, it can be accepted only if there are no ongoing network access sessions that have overlapping destination traffic selectors.
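The overlap rules above, as an added sketch that is not PrivX code: it assumes two traffic selectors overlap when their address ranges intersect and their protocol and port constraints are compatible, with an omitted protocol or port range matching everything. All class names, function names and sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Selector:                       # one destination traffic selector
    cidr: str                         # IPv4 / IPv6 address range
    protocol: Optional[str] = None    # "tcp", "udp", or None for any
    ports: Optional[Tuple[int, int]] = None  # inclusive range, None for any

@dataclass(frozen=True)
class Session:                        # an ongoing network access session
    user: str
    client_ip: str
    destinations: Tuple[Selector, ...]
    exclusive: bool = False

def selectors_overlap(a: Selector, b: Selector) -> bool:
    """True if some packet could match both selectors (assumed definition)."""
    na, nb = ipaddress.ip_network(a.cidr), ipaddress.ip_network(b.cidr)
    if na.version != nb.version or not na.overlaps(nb):
        return False
    if a.protocol and b.protocol and a.protocol != b.protocol:
        return False
    if a.ports and b.ports:           # an unset port range matches every port
        return a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]
    return True

def deny_reason(user, client_ip, destinations, exclusive, sessions):
    """Return None if the request passes the overlap rules, else the reason."""
    for s in sessions:
        if s.client_ip == client_ip and s.user != user:
            return "client IP in use by another user"
        if not any(selectors_overlap(x, y)
                   for x in destinations for y in s.destinations):
            continue
        if s.user == user and s.client_ip == client_ip:
            return "overlaps the user's own session"
        if exclusive or (s.exclusive and s.user != user):
            return "exclusive access conflict"
    return None

# Constructed sample data (documentation address ranges, hypothetical users)
WEB = (Selector("192.0.2.0/24", "tcp", (443, 443)),)
ADMIN = (Selector("192.0.2.16/28", "tcp", (22, 22)),)
ANY_TCP = (Selector("192.0.2.0/25", "tcp"),)
ACTIVE = [Session("alice", "203.0.113.10", WEB)]
```

With `ACTIVE` in place, a request by the same user for `ADMIN` passes because the port ranges are disjoint, while a request for `ANY_TCP` is denied because its unset port range covers port 443.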
Auditing of Network Access Sessions
Audit events are generated when network access sessions are opened and closed, and when changes are made to the network target configuration.
Each network access session is also stored as a connection in the connection manager. This allows admins to inspect detailed metadata of ongoing and past network access sessions, and to request that ongoing network access sessions be terminated.
Network access sessions cannot be session recorded.