Network Target Access
The PrivX network target access feature brings role-based access control to network-level targets.
See Preparing for Deployment (PrivX Router) to understand the prerequisites for configuring network target access.
Network Targets
Network targets in PrivX are networks, nodes or services to which access is controlled. They differ from hosts in that PrivX only controls network-level access to them and does not issue access credentials. Network target access is also protocol-agnostic.
The network target configuration objects define target destinations and roles that grant access to the target.
Destinations are defined by traffic selectors matching the protected targets:
- IPv4 / IPv6 address ranges
- Optional protocol: "tcp" or "udp"
- Optional port ranges
Each destination can optionally define a Destination Network Address Translation (DNAT) IP address and port. When DNAT is configured, the PrivX Router modifies the destination address and/or port of outgoing IP packets and performs the reverse translation for incoming response packets.
Similarly, Source Network Address Translation (SNAT) can be enabled for a network target. When SNAT is active, the PrivX Router replaces the source IP address in outgoing packets with its own IP address. It also performs the reverse translation for incoming responses.
Note that when forwarding IP packets, the PrivX Router associates ICMP errors with the IP flow that triggered them. This means that even if a network target is configured for TCP or UDP only, related ICMP errors will still be forwarded between the client and the target.
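The DNAT, SNAT and related-ICMP behaviour described above, as an added example written for this page (not PrivX Router code): a minimal stateful translator that rewrites matching outgoing packets, remembers the flow, and reverse-translates replies and ICMP errors from that table. The class names, the flow-table design and the addresses in demo() are assumptions made for illustration.

```python
"""Miniature of the router-side DNAT/SNAT described above (added example, not PrivX code).
Outgoing packets matching a destination selector get DNAT and optional SNAT applied and
the flow is recorded; replies and ICMP errors are reverse-translated from that record.
Packet, Destination and Router are assumed names; all addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Destination:
    """Traffic selector (address range, optional protocol, optional port range) plus optional DNAT."""
    network: str                              # IPv4 or IPv6 range
    proto: Optional[str] = None               # "tcp", "udp" or None for any protocol
    ports: Optional[tuple[int, int]] = None   # inclusive port range or None for any port
    dnat_ip: Optional[str] = None
    dnat_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        dst, net = ip_address(pkt.dst), ip_network(self.network)
        if dst.version != net.version or dst not in net:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.ports is None or self.ports[0] <= pkt.dport <= self.ports[1]


class Router:
    def __init__(self, router_ip: str, destinations: list[Destination], snat: bool = False):
        self.router_ip = router_ip
        self.destinations = destinations
        self.snat = snat
        # Translated outgoing 5-tuple -> packet exactly as the client sent it.
        # Simplification: real SNAT also allocates a unique source port per flow, so two
        # clients reusing the same source port cannot collide as they could here.
        self._flows: dict[tuple[str, str, int, str, int], Packet] = {}

    @staticmethod
    def _key(p: Packet) -> tuple[str, str, int, str, int]:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> target. None means no selector matched and the packet is dropped."""
        dest = next((d for d in self.destinations if d.matches(pkt)), None)
        if dest is None:
            return None
        out = pkt
        if dest.dnat_ip is not None:
            out = replace(out, dst=dest.dnat_ip)
        if dest.dnat_port is not None:
            out = replace(out, dport=dest.dnat_port)
        if self.snat:
            out = replace(out, src=self.router_ip)
        self._flows[self._key(out)] = pkt
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Target -> client reply, reversed via the flow table; unknown flows are dropped."""
        orig = self._flows.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.proto)

    def inbound_icmp_error(self, quoted: Packet) -> Optional[Packet]:
        """ICMP error from the network quoting an outgoing packet's header. If it belongs
        to a known flow it is forwarded with the quoted header restored to what the client
        sent, even when the selector is tcp/udp only; otherwise it is dropped."""
        return self._flows.get(self._key(quoted))


def demo() -> dict[str, Optional[Packet]]:
    router = Router(
        "10.0.0.1",
        [Destination("192.168.10.0/24", "tcp", (443, 443), dnat_ip="172.16.5.20", dnat_port=8443)],
        snat=True,
    )
    out = router.outbound(Packet("10.20.0.5", 51234, "192.168.10.7", 443))
    return {
        "out": out,                                                            # DNAT + SNAT applied
        "reply": router.inbound(Packet("172.16.5.20", 8443, "10.0.0.1", 51234)),  # reversed
        "icmp": router.inbound_icmp_error(out) if out else None,               # related error passes
        "dropped": router.outbound(Packet("10.20.0.5", 40000, "192.168.10.7", 22)),  # no selector
        "stray": router.inbound(Packet("172.16.5.20", 8443, "10.0.0.1", 9999)),  # unknown flow
    }
```

The flow table is what ties the two directions together: a reply or ICMP error is only forwarded to the client if an outgoing packet created the entry, so a target cannot inject traffic toward a client that never spoke to it through the router.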
Network Access Sessions
Users request access to network targets through the PrivX UI. When a request is made, the Network Access Manager performs the following checks:
- For each configured PrivX Router, the user's client IP address is resolved and compared against the router's remote access client IP address pool. If the client IP is not included in any pool, access is denied.
- The network target is resolved by its unique name.
- The user's access rights to the network target are verified based on assigned roles.
- Existing network access sessions are checked to ensure the request does not result in overlapping router rules.
If all checks succeed, the Network Access Manager generates router rules based on the user's client IP and the destination addresses of the network target. These rules are then applied to the appropriate PrivX Routers handling traffic from the user's IP.
The Network Access Manager also periodically verifies that:
- The user still has access rights to the network target.
- The user maintains connectivity with PrivX.
A network session can be terminated in the following cases:
- The user explicitly closes the session.
- A PrivX admin manually terminates the session.
- The Network Access Manager detects that the user lost access rights to the target.
- The Network Access Manager detects that the user lost connectivity to PrivX.
When a session ends, the Network Access Manager removes the corresponding router rules, revoking the user's network-level access to the target.
Overlapping Sessions
PrivX does not allow overlapping network access sessions for the same client IP address. When a user requests access to a network target, the request is denied if either of the following is true:
- Another user already has an active session from the same client IP.
- The user has other ongoing sessions from the same client IP, and the requested network target's destinations overlap with those of the targets in these sessions.
As a result, when multiple network targets are configured with overlapping destination traffic selectors, a user can only have simultaneous sessions to targets that do not overlap in their destination selectors.
Additionally, a network target can be marked as requiring exclusive access. When this option is enabled:
- If a session is already active for an exclusive network target, no other users can open sessions that would overlap with its destination traffic selectors.
- A user can only start a session to an exclusive network target if no overlapping sessions are currently active.
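The admission checks described under Network Access Sessions together with the overlap and exclusive-access rules of this section, as an added example written for this page (not PrivX code). It reads the first overlap rule as applying to another user's session from the same client IP, since the second rule lets one user hold several non-overlapping sessions from a single IP. Selector, NetworkTarget, Session and NetworkAccessManager.admit are assumed names; the pools, targets, roles and users in demo() are constructed.

```python
"""Session admission as the text describes it for the Network Access Manager
(added example, not PrivX code): client IP must fall in a router's client pool,
a role must grant the target, and no overlapping session may exist for that
client IP; exclusive targets block overlaps across users as well.
All names below are assumptions; the data in demo() is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    network: str                              # IPv4 or IPv6 range
    proto: Optional[str] = None               # "tcp", "udp" or None for any
    ports: Optional[tuple[int, int]] = None   # inclusive range or None for any

    def overlaps(self, other: Selector) -> bool:
        a, b = ip_network(self.network), ip_network(other.network)
        if a.version != b.version or not a.overlaps(b):
            return False
        # Protocols exclude each other only when both are set and differ.
        if self.proto and other.proto and self.proto != other.proto:
            return False
        # Port ranges exclude each other only when both are set and disjoint.
        if self.ports and other.ports:
            return max(self.ports[0], other.ports[0]) <= min(self.ports[1], other.ports[1])
        return True


@dataclass(frozen=True)
class NetworkTarget:
    name: str
    destinations: tuple[Selector, ...]
    roles: frozenset[str]          # roles that grant access to this target
    exclusive: bool = False

    def overlaps(self, other: NetworkTarget) -> bool:
        return any(s.overlaps(t) for s in self.destinations for t in other.destinations)


@dataclass(frozen=True)
class Session:
    user: str
    client_ip: str
    target: NetworkTarget


@dataclass
class NetworkAccessManager:
    router_pools: dict[str, tuple[str, ...]]   # router name -> remote access client IP pools
    targets: dict[str, NetworkTarget]
    user_roles: dict[str, frozenset[str]]
    sessions: list[Session] = field(default_factory=list)

    def admit(self, user: str, client_ip: str, target_name: str) -> tuple[bool, str]:
        """Returns (granted, reason); on success the session is recorded. Pushing the
        generated rules to the matching routers is outside this illustration."""
        ip = ip_address(client_ip)
        routers = [r for r, pools in self.router_pools.items()
                   if any(ip in ip_network(p) for p in pools)]
        if not routers:
            return False, "client IP not in any router client pool"
        target = self.targets.get(target_name)
        if target is None:
            return False, "unknown network target"
        if not (self.user_roles.get(user, frozenset()) & target.roles):
            return False, "no role grants this target"
        for s in self.sessions:
            if s.client_ip == client_ip and s.user != user:
                return False, "client IP already in use by another user's session"
            if s.client_ip == client_ip and s.target.overlaps(target):
                return False, f"overlaps own session to {s.target.name}"
            if s.target.exclusive and s.user != user and s.target.overlaps(target):
                return False, f"exclusive target {s.target.name} blocks overlapping sessions"
            if target.exclusive and s.target.overlaps(target):
                return False, f"exclusive target requires no overlapping sessions ({s.target.name})"
        self.sessions.append(Session(user, client_ip, target))
        return True, f"rules installed on {', '.join(routers)}"


def demo() -> list[tuple[bool, str]]:
    db_admin = Selector("10.50.0.0/24", "tcp", (5432, 5432))
    db_any = Selector("10.50.0.0/24")                 # address-only: overlaps db_admin
    ops_ssh = Selector("10.60.0.0/16", "tcp", (22, 22))
    nam = NetworkAccessManager(
        router_pools={"router-1": ("192.0.2.0/24",)},
        targets={
            "db-prod": NetworkTarget("db-prod", (db_admin,), frozenset({"dba"})),
            "db-maint": NetworkTarget("db-maint", (db_any,), frozenset({"dba"}), exclusive=True),
            "ops-ssh": NetworkTarget("ops-ssh", (ops_ssh,), frozenset({"ops"})),
        },
        user_roles={"alice": frozenset({"dba", "ops"}), "bob": frozenset({"dba", "ops"})},
    )
    return [
        nam.admit("alice", "198.51.100.7", "db-prod"),  # denied: IP outside every pool
        nam.admit("bob", "192.0.2.11", "db-maint"),     # granted: exclusive, nothing active yet
        nam.admit("alice", "192.0.2.10", "db-prod"),    # denied: overlaps bob's exclusive target
        nam.admit("alice", "192.0.2.10", "ops-ssh"),    # granted: disjoint from db-maint
        nam.admit("alice", "192.0.2.10", "ops-ssh"),    # denied: overlaps her own session
        nam.admit("bob", "192.0.2.10", "ops-ssh"),      # denied: alice holds that client IP
    ]
```

Note how an address-only selector behaves: with no protocol or port range set it overlaps every selector in the same address range, so an exclusive target defined that way locks out all other targets inside that range for as long as its session is active.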
Network Target Static Configuration
When using PrivX Routers of type exec or sshexec, you can specify a router integration provider in the network target configuration. This defines the static configuration passed to the router.
If the provider is set to generic, any valid JSON object will be sent as the final (optional) parameter to the router. However, if the provider is set to NQX, the static configuration must follow this format:
{
"type": "l3rules",
"source_id": "custom source UUID",
"source_name": "custom source name"
}
NQX integration supports the following values for "type": l3rules, tunnel, and combo.
Auditing of Network Access Sessions
Audit events are generated when:
- A network access session is opened or closed.
- Changes are made to the network target configuration.
Each session is also recorded as a connection in the Connection Manager. This allows admins to:
- Inspect detailed metadata for both active and past network sessions.
- Terminate active sessions if needed.
Note that network access sessions cannot be session-recorded.