RedFox Bastion Features

Complete list of modules and capabilities.

Browser-based access

SSH terminal

Full terminal emulator (xterm.js) over WebSocket. Copy/paste, resize, UTF-8, colour support. No client software or VPN required.

RDP access Coming Soon

Remote Desktop via custom Rust proxy (IronRDP). Clipboard, file transfer, multi-monitor. Rendered in the browser with no ActiveX or plugin. Code written, currently in testing.

Application Access (ZTNA) Enterprise

Secure reverse proxy for internal web applications (Grafana, Kibana, admin panels). Identity-aware routing with per-app policy enforcement, no VPN required.

Database proxy Enterprise Coming Soon

Proxied access to PostgreSQL, MySQL, MSSQL. Query logging, role-based restrictions, no direct database exposure. Code written, currently in testing.

Identity & access control

Entra ID authentication (OIDC)

Native OpenID Connect with Microsoft Entra ID. SSO, MFA enforcement inherited from Conditional Access policies. No local passwords.

SAML & LDAP Enterprise

Federate with any SAML 2.0 IdP or LDAP directory. Attribute mapping, group sync, multi-IdP support.

RBAC

Role-based access control: define roles, assign targets per role, restrict by time window or IP range.

JIT access Enterprise

Just-in-time privilege elevation with configurable TTL. Approval workflows, automatic revocation, audit trail.

Security & audit

WORM audit logs

Immutable, append-only log for every connection, command and session event. Tamper-proof by design — compliant with SOC 2, ISO 27001, NIS2.

Session recording

Full SSH session replay (asciinema-compatible). Searchable by user, target, date. Exportable for forensic review.

Credential vault Enterprise

AES-256 encrypted storage for SSH keys and service accounts. Users never see secrets — RedFox injects credentials at connection time.

Operations

Docker Compose deployment

All services are built and run via a single docker-compose.yml. Non-root containers, CI vulnerability scanning (Trivy, cargo-deny, gosec).

HA deployment Enterprise

High-availability via docker-compose-ha.yml: PostgreSQL streaming replication, Redis Sentinel, 2x API instances, Loki + Promtail + Grafana monitoring.

Air-gap deployment Enterprise Planned

Offline licence, pre-built image tarballs, no outbound internet required. Designed for classified and air-gapped environments. Not yet available.