Features
- vendor independent access management
- workflow-driven with versioning of all major objects
- easy extension of policy to additional security products
- no vendor lock-in
- IPv4, IPv6 and FQDN based access control
- detailed role-based access control
- responsive WebUI with light and dark color modes
- OpenAPI 3.1 with full documentation
Roles
CroGuard takes a different approach to firewall rule management by splitting the parts of a firewall rule up by the teams responsible for them:
Resource Administrator
The owners of your business applications and services know best which network connections are required to access them.
Any number of groups can hold this role, so the assignments can mirror your organization's structure.
Network Object Administrator
Manage single IPv4/IPv6 addresses ("hosts"), networks and groups of those objects. These objects are used as the source of access requests.
Requester
Create, modify or request deletion of access requests. Thanks to the simple nature of CroGuard, this role can be assigned to all employees without requiring special knowledge of networking or firewalls. An access request must be approved by a member of each requested resource's owner group before it is handed over to firewall administrators for implementation.
Firewall Administrator
Implement changes to objects, resources and access requests. All objects are fully versioned, recording who created, changed or deleted them, together with a reason and a timestamp.
Application Administrator
Manage users, user groups and their assigned roles. A user's effective roles are the sum of directly assigned roles and the roles of the user's groups.
Auditor
Can view a timeline of all of these changes.
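As an added illustration (not CroGuard's own code; every type, role name and group name below is an assumption), the following Python model captures the two rules described above: a user's effective roles are the union of directly assigned roles and group roles, and an access request can only be handed to a Firewall Administrator once a member of each requested resource's owner group has approved it.

```python
from dataclasses import dataclass, field

# Hypothetical model of the role workflow described above; all names are assumed.
# group name -> roles granted to every member of that group
GROUP_ROLES = {
    "app-owners": {"resource-admin"},
    "netops": {"firewall-admin"},
    "staff": {"requester"},
}

@dataclass
class User:
    name: str
    direct_roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

@dataclass
class Resource:
    name: str
    owner_group: str          # group acting as Resource Administrator for this resource

@dataclass
class AccessRequest:
    requester: str
    source: str               # network object (host/network/group) used as the source
    resources: list           # requested Resource objects
    approvals: dict = field(default_factory=dict)   # resource name -> approving user

def effective_roles(user: User) -> set:
    """Directly assigned roles plus the roles of every group the user belongs to."""
    roles = set(user.direct_roles)
    for group in user.groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles

def approve(req: AccessRequest, resource: Resource, approver: User) -> bool:
    """Record an approval; only a member of the resource's owner group may give it."""
    if resource.owner_group not in approver.groups:
        return False
    req.approvals[resource.name] = approver.name
    return True

def ready_for_implementation(req: AccessRequest, implementer: User) -> bool:
    """True only when every requested resource is approved and the
    implementer holds the Firewall Administrator role (directly or via a group)."""
    all_approved = all(r.name in req.approvals for r in req.resources)
    return all_approved and "firewall-admin" in effective_roles(implementer)
```

Separating the approver (resource owner) from the implementer (firewall admin) is the separation-of-duties property the role split is meant to provide: no single user can both authorize and deploy an access.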
Supported Products
- Cisco Secure Firewall Management Center
- Check Point Quantum Security Management
- Fortinet FortiManager
- HPE Aruba Networking EdgeConnect SD-WAN Orchestrator
- Versa Secure SD-WAN Concerto
System Architecture
CroGuard is a web-based application delivered as a container image that can be run with Docker, Podman or Kubernetes.
It typically requires two CPU cores and 4 GB of memory for the application, plus another two CPU cores and 8 GB of memory for its PostgreSQL database.
No specific PostgreSQL version is currently required, but the latest version is generally recommended by the PostgreSQL team.
CroGuard release 2.1 @ 2024-10-21
New Features
- OpenID Connect authentication and authorization
Authenticating users with OpenID Connect is available in CroGuard 2.1. Each tenant can configure its authentication to use OpenID Connect (OIDC for short) with automatic user provisioning.
Authorization can also be offloaded to the OpenID Connect identity provider by automatically assigning group memberships to users on login.
Configuration is straightforward because CroGuard supports OpenID Connect Discovery, which makes the process less error-prone; discovery is supported by all major identity provider solutions such as Keycloak, Microsoft Entra ID and Okta, to name a few.
- OpenAPI version 2.1
The CroGuard OpenAPI version 2.1 was extended so that tenants can configure their OpenID Connect authentication and authorization.
CroGuard release 2.0 @ 2024-07-02
New Features
- Multi-Tenancy
A multi-level tenancy model is available in CroGuard 2.0. It enables service providers and multinational corporations to host several isolated tenants with a secure role model at every configured level. This includes a new 'Tenant Admin' role as well as a listing of foreign tenant access.
- First Time Wizard
The new first-time wizard makes installing the license and creating the initial administrator user a breeze.
- OpenAPI version 2.0
The CroGuard OpenAPI version 2.0 enables multi-tenancy, returns more granular HTTP response codes and uses stricter validation for even more detailed error messages and improved vendor compatibility.
Improvements
- keep forms open on error
- auto focus input fields when adding list items
- highlight selected version in all timelines and history tables
- improved performance of all network object pages
- improved user permission visualization
- new main menu icons for easier recognition
- extended role permissions
Several roles were granted additional read-only permissions to ease their work.