Introduction

Proper whitelisting of TraceSecurity resources is an important part of your vendor relationship with us, helping to facilitate our assessment and testing services as well as your own software access where applicable. This guide is a compendium of how to whitelist TraceSecurity proprietary applications/appliances as well as trusted third-party applications/appliances and their approved web traffic. Please consult the specific URLs provided to you as part of software and/or service scoping. If you are unsure which URLs are applicable for your organization's use case, please ask your Customer Success Manager for clarification on your contracted services and/or software access.

For any questions or concerns relating to the technical information contained in this guide, you may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.

Whitelisting & Authentication Information for Qualys Policy Compliance Scanning Services

This information is intended for clients who are receiving a Qualys-based Ransomware Preparedness Assessment. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Qualys Internal Virtual Scanner Appliance Whitelisting

ACCESS TO REQUIRED EXTERNAL RESOURCES

In order to function, the scanner must have outbound access to the following external resources:

162.159.152.21 and 162.159.153.243 (Cloudflare Dedicated IPs)
qualysguard.qg3.apps.qualys.com:443
distribution.qg3.apps.qualys.com:443
monitoring.qg3.apps.qualys.com:443
qgadmin.qg3.apps.qualys.com:443
scanservice1.qg3.apps.qualys.com:443
qualysapi.qg3.apps.qualys.com:443

  • If there is a firewall separating the scanner from the Internet, outbound access must be allowed to these resources.
  • Any device (hardware or software) that filters outbound traffic will need to allow the scanner to access these resources. Specifically, TraceSecurity has documented issues with web content filtering systems (e.g., Websense, WebTitan, Barracuda, etc.), and the scanner's traffic should be excluded from examination by those systems.
    • Why? To perform filtering on SSL-protected sites, many web content filtering systems require each client to install a specific certificate that allows the filter to read the traffic. The scanner appliance does not have this certificate and will not be able to communicate outbound.

ACCESS TO INTERNAL TARGETS

In addition to allowing the scanner to access the necessary external resources, the scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.

  • Antivirus/Endpoint Protection/EDR Software

    • Ensure the IP address of the internal scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
      • Why? Many of these solutions will see the scanning traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
  • Intrusion Detection/Intrusion Prevention Systems

    • Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
      • Why? The scanning traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full scanning of targets.
  • Firewalls and Proxy Services

    • Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout intended subnets. If there are any proxy services, they should be configured to ignore the scanner's traffic.
      • Why? Misconfigured proxy services and firewalls, most often transparent proxies, can interfere with scanning by responding on behalf of inactive IPs, which clutters the scan results with invalid information while slowing scans by an order of magnitude.

AUTHENTICATION TO INTERNAL TARGETS

For this service, the scanner must also be able to authenticate to the target Windows devices. Please consult https://tracedownload.s3.amazonaws.com/Qualys/Guides/TraceInsight_Authenticated_Scanning_Guide_(Windows).pdf for detailed instructions on creating the account to be used for authentication, adding those credentials to Vuln Manager, and configuring your Windows devices for successful authenticated scanning.

This information will need to be supplied to whomever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.

Whitelisting for External Penetration Testing Services

This information is intended for clients who are receiving an External Penetration Testing service. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Why should I whitelist?

During the defined testing period, the analyst must rapidly scan and test discovered services, which may cause an IPS to temporarily block or permanently blacklist the analyst's source IP address(es). This can limit the ability to test services that may otherwise be available, and consequently limit the ability to identify vulnerabilities on those services. Because of this, TraceSecurity recommends conducting external penetration tests with the testing source IP addresses whitelisted in any deployed intrusion prevention systems. This allows the analyst to simulate the evasion tactics that might be available to a real-world attacker, providing a means to generate the most complete and accurate assessment possible.

How do I whitelist?

The intrusion detection system/intrusion prevention system (IDS/IPS) management team will need to allow ping sweeps and port scans from the designated source IP addresses listed below. The IDS/IPS management team SHOULD NOT allow access to any otherwise filtered ports on any supporting firewall. The purpose of the whitelisting is limited to preventing the source IP addresses from being completely blocked for triggering IDS/IPS behavioral rules such as those for ping sweeps or port scans.

The analyst IP addresses used for manual external testing are as follows:

174.69.226.251
174.69.226.254

Whitelisting for Qualys Vulnerability Scanning Services

This information is intended for clients who are receiving a Qualys-based Vulnerability Assessment (VA), Enhanced Vulnerability Assessment (EVA), or Comprehensive Network Vulnerability Assessment (CNVA). If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Qualys External Vulnerability Scanner & Analyst Manual External Testing Whitelisting

During the defined Vulnerability Assessment, the external scanners (and analyst in the case of an EVA or CNVA) must rapidly scan discovered services, which may cause an IPS to temporarily block or permanently blacklist the source IP address. This can limit the ability to scan services that may otherwise be available, and consequently limit the ability to identify vulnerabilities on those services. Because of this, TraceSecurity recommends conducting external vulnerability scanning (and manual external testing in the case of an EVA or CNVA) with the source IP addresses whitelisted in any deployed intrusion prevention systems.

The Qualys External Scanners' traffic will originate from one of the following IPs:

139.87.104.123
139.87.117.66
64.39.96.0/20 (64.39.96.1-64.39.111.254)
139.87.112.0/23 (139.87.112.1-139.87.113.254)
139.87.116.188

For EVA and CNVA services, manual external testing by the analyst will originate from one of the following IPs:

174.69.226.251
174.69.226.254

Qualys Internal Virtual Scanner Appliance Whitelisting

ACCESS TO REQUIRED EXTERNAL RESOURCES

In order to function, the scanner must have outbound access to the following external resources:

162.159.152.21 and 162.159.153.243 (Cloudflare Dedicated IPs)
qualysguard.qg3.apps.qualys.com:443
distribution.qg3.apps.qualys.com:443
monitoring.qg3.apps.qualys.com:443
qgadmin.qg3.apps.qualys.com:443
scanservice1.qg3.apps.qualys.com:443
qualysapi.qg3.apps.qualys.com:443

  • If there is a firewall separating the scanner from the Internet, outbound access must be allowed to these resources.
  • Any device (hardware or software) that filters outbound traffic will need to allow the scanner to access these resources. Specifically, TraceSecurity has documented issues with web content filtering systems (e.g., Websense, WebTitan, Barracuda, etc.), and the scanner's traffic should be excluded from examination by those systems.
    • Why? To perform filtering on SSL-protected sites, many web content filtering systems require each client to install a specific certificate that allows the filter to read the traffic. The scanner appliance does not have this certificate and will not be able to communicate outbound.

ACCESS TO INTERNAL TARGETS

In addition to allowing the internal scanner to access the necessary external resources, the internal scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.

  • Antivirus/Endpoint Protection/EDR Software

    • Ensure the IP address of the internal scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
      • Why? Many of these solutions will see the scanning traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
  • Intrusion Detection/Intrusion Prevention Systems

    • Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
      • Why? The scanning traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full scanning of targets.
  • Firewalls and Proxy Services

    • Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout intended subnets. If there are any proxy services, they should be configured to ignore the scanner's traffic.
      • Why? Misconfigured proxy services and firewalls, most often transparent proxies, can interfere with scanning by responding on behalf of inactive IPs, which clutters the scan results with invalid information while slowing scans by an order of magnitude.

CSO Internal Virtual Scanner Appliance Whitelisting (EVA and CNVA Services Only)

For EVA and CNVA services, manual internal testing will require an additional virtual scanner appliance for which different whitelisting will need to be implemented. If your organization is contracted for an EVA or CNVA, please also review Whitelisting Information for TraceCSO Internal Penetration Testing Services for the applicable whitelisting information.

This information will need to be supplied to whomever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.

Whitelisting for Remote Social Engineering Phishing Services

This information is intended for clients who are receiving a Remote Social Engineering Phishing service. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Phishing Mailserver Whitelisting (Recommended/Required in Majority of Environments)

To facilitate successful delivery of our phishing emails into your mail environment, you must whitelist inbound traffic from 35.174.83.75. This is the IP address of the TracePhishing mailserver which sends the simulated phishing emails to the target email addresses.

If your organization is unable to apply this inbound whitelisting into your environment for any reason, please let your CSM know that you will be requiring a "Shields Up" Phishing test wherein your organization leaves email protections in place for the duration of the simulation.

Phishing Listener Whitelisting

To facilitate successful tracking of Email Opened and Clicked Link findings, you may also need to whitelist outbound traffic from your environment to 18.218.235.190. This is the IP address of the TraceInsight web server which listens for phishing events while the campaign is running.

This kind of outbound whitelisting is usually only required in the most stringent firewall environments. If you are unsure whether this setting applies to your organization, we recommend consulting with your IT provider and/or firewall vendor.

Domain- or Sender-Specific Whitelisting

If IP-based whitelisting is not supported in your environment and domain- or sender-specific whitelisting is required instead, please consult with your CSM and the analyst performing the phishing service. This information will vary depending on which email templates you choose in scoping and on evolving best practices in our phishing software and service.

Whitelisting Information for TraceCSO Internal Penetration Testing Services

This information is intended for clients who are receiving an Internal Penetration Test (IPT) or Wireless Assessment and Penetration Test (WAPT) enabled by TraceCSO-based remote access. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

TraceCSO Internal Virtual Scanner Appliance & WAPT Device Whitelisting

ACCESS TO REQUIRED EXTERNAL RESOURCES

In order to function, the scanner or WAPT device must have outbound access to the following external resources:

  • cso.tracesecurity.com over port 443 (SSL)

    • All communication with the TraceCSO web application occurs over SSL to this domain name.
      • If there is a firewall separating the scanner/WAPT device from the Internet, outbound access must be allowed to this domain name over port 443.
      • Any device (hardware or software) that filters outbound traffic will need to allow the scanner/WAPT device to access this resource. Specifically, TraceSecurity has documented issues with web content filtering systems, and the scanner's/WAPT device's traffic should be excluded from examination by those systems.
  • 18.216.164.53 over port 22 (SSH)

    • Communication with our remote access host is necessary to establish a successful remote connection to the scanner/WAPT device for internal service testing.
      • If there is a firewall separating the scanner/WAPT device from the Internet, outbound access must be allowed to this IP over port 22.
      • If a destination port must be specified when whitelisting this communication, please use 2201-2220 to accommodate the range of temporary ports used when the scanner/WAPT device creates the reverse SSH tunnel.

ACCESS TO INTERNAL TARGETS (Does Not Apply to WAPT Devices)

In addition to allowing the scanner to access the necessary external resources, the scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.

  • Antivirus/Endpoint Protection/EDR software

    • Ensure the IP address of the scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
      • Why? Many of these solutions will see the testing traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
  • Intrusion Detection/Intrusion Prevention Systems

    • Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
      • Why? The testing traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full testing of targets.
  • Firewalls and Proxy Services

    • Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout intended subnets. If there are any proxy services, they should be configured to ignore the scanner's traffic.
      • Why? Misconfigured proxy services and firewalls, most often transparent proxies, can interfere with testing by responding on behalf of inactive IPs, which clutters the scan results with invalid information while slowing scans by an order of magnitude.

This information will need to be supplied to whomever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.

Whitelisting Information for TraceCSO Vulnerability Scanning Services

This information is intended for clients who are receiving a TraceCSO-based Vulnerability Assessment (VA), Enhanced Vulnerability Assessment (EVA), or Comprehensive Network Vulnerability Assessment (CNVA). If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

TraceCSO External Vulnerability Scanner & Analyst Manual External Testing Whitelisting

During the defined Vulnerability Assessment, the external scanners (and analyst in the case of an EVA or CNVA) must rapidly scan discovered services, which may cause an IPS to temporarily block or permanently blacklist the source IP address. This can limit the ability to scan services that may otherwise be available, and consequently limit the ability to identify vulnerabilities on those services. Because of this, TraceSecurity recommends conducting external vulnerability scanning (and manual external testing in the case of an EVA or CNVA) with the source IP addresses whitelisted in any deployed intrusion prevention systems.

The CSO External Scanners' traffic will originate from one of the following IPs:

  • 52.15.220.7
  • 18.219.67.183

For EVA and CNVA services, manual external testing by the analyst will originate from one of the following IPs:

  • 174.69.226.251
  • 174.69.226.254

TraceCSO Internal Virtual Scanner Appliance Whitelisting

ACCESS TO REQUIRED EXTERNAL RESOURCES

In order to function, the scanner must have outbound access to the following external resources:

  • cso.tracesecurity.com over port 443 (SSL)

    • All communication with the TraceCSO web application occurs over SSL to this domain name.
      • If there is a firewall separating the scanner from the Internet, outbound access must be allowed to this domain name over port 443.
      • Any device (hardware or software) that filters outbound traffic will need to allow the scanner to access this resource. Specifically, TraceSecurity has documented issues with web content filtering systems, and the scanner's traffic should be excluded from examination by those systems.
  • 18.216.177.78 over port 873 (rsync)

    • Communication with our plugin update host is necessary for the scanner to obtain updates to its library of vulnerability detection scripts/plugins.
  • 18.216.164.53 over port 22 (SSH)

    • Communication with our remote access host is necessary to establish a successful remote connection to the scanner for internal service testing (in the case of an EVA or CNVA) or Support troubleshooting.
      • If there is a firewall separating the scanner from the Internet, outbound access must be allowed to this IP over port 22.
      • If a destination port must be specified when whitelisting this communication, please use 2201-2220 to accommodate the range of temporary ports used when the scanner creates the reverse SSH tunnel.
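One way to confirm these egress requirements are actually met before the scan window opens, as an added example that is not TraceSecurity's or Qualys' own code: it encodes the required outbound destinations for both the Qualys appliance (listed in the Qualys sections above) and the TraceCSO appliance, and runs constructed firewall deny-log lines against them to report which required flows are still being blocked. The key=value log format, the scanner address 10.20.30.40, the TEST-NET addresses standing in for DNS results, and treating the port-less Cloudflare IPs as any-port are all assumptions.

```python
# Egress allow-list check for a TraceSecurity internal scanner appliance.
# Added example, not TraceSecurity's or Qualys' code. REQUIRED is copied from
# this guide; the log format, addresses and DNS results are constructed.
import ipaddress
import re

QUALYS_HOSTS = ["qualysguard", "distribution", "monitoring", "qgadmin",
                "scanservice1", "qualysapi"]
# Each entry: (host or IP, inclusive port range). None means any port
# (assumption: the guide lists the two Cloudflare IPs without a port).
REQUIRED = {
    "qualys": [("162.159.152.21", None), ("162.159.153.243", None)]
              + [(f"{h}.qg3.apps.qualys.com", (443, 443)) for h in QUALYS_HOSTS],
    "tracecso": [
        ("cso.tracesecurity.com", (443, 443)),  # TraceCSO web application
        ("18.216.177.78", (873, 873)),           # rsync plugin update host
        ("18.216.164.53", (22, 22)),             # SSH remote access host
        ("18.216.164.53", (2201, 2220)),         # reverse SSH tunnel ports
    ],
}

# Firewall logs carry IPs, not names, so hostname entries must be resolved.
# Constructed mapping using TEST-NET addresses; in practice resolve with
# socket.gethostbyname_ex() from the scanner's own network segment.
CONSTRUCTED_DNS = {
    "cso.tracesecurity.com": ["203.0.113.10"],
    "qualysguard.qg3.apps.qualys.com": ["198.51.100.20"],
}

# Constructed key=value log format; adapt the regex to your firewall's format.
LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) proto=\w+ dport=(?P<dport>\d+)")


def resolve(host):
    """IPs for a destination entry; a literal IP resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])


def matches(entry, dst, dport):
    """True if a flow to dst:dport is one this entry requires to be allowed."""
    host, ports = entry
    if dst not in resolve(host):
        return False
    return ports is None or ports[0] <= dport <= ports[1]


def blocked_required(service, scanner_ip, log_lines):
    """(required entry, log line) pairs where a flow the appliance needs was
    denied; flows from other hosts or to unrelated destinations are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["action"].lower() != "deny" or m["src"] != scanner_ip:
            continue
        for entry in REQUIRED[service]:
            if matches(entry, m["dst"], int(m["dport"])):
                hits.append((entry, line.strip()))
    return hits


# Constructed deny-log sample for a TraceCSO appliance at 10.20.30.40.
SAMPLE_LOG = [
    "action=deny src=10.20.30.40 dst=18.216.164.53 proto=tcp dport=2207",
    "action=deny src=10.20.30.40 dst=18.216.177.78 proto=tcp dport=873",
    "action=allow src=10.20.30.40 dst=203.0.113.10 proto=tcp dport=443",
    "action=deny src=10.20.30.40 dst=192.0.2.55 proto=tcp dport=445",
    "action=deny src=10.20.30.41 dst=18.216.164.53 proto=tcp dport=22",
]

if __name__ == "__main__":
    for (host, ports), line in blocked_required("tracecso", "10.20.30.40", SAMPLE_LOG):
        print(f"BLOCKED required destination {host} ports={ports}: {line}")
```

Run it against the scanner's real source address and your firewall's export of denied flows; an empty result for the relevant service means every destination the appliance needs was permitted during the sampled period.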

ACCESS TO INTERNAL TARGETS

In addition to allowing the internal scanner to access the necessary external resources, the internal scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.

  • Antivirus/Endpoint Protection/EDR Software

    • Ensure the IP address of the internal scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
      • Why? Many of these solutions will see the scanning/testing traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
  • Intrusion Detection/Intrusion Prevention Systems

    • Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
      • Why? The scanning/testing traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full scanning/testing of targets.
  • Firewalls and Proxy Services

    • Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout intended subnets. If there are any proxy services, they should be configured to ignore the scanner's traffic.
      • Why? Misconfigured proxy services and firewalls, most often transparent proxies, can interfere with scanning/testing by responding on behalf of inactive IPs, which clutters the scan results with invalid information while slowing scans by an order of magnitude.

This information will need to be supplied to whomever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.

Whitelisting for Web Application Penetration Testing Service

This information is intended for clients who are receiving a Web Application Penetration Test. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Why should I whitelist?

During the defined testing period, the analyst must rapidly scan and test discovered services, which may cause an IPS or WAF to temporarily block or permanently blacklist the analyst's source IP address(es). This can limit the ability to test services that may otherwise be available, and consequently limit the ability to identify vulnerabilities on those services. Because of this, TraceSecurity recommends conducting web application tests with the testing source IP addresses whitelisted in any deployed intrusion prevention systems or web application firewalls. This allows the analyst to simulate the evasion tactics that might be available to a real-world attacker, providing a means to generate the most complete and accurate assessment possible.

How do I whitelist?

The intrusion detection system/intrusion prevention system (IDS/IPS) and/or WAF management team will need to allow ping sweeps and port scans from the designated source IP addresses listed below. The team SHOULD NOT allow access to any otherwise filtered ports on any supporting firewall. The purpose of the whitelisting is limited to preventing the source IP addresses from being completely blocked for triggering IDS/IPS/WAF behavioral rules such as those for ping sweeps or port scans.

The analyst IP addresses used for manual external testing are as follows:

174.69.226.251
174.69.226.254

This information will need to be supplied to whomever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them.

For any questions or concerns relating to this information, please discuss with your assigned analyst on the scoping call so expectations are appropriately set for the engagement.