Whitelisting Information for TraceCSO Internal Penetration Testing Services
This information is intended for clients who are receiving an Internal Penetration Test (IPT) or Wireless Assessment and Penetration Test (WAPT) enabled by TraceCSO-based remote access. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.
TraceCSO Internal Virtual Scanner Appliance & WAPT Device Whitelisting
ACCESS TO REQUIRED EXTERNAL RESOURCES
In order to function, the scanner or WAPT device must have outbound access to the following external resources:
- cso.tracesecurity.com over port 443 (SSL)
  - All communication with the TraceCSO web application occurs over SSL to this domain name.
  - If there is a firewall separating the scanner/WAPT device from the Internet, outbound access must be allowed to this domain name over port 443.
  - Any device (hardware or software) that filters outbound traffic will need to allow the scanner/WAPT device to access this resource. Specifically, TraceSecurity has documented issues with web content filtering systems, and the scanner's/WAPT device's traffic should be excluded from examination by those systems.
- 18.216.164.53 over port 22 (SSH)
  - Communication with our remote access host is necessary to establish a successful remote connection to the scanner/WAPT device for internal service testing.
  - If there is a firewall separating the scanner/WAPT device from the Internet, outbound access must be allowed to this IP over port 22.
  - If a destination port must be specified when whitelisting this communication, please use 2201-2220 to accommodate the range of temporary ports used when the scanner/WAPT device creates the reverse SSH tunnel.
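The two outbound paths above are usually the first thing to break during an engagement (a content filter silently dropping the 443 connection, or a resolver that cannot resolve the hostname looks the same as a blocked port). The following precheck is an added example written for this page, not TraceSecurity's own tooling: it encodes the allow-list above in a form a firewall team can consume, and attempts a plain TCP connect to the two service ports from the scanner's network segment so the failure can be classified (DNS, refused, filtered) before the test window. The 2201-2220 range is kept in the allow-list but not probed, because the text only says the device uses those ports while building the tunnel. The `TIMEOUT` value and the probe layout are assumptions.

```python
"""Pre-engagement egress precheck for a TraceCSO scanner / WAPT device segment.

Added example, not TraceSecurity's code. Hostname, IP and ports come from the
whitelisting requirements; TIMEOUT and the probe structure are assumptions.
Run it from the appliance's VLAN (or the appliance itself) before the test.
"""
import socket
from typing import List, NamedTuple

TIMEOUT = 5.0  # seconds per connect attempt (assumed; raise on slow links)


class EgressRule(NamedTuple):
    label: str
    dest: str      # hostname or IP the device must reach
    ports: range   # TCP destination ports the firewall must allow
    probe: bool    # whether a plain TCP connect is a meaningful check


class ProbeResult(NamedTuple):
    label: str
    dest: str
    port: int
    ok: bool
    detail: str


def required_egress() -> List[EgressRule]:
    """Outbound allow-list from the requirements, one entry per firewall rule."""
    return [
        EgressRule("TraceCSO web application", "cso.tracesecurity.com", range(443, 444), True),
        EgressRule("remote access host (SSH)", "18.216.164.53", range(22, 23), True),
        # Needed in the firewall rule when a destination port must be given;
        # not probed, nothing is expected to answer here outside a tunnel.
        EgressRule("remote access host (reverse SSH tunnel ports)", "18.216.164.53",
                   range(2201, 2221), False),
    ]


def check_tcp(rule: EgressRule, port: int, timeout: float = TIMEOUT) -> ProbeResult:
    """Attempt a TCP connect and classify the failure so the right team is told."""
    try:
        with socket.create_connection((rule.dest, port), timeout=timeout):
            return ProbeResult(rule.label, rule.dest, port, True, "connected")
    except socket.gaierror as exc:
        detail = f"DNS resolution failed ({exc}); check the resolver and DNS egress"
    except ConnectionRefusedError:
        detail = "connection refused; host reachable but port not answering"
    except socket.timeout:
        detail = f"timed out after {timeout}s; typically dropped by a firewall or content filter"
    except OSError as exc:
        detail = f"connect error: {exc}"
    return ProbeResult(rule.label, rule.dest, port, False, detail)


def run_prechecks(timeout: float = TIMEOUT) -> List[ProbeResult]:
    """Probe every rule marked probe=True on its first (only) service port."""
    return [check_tcp(rule, rule.ports[0], timeout) for rule in required_egress() if rule.probe]


def all_open(results: List[ProbeResult]) -> bool:
    return all(r.ok for r in results)


def report(results: List[ProbeResult]) -> List[str]:
    """One PASS/FAIL line per probe, suitable for pasting into a ticket."""
    return [f"{'PASS' if r.ok else 'FAIL'} {r.label}: {r.dest}:{r.port} - {r.detail}"
            for r in results]


def firewall_summary() -> List[str]:
    """Vendor-neutral rule lines for whoever maintains the egress firewall."""
    return [f"allow tcp from <scanner IP> to {r.dest} dport {r.ports[0]}-{r.ports[-1]}  # {r.label}"
            for r in required_egress()]


if __name__ == "__main__":
    results = run_prechecks()
    print("\n".join(report(results)))
    print("\nRequired egress rules:")
    print("\n".join(firewall_summary()))
    raise SystemExit(0 if all_open(results) else 1)
```

A non-zero exit means at least one path is blocked; the detail string tells you whether to talk to the DNS, firewall or content-filtering owner. A refused connection on port 22 or 443 would be unexpected for these hosts and is worth raising with TraceSecurity Support rather than with the local network team.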
ACCESS TO INTERNAL TARGETS (Does Not Apply to WAPT Devices)
In addition to allowing the scanner to access the necessary external resources, the scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.
- Antivirus/Endpoint Protection/EDR software
  - Ensure the IP address of the scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
  - Why? Many of these solutions will see the testing traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
- Intrusion Detection/Intrusion Prevention Systems
  - Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
  - Why? The testing traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full testing of targets.
- Firewalls and Proxy Services
  - Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout the intended subnets. If there are any proxy services, they should be configured to ignore traffic from the scanner.
  - Why? Misconfigured proxy services and firewalls, most often transparent proxies, can interfere with testing by responding on behalf of inactive IPs. This clutters the scan and its results with invalid information while slowing scans by an order of magnitude.
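The three "Why?" notes above describe the same effect from different products: anything that sees the scanner's traffic will classify it as hostile and either block it or bury the real alerts. The exception that avoids this should still be narrow. The block below is an added example, not part of the page or of any vendor's product, and it goes slightly beyond the text: instead of an unconditional whitelist on the scanner IP, it scopes the exception to the scanner's source address, the agreed engagement window and the intended target subnets, so alerts from that address at any other time, or toward any other destination, are still raised. `SCANNER_IP`, `ENGAGEMENT`, `TARGET_SUBNETS` and the alert lines are constructed placeholders; the line layout is a simple `timestamp src dst message` form assumed for the example.

```python
"""Scoped alert exception for a sanctioned internal scanner.

Added example, not part of the page or any product configuration. Values are
constructed placeholders: use your own appliance address, test dates and
target ranges. Alert lines are assumed to be "timestamp src dst message".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Tuple

SCANNER_IP = ip_address("10.0.50.25")          # constructed appliance address
ENGAGEMENT = (datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc),
              datetime(2024, 6, 7, 18, 0, tzinfo=timezone.utc))
TARGET_SUBNETS = [ip_network("10.0.0.0/16"), ip_network("192.168.10.0/24")]

# Constructed IDS-style alert lines (timestamp src dst message).
ALERTS = [
    "2024-06-04T10:15:00Z 10.0.50.25 10.0.20.7 portscan detected",     # in scope
    "2024-06-09T02:00:00Z 10.0.50.25 10.0.20.7 portscan detected",     # after the window
    "2024-06-04T10:16:00Z 10.0.50.25 172.16.5.5 portscan detected",    # outside target subnets
    "2024-06-04T10:17:00Z 10.0.33.9 10.0.20.7 portscan detected",      # not the scanner
    "this line is not an alert",                                      # malformed
]

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Decision:
    line: str
    suppress: bool   # True only for sanctioned test traffic
    reason: str


def parse(line: str) -> Tuple[datetime, str, str, str]:
    """Split an alert line; raises ValueError on anything it cannot read."""
    match = LINE.match(line.strip())
    if not match:
        raise ValueError("unrecognised alert line")
    ts_text, src, dst, message = match.groups()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts, src, dst, message


def evaluate(line: str, scanner_ip=SCANNER_IP, window=ENGAGEMENT, subnets=TARGET_SUBNETS) -> Decision:
    """Suppress only when source, time and destination all match the engagement."""
    try:
        ts, src, dst, _ = parse(line)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
    except ValueError as exc:
        # Never let a parsing problem turn into a silent suppression.
        return Decision(line, False, f"kept: unparseable ({exc})")
    if src_ip != scanner_ip:
        return Decision(line, False, "kept: source is not the scanner")
    if not (window[0] <= ts <= window[1]):
        return Decision(line, False, "kept: scanner IP active outside the engagement window")
    if not any(dst_ip in net for net in subnets):
        return Decision(line, False, "kept: destination outside the agreed target subnets")
    return Decision(line, True, "suppressed: sanctioned test traffic")


def triage(lines: List[str]) -> Tuple[List[Decision], List[Decision]]:
    """Return (suppressed, kept) so the kept set can still be reviewed."""
    decisions = [evaluate(line) for line in lines]
    return ([d for d in decisions if d.suppress], [d for d in decisions if not d.suppress])


if __name__ == "__main__":
    suppressed, kept = triage(ALERTS)
    for d in suppressed + kept:
        print(f"{d.reason:60s} | {d.line}")
```

The same three conditions translate directly into a product exception: source address equals the appliance, valid only between the agreed start and end dates, destination limited to the subnets in the test scope. Removing the exception when the engagement ends matters as much as creating it, and the window check is what makes a forgotten exception visible rather than silent.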
This information will need to be supplied to whoever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.