Whitelisting Information for TraceCSO Vulnerability Scanning Services

This information is intended for clients who are receiving a TraceCSO-based Vulnerability Assessment (VA), Enhanced Vulnerability Assessment (EVA), or Comprehensive Network Vulnerability Assessment (CNVA). If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

TraceCSO External Vulnerability Scanner & Analyst Manual External Testing Whitelisting

During the defined Vulnerability Assessment, the external scanners (and the analyst, in the case of an EVA or CNVA) must rapidly scan discovered services. This may cause an IPS to temporarily block or permanently blacklist the source IP address, which limits the ability to scan services that would otherwise be reachable and, consequently, the ability to identify vulnerabilities on those services. For this reason, TraceSecurity recommends that external vulnerability scanning (and manual external testing, in the case of an EVA or CNVA) be conducted with the source IP addresses whitelisted in any deployed intrusion prevention systems.

The TraceCSO external scanners' traffic will originate from either of the following IPs, so both should be whitelisted:

  • 52.15.220.7
  • 18.219.67.183

For EVA and CNVA services, manual external testing by the analyst will originate from either of the following IPs, so both should be whitelisted:

  • 174.69.226.251
  • 174.69.226.254

TraceCSO Internal Virtual Scanner Appliance Whitelisting

ACCESS TO REQUIRED EXTERNAL RESOURCES

In order to function, the scanner must have outbound access to the following external resources:

  • cso.tracesecurity.com over port 443 (HTTPS/TLS)

    • All communication with the TraceCSO web application occurs over TLS to this domain name.
      • If there is a firewall separating the scanner from the Internet, outbound access must be allowed to this domain name over port 443.
      • Any device (hardware or software) that filters outbound traffic will need to allow the scanner to reach this resource. TraceSecurity has documented issues with web content filtering systems in particular; the scanner's traffic should be excluded from inspection by those systems.
  • 18.216.177.78 over port 873 (rsync)

    • Communication with our plugin update host is necessary for the scanner to obtain updates to its library of vulnerability detection scripts/plugins.
  • 18.216.164.53 over port 22 (SSH)

    • Communication with our remote access host is necessary to establish a successful remote connection to the scanner for internal service testing (in the case of an EVA or CNVA) or Support troubleshooting.
      • If there is a firewall separating the scanner from the Internet, outbound access must be allowed to this IP over port 22.
      • If your firewall requires the destination port range for this communication to be specified explicitly, allow 2201-2220 in addition to 22, to accommodate the range of temporary ports used when the scanner creates the reverse SSH tunnel.
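The three outbound requirements above are easy to verify before the assessment starts. The following is an added example, not TraceSecurity's own tooling: a preflight script to run from the scanner's network segment that attempts a TCP connection to each required endpoint and, for the HTTPS endpoint, completes a TLS handshake with certificate verification. A TCP failure means a firewall or egress filter is blocking the path; a TCP success with a certificate that does not verify is the signature of a web content filter intercepting the connection. The endpoints are the ones listed on this page; the timeouts and status names are this script's own choices, and the probe functions are parameters so the logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Preflight check for the internal scanner's required outbound access.

Added example, not TraceSecurity's own tooling. Run it from the scanner's
network segment before the assessment starts. The endpoints below are the
ones listed on this page; timeouts and status names are this script's choice.
"""
import socket
import ssl

# Destination, port and purpose, as listed in the whitelisting requirements.
REQUIRED_EGRESS = [
    ("cso.tracesecurity.com", 443, "TraceCSO web application (HTTPS)"),
    ("18.216.177.78", 873, "plugin update host (rsync)"),
    ("18.216.164.53", 22, "remote access host (SSH, reverse tunnel)"),
]


def tcp_connect(host, port, timeout=5.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds.
    Both a silent firewall drop (timeout) and a reject (refused) count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_verifies(host, port, timeout=5.0):
    """Complete a TLS handshake and verify the server certificate against the
    system trust store. A content filter that intercepts TLS presents its own
    certificate, so a verification failure is the signature of interception.
    Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed (possible TLS interception): {exc}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"TLS handshake failed: {exc}"


def check_egress(endpoints=REQUIRED_EGRESS, connect=tcp_connect, tls_check=tls_verifies):
    """Probe each endpoint. Returns a list of (host, port, status, detail) where
    status is 'ok', 'blocked' (no TCP connection) or 'intercepted' (TCP works
    but the TLS certificate does not verify). The probe functions are
    parameters so the logic can be tested with fakes, offline."""
    results = []
    for host, port, purpose in endpoints:
        if not connect(host, port):
            results.append((host, port, "blocked", purpose))
            continue
        if port == 443:
            ok, detail = tls_check(host, port)
            results.append((host, port, "ok" if ok else "intercepted", detail))
        else:
            results.append((host, port, "ok", purpose))
    return results


def all_clear(results):
    """True only when every required endpoint reported 'ok'."""
    return all(status == "ok" for _, _, status, _ in results)


if __name__ == "__main__":
    report = check_egress()
    for host, port, status, detail in report:
        print(f"{host}:{port:<4} {status:<12} {detail}")
    raise SystemExit(0 if all_clear(report) else 1)
```

A non-zero exit code means at least one requirement is unmet; the per-line status tells the firewall or proxy administrator which rule to fix. Note that a successful TCP connection to port 22 or 873 only proves the path is open, not that the scanner's credentials or plugin feed are working; those are confirmed by TraceSecurity Support once the appliance checks in.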

ACCESS TO INTERNAL TARGETS

In addition to allowing the internal scanner to access the necessary external resources, the internal scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.

  • Antivirus/Endpoint Protection/EDR Software

    • Ensure the IP address of the internal scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
      • Why? Many of these solutions will see the scanning/testing traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
  • Intrusion Detection/Intrusion Prevention Systems

    • Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
      • Why? The scanning/testing traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full scanning/testing of targets.
  • Firewalls and Proxy Services

    • Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout the intended subnets. Any proxy services should be configured to exempt the scanner.
      • Why? Misconfigured proxy services and firewalls, transparent proxies most often, can interfere with scanning/testing by responding on behalf of inactive IPs. This clutters the scan and its results with invalid information while slowing scans by an order of magnitude.
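The transparent-proxy problem described above can be detected before the scan runs rather than discovered afterwards in a result set where every address looks alive. The following is an added example, not TraceSecurity's own tooling: from the scanner's network segment, it attempts TCP connections to a few addresses you know to be unallocated in the target subnet. A genuinely inactive address cannot complete a handshake, so any accepted connection means a device is answering on its behalf. The sentinel addresses and probe ports are placeholders to replace with your own (check DHCP leases and ARP tables first); the probe function is a parameter so the classification can be tested offline.

```python
#!/usr/bin/env python3
"""Detect a transparent proxy or firewall answering on behalf of inactive IPs.

Added example, not TraceSecurity's own tooling. Run it from the scanner's
network segment against the subnet about to be scanned. SENTINEL_IPS and
PROBE_PORTS are assumptions: replace the sentinels with addresses you know
are unallocated in the target subnet.
"""
import ipaddress
import socket

SENTINEL_IPS = ["10.0.5.250", "10.0.5.251"]   # placeholder: assumed unallocated
PROBE_PORTS = [22, 80, 443, 445]              # placeholder: ports a proxy would front


def tcp_connect(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes. For a genuinely inactive
    address this should never succeed: there is no host to send the SYN-ACK."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_sentinels(sentinels=SENTINEL_IPS, ports=PROBE_PORTS, connect=tcp_connect):
    """Return {ip: [ports that accepted a connection]} for the sentinel
    addresses. An empty dict means nothing answered for a dead address."""
    answered = {}
    for ip in sentinels:
        ipaddress.ip_address(ip)  # fail fast on a typo rather than probing junk
        hits = [p for p in ports if connect(ip, p)]
        if hits:
            answered[ip] = hits
    return answered


def diagnose(answered, sentinels=SENTINEL_IPS, ports=PROBE_PORTS):
    """Classify the probe result.
    'clean'        no sentinel answered; scan results for the subnet can be trusted.
    'proxy'        every sentinel accepted every probed port, the signature of a
                   transparent proxy/firewall completing handshakes for any IP.
    'inconclusive' some sentinel answered on some ports; it may actually be in
                   use, so re-check the sentinel choice before blaming a proxy.
    """
    if not answered:
        return "clean"
    every_sentinel = len(answered) == len(sentinels)
    every_port = all(set(hits) == set(ports) for hits in answered.values())
    if every_sentinel and every_port:
        return "proxy"
    return "inconclusive"


if __name__ == "__main__":
    hits = probe_sentinels()
    verdict = diagnose(hits)
    for ip, open_ports in hits.items():
        print(f"{ip} accepted connections on {open_ports}")
    print("verdict:", verdict)
    if verdict == "proxy":
        print("every address in this subnet will appear live to the scanner; "
              "exempt the scanner from the proxy/firewall before scanning")
```

Run it once per target subnet, since a proxy may front only some of them. A 'proxy' verdict is the case the bullet above warns about: the scanner will spend time fingerprinting phantom hosts and the report will carry findings for addresses that do not exist. An 'inconclusive' verdict usually means a sentinel was not actually free; pick another and re-run before escalating.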

This information will need to be supplied to whoever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.