Whitelisting Appcheck on Your Firewalls and IPS
To gain the best coverage from your security assessment, the AppCheck scanner IP address ranges should be added to the "whitelist" of any IPS or gateway device that could "blacklist" AppCheck based on one or more of its security checks. In this context, blacklisting means that the offending IP address is prevented from making future connections to the systems being scanned.
Addresses to Whitelist
CIDR Notation | Range Notation
What is whitelisting?
Modern firewalls and Intrusion Prevention Systems (IPS) can be configured to persistently ban IP addresses that submit requests containing known attack signatures. Whitelisting is a configuration option that allows security scanners to be used against the protected environment without being blacklisted. Whitelisting does not require that additional ports or services be allowed through the firewall.
Why is whitelisting required?
The AppCheck NG system scans for thousands of vulnerabilities in your web applications and network infrastructure. Any IPS, regardless of its level of sophistication, will detect many of the submitted security checks as malicious traffic. If the IPS then prevents further connections from the scanning IP address, the scan becomes ineffective at identifying vulnerabilities that could otherwise be exploited.
Does whitelisting AppCheck make it an unfair test?
Whilst AppCheck employs many of the same techniques as an attacker, it is not designed to be a simulated attack in every sense. Advanced vulnerability scanning solutions such as AppCheck aim to detect as many security flaws as possible, safely and accurately. Conversely, many genuine attacks target just one popular vulnerability and employ a single malicious payload, which is far less likely to be detected. An attacker can also use a range of IP addresses via proxies, VPNs and other anonymising tools such as Tor, whereas each AppCheck scan is completed from one IP address to ensure our traffic can be easily identified.
Can AppCheck be used to test my Intrusion Prevention System (IPS)?
AppCheck, like all vulnerability scanners, will trigger IPS rules. There are several approaches that can be adopted to test the IPS as well as the target applications and systems.
A common approach is to run two scans, one with whitelisting enabled and another without. It is recommended that the IPS is configured to block known attacks, but not to blacklist the source IP address.
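The recommended IPS behaviour above (drop a request that matches an attack signature, but never auto-ban a whitelisted scanner source) modelled in Python over constructed alert lines. This is an added illustration, not AppCheck's or any IPS vendor's code; the allowlist uses an RFC 5737 documentation range as a placeholder for the AppCheck scanner ranges, and the ban threshold and log format are assumptions.

```python
"""Model of an IPS policy that drops signature hits but only auto-bans
sources that are not on the scanner allowlist. Added example, not
AppCheck's or any IPS vendor's code."""
import ipaddress
import re
from collections import Counter

# PLACEHOLDER: RFC 5737 documentation range standing in for the AppCheck
# scanner ranges, which must be taken from the published whitelist.
SCANNER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed IPS alert lines for this example; not real log data.
ALERTS = """\
2024-05-01T09:00:01 src=203.0.113.7 sig=SQLI-UNION action=alert
2024-05-01T09:00:02 src=203.0.113.7 sig=XSS-SCRIPT-TAG action=alert
2024-05-01T09:00:03 src=203.0.113.7 sig=PATH-TRAVERSAL action=alert
2024-05-01T09:00:04 src=198.51.100.23 sig=SQLI-UNION action=alert
2024-05-01T09:00:05 src=198.51.100.23 sig=SQLI-UNION action=alert
2024-05-01T09:00:06 src=198.51.100.23 sig=SQLI-UNION action=alert
2024-05-01T09:00:07 src=192.0.2.10 sig=- action=pass
""".splitlines()

LINE_RE = re.compile(r"src=(?P<src>\S+) sig=(?P<sig>\S+) action=(?P<action>\S+)")
BAN_THRESHOLD = 3  # hypothetical: auto-ban after this many signature hits

def is_allowlisted(src: str) -> bool:
    """True if the source address falls inside any whitelisted scanner range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in SCANNER_ALLOWLIST)

def apply_policy(lines, threshold=BAN_THRESHOLD):
    """Return (decisions, banned): decisions is a list of (src, sig, verdict),
    banned is the set of sources added to the persistent blacklist."""
    hits = Counter()
    banned = set()
    decisions = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sig, action = m.group("src", "sig", "action")
        if action != "alert":
            decisions.append((src, sig, "allow"))
            continue
        verdict = "drop"  # a signature match is always blocked ...
        hits[src] += 1
        # ... but only non-whitelisted sources are banned after repeated hits.
        if not is_allowlisted(src) and hits[src] >= threshold:
            banned.add(src)
            verdict = "drop+ban"
        decisions.append((src, sig, verdict))
    return decisions, banned
```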
AppCheck adopts a first-principles approach to detecting vulnerabilities. In short, this means each application component is methodically tested, starting with subtle manipulation of each client request and building up to more complex payloads that fully exploit the security flaw. In many cases this allows AppCheck to accurately detect security flaws without submitting fully formed payloads that would be detected by the IPS.