Permitting access for the Agent (allowlist)

Overview

When performing security assessments, it is common practice to make a few adjustments to the firewall's allowlist so that testing is accurate and the assessment window is used efficiently. These allowlist entries let the testing procedures run without being interrupted or blocked by security controls such as IDS and IPS.

Note that if the client does not wish to allowlist the source IP addresses, testing activities may be limited and the results correspondingly less detailed.

Allowlisting vPenTest's external IP address

NOTE  This is only required for external security assessments.

In some situations you may want to allowlist the public IPs Vonahi uses for pentesting, for example to simulate a situation in which your security controls are not functioning as expected, so that the assessment reports what is actually exposed rather than what the controls happen to block. The source IPs to allowlist are:

  • 34.203.65.38
  • 54.157.67.248
  • 3.92.230.194

Permitting outbound access

NOTE  This is only required for internal security assessments.

In most cases, if your organization allows 443/tcp (https) and 80/tcp (http) outbound traffic without destination restrictions, your Agent should not experience any communication issues. However, if you are required to, or simply prefer to, explicitly allowlist the endpoints the Agent needs to communicate with, use the following list of endpoints.

Allow port 443/tcp (https) outbound for all of the following endpoints:

  • 708332864587.dkr.ecr.us-east-1.amazonaws.com
  • 708332864587.dkr.ecr-fips.us-east-1.amazonaws.com
  • api.ecr.us-east-1.amazonaws.com
  • app.vpentest.io
  • ec2messages.us-east-2.amazonaws.com
  • ecr-fips.us-east-1.amazonaws.com
  • ecr.us-east-1.amazonaws.com
  • kms.us-east-2.amazonaws.com
  • ssm-fips.us-east-2.amazonaws.com
  • ssm.us-east-2.amazonaws.com
  • ssmmessages.us-east-2.amazonaws.com
  • sts.amazonaws.com

Allow port 443/tcp (https) and 80/tcp (http) outbound for all of the following endpoints:

  • *.ubuntu.com
  • *.docker.com
  • *.github.io
  • *.rubygems.org
  • *.canonical.com

NOTE  Your firewall will also need to permit outbound NTP (123/udp), which is required for the provisioning of remote access.

During troubleshooting, you may be asked to add a further allowlist entry so that our development team can temporarily connect directly to your Agent. That endpoint varies from case to case and is therefore not provided in this list.
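A quick way to confirm the allowlist above actually works from the Agent's network segment is to probe each endpoint on the ports the page requires and list what fails. The script below is an added example, not Vonahi's or the Agent's own code. It copies the endpoint lists from this page; the representative hosts it substitutes for the wildcard entries (a wildcard cannot be probed directly) and the NTP server it uses are assumptions, so replace them with the hosts seen in your own proxy or firewall logs.

```python
"""Connectivity check for the Agent's outbound allowlist (added example, not Vonahi code)."""
import socket

# Endpoints that need 443/tcp only, copied from the page above.
HTTPS_ONLY = [
    "708332864587.dkr.ecr.us-east-1.amazonaws.com",
    "708332864587.dkr.ecr-fips.us-east-1.amazonaws.com",
    "api.ecr.us-east-1.amazonaws.com",
    "app.vpentest.io",
    "ec2messages.us-east-2.amazonaws.com",
    "ecr-fips.us-east-1.amazonaws.com",
    "ecr.us-east-1.amazonaws.com",
    "kms.us-east-2.amazonaws.com",
    "ssm-fips.us-east-2.amazonaws.com",
    "ssm.us-east-2.amazonaws.com",
    "ssmmessages.us-east-2.amazonaws.com",
    "sts.amazonaws.com",
]

# Wildcard entries that need 443/tcp and 80/tcp, copied from the page above.
HTTP_AND_HTTPS_PATTERNS = [
    "*.ubuntu.com", "*.docker.com", "*.github.io", "*.rubygems.org", "*.canonical.com",
]

# One representative host per wildcard so it can be probed. ASSUMPTIONS, not from the page:
# swap in whatever hosts your Agent actually contacts (check your proxy/firewall logs).
WILDCARD_PROBES = {
    "*.ubuntu.com": "archive.ubuntu.com",
    "*.docker.com": "download.docker.com",
    "*.github.io": "www.github.io",
    "*.rubygems.org": "index.rubygems.org",
    "*.canonical.com": "www.canonical.com",
}

NTP_SERVER = "ntp.ubuntu.com"  # ASSUMPTION: the page names no NTP server; use your own.


def matches(host, pattern):
    """True if host is covered by an allowlist entry.

    '*.example.com' covers any subdomain (one or more labels). Like most firewalls,
    it does NOT cover the bare 'example.com', and the leading dot in the suffix
    check prevents 'evil-example.com' from matching.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def required_ports(host):
    """Ports the page says must be open outbound for host; () if host is not on the list."""
    if any(matches(host, p) for p in HTTPS_ONLY):
        return (443,)
    if any(matches(host, p) for p in HTTP_AND_HTTPS_PATTERNS):
        return (443, 80)
    return ()


def tcp_open(host, port, timeout=5.0):
    """TCP connect probe; DNS failure, refusal and timeout all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_reachable(server=NTP_SERVER, timeout=5.0):
    """Send a minimal NTPv4 client request (LI=0, VN=4, mode=3 -> 0x23) and wait for a reply."""
    packet = b"\x23" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 123))
            data, _ = s.recvfrom(48)
            return len(data) >= 48
        except OSError:
            return False


def check_all(probe=tcp_open):
    """Probe every listed endpoint on its required ports; return the (host, port) pairs that failed.

    `probe` is injectable so the logic can be exercised without network access.
    """
    hosts = list(HTTPS_ONLY) + [WILDCARD_PROBES[p] for p in HTTP_AND_HTTPS_PATTERNS]
    return [(h, port) for h in hosts for port in required_ports(h) if not probe(h, port)]


if __name__ == "__main__":
    for host, port in check_all():
        print(f"BLOCKED  {host}:{port}/tcp")
    print("NTP 123/udp:", "ok" if ntp_reachable() else "BLOCKED")
```

Run it from the host that will run the Agent, before the assessment window, and hand any BLOCKED lines to whoever owns the firewall. The `matches` helper is also handy on its own for checking a destination pulled from a deny log against the wildcard entries.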

Permitting exclusions

NOTE  These exclusions are optional; whether you add them depends on whether you want to test the efficacy of your tools or want to bypass them so the assessment can proceed.

Modern security tools and services such as IPS/IDS, EDR, MDR, XDR and a SOC are all designed to analyze, detect and take some action against potentially malicious activity. A pentest is authorized, but it follows the same methodology and steps a malicious attacker would take and can therefore be detected as such by these tools. To avoid disruption, quarantined hosts or false alarms, we recommend that you allowlist our external IPs for external assessments and the internal Agent IP for internal assessments.

If you are unable to allowlist an IP in some of these tools, the next best option is to temporarily disable automated response actions such as "disconnect from network" (SentinelOne, for example) for the duration of the assessment, and re-enable them when it finishes.