More and more I am being asked by clients why we request that our scans be whitelisted when we are performing external security assessments. Many people believe that a blocked scan is the same as blocking a vulnerability which is present on a host. This could not be further from the truth.
Let us start by discussing what your firewall is probably doing, and not doing. When a firewall triggers on a scan, it is usually reacting to a few common behaviours. These include:
1. Lots of port requests from a single source IP
2. Failure to build a full TCP connection to multiple ports (SYN scanning)
3. A single IP attempting to connect to several IP addresses behind your firewall
There are other triggers, but these are the primary ways a vulnerability or port scan will get an IP address blocked by a firewall. The firewall is usually not deciding based on a payload in the network stream, although some can do that. With this in mind, why would you ever want to whitelist your penetration tester?
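As an added illustration (not part of the original post), the following Python sketch applies those three triggers to a constructed firewall connection log; the log format, the thresholds and the sample addresses are assumptions. It shows the point the post is making: a source that trips any rule gets flagged, but nothing in the rules says whether the services on the flagged hosts are actually vulnerable.

```python
# Added example (not from the original post): flag sources whose firewall
# log footprint matches the three scan triggers described above. Log
# format and thresholds are constructed assumptions.
from collections import defaultdict

# Constructed sample log: (src_ip, dst_ip, dst_port, tcp_state);
# 'SYN' = handshake never completed, 'EST' = full connection built.
SAMPLE_LOG = [
    ("203.0.113.9", "192.0.2.10", 22, "SYN"),
    ("203.0.113.9", "192.0.2.10", 80, "SYN"),
    ("203.0.113.9", "192.0.2.10", 443, "EST"),
    ("203.0.113.9", "192.0.2.10", 3389, "SYN"),
    ("203.0.113.9", "192.0.2.10", 8080, "SYN"),
    ("203.0.113.9", "192.0.2.11", 22, "SYN"),
    ("203.0.113.9", "192.0.2.12", 22, "SYN"),
    ("198.51.100.7", "192.0.2.10", 443, "EST"),
    ("198.51.100.7", "192.0.2.10", 443, "EST"),
]

# Illustrative thresholds; a real deployment tunes these to its baseline.
PORT_THRESHOLD = 5       # distinct destination ports from one source
HALF_OPEN_THRESHOLD = 4  # SYNs that never became full connections
FANOUT_THRESHOLD = 3     # distinct internal hosts touched by one source

def classify_sources(log):
    """Return {src_ip: [triggered rules]} for sources that look like scanners."""
    ports, targets = defaultdict(set), defaultdict(set)
    half_open = defaultdict(int)
    for src, dst, port, state in log:
        ports[src].add(port)
        targets[src].add(dst)
        if state == "SYN":
            half_open[src] += 1

    flagged = {}
    for src in ports:
        reasons = []
        if len(ports[src]) >= PORT_THRESHOLD:
            reasons.append("many-ports")      # trigger 1
        if half_open[src] >= HALF_OPEN_THRESHOLD:
            reasons.append("half-open-syn")   # trigger 2
        if len(targets[src]) >= FANOUT_THRESHOLD:
            reasons.append("host-fanout")     # trigger 3
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for src, why in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(why)}")
```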
Let’s start with getting the most for your money. If we try to avoid detection by your security overlays (firewalls, MSSP, IDS/IPS), it will take significantly more time to test each individual port on each individual IP address. With 65,535 ports potentially available on each IP address, it is much more efficient to allow the testing entity to automate this process. For fiscal efficiency, allowing the tester to scan each device will cost less in the long run.
Next is accuracy. Kevin Thomas, one of our cofounders, used the following analogy for me. “Let’s say you have a home with several ground-floor windows, and one of those windows is open. If I tried 2 or 3 closed windows and your security system caught me before I got to the open window, it did catch me, but that window is still open the next time I want to try. The next time I try, I might try that one first.” While the security overlay stopped the attempts, it does not protect the open window. The open window will be whatever service is allowed to run on the device and/or face the Internet. Even if that service is normally blocked by your firewall configuration, it is best to run all services as securely as possible and to be aware of what may be vulnerable on the host platform.
Lastly, there is the value of having a complete picture of your risk profile. Knowing the potential vulnerabilities on each host that is used to generate revenue and/or reputation for your organization lets you plan a more complete strategy to protect them. Security overlays are fantastic pieces of technology that have automated some previously very difficult tasks. One of the downsides of these overlays is that they can provide a false sense of security if proper testing is not done.
With all of that said, Contextual Security Solutions is happy to perform our testing in whatever manner you believe best serves your organization. There are examples of organizations that will need their security overlays tested in conjunction with the underlying hosts. Organizations that have access to classified material, sensitive data that can cause harm, and others need to know if their protections can be penetrated. It is helpful to be aware that those efforts take more time and therefore cost more money.