Before setting up an AppCheck Private Scan Hub on your internal network, you will need to ensure you are able to meet the requirements below.
Once you have confirmed you can meet these requirements, proceed to the setup guide.
System Access
You will need access to the following, either directly or via a colleague:
- Your organisation's VM hosting platform.
- Your organisation's network administration interface.
- Your organisation's firewall and IPS/WAF administrative interface(s).
VM Specifications
The standard hardware requirements are as follows, but see below for further details.
- 16GB RAM
- 4 CPU cores
- 60GB storage.
Memory
The standard amount of memory is 16GB. This makes a hub capable of a maximum of 5 concurrent scans. Each additional 2GB of memory adds an additional concurrent scan slot, though in real-world use some scan targets may use more RAM than others. The number of scans you can run concurrently is also limited by your AppCheck Licence.
You may need to increase this in future depending on the number and size of scans you run, but this is difficult to estimate ahead of time.
The amount of memory assigned should not be less than 16GB even if you do not wish to run multiple scans concurrently. Certain background tasks and update processes can require a large amount of memory.
CPU
The number of assigned cores should match the maximum number of concurrent scans that you want to run, plus one core for other OS functions, with a minimum requirement of 4 cores.
For example, to support 4 concurrent scans, assign 5 CPU cores.
The CPU must support the AVX instruction set. Consult your VM platform's documentation if you are unsure how to enable this.
Disk Capacity
60GB, allocated either statically or dynamically. There is no benefit to increasing this value, but decreasing it is not supported.
Firmware Type
BIOS. The AppCheck software does not currently support UEFI. Your VM creation interface may ask for this explicitly or in other terms (for example VirtualBox refers to Gen 1 and Gen 2).
If you see a failure to boot after installation, this may be the cause. It will usually be possible to correct this setting later if you miss it on creation.
Network Interface
The nature of the network connection you assign to the VM is up to you; for example, it may be bridged or NATed. You only need to ensure that the VM has access both to the targets you wish to scan and to the internet for communication with AppCheck (see Requirements - VM Network Access).
Operating System Installation / Optical Drive
You may be asked about OS installation when you create the VM. Choose the option of installing from a CD/DVD and select the AppCheck ISO. Alternatively you can select no operating system, then attach the ISO image to the virtual optical drive before starting the VM.
If asked to select an OS type for the image, select something like Ubuntu Linux x86_64.
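The Memory, CPU, Disk Capacity and Firmware Type rules above can be checked together before the VM is built. The following is an added example, not AppCheck code: the function names are hypothetical, the `/proc/cpuinfo` excerpts are constructed, and it assumes the "scans plus one" core guidance is applied as a cap of cores minus one.

```python
MIN_RAM_GB, MIN_CORES, MIN_DISK_GB = 16, 4, 60

def memory_slots(ram_gb):
    """Scan slots allowed by memory: 16GB gives 5, each further 2GB adds 1."""
    if ram_gb < MIN_RAM_GB:
        return 0
    return 5 + (ram_gb - MIN_RAM_GB) // 2

def has_avx(cpuinfo_text):
    """True if the first 'flags' line of /proc/cpuinfo text lists the avx token."""
    for line in cpuinfo_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip() == "flags":
            return "avx" in value.split()
    return False

def check_vm(ram_gb, cores, disk_gb, firmware, cpuinfo_text, licence_scans):
    """Return (problems, concurrent_scans) for a planned hub VM."""
    problems = []
    if ram_gb < MIN_RAM_GB:
        problems.append(f"RAM {ram_gb}GB is below the 16GB minimum")
    if cores < MIN_CORES:
        problems.append(f"{cores} cores is below the 4-core minimum")
    if disk_gb < MIN_DISK_GB:
        problems.append(f"disk {disk_gb}GB is below the supported 60GB")
    if firmware.strip().lower() != "bios":
        problems.append(f"firmware {firmware!r} is not BIOS")
    if not has_avx(cpuinfo_text):
        problems.append("CPU does not expose the AVX instruction set")
    if problems:
        return problems, 0
    # Assumption: the "scans + 1" core guidance is applied as a cap of cores - 1.
    return problems, min(memory_slots(ram_gb), cores - 1, licence_scans)

# Constructed /proc/cpuinfo excerpts (not captured from a real host).
CPUINFO_OK = "processor\t: 0\nflags\t\t: fpu sse sse2 ssse3 sse4_2 avx avx2\n"
CPUINFO_NO_AVX = "processor\t: 0\nflags\t\t: fpu sse sse2 ssse3 sse4_2\n"

if __name__ == "__main__":
    # Standard spec: memory allows 5 scans, but 4 cores leave room for only 3.
    print(check_vm(16, 4, 60, "BIOS", CPUINFO_OK, licence_scans=10))
    print(check_vm(24, 10, 60, "BIOS", CPUINFO_OK, licence_scans=10))
    print(check_vm(16, 4, 60, "UEFI", CPUINFO_NO_AVX, licence_scans=10))
```

Under that assumption the standard 16GB, 4-core specification is limited by CPU rather than memory, so reaching the 5 scans that 16GB allows needs 6 cores.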
VM Network Access
The VM hosting the scan hub will require the following network access.
Outbound
Outbound network access is required to AppCheck's servers (see table below) in addition to any internal hosts you intend to scan.
All access granted is outbound from your scan hub; it is not required or recommended to allow any inbound connectivity from the public internet.
| Source | Destination Host | Destination (IP) | Port(s) | Protocol |
|---|---|---|---|---|
| Purpose: Hub system and OS updates and provisioning | | | | |
| (internal hub) | assets.appcheck-ng.com | 167.99.85.223 | | TCP |
| (internal hub) | *.archive.ubuntu.com | - | | TCP |
| (internal hub) | docker.appcheck-ng.com | 68.183.33.54 | | TCP |
| Purpose: Hub command & control communication with AppCheck cloud platform | | | | |
| (internal hub) | | 178.128.173.89 | | TCP |
| (internal hub) | wire3.appcheck-ng.com | 178.128.163.167 | | TCP |
| (internal hub) | lograbbit.appcheck-ng.com | 178.62.17.110 | | TCP |
| Purpose: DNS / hostname resolution | | | | |
| (internal hub) | dns.google | | | TCP, UDP |
| Purpose: Scan hub software licence activation and renewal | | | | |
| (internal hub) | licensing.appcheck-ng.com | 104.248.173.23 | | TCP |
| (internal hub) | licensing-master.appcheck-ng.com | 142.93.43.105 | | TCP |
Bypass HTTP Proxy If Present
The deployed internal hub will, during normal operation, call out to the AppCheck cloud platform on ports 80 and 443 in order to retrieve Command & Control (C&C) tasking, and to report back results. These connections are initiated outbound from your network to the AppCheck cloud.
Because ports 80 and 443 are used, some customers may find that the traffic is intercepted by HTTP proxies they operate. Although it uses ports 80 and 443 (among others), the traffic is not HTTP traffic (it uses a custom protocol), so it is necessary to bypass the HTTP proxy or add an exception for each of the endpoints below:
| Source | Destination Host | Destination IP | Protocol |
|---|---|---|---|
| Scan hub | | 178.128.173.89 | TCP |
| Scan hub | licensing.appcheck-ng.com | 104.248.173.23 | TCP |
| Scan hub | licensing-master.appcheck-ng.com | 142.93.43.105 | TCP |
| Scan hub | docker.appcheck-ng.com | 68.183.33.54 | TCP |
| Scan hub | lograbbit.appcheck-ng.com | 178.62.17.110 | TCP |
| Scan hub | assets.appcheck-ng.com | 167.99.85.223 | TCP |
Even if your system allows the traffic through, it may modify the messages in a manner that would be harmless for HTTP traffic but interferes with AppCheck's custom protocol, so completely bypassing proxies (or any service that performs Deep Packet Inspection) is recommended.
Inbound
No inbound access from AppCheck is required.
Given the scan hub's likely privileged location on your network, we recommend restricting access to the hub in your firewall so that non-essential access is blocked.
The only inbound access required is administrative access to the scan hub's local web GUI, which should be accessible only from your internal network.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Administrators such as the user setting up the hub and users performing future maintenance | The scan hub's internal IP address | 8080 | HTTPS | Access to the hub's local web GUI |
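The Outbound and Inbound rules above can be turned into a check over firewall flow records once the hub is running. The following is an added example, not AppCheck code: the record format, the hub address and the sample flows are constructed, `audit_flows` is a hypothetical name, and "internal network" is assumed to mean the RFC 1918 ranges.

```python
import ipaddress

# Destination IPs from the outbound table on this page. The page gives no IP for
# *.archive.ubuntu.com or dns.google; pass the addresses you use as extra_allowed.
APPCHECK_IPS = {
    "167.99.85.223",    # assets.appcheck-ng.com
    "68.183.33.54",     # docker.appcheck-ng.com
    "178.128.173.89",   # host name not given in the table
    "178.128.163.167",  # wire3.appcheck-ng.com
    "178.62.17.110",    # lograbbit.appcheck-ng.com
    "104.248.173.23",   # licensing.appcheck-ng.com
    "142.93.43.105",    # licensing-master.appcheck-ng.com
}
# Assumption: "internal network" means the RFC 1918 private ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def audit_flows(flows, hub_ip, extra_allowed=()):
    """Return (flow, reason) for every flow that breaks the page's access rules."""
    allowed_out = APPCHECK_IPS | set(extra_allowed)
    findings = []
    for flow in flows:
        src, dst, dport, proto = flow
        if dst == hub_ip:                      # inbound to the hub
            if not is_internal(src):
                findings.append((flow, "inbound from outside the internal network"))
            elif (dport, proto) != (8080, "tcp"):
                findings.append((flow, "inbound to a port other than the GUI on 8080"))
        elif src == hub_ip:                    # outbound from the hub
            if not is_internal(dst) and dst not in allowed_out:
                findings.append((flow, "outbound to a public IP not in the allowlist"))
    return findings

# Constructed flow records (src, dst, dst_port, proto); the hub IP is a placeholder.
HUB = "10.20.30.40"
SAMPLE_FLOWS = [
    ("10.20.1.15", HUB, 8080, "tcp"),     # administrator reaching the web GUI
    ("10.20.1.15", HUB, 22, "tcp"),       # non-essential inbound access
    ("203.0.113.9", HUB, 8080, "tcp"),    # inbound from a public address
    (HUB, "178.128.173.89", 443, "tcp"),  # endpoint listed in the table
    (HUB, "10.20.5.7", 445, "tcp"),       # internal scan target
    (HUB, "198.51.100.77", 443, "tcp"),   # public destination not in the table
]
if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS, HUB):
        print(flow, "->", reason)
```

Outbound flows are matched on destination IP only, because the port column of the table on this page is empty; add a port check once you have the port list.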