Can AppCheck scan my network devices such as firewalls, switches, routers and VPNs?
Can AppCheck scan network hardware?
Yes, AppCheck is able to target any device for scanning that is present on the network at level 3/4 or higher of the network stack on the standard OSI model (see image below) - i.e. any device that presents an IP address may be targeted for scanning. This typically includes devices dedicated to routing or filtering traffic (rather than serving it) such as firewalls, Unified Threat Managers (UTMs), Web Application Firewalls (WAFs), routers, switches, Application Delivery Controllers (ADCs), and Intrusion Detection/Prevention Devices (IDS/IPSs).
The ability to scan a given device is dependent upon the access perspective - that is, if an IP address is bound to a specific interface connected to a local network segment, then AppCheck can only scan that IP address if deployed either on that local network segment, or in such a way that it is able to route to it. Since AppCheck scans from cloud (internet) based scanners by default, access to LAN-only interfaces for scanning will typically require deployment of an internal hub - please contact your account manager for more information.
What type of testing can AppCheck perform on network hardware?
AppCheck performs three types of network-based scanning by default, as below, depending on your scan configuration:
- Infrastructure scanning of an IP address or hostname by making a series of connections and requests to ports and services on a target host
- Web Application scanning of a URL. The key difference with a web application scan is that it is an extensive and focused scan of one or more web applications found to be operating on a given port at a given URL
- Port scanning to check for open ports and report on services found
All 3 are typically possible against network hardware, so long as they present an IP interface. Web application scanning is dependent upon the device operating an "admin GUI" or web admin interface for device configuration - this is typical but not universal. As above, ability to perform all 3 forms of scanning may require an internal scan hub if the admin IP is bound to a local (non publicly routable) network interface only, as is typical.
See 3 Types of Scanning - Port Scanning, Web Application Scanning, and Infrastructure Scanning for more information
Can AppCheck report on insecure configuration on network devices?
By default, AppCheck performs network-based scanning in a request-response or probe fashion from either a cloud-based scanner or (where deployed) an internal hub deployed on the customer network. These devices scan the target device across the network from a "black box" perspective and do not have access to the device to probe its configuration natively, instead relying on vulnerability detection via observed device behaviour/response in response to traffic and requests sent to it.
However AppCheck also offers credentialed infatrctures scanning (see https://appcheck.zendesk.com/hc/en-us/articles/360011113914-Credentialed-Infrastructure-Scanning ) in which the customer configures authentication for the scanner to log on to the target device in order check the device in a "white box" or open-book fashion for vulnerabilities that cannot be determined from scanning a host externally.
This type of check can find a greater range of vulnerabilities including missing patches and a wider range of security mis-configurations or insecure configurations.
However this detection is dependent upon the target device presenting a remote login functionality and this remote login functionality being supported by AppCheck. Since the OS used varies dramatically by manufacturer and product line, no complete list is provided here of supported devices, but typically those based on a common OS such as Linux are supported.
What types of vulnerability can AppCheck report on network devices?
- Vulnerabilties exposed via an active web admin interface on the network device, such as weak or default credentials for the admin GUI, weak cipher suites in use, insecure cookie usage etc.
- Vulnerabilities exposed via (unauthenticated) infrastructure scanning, such as weak encryption strength or ciphers, lack of encryption/plaintext ports.
- Vulnerabilities exposed by port scanning, such as inadvertently exposed ports on the public internet; and
- Vulnerabilities exposed by credentialed infrastructure scanning (where applicable) such as missing patches or insecure configuration.
What types of issue can AppCheck NOT report on network devices?
Typically, AppCheck is restricted to the detection of common technical vulnerabilities. It is not able without the addition of additional manual tasking to perform a full firewall review as may be required
under compliance requirements for your customer environment. These may include items such as:
- Analysis of traffic in transit across the device for detection of plaintext protocol usage within the network
- Manual review of personnel security such as training records, ACL user lists under SML (start mover leaver) review
- Log analysis such as log audit for privileged access escalations
- Network architecture/deployment review for appropriate firewall placing and screening
- Rulebase review for appropriateness and correctness of individual firewall policies or rules
- Physical access review of firewall physical deployment security