...

Info

NOTE: If your supported solution is already cloud-based and/or is Internet-facing then it’s even easier to link the platform to your chosen scanning solution. Just follow the Connecting the Platform to Externally Hosted Scanners guide to get started.

Access Controls for the Platform

For those scanning solutions that are only internal to your infrastructure and organisation (i.e. the scanners are not exposed to the Internet) you will need to allow access from the platform application through your Internet firewall(s) or via a Reverse Proxy. This is necessary so that the platform can establish an inbound connection to your scanning solution(s) and retrieve scan results.

...

What IP Addresses does the Platform use?

Example Deployment - Platform access to Nessus via NAT/PAT Firewalls

This example uses Tenable’s Nessus Professional. If your organisation has deployed one or more ‘standalone’ Tenable Nessus Professional scanners across your internal network, and you are not using Tenable’s centralised scanner management platforms (e.g. Tenable.IO or Tenable.SC), each scanner must be exposed to the platform application through your primary Internet firewall(s) so that the platform can retrieve scan results from each scanner’s API.

...

Note

For deployments where the Internet firewall uses Port Forwarding or Port Address Translation (PAT), a corresponding port mapping rule will be required to map an available TCP port on the Firewall’s public IP address to the scanner’s TCP port (typically 8834 for Nessus).

Example Deployment - Platform access to Nessus via Reverse Proxies

This example uses Tenable’s Nessus Professional. If your organisation has deployed one or more ‘standalone’ Tenable Nessus Professional scanners across your internal network, and you are not using Tenable’s centralised scanner management platforms (e.g. Tenable.IO or Tenable.SC), each scanner must be accessible to the platform application via an interim Reverse Proxy so that the platform can retrieve scan results from each scanner’s API.

...

Info

This example assumes the Tenable Nessus Professional Scanner is using the default management port of TCP-8834. If you are using alternative ports, please adjust the Reverse Proxy server-side rule accordingly.

For the purpose of this example and in the context of Reverse Proxies, the Nessus Professional WebUI and API is considered the destination “Web Service” or “Web Application”.

The platform team have successfully tested this deployment using nginx as a Reverse Proxy.

...

Note

The TCP port defined for the Client-Side Request URL can be any available port; TCP-8834 has been used here for simplicity.

Info

Where access to multiple internal ‘standalone’ Tenable Nessus Professional scanners is required via a Reverse Proxy, the recommended approach would be to configure separate public DNS A records for each scanner along with separate Client-Side & Server-Side rules for each scanner.

Example Deployment - Platform access to Burpsuite Enterprise via NAT/PAT Firewalls

Info

NOTE: Since the platform utilises the Burpsuite Enterprise API hosted on the Burpsuite Enterprise Manager, the platform does not require direct access to any Burpsuite Enterprise Scanning Engines/Agents.

...

Note

For deployments where the Internet firewall uses Port Forwarding or Port Address Translation (PAT), a corresponding port mapping rule will be required to map an available TCP port on the Firewall’s public IP address to the Manager’s TCP port (typically 8080).

Example Deployment - Platform access to Burpsuite Enterprise via Reverse Proxies

...

Info

This example assumes the Burpsuite Enterprise Manager is using the default web management port of TCP-8080. If you are using alternative ports, please adjust your Reverse Proxy rules accordingly.

For the purpose of this example and in the context of Reverse Proxies, the Burpsuite Enterprise WebUI and API is considered the destination “Web Service” or “Web Application”.

...

The platform team have successfully tested this deployment using nginx as a Reverse Proxy.

Information regarding the Burpsuite Enterprise Deployment Architecture can be found here

...

Client-Side Request URL                 Server-Side Request URL
https://burpsuite.mydomain.com:8080     https://192.168.100.1:8080

Example Deployment - Platform access to Rapid7 InsightVM Security Console via NAT/PAT Firewall

This example uses Rapid7’s InsightVM Security Console. If your organisation has deployed an InsightVM Security Console (with one or more InsightVM scan engines), the InsightVM Security Console API must be accessible to the platform application so that the platform can retrieve scan results from it.

...

Note

For deployments where the Internet firewall uses Port Forwarding or Port Address Translation (PAT), a corresponding port mapping rule will be required to map an available TCP port on the Firewall’s public IP address to the console’s TCP port (typically 3780 for InsightVM Security Console).

Example Deployment - Platform access to Rapid7 InsightVM Security Console via Reverse Proxies

This example uses Rapid7’s InsightVM Security Console. If your organisation has deployed an InsightVM Security Console (with one or more InsightVM scan engines), the InsightVM Security Console API must be accessible to the platform application so that the platform can retrieve scan results from it. This can be achieved via an interim Reverse Proxy that forwards the platform’s requests to the InsightVM Security Console API.

Note

NOTE: Rapid7’s cloud-based Insight Platform is not currently supported by the Platform. Limitations in the Insight Platform API prevent the platform from retrieving results on a per-scan basis.

...

Info

This example assumes the InsightVM Security Console is using the default management port of TCP-3780. If you are using alternative ports, please adjust the Reverse Proxy server-side rule accordingly.

For the purpose of this example and in the context of Reverse Proxies, the InsightVM Security Console WebUI and API is considered the destination “Web Service” or “Web Application”.

...

The platform team have successfully tested this deployment using nginx as a Reverse Proxy.
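The three Reverse Proxy deployments above (Nessus Professional on TCP-8834, Burpsuite Enterprise Manager on TCP-8080 and InsightVM Security Console on TCP-3780) all follow the same pattern: a public DNS name and port on the proxy (the Client-Side Request URL) is mapped to the internal WebUI/API (the Server-Side Request URL), with a separate rule per scanner. The nginx configuration below is an added example illustrating that pattern; it is not the platform team’s tested configuration. The hostnames, internal IP addresses (other than the 192.168.100.1:8080 Burpsuite mapping shown in the table above), certificate paths and the platform source range are placeholders to be replaced with your own values; in particular the `allow` range must be the platform’s published IP addresses.

```nginx
# Added example (not the platform team's configuration). Placeholders: hostnames,
# internal IPs except 192.168.100.1:8080, certificate paths, platform source range.

# --- /etc/nginx/snippets/scanner-proxy.conf --------------------------------
# Shared settings, included by every scanner server block below.

# Only the platform should reach a scanner API through this proxy. Replace the
# placeholder (TEST-NET-3 documentation range) with the platform's IP addresses.
allow 203.0.113.0/24;
deny  all;

proxy_http_version 1.1;
proxy_set_header Host              $host;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;

# Verify the scanner's own HTTPS certificate instead of trusting any backend.
# Assumes the scanner certificates chain to the CA exported to this file.
proxy_ssl_verify              on;
proxy_ssl_trusted_certificate /etc/nginx/tls/scanner-ca.pem;   # placeholder
proxy_ssl_server_name         on;

# --- /etc/nginx/conf.d/scanners.conf ----------------------------------------
# One server block per scanner: the listen/server_name pair is the Client-Side
# Request URL, the proxy_pass target is the Server-Side Request URL. Multiple
# standalone Nessus scanners each get their own public DNS A record and block.

server {                                   # Nessus scanner 1 (client side :8834)
    listen 8834 ssl;
    server_name nessus-01.mydomain.com;                       # placeholder
    ssl_certificate     /etc/nginx/tls/nessus-01.crt;         # placeholder
    ssl_certificate_key /etc/nginx/tls/nessus-01.key;         # placeholder
    location / {
        include snippets/scanner-proxy.conf;
        proxy_ssl_name nessus-01.internal;                    # name on scanner cert
        proxy_pass https://192.168.100.10:8834;               # placeholder IP
    }
}

server {                                   # Nessus scanner 2 (separate rule set)
    listen 8834 ssl;
    server_name nessus-02.mydomain.com;                       # placeholder
    ssl_certificate     /etc/nginx/tls/nessus-02.crt;         # placeholder
    ssl_certificate_key /etc/nginx/tls/nessus-02.key;         # placeholder
    location / {
        include snippets/scanner-proxy.conf;
        proxy_ssl_name nessus-02.internal;                    # name on scanner cert
        proxy_pass https://192.168.100.11:8834;               # placeholder IP
    }
}

server {                                   # Burpsuite Enterprise Manager (:8080)
    listen 8080 ssl;
    server_name burpsuite.mydomain.com;                       # from the table above
    ssl_certificate     /etc/nginx/tls/burpsuite.crt;         # placeholder
    ssl_certificate_key /etc/nginx/tls/burpsuite.key;         # placeholder
    location / {
        include snippets/scanner-proxy.conf;
        proxy_ssl_name burpsuite.internal;                    # name on manager cert
        proxy_pass https://192.168.100.1:8080;                # from the table above
    }
}

server {                                   # InsightVM Security Console (:3780)
    listen 3780 ssl;
    server_name insightvm.mydomain.com;                       # placeholder
    ssl_certificate     /etc/nginx/tls/insightvm.crt;         # placeholder
    ssl_certificate_key /etc/nginx/tls/insightvm.key;         # placeholder
    location / {
        include snippets/scanner-proxy.conf;
        proxy_ssl_name insightvm.internal;                    # name on console cert
        proxy_pass https://192.168.100.20:3780;               # placeholder IP
    }
}
```

The client-side `listen` port is independent of the backend port, so the scanner blocks could equally listen on 443 with the same `proxy_pass` targets; the default management ports are kept here to match the examples above. The `allow`/`deny` pair and backend certificate verification are the two checks worth keeping when adapting this: the first limits the exposed scanner APIs to the platform’s addresses, the second prevents the proxy from silently forwarding platform credentials to an unexpected host on the internal network. Run `nginx -t` after editing to validate the configuration before reloading.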

Assume the following scenario:

...