What are internal scan hubs?
AppCheck can provide customers with internal scan hubs that they can deploy within their own estate (hosted or cloud), so that applications and infrastructure can be scanned from within their network perimeter (behind their perimeter firewalls).
The hub is bound to just your account such that only your account is able to access and control it - you have exclusive use of the hub and other customers may not access or use it.
It sends scan results back to our central cloud platform so that they are available as normal via your scan portal.
Internal scan hub Licensing
The certificate applied to an internal scan hub for encryption is set to expire when your main customer account license expires.
You will need to open up some ports for the hub to make an outbound connection to our services.
The full, up-to-date list of target endpoints is provided in our Internal Hub Setup Guide. You should receive a copy when setting up an internal hub, and it is available on request from email@example.com - we will also shortly be publishing it to the Help & Support area of our website.
The outbound connectivity we typically recommend is on ports 80 and 443; however, if access through these ports is not possible, the scan hubs will also attempt access on the following (server/destination) ports:
These ports do not map to their typical services (e.g. port 25 is not actually connecting via SMTP). They are all bound on the AppCheck hosts to the same "wire" service used for scan hub command and control (C&C) functions - the ports have simply been chosen because there is a good chance that in many cases firewalls already allow outbound traffic to these ports globally.
The internal hub will make connections to several services. Customers should refer to the Internal Hub Setup Guide for the most up-to-date list of services to which connections are required; however, these include:
wire1.appcheck-ng.com and wire-2.appcheck-ng.com - the "wire" command and control (C&C) service for hub remote management
assets.appcheck-ng.com - this is where the hub checks for updates to the scanning software.
sentinel.appcheck-ng.com - this is an out-of-band detection server. Payloads that trigger after the event call out to this server, which is used in the detection of 2nd order attacks (for example an XSS triggering in an admin interface)
*.archive.ubuntu.com - From time to time updates will also need to be made to the underlying OS of the internal hub, which is currently based on Ubuntu
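The connectivity requirements above can be checked from the network segment where the hub will sit before it is deployed. The following is an added example, not part of AppCheck's tooling or the Setup Guide: it attempts outbound TCP connections to the hostnames listed on this page, and it assumes that every host is probed on the two recommended ports (80 and 443) and that wildcard entries are flagged for manual review rather than probed.

```python
import socket

# Hostnames exactly as listed on this page; the Internal Hub Setup Guide
# remains the authoritative list.
HUB_ENDPOINTS = (
    "wire1.appcheck-ng.com",
    "wire-2.appcheck-ng.com",
    "assets.appcheck-ng.com",
    "sentinel.appcheck-ng.com",
    "*.archive.ubuntu.com",
)
# Assumption: each endpoint is probed on both recommended ports.
PORTS = (80, 443)


def tcp_reachable(host, port, timeout=5.0):
    """Return (ok, detail) for one outbound TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"DNS failure: {exc}"
    except socket.timeout:
        return False, "timed out (possibly dropped by a firewall)"
    except OSError as exc:
        return False, f"refused or unreachable: {exc}"


def preflight(endpoints=HUB_ENDPOINTS, ports=PORTS, timeout=5.0):
    """Probe each endpoint/port pair; wildcard entries are flagged, not probed."""
    results = []
    for host in endpoints:
        if "*" in host:
            results.append((host, None, None, "wildcard: verify the firewall rule manually"))
            continue
        for port in ports:
            ok, detail = tcp_reachable(host, port, timeout)
            results.append((host, port, ok, detail))
    return results


if __name__ == "__main__":
    for host, port, ok, detail in preflight():
        status = "SKIP" if ok is None else ("OK" if ok else "FAIL")
        print(f"{status:4} {host}:{port if port else '-'}  {detail}")
```

A successful connect only shows that the firewall passes the TCP handshake; an intercepting proxy or TLS inspection device on the path can still break the hub's encrypted session.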