How do AppCheck scans normally work?
The majority of AppCheck scans for our customers are launched from our dedicated public scan hubs. These are cloud-based scanners that operate from dedicated address space/IP ranges and perform scans across the public internet, targeting web applications and infrastructure that are presented on the public internet, such as public websites.
Public scan hubs act as a shared (multi-tenanted) resource pool available for launching scans for any of our customers.
What limitations do public scan hubs have?
Public scan hubs can only target applications and infrastructure that are presented on the public internet, such as companies' public websites and services. However, some systems such as internal company web portals (intranets, HR and admin systems for example) may only be presented on internal (RFC1918) IP addresses and not be accessible across the public internet to customers (or AppCheck's public scan hubs). In order to scan such systems, an alternative is needed.
What are internal scan hubs and how do they differ?
AppCheck can provide customers with internal scan hubs that they can deploy within their own estate (hosted or cloud) to allow customers to scan applications and infrastructure from within their network perimeter (behind their perimeter firewalls).
An internal hub is bound to a single customer account as a dedicated (single customer) device such that only that customer account is able to access and control it - the customer has exclusive use of the hub and other customers may not access or use it.
Internal scan hubs send scan results back to our central cloud platform so that they are available as normal via the central (cloud) scan portal, as with any other scan result.
What are some common use cases for internal scan hubs?
Internal scan hubs might be useful in the following circumstances:
- Where a customer wishes for a dedicated scan hub that is assigned to themselves only such that they have full access to its resources, rather than sharing scan hub resources in a contention ratio with other customers.
- Where a customer wishes to perform scanning against web portals, endpoints or infrastructure that is available only within the organisation (such as employee internal services and portals) and is not presented on a public IP or resolvable across the public internet.
- Where a customer wishes to scan hosts or services within cloud accounts such as AWS or Azure that are source-IP restricted or not presented on a public IP.
Internal scan hubs are licensed on an annual basis and multi-year licences are available (contact your account manager for details). A certificate is applied to the internal scan hub that is valid for the duration of the licence purchased, and the internal scan hub certificate will expire either once its licence expires, or in the event that the owning customer account licence expires.
Deployment and setup
Our hubs are supplied as virtual machine images in both OVA and VHD formats as virtual appliances (machine images). They can be found along with our Internal Hub Setup Guide at https://appcheck-ng.com/get-help/downloads/.
We do not supply the AppCheck internal hubs as application binaries/executables for installation on top of existing VMs/OSes; they must be deployed as machine images on an underlying hypervisor such as VMware.
You can find details of the required (outbound) network access for hubs in the latest copy of our Internal Hub Setup Guide, available from our online support and documentation pages at https://appcheck-ng.com/get-help/documentation/.