Network Defense
5 automated security scanners
DDoS Protection
Purpose: The DDoS Protection Scanner evaluates the Distributed Denial of Service (DDoS) defenses in front of a domain: whether request rate limiting and connection throttling are enforced, what traffic filtering and challenge mechanisms a WAF or CDN applies, whether volumetric attacks are mitigated upstream, and how the application behaves under load.
What It Detects:
- Rate Limiting Detection: Sends a burst of requests to the domain and checks whether a request rate limit is enforced, measuring response-time degradation and watching for HTTP 429 (Too Many Requests) responses to locate the threshold. Without such a limit a single client can exhaust server resources with rapid requests.
- Connection Throttling: Verifies that a limit on concurrent connections per client exists. Such limits are what defend against slowloris-style attacks, in which many half-open connections are held to exhaust the server's connection pool.
- Traffic Filtering Analysis: Looks for response headers that identify a WAF or DDoS protection provider (for example Cloudflare, AWS Shield or Akamai), for challenge pages such as CAPTCHAs and JavaScript challenges used for bot detection, and for geographic filtering in effect.
- Response Pattern Analysis: Measures baseline response times under normal conditions, then applies simulated load to see whether the service degrades gracefully or becomes unavailable, and at what threshold. It also records how errors are handled under stress.
- Protection Service Detection: Identifies DDoS mitigation providers, CDN-based protection and cloud DDoS services in front of the domain, and flags infrastructure with no protection layer at all.
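The rate-limit and response-pattern checks above reduce to one procedure: send a burst, note where (if anywhere) the service starts answering 429, and compare later latencies against a baseline taken from the first few requests. The following is an added example written for this page, not the scanner's own code. It takes the HTTP client as a callable so it runs offline against constructed probes; `limited_server`, `degrading_server` and `flat_server` are invented stand-ins for a real target, and the 3x degradation factor and 5-request baseline are assumed tuning values.

```python
"""Rate-limit probe analysis: burst requests, then locate the 429 threshold
and any response-time degradation relative to a baseline (added example)."""
from statistics import median
from typing import Callable, Dict, List, Optional, Tuple

# A probe returns (status_code, latency_seconds) for request number i.
Probe = Callable[[int], Tuple[int, float]]


def run_burst(probe: Probe, count: int) -> List[Tuple[int, float]]:
    """Issue `count` sequential requests and collect (status, latency) pairs."""
    return [probe(i) for i in range(count)]


def analyze_rate_limit(samples: List[Tuple[int, float]],
                       baseline_n: int = 5,
                       degradation_factor: float = 3.0) -> Dict[str, object]:
    """Interpret a burst. The index of the first 429 is the rate-limit
    threshold; latency above degradation_factor x the baseline median means
    the service is slowing down (throttling or saturating) without refusing."""
    baseline = median([lat for _, lat in samples[:baseline_n]])
    threshold: Optional[int] = next(
        (i for i, (status, _) in enumerate(samples) if status == 429), None)
    degraded_at: Optional[int] = next(
        (i for i, (_, lat) in enumerate(samples)
         if i >= baseline_n and lat > baseline * degradation_factor), None)
    server_errors = sum(1 for status, _ in samples if status >= 500)

    if threshold is not None:
        verdict = "rate_limited"          # explicit limit enforced
    elif degraded_at is not None:
        verdict = "degrades_silently"     # slows down but never refuses
    else:
        verdict = "unprotected"           # the high-risk case in the text
    return {
        "baseline_latency": baseline,
        "rate_limit_threshold": threshold,
        "degraded_at": degraded_at,
        "server_errors": server_errors,
        "verdict": verdict,
    }


# Constructed probes standing in for a real HTTP client (no network needed).
def limited_server(i: int) -> Tuple[int, float]:
    """Allows 20 requests in a burst, then answers 429 quickly."""
    return (200, 0.05) if i < 20 else (429, 0.01)


def degrading_server(i: int) -> Tuple[int, float]:
    """Never refuses, but latency jumps tenfold once the backend saturates."""
    return (200, 0.05) if i < 30 else (200, 0.5)


def flat_server(i: int) -> Tuple[int, float]:
    """Absorbs the whole burst at constant latency: nothing is limiting it."""
    return (200, 0.05)


if __name__ == "__main__":
    for name, probe in [("limited", limited_server),
                        ("degrading", degrading_server),
                        ("flat", flat_server)]:
        print(name, analyze_rate_limit(run_burst(probe, 50)))
```

Against a real target the probe callable would wrap an HTTP client and time each request; the analysis is unchanged. A `flat` verdict on a production host is exactly the "no rate limiting" finding the text rates as high risk, while `degrades_silently` deserves attention too, since the service is being exhausted rather than defended.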
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) whose DDoS protection is to be evaluated.
Business Impact: Inadequate DDoS protection exposes the service to network bandwidth saturation from volumetric attacks, exhaustion of server resources by application-layer floods, and slowloris-style connection exhaustion where connection limits are missing. The result is service unavailability, with the financial loss and reputational damage that follows.
Risk Levels:
- Critical: No DDoS protection mechanism of any kind is detected. With neither rate limiting, connection limits nor an upstream filtering layer, a single attacker can take the service offline.
- High: Rate limiting is missing, or endpoints are exposed without connection limits and are therefore vulnerable to slowloris-style attacks that exhaust server resources while generating little traffic.
- Medium: Traffic filtering is absent or ineffective, so flood traffic (including reflected and amplified traffic aimed at the domain) reaches the origin unfiltered and degrades service.
- Low: A WAF or CDN is present (identified from its headers) but no challenge pages such as CAPTCHAs or JavaScript challenges were observed; the filtering layer provides some protection but has fewer tools against automated clients.
- Info: Baseline response times and observed load handling, recorded for operational context rather than as a security finding.
Example Findings:
- The domain does not implement any rate limiting (no 429 responses and no throttling under a request burst), a high-risk finding because it is open to resource exhaustion.
- No traffic filtering layer was detected in front of the endpoint, so flood traffic reaches the origin directly; this is a medium-risk finding for service resilience against DDoS.
Enterprise Firewall Effectiveness
Purpose: The Enterprise Firewall Effectiveness Scanner evaluates how well an enterprise firewall filters traffic by assessing port filtering, detecting exposed management interfaces, validating egress filtering and analyzing perimeter defense layers. It identifies gaps created by misconfigured firewalls that can lead to unauthorized access and data exfiltration.
What It Detects:
- Port Exposure Analysis: Tests common service ports such as HTTP (80), HTTPS (443), SSH (22), RDP (3389), FTP (21) and Telnet (23) to see which are reachable from the internet, and checks management ports such as 8080, 8443 and 9000 that often expose administrative interfaces.
- Service Banner Detection: Identifies the service running on each open port and flags version disclosures and other information leakage in banners or response headers.
- Firewall Fingerprinting: Fingerprints the firewall's TCP/IP stack behaviour, detects responses characteristic of particular firewall products, and assesses its packet filtering patterns.
- Egress Filtering Validation: Checks whether outbound connections are restricted, since unrestricted egress lets an attacker exfiltrate data through DNS queries or HTTP(S) traffic.
- Defense Layer Analysis: Evaluates whether additional layers such as a Web Application Firewall (WAF), Intrusion Prevention System (IPS) or Content Delivery Network (CDN) sit in front of the hosts and strengthen perimeter security.
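Once the port scan and banner grab are done, the findings are scored by the rules this section's Risk Levels spell out (more than 10 open ports is critical, management or database ports are high, non-standard ports and version disclosure are medium, default banners are low). The following is an added example of that scoring, written for this page and not the scanner's code. The port sets, the version regex and the default-page markers are my assumptions, and `SAMPLE_HOST` is a constructed port-to-banner map rather than a real scan result.

```python
"""Score externally observed open ports and banners with the section's rules
(added example; port groupings and banner patterns are assumptions)."""
import re
from typing import Dict, List, Optional, Tuple

STANDARD_PORTS = {80, 443}
# Remote administration and admin UIs (assumed grouping; SSH is included
# because exposed remote shells are an entry point even when well configured).
MANAGEMENT_PORTS = {22, 23, 3389, 8080, 8443, 9000}
# MSSQL, MySQL, PostgreSQL, Redis, MongoDB default ports.
DATABASE_PORTS = {1433, 3306, 5432, 6379, 27017}
VERSION_RE = re.compile(r"\d+\.\d+")              # "Apache/2.4.41", "OpenSSH_8.2p1"
DEFAULT_MARKERS = ("Welcome to nginx", "It works", "IIS Windows Server")

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
Finding = Tuple[str, Optional[int], str]           # (severity, port or None, message)


def assess_exposure(open_ports: Dict[int, str]) -> List[Finding]:
    """Map {port: banner} for one host to severity-tagged findings."""
    findings: List[Finding] = []
    if len(open_ports) > 10:
        findings.append(("critical", None,
                         f"{len(open_ports)} open ports: perimeter filter ineffective or absent"))
    for port, banner in sorted(open_ports.items()):
        if port in MANAGEMENT_PORTS:
            findings.append(("high", port, "management interface exposed to the internet"))
        elif port in DATABASE_PORTS:
            findings.append(("high", port, "database port exposed to the internet"))
        elif port not in STANDARD_PORTS:
            findings.append(("medium", port, "service on non-standard port"))
        if VERSION_RE.search(banner):
            findings.append(("medium", port, f"version disclosure in banner: {banner.splitlines()[0]}"))
        if any(marker in banner for marker in DEFAULT_MARKERS):
            findings.append(("low", port, "default configuration visible in banner"))
    return findings


def overall_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'info' when the host is clean."""
    if not findings:
        return "info"
    return max((sev for sev, _, _ in findings), key=SEVERITY_ORDER.index)


# Constructed scan result standing in for a real host.
SAMPLE_HOST: Dict[int, str] = {
    80: "Server: Apache/2.4.41 (Ubuntu)\n<title>Apache2 Ubuntu Default Page: It works</title>",
    443: "Server: nginx",
    22: "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    3389: "",
    3306: "5.7.33-0ubuntu0.18.04.1",
}

if __name__ == "__main__":
    for finding in assess_exposure(SAMPLE_HOST):
        print(finding)
    print("overall:", overall_severity(assess_exposure(SAMPLE_HOST)))
```

The sample host scores high overall: RDP and MySQL are reachable, SSH, Apache and MySQL all disclose versions, and the Apache default page is still up. Adding twelve arbitrary open ports to any host tips it into the critical band regardless of what runs on them.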
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com); it is resolved to the IP address(es) that are port scanned.
Business Impact: Firewall misconfigurations weaken an organization's security posture by creating entry points for unauthorized users and paths for data exfiltration. Identifying them proactively keeps the perimeter of the enterprise network intact.
Risk Levels:
- Critical: More than 10 open ports are detected, indicating that the perimeter filter is ineffective or absent.
- High: Management interfaces or database ports are exposed to the internet rather than restricted by the firewall.
- Medium: Services on non-standard ports and version disclosures in banners, which leak information useful to an attacker.
- Low: Informational findings such as default configurations visible in service banners; these do not directly weaken security but should be cleaned up.
Example Findings:
- An HTTP service is reachable on port 80; administrative interfaces or sensitive data served there travel in plaintext and, without proper authentication, are open to anyone on the internet.
- RDP (3389) is reachable from the internet. Exposed remote desktop gives attackers a direct entry point into the network and a target for credential brute-forcing.
Advanced Proxy Security
Purpose: The Advanced Proxy Security Scanner analyzes proxy and reverse proxy configurations for security weaknesses: proxy presence, header handling, misconfigured load balancers and backend server exposure. Such weaknesses can lead to bypass of IP-based access controls, cache poisoning, exposure of internal routing, HTTP request smuggling and disclosure of internal infrastructure details.
What It Detects:
- Proxy Detection: Identifies reverse proxies or CDNs from proxy headers such as Via, X-Cache and X-Proxy and load balancer headers such as X-LB and X-Backend, and determines the technology in use (e.g., nginx, Apache, HAProxy, Cloudflare).
- X-Forwarded Header Analysis: Tests whether a client-supplied X-Forwarded-For header is trusted or overwritten, how X-Forwarded-Proto is validated, how X-Forwarded-Host is processed (a common cache poisoning vector), and whether X-Real-IP is accepted from clients.
- Proxy Header Manipulation: Tests whether hop-by-hop headers are filtered, how Connection headers are handled, and how Transfer-Encoding and Content-Length are processed, to detect request smuggling vectors that arise from inconsistent parsing between proxy and backend.
- Backend Server Exposure: Checks for internal IP addresses disclosed in headers, leakage in server error messages, backend Server headers that are not stripped, exposed internal hostnames, and debug headers left enabled in production.
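The X-Forwarded-For and smuggling checks above are easiest to understand from the backend's side. The following added example, written for this page rather than taken from the scanner, shows the vulnerable way of reading the client address (believe the leftmost X-Forwarded-For entry) next to a hardened version that only trusts hops belonging to known proxies, and a small check for the Content-Length/Transfer-Encoding combinations that invite a proxy/backend desync. It assumes the proxy appends the TCP peer address to X-Forwarded-For; the trusted range, the allowlist and the sample request are constructed.

```python
"""Client-IP resolution behind a reverse proxy (vulnerable vs hardened) and a
request-smuggling indicator check. Added example with constructed inputs."""
import ipaddress
from typing import Dict, Iterable, List

TRUSTED_PROXIES = ["10.0.0.0/8"]      # assumed: our load balancers live here
ADMIN_ALLOWLIST = ["10.0.0.0/8"]      # assumed: "internal only" admin rule


def _parse_xff(value: str) -> List[str]:
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def client_ip_naive(headers: Dict[str, str], peer_ip: str) -> str:
    """Vulnerable: believes the leftmost X-Forwarded-For entry, which the
    client itself wrote before the request reached any proxy."""
    xff = headers.get("X-Forwarded-For")
    return _parse_xff(xff)[0] if xff else peer_ip


def client_ip_trusted(headers: Dict[str, str], peer_ip: str,
                      trusted_proxies: Iterable[str]) -> str:
    """Hardened: walk the chain from the right (the end proxies append to)
    and skip only hops that are known proxies; the first other address is
    the real client. A direct connection ignores the header entirely."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            return any(ipaddress.ip_address(ip) in net for net in nets)
        except ValueError:               # not an IP address at all
            return False

    if not is_trusted(peer_ip):
        return peer_ip                   # no proxy in front: XFF is untrusted input
    chain = _parse_xff(headers.get("X-Forwarded-For", ""))
    for hop in reversed(chain):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_ip           # garbage where the client should be
    return chain[0] if chain else peer_ip  # every hop internal: internal caller


def is_allowed(ip: str, allowlist: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowlist)


def smuggling_indicators(raw_request: str) -> List[str]:
    """Flag header combinations that let proxy and backend disagree on where
    a request body ends (CL.TE / TE.CL desync)."""
    names: Dict[str, List[str]] = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break                        # end of headers
        name, _, value = line.partition(":")
        names.setdefault(name.strip().lower(), []).append(value.lstrip())
    flags = []
    if "content-length" in names and "transfer-encoding" in names:
        flags.append("both Content-Length and Transfer-Encoding present")
    if len(names.get("content-length", [])) > 1:
        flags.append("duplicate Content-Length headers")
    for te in names.get("transfer-encoding", []):
        if te.lower() != "chunked":
            flags.append(f"obfuscated Transfer-Encoding value: {te!r}")
    return flags


# Constructed attacker request: arrives via a trusted load balancer (10.0.0.2)
# from 203.0.113.9, with a spoofed internal address prepended to XFF.
SPOOFED_HEADERS = {"X-Forwarded-For": "10.0.0.5, 203.0.113.9"}
LB_PEER = "10.0.0.2"
SMUGGLE_REQUEST = ("POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\n"
                   "Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\nG")

if __name__ == "__main__":
    print("naive   :", client_ip_naive(SPOOFED_HEADERS, LB_PEER))
    print("hardened:", client_ip_trusted(SPOOFED_HEADERS, LB_PEER, TRUSTED_PROXIES))
    print("smuggling:", smuggling_indicators(SMUGGLE_REQUEST))
```

The naive reader returns the spoofed 10.0.0.5 and admits the attacker through an internal-only rule; the hardened reader returns 203.0.113.9. The same trust-the-known-hops rule applies to X-Real-IP and X-Forwarded-Proto: a proxy should overwrite them, not merely append.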
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) to scan.
Business Impact: Proxy misconfigurations can let an attacker bypass IP restrictions by spoofing X-Forwarded headers, poison caches through header injection, learn internal routing details that aid further attacks, and reach backend servers directly through request smuggling.
Risk Levels:
- Critical: IP-based access controls can be bypassed, or a misconfiguration directly exposes internal infrastructure.
- High: Header injection, unsafe handling of X-Forwarded headers, or significant backend server exposure.
- Medium: Partial bypasses or misconfigurations that could be exploited for limited access.
- Low: Low-risk conditions that pose no immediate threat but indicate areas needing attention.
- Info: Observations recorded for information only, such as the proxy technology identified, with no security impact.
Example Findings:
- A detected reverse proxy does not filter hop-by-hop headers, so a client can influence which headers the proxy forwards or strips and potentially learn internal network details.
- The backend trusts the client-supplied X-Forwarded-For header, so an attacker can spoof an allowlisted address and bypass the intended IP restrictions.
Remote Access VPN Security
Purpose: The Remote Access VPN Security Scanner assesses the security of remote access VPN configurations, looking for weak encryption, outdated protocols and authentication weaknesses that could allow unauthorized access or man-in-the-middle attacks. It detects SSL VPN portals, tests their SSL/TLS configuration, analyzes authentication mechanisms, assesses protocol security and checks for information disclosure.
What It Detects:
- VPN Endpoint Detection: Identifies SSL VPN portals on the domain by probing common paths such as /vpn, /remote and /ssl-vpn and checking whether they present a login page or otherwise respond as a VPN gateway.
- SSL/TLS Configuration: Evaluates the SSL/TLS versions offered, weak cipher suites, certificate validity and chain issues, and known SSL/TLS vulnerabilities.
- Authentication Mechanism Analysis: Identifies the available authentication methods, checks for multi-factor authentication, examines password policy and session management, and looks for authentication bypass vectors.
- Protocol Security Assessment: Identifies the VPN protocols in use (e.g., PPTP, L2TP, OpenVPN, WireGuard), flags deprecated protocols, assesses support for modern ones, and tests for protocol downgrade to confirm adequate encryption strength.
- Information Disclosure: Checks for version and vendor disclosure, reviews error message handling, and flags configuration leakage or other exposure of sensitive information.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) whose remote access VPN endpoints are to be assessed.
Business Impact: Weak encryption and outdated VPN protocols allow remote access traffic to be intercepted, and weak authentication allows it to be bypassed, leading to man-in-the-middle attacks or direct unauthorized access. This directly affects the confidentiality, integrity and availability of the internal resources reached through the VPN.
Risk Levels:
- Critical: Weak encryption, deprecated protocols such as PPTP, or significant exposure of configuration details.
- High: Deprecated SSL/TLS versions still enabled, missing multi-factor authentication, or certificate problems that undermine validation, all of which threaten data protection and integrity.
- Medium: Configurations that fall short of current security standards without posing an immediate threat to critical systems or sensitive information.
- Low: Findings such as version disclosure in error messages, not directly exploitable but indicative of a less carefully secured configuration.
- Info: Baseline information about the security posture with no immediate risk.
Example Findings:
- An SSL VPN portal is found alongside a deprecated protocol such as PPTP rather than a modern alternative such as OpenVPN or WireGuard; this is flagged as critical because of PPTP's weak encryption and lack of modern security features.
- The portal presents a certificate that fails validation (expired, self-signed or with a broken chain). Users trained to click through such warnings cannot tell the real gateway from an attacker's, so this is rated high risk for its man-in-the-middle exposure.
DNS Security
Purpose: The DNS Security Scanner evaluates and reports on the security posture of a domain's DNS infrastructure. It covers DNSSEC validation, analysis of DNS records, zone transfer testing, detection of DNS amplification risks, and identification of misconfigurations that could be exploited for hijacking, tunneling or man-in-the-middle attacks.
What It Detects:
- DNSSEC Validation: Checks for DNSSEC records (RRSIG, DNSKEY, and the DS record at the parent zone) and validates that the chain of trust resolves correctly.
- DNS Record Analysis: Enumerates critical DNS records (A, AAAA, MX, TXT, NS, CAA), checks for SPF and DMARC records, and examines TXT records for suspicious content.
- Zone Transfer Testing: Attempts AXFR (full zone transfer) and IXFR (incremental zone transfer) against the authoritative name servers to verify that zone transfers are restricted to authorized secondaries.
- DNS Amplification Risk: Tests for open recursion and for large responses to ANY queries, and evaluates whether misconfigured resolvers could be abused as reflectors in DNS amplification attacks.
- DNS Configuration Issues: Checks for wildcard DNS records, assesses resistance to subdomain enumeration, and reviews TTL settings to identify load balancing arrangements or misconfigurations that could be exploited.
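The SPF and DMARC part of the record analysis is worth seeing in code, because the records are easy to publish and easy to get wrong. The following added example, written for this page and not part of the scanner, parses the two record types and flags the weaknesses a reviewer looks for: a missing or duplicated SPF record, a `+all` or `?all` qualifier, the deprecated `ptr` mechanism, more than ten lookup-triggering mechanisms (which receivers treat as a permanent error), and a DMARC policy of `none`, a partial `pct`, or no aggregate-report address. The TXT record lists are constructed; in practice SPF is fetched from the domain apex and DMARC from `_dmarc.<domain>`.

```python
"""SPF and DMARC record assessment over TXT records (added example; the
record lists below are constructed, not real DNS answers)."""
from typing import Dict, List

# Mechanisms/modifiers that each cost one of the ten DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(apex_txt: List[str]) -> List[str]:
    """Return weaknesses in the SPF record found among a domain's TXT records."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror (treated as fail)"]
    issues: List[str] = []
    lookups = 0
    saw_all = False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        # Mechanism name is what precedes any ':' argument, '=' modifier value or '/' prefix.
        mech = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if mech == "all":
            saw_all = True
            if qualifier == "+":
                issues.append("'+all': SPF authorizes every host on the internet")
            elif qualifier == "?":
                issues.append("'?all': neutral result, receivers gain nothing from SPF")
            break                       # terms after 'all' are never evaluated
        if mech == "ptr":
            issues.append("'ptr' mechanism is deprecated and unreliable")
        if mech in SPF_LOOKUP_TERMS:
            lookups += 1
    if not saw_all:
        issues.append("no 'all' term: unlisted senders receive a neutral result")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return issues


def assess_dmarc(dmarc_txt: List[str]) -> List[str]:
    """Return weaknesses in the DMARC record published at _dmarc.<domain>."""
    records = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record: SPF/DKIM failures are not acted on or reported"]
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    issues: List[str] = []
    policy = tags.get("p", "")
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"missing or invalid policy p={policy!r}")
    if tags.get("sp") == "none" and policy != "none":
        issues.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so abuse goes unseen")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return issues


# Constructed records for a weakly and a well configured domain.
WEAK_APEX_TXT = ["v=spf1 include:_spf.example.net a mx ptr +all",
                 "google-site-verification=not-an-spf-record"]
WEAK_DMARC_TXT = ["v=DMARC1; p=none; pct=50"]
STRONG_APEX_TXT = ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"]
STRONG_DMARC_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print("weak SPF  :", assess_spf(WEAK_APEX_TXT))
    print("weak DMARC:", assess_dmarc(WEAK_DMARC_TXT))
    print("strong    :", assess_spf(STRONG_APEX_TXT), assess_dmarc(STRONG_DMARC_TXT))
```

The weak domain shows the usual pattern: an SPF record that ends in `+all` authorizes everyone regardless of what precedes it, and a DMARC record at `p=none` with `pct=50` and no reporting address neither blocks spoofing nor tells anyone it is happening.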
Inputs Required:
- domain (string): A fully qualified domain name (e.g., ekkatha.com) which serves as the primary input for all analyses.
Business Impact: DNS vulnerabilities pose significant risks to infrastructure security: cache poisoning where responses are unsigned, amplification of DDoS attacks through open recursion, exposure of the whole host inventory via unauthorized zone transfers, data exfiltration through DNS tunneling, and subdomain takeover through dangling or wildcard records that point at resources an attacker can claim. The consequences range from data breaches and service disruption to loss of trust in the organization's digital security practices.
Risk Levels:
- Critical: DNSSEC is missing, so resolvers cannot detect forged responses and the domain is exposed to cache poisoning.
- High: Open DNS recursion, which can be abused to amplify DDoS attacks, and unrestricted zone transfers, which expose the whole domain infrastructure.
- Medium: Misconfigurations such as wildcard records and weak resistance to subdomain enumeration, which attackers can exploit to map or hijack hosts.
- Low: Findings such as dangling DNS records and misconfigured TTLs, which pose lower immediate risk but should still be cleaned up.
Example Findings:
- The domain has no DNSSEC configured, so a forged response injected into a resolver's cache would be accepted without detection.
- An MX record points to a host that does not run a mail service, causing delivery failures and increasing the risk of mail spoofing or interception.