Should I whitelist my penetration tester’s IP address range on my intrusion prevention system? Variations of this question have featured in numerous information security forums and mailing lists. Unfortunately the factors and variables in play here are considerable so a worthy response is unlikely to be short or universal. This blog post aims to highlight why, in the majority of instances, taking this somewhat counter-intuitive action is likely to enhance the value of the penetration test and provide you with a more comprehensive and accurate assessment of your organisation’s overall security posture. Please note that this is different from firewall whitelisting. Rarely should changes to firewall rules be required for a penetration test.
A common response, which I shall seek to address, is the following: “a real black hat hacker wouldn’t have their IP address whitelisted, so why should your pentester’s be?” While the initial part of this statement is irrefutable (well, a skilled social engineer may be able to make that happen but let’s not digress), there are two very good reasons why the second part does not follow, and they deserve some elaboration.
The first is that the statement overlooks a very important point: the primary value of a standard pentest is not derived from its simulatory properties but rather from the issues it uncovers. The time a penetration tester has to discover and exploit vulnerabilities will always be limited, while a real-life attacker will rarely face similar constraints. Sanctioned penetration tests for small to medium-sized network segments typically last somewhere between three and five days. Pentesters are on the clock and their time is rarely cheap. What the client has to ask themselves is whether they would rather see that time consumed by their pentester throttling every scan and request to a snail’s pace in order to avoid triggering the IPS, or spent finding and exploiting the vulnerabilities residing in their infrastructure and applications.
Some clients may perceive an IP whitelisting request from their pentester to be them wanting a free pass. In reality, although most pentesters would love to spend time tinkering with an IPS, they are all too aware that a test conducted under those conditions would likely return far fewer issues than it should or could do. Although pentesting and vulnerability scans should never be conflated, it is worth pointing out that the Payment Card Industry Security Standards Council recognise this and in fact require that the source IP addresses conducting PCI ASV scans are whitelisted on any IPS. This ensures that the scanning will check all open ports for vulnerabilities. An IPS will often not detect and block someone trying to exploit a specific vulnerability, so it makes little sense blocking a legitimate scan as soon as it is detected. Within the conventional pentesting paradigm accurate adversary emulation is never a realistic task, so making the comparison in the first instance is relatively futile.
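Whitelisting on the IPS should be time-boxed to the engagement and should not cost the defenders their visibility. The following Python script is an added example, not code from the original post: it builds a Suricata “pass” rule for the tester’s range (pass rules are evaluated before drop rules, so matching traffic is inspected but not blocked) and then triages IPS alerts so that the SOC can separate expected tester activity inside the agreed window from tester-range traffic outside it (a whitelist that was never removed) and from unrelated sources that still need normal handling. The address range, engagement dates, signature names and EVE-style alert lines are all constructed placeholders.

```python
# Added example (not from the original post): generate a time-boxed Suricata
# "pass" rule for the tester's range and triage IPS alerts so the SOC keeps
# visibility while the whitelist is in place. Range, dates, alert lines and
# signature names below are constructed placeholders.
import ipaddress
import json
from datetime import datetime, timezone

# Constructed engagement details (placeholders; 203.0.113.0/24 is TEST-NET-3).
PENTEST_RANGE = ipaddress.ip_network("203.0.113.0/28")
ENGAGEMENT_START = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
ENGAGEMENT_END = datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc)


def suricata_pass_rule(network, sid, label):
    """Return a Suricata 'pass' rule for the tester's range.

    Suricata evaluates pass rules before drop rules, so matching packets are
    not blocked. The sid must be unique in the ruleset; values from 1000000
    upwards are conventionally used for local rules. Remove the rule once
    ENGAGEMENT_END has passed.
    """
    net = ipaddress.ip_network(network)  # raises ValueError on a malformed range
    return (f'pass ip {net} any -> $HOME_NET any '
            f'(msg:"{label}"; sid:{sid}; rev:1;)')


def in_engagement(ts):
    """True when a timezone-aware timestamp falls inside the agreed window."""
    return ENGAGEMENT_START <= ts <= ENGAGEMENT_END


def load_alerts(eve_lines):
    """Parse EVE-style JSON lines and keep only records of type 'alert'."""
    records = (json.loads(line) for line in eve_lines if line.strip())
    return [r for r in records if r.get("event_type") == "alert"]


def triage(alerts, network=PENTEST_RANGE):
    """Bucket alerts by whether they came from the tester's range, and when.

    tester_in_window      expected activity; correlate with the tester's own log
    tester_out_of_window  whitelist left in place, or range reused by someone else
    other                 unrelated sources that still need normal triage
    """
    buckets = {"tester_in_window": [], "tester_out_of_window": [], "other": []}
    for alert in alerts:
        src = ipaddress.ip_address(alert["src_ip"])
        ts = datetime.fromisoformat(alert["timestamp"])
        if src in network:
            key = "tester_in_window" if in_engagement(ts) else "tester_out_of_window"
        else:
            key = "other"
        buckets[key].append(alert)
    return buckets


# Constructed sample records in the shape of Suricata EVE output.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2024-03-05T10:15:00+00:00", "event_type": "alert", '
    '"src_ip": "203.0.113.5", "dest_ip": "10.0.0.20", '
    '"alert": {"signature": "CONSTRUCTED port sweep"}}',
    '{"timestamp": "2024-03-05T10:20:00+00:00", "event_type": "alert", '
    '"src_ip": "198.51.100.23", "dest_ip": "10.0.0.20", '
    '"alert": {"signature": "CONSTRUCTED web exploit attempt"}}',
    '{"timestamp": "2024-03-05T10:21:00+00:00", "event_type": "flow", '
    '"src_ip": "203.0.113.5", "dest_ip": "10.0.0.21"}',
    '{"timestamp": "2024-03-12T02:00:00+00:00", "event_type": "alert", '
    '"src_ip": "203.0.113.7", "dest_ip": "10.0.0.22", '
    '"alert": {"signature": "CONSTRUCTED port sweep"}}',
]


def summary(eve_lines=SAMPLE_EVE_LINES):
    """Counts per bucket, suitable for a daily check while the whitelist is live."""
    return {k: len(v) for k, v in triage(load_alerts(eve_lines)).items()}


if __name__ == "__main__":
    print(suricata_pass_rule(str(PENTEST_RANGE), 1000001,
                             "Pentest whitelist (remove after engagement)"))
    for bucket, alerts in triage(load_alerts(SAMPLE_EVE_LINES)).items():
        print(bucket, [a["src_ip"] for a in alerts])
```

Run on the constructed sample, one alert lands in each bucket: the in-window tester alert is expected and goes into the report, the alert from the tester’s range four days after the engagement ended is the signal to check that the pass rule was actually removed, and the alert from 198.51.100.23 is the one the SOC must not lose sight of just because a test is running.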
The second important consideration relates to Bruce Schneier’s famous dictum “security is a process not a product”. Indeed, an over-reliance on a single security solution can invite some unsavoury consequences, and whilst an IPS is an important element it should never be regarded as infallible. After all, they are no more immune than other networked devices to missing patches, misconfigurations and hardware failures. Furthermore, the documentation for these systems is often found online and can be quite detailed, revealing the sequences of events or probes that typically cause them to take defensive action. Attackers with time can learn how to subvert these technologies by utilising various tools, proxies and techniques.
Returning to my earlier disclaimer, the argument outlined above certainly does not apply to all scenarios. For instance, you may have recently undergone a security assessment with your IPS disabled and be curious to know how effective your current device truly is. You may also have a large security budget which enables you to undergo prolonged tests, where skilled red team members seek to circumvent your most intelligent security mechanisms.
In most cases, however, those tasked with securing networks and applications ought to prioritise issue discovery over role-playing accuracy. When your pentester’s IP address range is whitelisted, more vulnerabilities are likely to be uncovered. This should be viewed as a positive; it means that you will be made aware of more ways in which your systems may be prone to attack or compromise, enabling you to work on and improve your defences. There are numerous other factors that could be elaborated upon but hopefully the points raised in this post will assist you, the customer, to decide what best serves your interests.