Endpoint details
Last updated
Last updated
Click the 'Add Endpoint' button.
Enter the URL or IP address to be monitored as the target.
Assign a description and tags.
Confirm that you are authorized to analyze the endpoint.
Define what you want to monitor with Enginsight. It is best to enable all features at the beginning.
Select at least one observer to perform the monitoring. If you are an on-premises customer and have not yet added an Observer, install an Observer. In the SaaS platform, you can also use two provisioned observers (Germany, USA).
Add the endpoint.
Permanent monitoring of the Observer can only be ensured if the IP addresses from which monitoring is performed are not blocked by firewall rules. If necessary, unblock the following IP addresses when using the observers available on the SaaS platform:
164.90.185.111 164.90.231.250 142.93.119.55 142.93.119.52 138.68.93.235 138.68.71.130 139.59.155.98
Optionally allow all A-records from this domain: observers.enginsight.com
Here you will find a list of all your endpoints, including the current risk score and associated severity.
Clicking on an endpoint will take you to the detailed view.
Several windows give you quick information about the security status of your endpoint.
You can find out what is behind each tile below:
Find out from which region your website is monitored and any details about availability, response time and offline time. The timeline next to it visualizes the availability over the hours. The gray markers stand for reachable times of your website, while pink markers show you at which times your website had problems.
The view allows you to search for checks that have been carried out. Quickly record the existing criticality of individual checks, as well as their associated category, the corresponding module and the recorded risk score.
Use the top search bar or the filters on the left-hand side to display the relevant results. Click on a top category in the filter bar on the left to select all characteristics or select the desired filters separately from the list.
Get an overview of existing vulnerabilities.
At the beginning of the entry you will find a classification of the severity. You will also find the official CVSS score (Common Vulnerability Scoring System) for the CVE (Common Vulnerable Exposure) in question and the associated software.
Use the multiedit function to appease several entries with just one click. Furthermore, you can select in the overlay whether the specific CVEs are to be selected or all associated CVEs of the following Common Platform Enumeration.
Select individual vulnerabilities and then click on "Apply" in the top right-hand corner of the screen. The following overlay will then open:
If required, enter a comment which will then be attached to the selected vulnerabilities.
Select the category: "Specific CVEs". Below this you will find a list of all previously selected CVEs.
Confirm your entry by clicking on: "Add action".
Select individual vulnerabilities and then click on "Apply" in the top right-hand corner of the screen. The overlay then opens.
If required, enter a comment, which will then be attached to the selected vulnerabilities.
Select the category: "Common Platform Enumeration".
Then enter the corresponding values under "Vendor", "Product" and "Version". You can easily copy this information from the CVSS vector strings and paste it in the right place.
Confirm your entry by clicking on: "Add action".
Under Settings you will find the destination, and you also have the option of adding a description to your endpoint. Get an overview of assigned tags or add them if required. In the "Regions" area, you will find information about the assignment of the observers.
Advanced settings
You can activate the "Human Accessibility" option in the advanced settings. This setting determines that your website is only displayed as accessible if it returns the HTTP status code 200 (OK). If this option is activated, the website is considered unavailable if it returns a different status code (e.g. 404, 500), even if the server is technically accessible. If you do not activate this option, only the technical accessibility of the server is taken into account, regardless of the status code returned.
Responsibilities
Select a technical manager who is responsible for the maintenance and operation of the server. This person should have sound technical knowledge and be able to solve technical problems quickly.
You should also appoint a specialist from your organization. This person is responsible for the content and functional aspects of the endpoint and ensures that the server meets the business requirements.
Geo-IP Visualisierung
Below the responsibility assignment, you will find a map that shows the geo-IP of your endpoint. This map gives you a visual representation of the geographical location of the server based on the IP address. The blue circle shows the area in which the server is located. Use this information to get a better overview of the geographic distribution of your servers and to assess the potential impact on performance and compliance.
The view shows you which checks your endpoint does not pass and where your configuration fails. Use this information to tackle the issue of compliance in a targeted manner. Work through this list in a targeted manner and use it as proof of legal compliance.
In the technical guideline BSI TR-03116-4, the German Federal Office for Information Security (BSI) provides specifications and recommendations for secure SSL/TLS configuration. The guideline is a good indicator for evaluating the SSL/TLS configuration.Check the compliance of your endpoint.
Use the overview to keep an eye on all applications associated with the endpoint.
Here you will find all information about the application environment of the endpoint that can be detected externally. The Observer creates a footprint of the endpoint and checks for e.g.
CMS,
Web Server,
Frameworks or
Libraries.
The more information an endpoint reveals about the technologies used, the more starting points there are for hackers to launch targeted attacks on the applications. Ideally, an endpoint is configured and programmed in such a way that little can be learned about the technical basis.
All detected applications are presented to you in a clear list. You receive an assessment of how security-critical it is to detect the application from the outside.
Make sure you keep your applications as up-to-date as possible to ensure the security of your systems.
With this in mind, we have decided on the following categorization:
HIGH: Backend-relevant technologies that pose a high risk of serious attacks. e.g. CMS, wikis, blogs, ecommerce, CI, programming languages, databases, runtimes, operating systems, message boards, web server extensions, hosting panels, issue trackers
MEDIUM: Technologies with a medium level of risk, e.g. web servers, development, managed CMS
LOW: Other technologies e.g. UI frameworks or JavaScript libraries
If no version is recognizable, the criticality is reduced. Backend-relevant technologies receive a medium rating, apps categorized as medium receive a low rating.
As proof, you can find out where the Observer detected the application: in an HTTP header, a cookie or in the code of the website itself.
If known vulnerabilities (CVE) are found for the detected version, these are indicated in the list. All application vulnerabilities are also listed separately under Vulnerabilities.
You use the Domain Name System (DNS) to configure various aspects of your domain. DNS is necessary, for example, to assign the appropriate IP to the domain. Proper configuration is necessary for the smooth operation of the website. Monitor your DNS settings by monitoring your DNS records.
You receive all DNS records in a clear list. In addition, Enginsight checks specific, security-relevant DNS records.
To prevent misuse of your domain and secure the SSL/TLS connection, you should use DNS records specially developed for this purpose: CAA, SPF, DMARC. The Observer therefore specifically checks for these three records.
With a CAA record, the domain owner determines which Certificate Authority Authorization may issue an SSL/TLS certificate. The Observer checks for:
Missing contact address for DNS CAA No contact address has been assigned (iodef).
Invalid contact address for DNS CAA The contact address (iodef) contains invalid characters for emails and/or an invalid email format (not abc@def.com)
Unconventional certification authority The certification authority used (issue, wildissue) is not on our whitelist. This includes: letsencrypt.org, globalsign.com, sectigo.com, camerfirma.com, accv.es, actalis.it, amazon.com, pki.apple.com, atos.net, buypass.com, aoc.cat, certigna.fr, www.certinomis.com, ecert.gov.hk, certsign.ro, certum.pl
The SPF protocol makes it possible to authorize IP addresses to send emails with the domain. In this way, third parties can be prohibited from misusing the domain name. The record is effective in preventing phishing emails with the domain. We validate:
Outdated SPF version Check the SPF version used (v), currently only SPF1 exists.
Multiple SPF entries exist Never use multiple SPF entries. Instead, combine several SPFs in a single entry.
SPF entry contains characters after ALL No further entries may follow the optional ALL entry.
Incorrect SPF syntax The entry contains unknown entries (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or unauthorized characters.
The DMARC record defines a procedure for what should be done if the domain is used by an unauthorized IP to send an e-mail. Enginsight checks:
Invalid DMARC policy The DMARC policy (p) has no usual value. Usual values are: none: The sending of emails is not affected. You will only receive a notification. quarantine: Emails that do not pass the DMARC check will end up in the recipient's spam folder. reject: Emails that do not pass the DMARC check should be rejected by the recipient.
Invalid DMARC subdomain policy The DMARC subdomain policy (sp) has no normal value (for values see: DMARC policy)
Invalid DMARC percentage filter specification The optional percentage filter specification (pct) can be used to specify the percentage of messages to be filtered. The value must therefore be between 1 and 100.
Invalid DMARC address for report emails The report email address contains invalid characters or an invalid email format (not abc@def.com)
Invalid DMARC protocol version The version of DMARC (v) must be DMARC1.
Alerts: Invalid SPF DNS record, Invalid CAA DNS record
To receive immediate notification of incorrect DNS records, switch alerts to your endpoints. With the "Invalid CAA DNS record" alert, you can be informed about incorrect CAA DNS records. The "Invalid SPF DNS record" alert warns you of incorrect SPF records.
Here you will receive an analysis and evaluation of the HTTP connection configuration you have made via HTTP headers.
All set HTTP headers are listed and evaluated in an overview:
OK: The HTTP configuration complies with the recommendations.
Avoidable HTTP header: The configuration made unnecessarily reveals a lot of information and therefore makes the HTTP connection potentially vulnerable.
Unknown HTTP header: An unknown HTTP header has been detected that potentially reveals information. Please check the necessity of the HTTP header and remove it if necessary.
The system checks whether all headers important for security have been set. These are:
Name | Recommendation | Description |
---|---|---|
Content-Security-Policy | The HTTP content security policy regulates which resources can be loaded or executed in the browser in a certain way. | |
Expect-CT | max-age=0 | The Expect-CT (Certificate Transparency) HTTP header defines how the CT policy is to be applied. |
Feature-Policy | accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' | The feature policy determines which functions or APIs of a browser may be used. |
Referrer-Policy | no-referrer-when-downgrade | The referrer policy ensures that referrer information may only be sent under certain conditions. |
Strict-Transport-Security | max-age=31536000; includeSubDomains | HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against both connection encryption and session hijacking. |
X-Content-Type-Options | nosniff | The only defined value "nosniff" prohibits Internet Explorer from using MIME sniffing to determine and apply a content type other than the declared content type. |
X-Frame-Options | DENY (SAMEORIGIN) (ALLOW-FROM https://example.com/) | The X-Frame-Options can be used to determine whether a calling browser may render the target page in a , or , i.e. embed it. |
X-XSS-Protection | 1; mode=block | X-XSS protection can prohibit browsers from loading a target page if a cross-site scripting (XSS) attack is detected. |
If headers are not set correctly, a recommendation is issued.
Here you can analyze your ports that are accessible through the Observer. The rating (low, medium, high) indicates whether the ports should normally be publicly accessible.
The Observer checks the following common ports:
Port | IANA Services |
---|---|
21 | ftp |
22 | ssh |
23 | telnet |
25 | smtp |
53 | domain |
80 | http |
106 | 3com-tsmux |
110 | pop3 |
111 | sunrpc |
123 | ntp |
135 | epmap |
137 | netbios-ns |
138 | netbios-dgm |
139 | netbios-ssn |
143 | imap |
161 | snmp |
389 | ldap |
443 | https |
445 | microsoft-ds |
465 | urd |
587 | submission |
993 | imaps |
995 | pop3s |
1433 | ms-sql-s |
1512 | wins |
1723 | pptp |
2222 | EtherNet-IP-1 |
2483 | ttc |
2484 | ttc-ssl |
3306 | mysql |
3389 | ms-wbt-server |
4369 | epmd |
5432 | postgresql |
5666 | nrpe |
5672 | amqp |
5984 | couchdb |
6379 | redis |
8080 | http-alt |
8443 | pcsync-https |
8983 | apache solr |
27017 | mongodb |
With the "New open port" endpoint alert, you can set an alert as soon as the Observer detects a new open port.
Gain insight into your SSL/TLS configurations and check whether the encryption complies with current security standards.
The overview provides information on the certificate used, e.g. the validity, the public key used, which domain the certificate was assigned to and which certification authority issued it.
Our security checks check the SSL/TLS encryption for known vulnerabilities caused by misconfigurations or the use of outdated technologies.
Our security checks check the SSL/TLS encryption for known vulnerabilities caused by misconfigurations or the use of outdated technologies. These are:
Title | Description |
---|---|
Supports SSL/TLS compression | The use of compression is not recommended, as it makes SSL/TLS vulnerable (especially for CRIME, Compression Ratio Info-leak Made Easy). |
No support for secure renegotiation | Secure Renegotiation ensures that no overload is possible if a client is constantly requesting new keys. Requests are then blocked and a DDoS attack is prevented. |
Supports weak SSL/TLS ciphers | SSL/TLS ciphers determine which encryption algorithms are used to exchange keys and how communication is secured. If insecure SSL/TLS ciphers are offered, the established connection is no longer secure. |
Weak Diffie-Hellman parameter | An insecure key exchange method is used. |
Supports anonymous ciphers | Anonymous ciphers are insecure and should not be used. |
Supports vulnerable ciphers | Ciphers that contain insecure cryptographic procedures should not be offered. |
Insecure SSL/TLS protocol | Only secure protocols should be offered for encryption. |
Susceptible to NULL pointer dereference | |
Susceptible to DROWN | The outdated SSLv2 can be used to crack recorded TLS traffic. |
Susceptible to FREAK | In a FREAK attack, the communication partners are tricked into agreeing on an insecure encryption method, even though secure methods are available. |
Does not support the latest protocol (TLSv1.3) | The latest and most secure protocol TLSv1.3 is not supported. |
Susceptible to logjam attacks | Attackers can obtain the secret keys by exploiting a vulnerability in the Diffie-Hellman key exchange. |
Cipher supports MD5 | MD5 is no longer considered sufficiently secure and should therefore not be used. |
Supports zero-cipher encryption | A zero cipher means that no encryption is used at all. This is never recommended beyond testing purposes. |
Supports ciphers susceptible to Poodle attacks | Poodle attacks exploit a vulnerability in SSL 3.0 so that encrypted information from an SSL 3.0 connection can be exposed. |
Supports RC4 ciphers | RC4 is no longer considered sufficiently secure and should therefore not be used. |
Susceptible to SLOTH attack | Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack. |
Vulnerable according to the BSI | SSL/TLS encryption does not comply with the requirements of the BSI (German Federal Office for Information Security). |
No support for Perfect Forward Secrecy (PFS) | Perfect Forward Secrecy ensures that the newly negotiated session key cannot be reconstructed from the long-term key. |
No support for Authenticated Encryption (AEAD) ciphers | |
Susceptible to Sweet32 attacks | The stream cipher RC4 makes the connection vulnerable to Sweet32 attacks. |
Supports weak protocols | Weak, outdated protocols jeopardize the security of the SSL/TLS connection. |
No certificate issuer can be determined | SSL/TLS certificates are issued by Certification Authorities (CA). The issuer must be identifiable. |
Certificate CRL not available | |
Certificate signature cannot be decrypted | The signature of a certificate enables a third party to confirm the identity of the certificate owner. It should therefore be legible. |
CRL signature cannot be decrypted | |
Public key cannot be decoded | The public key is used to enable secure key exchange. It should therefore be decodable. |
Invalid certificate signature | |
Invalid CRL (Certificate Revocation List) signature | |
Invalid certificate | Trust has been withdrawn from invalid certificates. They should no longer be used. |
Invalid expiration date of the certificate | The expiration date of the certificate used is incorrect. |
Invalid CRL (Certificate Revocation List) | The certificate revocation list used is invalid. |
Expiry of the validity of the CRL (Certificate Revocation List) | The validity period of the certificate revocation list used has expired. |
Format error in the notbefore field of the certificate | The notbefore field contains an invalid time. |
Format error in the notafter field of the certificate | The notafter field contains an invalid time. |
Format error in the lastupdate field of crl | The lastupdate field contains an invalid time. |
Self-signed certificate | Even signed certificates are not able to confirm authenticity and are therefore not recommended. |
Self-signed certificate in the certificate chain | Even signed certificates are not able to confirm authenticity and are therefore not recommended |
Local exhibitor certificate not available | |
The first certificate could not be verified | |
Certificate chain too long | |
Revoke certificate | The certificate used has been revoked and should no longer be used. |
Invalid CA certificate | The certificate issued by the Certificate Authority is invalid. |
Path length limit exceeded | |
Unsupported certificate purpose | |
Certificate is not trustworthy | The certificate used is not considered trustworthy. |
Certificate rejected | The certificate used causes problems and is therefore rejected. |
Deviation between certification body and issuer | Certification body and exhibitor do not fit together. |
Mismatch between certification body and serial number of the issuer | Certification authority and serial number of the issuer do not match. |
The key usage does not take into account the signing of certificates | |
Expired certificate | If the certificate has expired, it becomes invalid and you can no longer carry out secure transactions. |
It can happen that a certificate is marked as unverifiable in Enginsight, although your browser does not display an error message when you call up the domain there. This is not a false positive. In this case, your browser has cast the certificate chain of a common Certification Authority (CA), which is why it can trace the certificate chain. However, this is not a correct configuration of your SSL/TLS encryption, as the reference to the root certificate is missing in the certificate chain.
You receive an overview of all supported protocols, which are compared with best practice. A rating indicates how critical deviations from the recommendation are.
The "OK" label means that the certificates comply with current security standards and have no critical security gaps.
You receive an overview of all supported ciphers, which are compared with best practice. A rating indicates how critical deviations from the recommendation are.