Endpoint details
Add endpoint
Click the 'Add Endpoint' button.
Enter the URL or IP address to be monitored as the target.
Assign a description and tags.
Confirm that you are authorized to analyze the endpoint.
Define what you want to monitor with Enginsight. It is best to enable all features at the beginning.
Select at least one Observer to perform the monitoring. If you are an on-premises customer and have not yet added an Observer, install one first. On the SaaS platform, you can also use the two provisioned observers (Germany, USA).
Add the endpoint.
Permanent monitoring by the Observer can only be ensured if the IP addresses from which the monitoring is performed are not blocked by firewall rules. If necessary, allow the following IP addresses when using the observers provided on the SaaS platform:
164.90.185.111 164.90.231.250 142.93.119.55 142.93.119.52 138.68.93.235 138.68.71.130 139.59.155.98
Optionally allow all A-records from this domain: observers.enginsight.com
Overview
Here you will find an overview of the endpoint from a bird's eye view. You get initial data and a rating for website response times, HTTP headers, SSL/TLS, apps and the port scan.
Website
Here you can observe the availability and response times of your website.
You get the following values for each region from which you monitor the website:
Designation | Description |
---|---|
connect | The time at which the connection to the server was established. |
dnsLookup | The time at which the DNS lookup finished. |
preTransfer | The time at which the transfer of the actual document begins. |
total | The time at which the visitor received the last byte of the document from the server, or at which the transport connection was closed. |
firstContentfulPaint | The time at which the first element has been rendered and is visible to the visitor. |
domComplete | The time at which the entire page with all its sub-resources is loaded and processing is complete. |
If you only want to monitor the technical accessibility and do not want to consider the status code, deactivate the Human Accessible option in the Advanced settings.
Redirects
Here you first get an overview of how the Observer is redirected when the endpoint is accessed.
You can also manually specify which redirects to check in the settings. To add verification to a redirect, do the following.
BSI
In the technical guideline BSI TR-03116-4, the German Bundesamt für Sicherheit in der Informationstechnik (BSI) provides specifications and recommendations for secure SSL/TLS configuration. The guideline is a good indicator for evaluating the SSL/TLS configuration.
For each added endpoint, Enginsight automatically determines the percentage of requirements and recommendations that are implemented. From a percentage of 85%, we assume a good SSL/TLS configuration. If less than 70% are implemented, we define the configuration as critical.
DNS
With the Domain Name System (DNS) you configure various aspects of your domain. DNS is necessary, for example, to assign the appropriate IP address to the domain. Proper configuration is necessary for the smooth operation of the website. Keep control of your DNS settings by monitoring your DNS records.
All DNS records are displayed in a clearly arranged list. In addition, Enginsight checks specific security-relevant DNS records.
DNS validation tests
In order to prevent misuse of your domain and to secure the SSL/TLS connection, you should use the DNS records designed for this purpose: CAA, SPF and DMARC. The Observer therefore checks specifically for these three records and validates the values set. If a record passes validation, you get a green check mark. Otherwise Enginsight gives a warning.
CAA-Record (Certification Authority Authorization)
With a CAA record, the domain owner determines which Certificate Authority (CA) may issue an SSL/TLS certificate for the domain. The Observer checks for:
Check | Description |
---|---|
Missing Contact Address for DNS CAA | No contact address (iodef) is assigned. |
Invalid Contact address for DNS CAA | The contact address (iodef) contains invalid characters and/or is not a valid e-mail address (format abc@def.com). |
Uncommon Certification Authority | The certification authority used (issue, issuewild) is not on our whitelist. The whitelist includes: letsencrypt.org, globalsign.com, sectigo.com, camerfirma.com, accv.es, actalis.it, amazon.com, pki.apple.com, atos.net, buypass.com, aoc.cat, certigna.fr, www.certinomis.com, ecert.gov.hk, certsign.ro, certum.pl |
SPF-Record (Sender Policy Framework)
The SPF protocol allows the IP addresses that are authorized to send e-mail for the domain to be published. Third parties can thus be prevented from misusing the domain name, which makes the record effective against phishing e-mails sent under the domain. We validate:
Check | Description |
---|---|
Deprecated SPF version | Checks the SPF version used (v); currently only SPF1 exists. |
Multiple SPF entries available | Never publish multiple SPF records. Instead, combine them into a single record. |
SPF record contains characters after ALL | No further entries may follow the optional ALL entry. |
Invalid SPF syntax | The record contains unknown entries (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or illegal characters. |
DMARC-Record (Domain-based Message Authentication, Reporting and Conformance)
The DMARC record specifies what the recipient should do if the domain is used by an unauthorized IP address to send an e-mail. Enginsight checks:
Check | Description |
---|---|
Invalid DMARC policy | The DMARC policy (p) has no valid value. Valid values are: none (the delivery of e-mails is not affected; you only receive a notification), quarantine (e-mails that do not pass the DMARC check end up in the recipient's spam folder), reject (e-mails that do not pass the DMARC check should be rejected by the recipient). |
Invalid DMARC Subdomain Policy | The DMARC subdomain policy (sp) has no valid value (valid values: see DMARC policy). |
Invalid DMARC filtering percentage | The optional percentage filter (pct) specifies the percentage of messages that are subject to filtering. The value must therefore be between 1 and 100. |
Invalid DMARC aggregate report email | The report e-mail address contains invalid characters or is not a valid e-mail address (format abc@def.com). |
Invalid DMARC protocol version | The DMARC version (v) must be DMARC1. |
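The CAA, SPF and DMARC validations described above can be reproduced offline. The following Python script is an added example, not Enginsight's own code: it applies the page's rules to constructed sample records; the CA whitelist is a subset of the list above, and the e-mail pattern and the CAA tag name issuewild (from the CAA specification) are my assumptions.

```python
import re
# Constructed sample records for a fictional domain; not taken from any real zone.
SAMPLE_CAA = ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"']
SAMPLE_SPF = ["v=spf1 mx ip4:192.0.2.10 include:_spf.example.com -all"]
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com"
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Subset of the CA whitelist and the SPF term / DMARC policy sets listed on the page.
CA_WHITELIST = {"letsencrypt.org", "globalsign.com", "sectigo.com", "amazon.com", "pki.apple.com"}
SPF_TERMS = {"mx", "ip4", "ip6", "exists", "include", "all", "a", "redirect", "exp", "ptr"}
DMARC_POLICIES = {"none", "quarantine", "reject"}

def _is_email(value):
    return bool(EMAIL_RE.match(re.sub(r"^mailto:", "", value)))

def check_caa(records):
    # each CAA record has the form: flags tag "value"
    parsed = [(t.lower(), v.strip('"')) for _f, t, v in (r.split(None, 2) for r in records)]
    contacts = [v for t, v in parsed if t == "iodef"]
    warnings = []
    if not contacts:
        warnings.append("Missing Contact Address for DNS CAA")
    if any(not _is_email(c) for c in contacts):
        warnings.append("Invalid Contact address for DNS CAA")
    if any(t in ("issue", "issuewild") and v.split(";")[0].strip() not in CA_WHITELIST for t, v in parsed):
        warnings.append("Uncommon Certification Authority")
    return warnings

def check_spf(records):
    # records: every SPF TXT record published for the domain
    warnings = ["Multiple SPF entries available"] if len(records) > 1 else []
    for rec in records:
        terms = rec.split()
        if not terms or terms[0].lower() != "v=spf1":
            warnings.append("Deprecated SPF version")
        seen_all = False
        for term in terms[1:]:
            if seen_all:
                warnings.append("SPF record contains characters after ALL")
                break
            # optional qualifier, mechanism/modifier name, optional ':' '=' or '/' argument
            m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)(?:[:=/].*)?", term, re.I)
            if not m or m.group(1).lower() not in SPF_TERMS:
                warnings.append("Invalid SPF syntax")
                break
            seen_all = m.group(1).lower() == "all"
    return warnings

def check_dmarc(record):
    # record: the single 'tag=value; ...' TXT string published at _dmarc.<domain>
    pairs = (p.split("=", 1) for p in record.replace(" ", "").split(";") if "=" in p)
    tags = {k.lower(): v for k, v in pairs}
    warnings = []
    if tags.get("v") != "DMARC1":
        warnings.append("Invalid DMARC protocol version")
    if tags.get("p") not in DMARC_POLICIES:
        warnings.append("Invalid DMARC policy")
    if "sp" in tags and tags["sp"] not in DMARC_POLICIES:
        warnings.append("Invalid DMARC Subdomain Policy")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 1 <= int(pct) <= 100):
        warnings.append("Invalid DMARC filtering percentage")
    addrs = [u.split("!")[0] for u in tags.get("rua", "").split(",") if u]  # rua may carry '!size'
    if any(not _is_email(a) for a in addrs):
        warnings.append("Invalid DMARC aggregate report email")
    return warnings
```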
Alerts: Invalid SPF DNS record, Invalid CAA DNS record
To be notified immediately about faulty DNS records, enable alerts on your endpoints. The alert "Invalid CAA DNS record" informs you about faulty CAA records, and the alert "Invalid SPF DNS record" warns you about faulty SPF records.
SSL/TLS
Get insights on your SSL/TLS configurations and verify that the encryption conforms to current security standards.
Certificate
In the overview you will find information about the used certificate, e.g. about the validity, the used public key, which domain the certificate was assigned to and which certification authority issued it.
Security Checks
Our security checks examine the SSL/TLS encryption for known vulnerabilities caused by misconfiguration or the use of outdated technologies. These are:
Title | Description |
---|---|
Supports SSL/TLS compression | It is not recommended to use compression because it makes SSL/TLS vulnerable to attacks (especially CRIME, Compression Ratio Info-leak Made Easy). |
No Support for Secure Renegotiation | Secure Renegotiation ensures that no overloading is possible if a client constantly requests new keys. Such requests are then blocked and a DDoS attack prevented. |
Supports Weak SSL/TLS Cipher (Parameter) | SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure. |
Supports Anonymous Ciphers | Anonymous ciphers are insecure and should not be used. |
Supports Beast Vulnerable Ciphers | Ciphers that contain insecure cryptographic procedures should not be offered. |
Insecure SSL/TLS Protocol | Only secure protocols should be offered for encryption. |
Vulnerable against NULL Pointer Dereference | |
Vulnerable against DROWN | If the outdated SSLv2 is supported, recorded TLS traffic can be decrypted. |
Vulnerable against FREAK | During a FREAK attack, the communication partners are forced to agree on an insecure encryption method, although secure methods are available. |
No Support for latest Protocol (TLSv1.3) | The newest and most secure protocol TLSv1.3 is not being supported. |
Vulnerable against logjam attack | By exploiting a vulnerability in the Diffie-Hellman-key-exchange, attackers can obtain the secret keys. |
Cipher supports MD5 | MD5 is no longer considered sufficiently safe and should therefore not be used. |
Supports Null Encryption Cipher | A null-cipher means that no encryption is used. This is never recommended except for test purposes. |
Supports vulnerable poodle attack ciphers | POODLE attacks use a vulnerability in SSL 3.0 so that encrypted information of an SSL 3.0 connection can be disclosed. |
Supports RC4 Ciphers | RC4 is no longer considered sufficiently safe and should therefore not be used. |
Vulnerable against SLOTH attack | Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack. |
Vulnerable according to BSI | The SSL/TLS encryption does not meet the requirements of the BSI. |
Vulnerable according to GDPR | The SSL/TLS encryption does not reflect the current state of the art and therefore violates Art. 32 GDPR (DSGVO). |
No Support for Perfect Forward Secrecy | Perfect Forward Secrecy ensures that the newly negotiated session-key cannot be reconstructed from the long-term-key. |
Weak Diffie-Hellman Parameter | |
Supports Common DH Prime | |
No Support for authenticated encryption (AEAD) ciphers | |
Vulnerable against Sweet32 attack | The RC4 stream cipher makes the connection vulnerable to Sweet32 attacks. |
Supports Weak Protocols | Weak, outdated protocols endanger the security of the SSL/TLS connection. |
Unable to get issuer certificate | SSL/TLS certificates are issued by Certification Authorities (CA). The issuer must be identifiable. |
Unable to get certificate crl | |
Unable to decrypt certificate's signature | The signature of a certificate enables a third party to confirm the identity of the certificate owner. It should therefore be readable. |
Unable to decrypt crl's signature | |
Unable to decode issuer public key | The public key is used to enable a secure key-exchange. It should therefore be decodable. |
Invalid certificate signature | |
Invalid CRL (Certificate Revocation List) signature | |
Invalid certificate | Invalid certificates have had their trust revoked. They should no longer be used. |
Invalid Certificate Expiry | The expiration date of the certificate used is incorrect. |
Invalid CRL (Certificate Revocation List) | The certificate revocation list used is invalid. |
Invalid CRL (Certificate Revocation List) expiry | The validity period of the certificate revocation list used has expired. |
Format error in certificate's notbefore field | The notbefore-field contains an invalid time. |
Format error in certificate's notafter field | The notafter field contains an invalid time. |
Format error in crl's lastupdate field | The lastupdate field contains an invalid time. |
Self signed certificate | Self-signed certificates are not able to confirm authenticity and are therefore not recommended. |
Self signed certificate in certificate chain | Self-signed certificates are not able to confirm authenticity and are therefore not recommended. |
Unable to get local issuer certificate | |
Unable to verify the first certificate | |
Certificate chain too long | |
Certificate revoked | The certificate used has been revoked and should no longer be used. |
Invalid CA certificate | The certificate issued by the Certificate Authority is invalid. |
Path length constraint exceeded | |
Unsupported certificate purpose | |
Certificate not trusted | The certificate used is not considered trustworthy. |
Certificate rejected | The used certificate causes problems and is therefore rejected. |
Subject issuer mismatch | The issuer name in the certificate does not match the subject name of the issuing certificate. |
Authority and subject key identifier mismatch | The authority key identifier in the certificate does not match the subject key identifier of the issuing certificate. |
Authority and issuer serial number mismatch | Certification body and issuer's serial number do not match. |
Key usage does not include certificate signing | |
Invalid Certificate | If the certificate is invalid, you will no longer be able to run secure transactions. |
Expired Certificate | If the certificate is expired it becomes invalid, you will no longer be able to run secure transactions. |
Invalid Hostname Validation | |
Supported Protocols
You get an overview of all supported protocols, which are compared with the Best Practice. A rating indicates how critical deviations from the recommendation are.
Supported Ciphers
You will receive an overview of all supported ciphers, which will be compared with the Best Practice. A rating indicates how critical deviations from the recommendation are.
Apps
Here you will find all information about the endpoint's application environment that can be detected from the outside. The Observer creates a footprint of the endpoint and examines it, for example, for
programming languages,
CMS,
Web Server,
Frameworks or
Libraries.
The more information an endpoint reveals about the technologies it uses, the more opportunities attackers have to target those applications. Ideally, an endpoint is configured and programmed in such a way that little can be learned about its technical basis.
All detected applications are presented to you in a clearly arranged list. You will get an assessment of how security-critical it is that the application can be detected from the outside, that is, how much damage a successful manipulation of the application could cause.
The detection of technologies in combination with version detection is especially critical. Versions make it possible to look up known security vulnerabilities (CVE) for the corresponding technologies and subsequently to target attacks.
Against this background, we have decided on the following categorization:
HIGH: Backend-relevant technologies that pose a high risk for serious attacks. e.g. CMS, Wikis, Blogs, Ecommerce, CI, Programming languages, Databases, Runtimes, Operating systems, Message boards, Web server extensions, Hosting panels, Issue trackers.
MEDIUM: Technologies with medium risk level. e.g. Web server, Development, Managed CMS
LOW: Other technologies e.g. UI Frameworks or JavaScript Libraries
**If no version is identifiable, the categorization is reduced: backend-relevant technologies receive a medium rating, and apps categorized as medium receive a low rating.**
As proof, you can see where the Observer recognized the application: in an HTTP header, a cookie or in the code of the website itself.
If known vulnerabilities (CVE) are found for the detected version, they are indicated in the list. All vulnerabilities of applications are also listed separately under 'Vulnerabilities'.
HTTP-Headers
Here you receive an analysis and evaluation of the HTTP headers that the endpoint sends, i.e. of the configuration of the HTTP connection.
Set HTTP-Headers
All set HTTP headers are listed and evaluated in an overview:
OK: The HTTP configuration complies with the recommendations.
Avoidable HTTP headers: The configuration unnecessarily reveals a lot of information and makes the HTTP connection potentially vulnerable.
Unknown HTTP Header: An unknown HTTP header was detected, which potentially reveals information. Please check the necessity of the HTTP header and remove it if necessary.
Test for required HTTP-Headers
Here it is checked whether all headers important for security have been set. These are:
Name | Recommendation | Description |
---|---|---|
Content-Security-Policy | | The HTTP Content Security Policy controls which resources may be loaded or executed in the browser and in what way. |
Expect-CT | max-age=0 | The Expect-CT (Certificate Transparency) HTTP header defines how the CT policy should be used. |
Feature-Policy | accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' | The feature policy determines which functions or APIs of a browser are permitted to be used. |
Referrer-Policy | no-referrer-when-downgrade | The referrer policy ensures that referrer information may only be sent under certain conditions. |
Strict-Transport-Security | max-age=31536000; includeSubDomains | HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against both downgrading of the connection encryption and session hijacking. |
X-Content-Type-Options | nosniff | The only defined value "nosniff" forbids browsers (originally Internet Explorer) from using MIME sniffing to determine and apply a content type other than the declared one. |
X-Frame-Options | DENY (SAMEORIGIN) (ALLOW-FROM https://example.com/) | X-Frame-Options determines whether a browser may embed the target page in a <frame>, <iframe> or <object> element. |
X-XSS-Protection | 1; mode=block | The X-XSS protection can forbid browsers to load a target page if a Cross-Site Scripting (XSS) attack is detected. |
If headers are not set correctly, a recommendation is issued.
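As an added example (not Enginsight's own checker), the following Python function evaluates a constructed set of response headers against the recommendations in the table above: it classifies set headers as OK, avoidable or unknown, and lists required headers that are missing or set incorrectly. The sets of avoidable and harmless well-known headers are assumptions, since the page does not name them.

```python
import re

# Constructed response headers of a fictional server (not captured from a real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Debug-Token": "abc123",
}
# Recommendations from the page's table (Content-Security-Policy has no fixed value there).
RECOMMENDED = {
    "content-security-policy": None,
    "expect-ct": "max-age=0",
    "feature-policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; "
                      "magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",
    "referrer-policy": "no-referrer-when-downgrade",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
}
# Assumed lists: the page names neither the avoidable nor the harmless well-known headers.
AVOIDABLE = {"server", "x-powered-by", "x-aspnet-version"}
KNOWN = {"content-type", "content-length", "date", "cache-control", "set-cookie",
         "content-encoding", "vary", "etag", "last-modified", "connection", "location"}

def _value_ok(name, value):
    """True if the header value satisfies the recommendation for that header."""
    v = value.strip()
    if name == "content-security-policy":
        return bool(v)  # any non-empty policy counts as set
    if name == "strict-transport-security":
        # max-age of at least one year and includeSubDomains, as recommended
        m = re.search(r"max-age=(\d+)", v, re.I)
        return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in v.lower()
    if name == "x-frame-options":
        return v.upper() in ("DENY", "SAMEORIGIN") or v.upper().startswith("ALLOW-FROM ")
    if name == "expect-ct":
        return bool(re.search(r"max-age=\d+", v, re.I))
    return v.replace(" ", "").lower() == RECOMMENDED[name].replace(" ", "").lower()

def evaluate_headers(headers):
    """Classify set headers as ok / avoidable / unknown and collect recommendations."""
    present = {k.lower(): v for k, v in headers.items()}
    report = {"ok": [], "avoidable": [], "unknown": [], "recommendations": {}}
    for name, value in present.items():
        if name in AVOIDABLE:
            report["avoidable"].append(name)
        elif name in RECOMMENDED:
            if _value_ok(name, value):
                report["ok"].append(name)
            else:
                report["recommendations"][name] = RECOMMENDED[name] or "set a policy"
        elif name in KNOWN:
            report["ok"].append(name)
        else:
            report["unknown"].append(name)
    for name, rec in RECOMMENDED.items():
        if name not in present:  # required header missing entirely
            report["recommendations"][name] = rec or "set a policy"
    return report
```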
Portscan
Here you can analyze your ports that are accessible by the Observer. The rating (low, medium, high) tells you if the ports should normally be publicly accessible.
The Observer checks the following common ports:
Port | IANA Service |
---|---|
21 | ftp |
22 | ssh |
23 | telnet |
25 | smtp |
53 | domain |
80 | http |
106 | 3com-tsmux |
110 | pop3 |
111 | sunrpc |
123 | ntp |
135 | epmap |
137 | netbios-ns |
138 | netbios-dgm |
139 | netbios-ssn |
143 | imap |
161 | snmp |
389 | ldap |
443 | https |
445 | microsoft-ds |
465 | urd |
587 | submission |
993 | imaps |
995 | pop3s |
1433 | ms-sql-s |
1512 | wins |
1723 | pptp |
2222 | EtherNet-IP-1 |
2483 | ttc |
2484 | ttc-ssl |
3306 | mysql |
3389 | ms-wbt-server |
4369 | epmd |
5432 | postgresql |
5666 | nrpe |
5672 | amqp |
5984 | couchdb |
6379 | redis |
8080 | http-alt |
8443 | pcsync-https |
8983 | apache solr |
27017 | mongodb |
With the endpoint alert "New Open Port" you can enable an alert as soon as the Observer detects a newly opened port.
Vulnerabilities
If the version number of a detected application can be verified, Enginsight checks the appropriate version for known vulnerabilities (CVE). In the overview you can see all found vulnerabilities listed and evaluated.
As soon as a security vulnerability has been closed (e.g. by an update), it automatically disappears from the overview during the next scan by the Observer.
Settings
General settings
Define as a target which endpoint should be monitored (e.g. IP address or domain). Assign a meaningful description and use tags to group the endpoints.
Which features should be monitored?
Select the parameters you want to monitor.
Which observer should monitor?
Define the observer(s) that will perform the monitoring. Always assign your observers to a region. The regions are then available for selection here.
If several Observers are assigned to the same region, they automatically share the monitoring of the endpoints among themselves (load balancing).
Responsibilities
Assign responsibilities. The technical manager receives a notification when an alarm is triggered for the corresponding endpoint, provided the Inform responsible persons option is active. You can also set responsibilities for the entire organization.
Redirects
By default, Enginsight monitors how the Observer is redirected. However, you can also manually define redirects that should be active. This way, you can ensure that no redirect is lost unnoticed when your website is being rebuilt or during selective adjustments.
Click on "Add redirect".
Specify the source, target address, and the corresponding status code of the forwarding.
Check the HTTP/HTTPS and WWW/Non-WWW options if you always want to monitor both HTTP and HTTPS and WWW and Non-WWW.
Save the changes.
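An added example, not part of Enginsight: this Python code expands one redirect rule into the HTTP/HTTPS and WWW/Non-WWW variants that the options above enable and verifies each variant against a fetch function. The constructed response table and fake_fetch stand in for a live Observer, live_fetch shows the same request with urllib, and the assumption that the target URL itself should not redirect again is mine.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed responses of a fictional site: URL -> (status code, Location header).
FAKE_RESPONSES = {
    "http://example.com/": (301, "https://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "https://example.com/old": (302, "https://www.example.com/new"),
}

def fake_fetch(url):
    """Stand-in for an Observer request; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, None))

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx response surfaces as an HTTPError

def live_fetch(url, timeout=10):
    """One real request without following redirects; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def expand_sources(source, both_schemes=True, both_www=True):
    """Variants of one source URL covered by the HTTP/HTTPS and WWW/Non-WWW options (port ignored)."""
    parts = urlsplit(source)
    host = parts.hostname or ""
    bare = host[4:] if host.startswith("www.") else host
    hosts = {bare, "www." + bare} if both_www else {host}
    schemes = {"http", "https"} if both_schemes else {parts.scheme}
    return sorted(urlunsplit((s, h, parts.path or "/", parts.query, "")) for s in schemes for h in hosts)

def check_redirect(fetch, source, target, status):
    """Returns None if source answers with the expected status and Location, else a message."""
    code, location = fetch(source)
    if code != status:
        return f"{source}: expected status {status}, got {code}"
    if (location or "").rstrip("/") != target.rstrip("/"):
        return f"{source}: expected redirect to {target}, got {location}"
    return None

def check_rule(fetch, source, target, status, both_schemes=True, both_www=True):
    """Verifies every enabled variant of one redirect rule and returns the failures."""
    failures = []
    for url in expand_sources(source, both_schemes, both_www):
        if url.rstrip("/") == target.rstrip("/"):
            continue  # assumption: the final target serves the page and does not redirect again
        problem = check_redirect(fetch, url, target, status)
        if problem:
            failures.append(problem)
    return failures
```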
Advanced settings
In the advanced settings of your endpoints, you can specify when a web page is considered reachable. By default, we assume human reachability, i.e. the status code 200 is returned. If you deactivate the 'Human Accessible' option, the status code is no longer taken into consideration and only the technical accessibility is checked.
Reports
Reports are summaries of endpoints that are displayed in a PDF. You can create reports in the respective endpoints. Under Endpoints -> Reports these are displayed collectively.
To create a PDF report for an endpoint, go to 'Endpoints' in the top menu and then select the endpoint. Go to 'Reports' in the left sidebar menu.
Then click on Create Report.
Wait a few seconds until the PDF report has been created. It will be downloaded to your PC and displayed in the list.