Endpoint details

Add endpoint

  1. Click the 'Add Endpoint' button.

  2. Enter the URL or IP address to be monitored as the target.

  3. Assign a description and tags.

  4. Confirm that you are authorized to analyze the endpoint.

  5. Define what you want to monitor with Enginsight. It is best to enable all features at the beginning.

  6. Select at least one observer to perform the monitoring. If you are an on-premises customer and have not yet added an Observer, install an Observer. In the SaaS platform, you can also use two provisioned observers (Germany, USA).

  7. Add the endpoint.

Continuous monitoring by the Observer can only be ensured if the IP addresses from which the monitoring is performed are not blocked by firewall rules. If necessary, allow the following IP addresses when using the observers provided on the SaaS platform:

  • 164.90.185.111

  • 164.90.231.250

  • 142.93.119.55

  • 142.93.119.52

  • 138.68.93.235

  • 138.68.71.130

  • 139.59.155.98

Optionally, allow all A records of the domain observers.enginsight.com instead.

Overview

Here you will find a list of all your endpoints, including the current risk score and associated severity.

Clicking on an endpoint will take you to the detailed view.

Dashboard

Several windows give you quick information about the security status of your endpoint.

You can find out what is behind each tile below:

Find out from which region your website is monitored and any details about availability, response time and offline time. The timeline next to it visualizes the availability over the hours. The gray markers stand for reachable times of your website, while pink markers show you at which times your website had problems.

Assessments

The view allows you to search through the checks that have been carried out. See at a glance the criticality of individual checks, their category, the corresponding module and the recorded risk score.

Use the top search bar or the filters on the left-hand side to display the relevant results. Click on a top category in the filter bar on the left to select all characteristics or select the desired filters separately from the list.

Vulnerabilities

Get an overview of existing vulnerabilities.

At the beginning of the entry you will find a classification of the severity. You will also find the official CVSS score (Common Vulnerability Scoring System) for the CVE (Common Vulnerabilities and Exposures) in question and the associated software.

Appease vulnerabilities

Use the multiedit function to appease several entries with just one click. In the overlay you can also choose whether only the specifically selected CVEs are affected or all CVEs associated with a given Common Platform Enumeration (CPE).

Specific CVEs

  1. Select individual vulnerabilities and then click on "Apply" in the top right-hand corner of the screen. The following overlay will then open:

  2. If required, enter a comment, which will then be attached to the selected vulnerabilities.

  3. Select the category: "Specific CVEs". Below this you will find a list of all previously selected CVEs.

  4. Confirm your entry by clicking on: "Add action".

Common Platform Enumeration

  1. Select individual vulnerabilities and then click on "Apply" in the top right-hand corner of the screen. The overlay then opens.

  2. If required, enter a comment, which will then be attached to the selected vulnerabilities.

  3. Select the category: "Common Platform Enumeration".

  4. Then enter the corresponding values under "Vendor", "Product" and "Version". You can easily copy this information from the CVSS vector strings and paste it in the right place.

  5. Confirm your entry by clicking on: "Add action".

Settings

Under Settings you will find the destination, and you also have the option of adding a description to your endpoint. Get an overview of assigned tags or add them if required. In the "Regions" area, you will find information about the assignment of the observers.

Advanced settings

You can activate the "Human Accessibility" option in the advanced settings. This setting determines that your website is only displayed as accessible if it returns the HTTP status code 200 (OK). If this option is activated, the website is considered unavailable if it returns a different status code (e.g. 404, 500), even if the server is technically accessible. If you do not activate this option, only the technical accessibility of the server is taken into account, regardless of the status code returned.

Responsibilities

Select a technical manager who is responsible for the maintenance and operation of the server. This person should have sound technical knowledge and be able to solve technical problems quickly.

You should also appoint a specialist from your organization. This person is responsible for the content and functional aspects of the endpoint and ensures that the server meets the business requirements.

Geo-IP visualization

Below the responsibility assignment, you will find a map that shows the geo-IP of your endpoint. This map gives you a visual representation of the geographical location of the server based on the IP address. The blue circle shows the area in which the server is located. Use this information to get a better overview of the geographic distribution of your servers and to assess the potential impact on performance and compliance.

BSI

The view shows you which checks your endpoint does not pass and where your configuration falls short. Use this information to tackle compliance in a targeted manner: work through the list and use it as proof of legal compliance.

In the technical guideline BSI TR-03116-4, the German Federal Office for Information Security (BSI) provides specifications and recommendations for a secure SSL/TLS configuration. The guideline is a good indicator for evaluating the SSL/TLS configuration. Check the compliance of your endpoint.

Applications

Use the overview to keep an eye on all applications associated with the endpoint.

Here you will find all information about the application environment of the endpoint that can be detected externally. The Observer creates a footprint of the endpoint and checks, for example, for:

  • CMS,

  • Web Server,

  • Frameworks or

  • Libraries.

The more information an endpoint reveals about the technologies used, the more starting points there are for hackers to launch targeted attacks on the applications. Ideally, an endpoint is configured and programmed in such a way that little can be learned about the technical basis.

All detected applications are presented to you in a clear list. You receive an assessment of how security-critical it is that the application can be detected from the outside.

Make sure you keep your applications as up-to-date as possible to ensure the security of your systems.

With this in mind, we have decided on the following categorization:

  • HIGH: Backend-relevant technologies that pose a high risk of serious attacks, e.g. CMS, wikis, blogs, e-commerce, CI, programming languages, databases, runtimes, operating systems, message boards, web server extensions, hosting panels, issue trackers

  • MEDIUM: Technologies with a medium level of risk, e.g. web servers, development, managed CMS

  • LOW: Other technologies e.g. UI frameworks or JavaScript libraries

If no version is recognizable, the criticality is reduced. Backend-relevant technologies receive a medium rating, apps categorized as medium receive a low rating.

As proof, you can find out where the Observer detected the application: in an HTTP header, a cookie or in the code of the website itself.

If known vulnerabilities (CVE) are found for the detected version, these are indicated in the list. All application vulnerabilities are also listed separately under Vulnerabilities.

Domain Name System

You use the Domain Name System (DNS) to configure various aspects of your domain. DNS is necessary, for example, to assign the appropriate IP to the domain. Proper configuration is necessary for the smooth operation of the website. Monitor your DNS settings by monitoring your DNS records.

You receive all DNS records in a clear list. In addition, Enginsight checks specific, security-relevant DNS records.

DNS validation tests

To prevent misuse of your domain and secure the SSL/TLS connection, you should use DNS records specially developed for this purpose: CAA, SPF, DMARC. The Observer therefore specifically checks for these three records.

CAA record (Certification Authority Authorization)

With a CAA record, the domain owner determines which certification authority (CA) may issue an SSL/TLS certificate for the domain. The Observer checks for:

  • Missing contact address for DNS CAA: No contact address (iodef) has been assigned.

  • Invalid contact address for DNS CAA: The contact address (iodef) contains characters that are invalid in emails and/or is not a valid email address (of the form abc@def.com).

  • Unconventional certification authority: The certification authority used (issue, issuewild) is not on our whitelist. This includes: letsencrypt.org, globalsign.com, sectigo.com, camerfirma.com, accv.es, actalis.it, amazon.com, pki.apple.com, atos.net, buypass.com, aoc.cat, certigna.fr, www.certinomis.com, ecert.gov.hk, certsign.ro, certum.pl

SPF-Record (Sender Policy Framework)

The SPF protocol makes it possible to authorize IP addresses to send emails on behalf of the domain. In this way, third parties are prevented from misusing the domain name. The record is effective in preventing phishing emails that use the domain. We validate:

  • Outdated SPF version: Check the SPF version used (v); currently only spf1 exists.

  • Multiple SPF entries exist: Never use multiple SPF entries. Instead, combine several SPF definitions in a single entry.

  • SPF entry contains characters after ALL: No further entries may follow the optional ALL entry.

  • Incorrect SPF syntax: The entry contains unknown terms (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or unauthorized characters.

DMARC-Record (Domain-based Message Authentication, Reporting and Conformance)

The DMARC record defines a procedure for what should be done if the domain is used by an unauthorized IP to send an e-mail. Enginsight checks:

  • Invalid DMARC policy: The DMARC policy (p) does not have a usual value. Usual values are: none (the sending of emails is not affected; you only receive a notification), quarantine (emails that do not pass the DMARC check end up in the recipient's spam folder) and reject (emails that do not pass the DMARC check should be rejected by the recipient).

  • Invalid DMARC subdomain policy: The DMARC subdomain policy (sp) does not have a usual value (for the values, see: DMARC policy).

  • Invalid DMARC percentage filter specification: The optional percentage filter specification (pct) specifies the percentage of messages to be filtered. The value must therefore be between 1 and 100.

  • Invalid DMARC address for report emails: The report email address contains invalid characters or is not a valid email address (of the form abc@def.com).

  • Invalid DMARC protocol version: The version of DMARC (v) must be DMARC1.
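As an added illustration (not Enginsight's own code), the SPF, DMARC and CAA checks described in the three sections above, implemented as offline validators in Python. The records are assumed to come from a resolver you query yourself; the accepted SPF terms, the DMARC policy values and the CA whitelist are the ones given on this page.

```python
import re

# Accepted SPF terms, accepted CAA issuers and DMARC policy values, as listed on this page.
SPF_KNOWN = {"spf1", "mx", "ip4", "ip6", "exists", "include", "all", "a", "redirect", "exp", "ptr"}
CAA_WHITELIST = {"letsencrypt.org", "globalsign.com", "sectigo.com", "camerfirma.com", "accv.es",
                 "actalis.it", "amazon.com", "pki.apple.com", "atos.net", "buypass.com", "aoc.cat",
                 "certigna.fr", "www.certinomis.com", "ecert.gov.hk", "certsign.ro", "certum.pl"}
DMARC_POLICIES = {"none", "quarantine", "reject"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SPF_CHARS = re.compile(r"^[A-Za-z0-9.:/=_+~?%{}\-]+$")  # characters allowed in one SPF term

def check_spf(txt_records):
    """Apply the page's four SPF checks to all TXT records of a domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf")]
    if not spf:
        return ["No SPF record found"]
    findings = ["Multiple SPF entries exist"] if len(spf) > 1 else []
    terms = spf[0].split()
    if terms[0].lower() != "v=spf1":
        findings.append("Outdated SPF version")
    for i, term in enumerate(terms[1:], start=1):
        # drop the qualifier (+ - ~ ?) and any argument to get the mechanism or modifier name
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name not in SPF_KNOWN or not SPF_CHARS.match(term):
            findings.append(f"Incorrect SPF syntax: {term}")
        elif name == "all" and i < len(terms) - 1:
            findings.append("SPF entry contains characters after ALL")
    return findings

def check_dmarc(record):
    """Apply the page's five DMARC checks to the _dmarc.<domain> TXT record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("Invalid DMARC protocol version")
    if tags.get("p") not in DMARC_POLICIES:
        findings.append("Invalid DMARC policy")
    if "sp" in tags and tags["sp"] not in DMARC_POLICIES:
        findings.append("Invalid DMARC subdomain policy")
    pct = tags.get("pct", "100")  # optional; treated as 100 when absent
    if not (pct.isdigit() and 1 <= int(pct) <= 100):
        findings.append("Invalid DMARC percentage filter specification")
    for uri in tags.get("rua", "").split(",") + tags.get("ruf", "").split(","):
        uri = uri.strip()  # report URIs look like mailto:addr, optionally followed by !size
        if uri and not EMAIL_RE.match(uri.removeprefix("mailto:").split("!")[0]):
            findings.append(f"Invalid DMARC address for report emails: {uri}")
    return findings

def check_caa(caa_records):
    """Apply the page's three CAA checks; records are (flags, tag, value) triples."""
    has_iodef = any(tag == "iodef" for _, tag, _ in caa_records)
    findings = [] if has_iodef else ["Missing contact address for DNS CAA"]
    for _, tag, value in caa_records:
        issuer = value.split(";", 1)[0].strip()  # "ca.example; account=1" -> "ca.example"
        if tag == "iodef" and value.startswith("mailto:") and not EMAIL_RE.match(value[7:]):
            findings.append(f"Invalid contact address for DNS CAA: {value}")
        elif tag in ("issue", "issuewild") and issuer and issuer not in CAA_WHITELIST:
            findings.append(f"Unconventional certification authority: {issuer}")
    return findings
```

An iodef value that is an https: URL rather than a mailto: address is left alone here, since the page only describes the email form.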

Alerts: Invalid SPF DNS record, Invalid CAA DNS record

To be notified immediately of incorrect DNS records, enable alerts for your endpoints. The "Invalid CAA DNS record" alert informs you about incorrect CAA DNS records; the "Invalid SPF DNS record" alert warns you of incorrect SPF records.

HTTP-Header

Here you receive an analysis and evaluation of the HTTP connection configuration set via HTTP headers.

Set HTTP headers

All set HTTP headers are listed and evaluated in an overview:

  • OK: The HTTP configuration complies with the recommendations.

  • Avoidable HTTP header: The configuration made unnecessarily reveals a lot of information and therefore makes the HTTP connection potentially vulnerable.

  • Unknown HTTP header: An unknown HTTP header has been detected that potentially reveals information. Please check the necessity of the HTTP header and remove it if necessary.

Test for required HTTP headers

The system checks whether all headers important for security have been set. These are:

  • Content-Security-Policy: The HTTP content security policy regulates which resources the browser may load or execute, and in what way.

  • Expect-CT (recommendation: max-age=0): The Expect-CT (Certificate Transparency) HTTP header defines how the CT policy is to be applied.

  • Feature-Policy (recommendation: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'): The feature policy determines which functions or APIs of a browser may be used.

  • Referrer-Policy (recommendation: no-referrer-when-downgrade): The referrer policy ensures that referrer information is only sent under certain conditions.

  • Strict-Transport-Security (recommendation: max-age=31536000; includeSubDomains): HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against downgrade of the connection encryption and against session hijacking.

  • X-Content-Type-Options (recommendation: nosniff): The only defined value "nosniff" prohibits the browser (originally Internet Explorer) from using MIME sniffing to determine and apply a content type other than the declared one.

  • X-Frame-Options (recommendation: DENY; alternatives: SAMEORIGIN, ALLOW-FROM https://example.com/): X-Frame-Options determines whether a calling browser may render the target page in a <frame>, <iframe> or <object>, i.e. embed it.

  • X-XSS-Protection (recommendation: 1; mode=block): X-XSS-Protection can prohibit browsers from loading a target page if a cross-site scripting (XSS) attack is detected.

If headers are not set correctly, a recommendation is issued.
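An added example (not the product's code) of the header evaluation described above, applied to two constructed responses. The recommended values are the ones listed on this page; the set of avoidable headers and the allowlist of ordinary headers are assumptions, since the page names neither.

```python
# Headers the page lists as required, with the recommended value given there (Content-Security-Policy
# has no fixed value on the page, so only its presence is checked).
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "expect-ct": "max-age=0",
    "feature-policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; "
                      "magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",
    "referrer-policy": "no-referrer-when-downgrade",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
}
# Assumed examples of headers that only leak implementation details; the page does not name any.
AVOIDABLE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# Assumed allowlist of ordinary response headers that are neither required nor avoidable.
KNOWN_HEADERS = {"content-type", "content-length", "date", "cache-control", "etag", "last-modified",
                 "set-cookie", "location", "vary", "connection", "content-encoding"}
LEAKY_RESPONSE = (  # constructed sample response, not captured from any real host
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4\r\n"
    "Content-Type: text/html\r\nStrict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "X-Debug-Token: 1a2b\r\n\r\n<html></html>")
HARDENED_RESPONSE = (  # constructed sample with every required header set
    "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n"
    "Expect-CT: max-age=0\r\nFeature-Policy: accelerometer 'none'; camera 'none'; "
    "geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; "
    "payment 'none'; usb 'none'\r\nReferrer-Policy: no-referrer-when-downgrade\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\n\r\n")

def _directives(value):
    """Split 'a; b=c' into a case-insensitive set of directives for order-independent comparison."""
    return {d.strip().lower() for d in value.split(";") if d.strip()}

def _matches(name, actual, recommended):
    """True if the header value meets the recommendation (stricter settings are accepted)."""
    if name == "x-frame-options":  # the page lists DENY, with SAMEORIGIN and ALLOW-FROM as alternatives
        return actual.upper() in ("DENY", "SAMEORIGIN") or actual.upper().startswith("ALLOW-FROM ")
    if name == "strict-transport-security":  # at least one year, and includeSubDomains must be present
        d = _directives(actual)
        age = max((int(x[8:]) for x in d if x.startswith("max-age=") and x[8:].isdigit()), default=0)
        return age >= 31536000 and "includesubdomains" in d
    return _directives(actual) == _directives(recommended)

def evaluate_headers(raw_response):
    """Classify a raw HTTP response's headers as OK, missing, avoidable or unknown, like the overview."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"ok": [], "missing": [], "recommendation": [], "avoidable": [], "unknown": []}
    for name, recommended in REQUIRED_HEADERS.items():
        if name not in headers:
            result["missing"].append(name)
        elif recommended is None or _matches(name, headers[name], recommended):
            result["ok"].append(name)
        else:
            result["recommendation"].append(f"{name}: set '{recommended}' (found '{headers[name]}')")
    for name in headers:
        if name in AVOIDABLE_HEADERS:
            result["avoidable"].append(name)
        elif name not in REQUIRED_HEADERS and name not in KNOWN_HEADERS:
            result["unknown"].append(name)
    return result
```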

Open Ports

Here you can analyze the ports of your endpoint that are reachable from the Observer. The rating (low, medium, high) indicates whether the port should normally be publicly accessible.

The Observer checks the following common ports:

  • 21: ftp

  • 22: ssh

  • 23: telnet

  • 25: smtp

  • 53: domain

  • 80: http

  • 106: 3com-tsmux

  • 110: pop3

  • 111: sunrpc

  • 123: ntp

  • 135: epmap

  • 137: netbios-ns

  • 138: netbios-dgm

  • 139: netbios-ssn

  • 143: imap

  • 161: snmp

  • 389: ldap

  • 443: https

  • 445: microsoft-ds

  • 465: urd

  • 587: submission

  • 993: imaps

  • 995: pop3s

  • 1433: ms-sql-s

  • 1512: wins

  • 1723: pptp

  • 2222: EtherNet-IP-1

  • 2483: ttc

  • 2484: ttc-ssl

  • 3306: mysql

  • 3389: ms-wbt-server

  • 4369: epmd

  • 5432: postgresql

  • 5666: nrpe

  • 5672: amqp

  • 5984: couchdb

  • 6379: redis

  • 8080: http-alt

  • 8443: pcsync-https

  • 8983: apache solr

  • 27017: mongodb

With the "New open port" endpoint alert, you can set an alert as soon as the Observer detects a new open port.

SSL/TLS

Gain insight into your SSL/TLS configurations and check whether the encryption complies with current security standards.

Certificate

The overview provides information on the certificate used, e.g. the validity, the public key used, which domain the certificate was assigned to and which certification authority issued it.

Web-Encryption-Checks

Our security checks examine the SSL/TLS encryption for known vulnerabilities caused by misconfigurations or the use of outdated technologies. These are:

  • Supports SSL/TLS compression: The use of compression is not recommended, as it makes SSL/TLS vulnerable (especially to CRIME, Compression Ratio Info-leak Made Easy).

  • No support for secure renegotiation: Secure Renegotiation ensures that no overload is possible if a client is constantly requesting new keys. Requests are then blocked and a DDoS attack is prevented.

  • Supports weak SSL/TLS ciphers: SSL/TLS ciphers determine which encryption algorithms are used to exchange keys and how communication is secured. If insecure SSL/TLS ciphers are offered, the established connection is no longer secure.

  • Weak Diffie-Hellman parameter: An insecure key exchange method is used.

  • Supports anonymous ciphers: Anonymous ciphers are insecure and should not be used.

  • Supports vulnerable ciphers: Ciphers that contain insecure cryptographic procedures should not be offered.

  • Insecure SSL/TLS protocol: Only secure protocols should be offered for encryption.

  • Susceptible to NULL pointer dereference

  • Susceptible to DROWN: The outdated SSLv2 can be used to crack recorded TLS traffic.

  • Susceptible to FREAK: In a FREAK attack, the communication partners are tricked into agreeing on an insecure encryption method, even though secure methods are available.

  • Does not support the latest protocol (TLSv1.3): The latest and most secure protocol, TLSv1.3, is not supported.

  • Susceptible to Logjam attacks: Attackers can obtain the secret keys by exploiting a vulnerability in the Diffie-Hellman key exchange.

  • Cipher supports MD5: MD5 is no longer considered sufficiently secure and should therefore not be used.

  • Supports zero-cipher encryption: A zero cipher means that no encryption is used at all. This is never recommended beyond testing purposes.

  • Supports ciphers susceptible to POODLE attacks: POODLE attacks exploit a vulnerability in SSL 3.0 so that encrypted information from an SSL 3.0 connection can be exposed.

  • Supports RC4 ciphers: RC4 is no longer considered sufficiently secure and should therefore not be used.

  • Susceptible to SLOTH attack: Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack.

  • Vulnerable according to the BSI: The SSL/TLS encryption does not comply with the requirements of the BSI (German Federal Office for Information Security).

  • No support for Perfect Forward Secrecy (PFS): Perfect Forward Secrecy ensures that the newly negotiated session key cannot be reconstructed from the long-term key.

  • No support for Authenticated Encryption (AEAD) ciphers

  • Susceptible to Sweet32 attacks: The stream cipher RC4 makes the connection vulnerable to Sweet32 attacks.

  • Supports weak protocols: Weak, outdated protocols jeopardize the security of the SSL/TLS connection.

  • No certificate issuer can be determined: SSL/TLS certificates are issued by Certification Authorities (CA). The issuer must be identifiable.

  • Certificate CRL not available

  • Certificate signature cannot be decrypted: The signature of a certificate enables a third party to confirm the identity of the certificate owner. It must therefore be readable.

  • CRL signature cannot be decrypted

  • Public key cannot be decoded: The public key is used to enable a secure key exchange. It must therefore be decodable.

  • Invalid certificate signature

  • Invalid CRL (Certificate Revocation List) signature

  • Invalid certificate: Trust has been withdrawn from invalid certificates. They should no longer be used.

  • Invalid expiration date of the certificate: The expiration date of the certificate used is incorrect.

  • Invalid CRL (Certificate Revocation List): The certificate revocation list used is invalid.

  • Expiry of the validity of the CRL (Certificate Revocation List): The validity period of the certificate revocation list used has expired.

  • Format error in the notBefore field of the certificate: The notBefore field contains an invalid time.

  • Format error in the notAfter field of the certificate: The notAfter field contains an invalid time.

  • Format error in the lastUpdate field of the CRL: The lastUpdate field contains an invalid time.

  • Self-signed certificate: Self-signed certificates cannot confirm authenticity and are therefore not recommended.

  • Self-signed certificate in the certificate chain: Self-signed certificates cannot confirm authenticity and are therefore not recommended.

  • Local issuer certificate not available

  • The first certificate could not be verified

  • Certificate chain too long

  • Revoked certificate: The certificate used has been revoked and should no longer be used.

  • Invalid CA certificate: The certificate issued by the Certificate Authority is invalid.

  • Path length limit exceeded

  • Unsupported certificate purpose

  • Certificate is not trustworthy: The certificate used is not considered trustworthy.

  • Certificate rejected: The certificate used causes problems and is therefore rejected.

  • Deviation between certification authority and issuer: Certification authority and issuer do not match.

  • Mismatch between certification authority and serial number of the issuer: Certification authority and serial number of the issuer do not match.

  • The key usage does not include the signing of certificates

  • Expired certificate: If the certificate has expired, it becomes invalid and you can no longer carry out secure transactions.

It can happen that a certificate is marked as unverifiable in Enginsight although your browser does not display an error message when you open the domain. This is not a false positive. In this case, your browser has cached the certificate chain of a common Certification Authority (CA), which is why it can still complete the certificate chain. However, this is not a correct configuration of your SSL/TLS encryption, as the reference to the root certificate is missing from the certificate chain the server sends.

Supported Protocols

You receive an overview of all supported protocols, which are compared with best practice. A rating indicates how critical deviations from the recommendation are.

The "OK" label means that the certificates comply with current security standards and have no critical security gaps.

Supported Ciphers

You receive an overview of all supported ciphers, which are compared with best practice. A rating indicates how critical deviations from the recommendation are.
