About the Sentinel Appliance

The Sentinel Appliance is a virtual machine that enables scanning of source code or binaries for Sentinel Source, or of internal websites not accessible via the public internet.

The Sentinel Appliance enables the Sentinel Service to securely assess applications (with WhiteHat Dynamic) and source code (with WhiteHat Sentinel Source) in development or in production with the same rigorous and continuous methodology of scanning, verification and custom testing.

The purpose-built Sentinel Appliance will reside strategically behind the firewall, typically inside a customer demilitarized zone (DMZ).

The architecture will vary depending on whether you are using WhiteHat Dynamic (dynamic scanning) or Sentinel Source (static scanning).

Figure: Sentinel Appliance architecture

Note that DAST appliances are assigned a /24 subnet that can accommodate a total of 254 primary and associated hostnames.

Sentinel Appliance Operations

The Sentinel Appliance is a VM appliance configured by Synopsys to be deployed inside the customer’s network. It will periodically connect to Synopsys' controller (see Requirements for more details on the IP addresses and ports involved).

The controller authenticates with the appliance (the satellite) and negotiates a list of customer code bases (for Sentinel Source) and/or websites (for Sentinel DAST) to test. The Sentinel Appliance establishes a secure encrypted SSH tunnel back to a controller server at Synopsys. Scanning parameters are communicated via this tunnel to a scan engine that runs on the Sentinel Appliance; for Sentinel Source, this includes checking out source code from the customer’s repositories and performing the analyses. The controller can assign virtual IP addresses to the customer’s websites so that Synopsys' scanners can reach private RFC 1918 addresses to support WhiteHat Dynamic.

WhiteHat Dynamic uses SSH2 AES-256 key pairs; these are created when the appliance is set up. The appliance can only call one (1) IP address and then present its authentication to the receiving device. Synopsys cannot call the appliance. If the authentication fails, there is no connection; the customer retains all control over what access the device has. The appliance simply opens a secure channel to Synopsys so that the scanners can route through it to your assets. WhiteHat Dynamic (DAST) appliances attempt to re-establish their SSH tunnel connection every hour; Sentinel Source (SAST) appliances also attempt to re-establish their tunnels hourly, unless a scan is currently running on the appliance.

All scanner traffic is transported within the encrypted SSH tunnel.
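The properties described above (one outbound endpoint, no inbound calls from Synopsys, hourly tunnel re-establishment) can be checked against the DMZ firewall's flow logs. The following audit is an added example, not Synopsys' own code or configuration; the controller IP and port, the appliance IP, the log line format and the log lines themselves are constructed placeholders (take the real controller endpoint from the Requirements page).

```python
from datetime import datetime, timedelta

# Placeholders (not from the page): the single controller endpoint the appliance
# is allowed to call, and the appliance's own RFC 1918 address inside the DMZ.
CONTROLLER_IP = "203.0.113.10"
CONTROLLER_PORT = 22
APPLIANCE_IP = "10.0.5.20"
# Hourly reconnect plus slack. A SAST appliance defers reconnects while a scan
# is running, so a longer gap is expected there and should be cross-checked
# against scan activity before being treated as a tunnel outage.
MAX_GAP = timedelta(hours=1, minutes=15)

# Constructed flow-log lines: "<ISO time> <src ip> <dst ip> <dst port> <direction>"
SAMPLE_LOG = """\
2024-03-01T00:00:05 10.0.5.20 203.0.113.10 22 out
2024-03-01T01:00:07 10.0.5.20 203.0.113.10 22 out
2024-03-01T01:00:09 10.0.5.20 198.51.100.7 443 out
2024-03-01T03:30:00 10.0.5.20 203.0.113.10 22 out
2024-03-01T03:31:00 198.51.100.9 10.0.5.20 22 in
"""


def parse(log_text):
    """Yield (timestamp, src, dst, port, direction) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, direction = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), direction


def audit(log_text):
    """Return a list of findings that contradict the documented appliance behaviour."""
    findings, tunnel_times = [], []
    for ts, src, dst, port, direction in parse(log_text):
        if direction == "in" and dst == APPLIANCE_IP:
            # The controller never initiates connections to the appliance.
            findings.append(f"{ts.isoformat()} inbound to appliance from {src}")
        elif direction == "out" and src == APPLIANCE_IP:
            if (dst, port) == (CONTROLLER_IP, CONTROLLER_PORT):
                tunnel_times.append(ts)
            else:
                # Only the single controller endpoint should ever be called.
                findings.append(f"{ts.isoformat()} egress to {dst}:{port} outside controller endpoint")
    # Tunnel re-establishment should recur roughly hourly; flag longer gaps.
    for earlier, later in zip(tunnel_times, tunnel_times[1:]):
        if later - earlier > MAX_GAP:
            findings.append(f"tunnel gap of {later - earlier} after {earlier.isoformat()}")
    return findings
```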

Deciding How to Host Your Sentinel Appliance

There are three options for hosting your appliance: on your premises, via AWS, or using Synopsys cloud hosting.

WhiteHat Cloud Hosting

If you prefer not to host your SAST appliance yourself (which can be done either via AWS or on your own premises), you can request that Synopsys host your appliance for an additional fee. Note that assets using a Synopsys-hosted appliance should typically be accessible via the public internet. Synopsys hosting for assets available only via your internal network will require you to allow bilateral traffic between your network and Synopsys.

To request that Synopsys host your SAST appliance, please click the "Request" button under "WhiteHat Cloud Hosting" on the SAST tab of the Appliance Management page, as shown:

Figure: Request cloud hosting

The primary benefit of requesting that Synopsys host your appliance in the cloud is that you are relieved of all administrative duties to support the Sentinel Appliance.

Hosting Your Appliance On-Premises or via AWS

The configuration and usage of your appliance is virtually identical whether you host it in your own network ("on-premises") or via AWS ("AWS-hosted"). However, AWS DAST implementations require a t2.medium with current hardware specifications.