Sentinel Appliance FAQ
What protocol and port numbers does our appliance use to communicate to WhiteHat’s satellite controllers?
See the tables in Network Requirements for information on the ports you can use for both DAST and SAST in EU and non-EU locations.
Can the appliance use SSH over SSL?
Why does WhiteHat use these ports instead of port 80?
Because the appliance protocol is not HTTP.
Does the appliance use port forwarding?
Can you point the appliance to our Proxy’s IP address?
Is root access available for the appliance?
Does the appliance use the customer’s network’s DNS to look up names?
When you deploy an appliance you will have the opportunity to enter your DNS information. While it is possible to use only IPs, there are typically so many that it is burdensome to supply them all; entering your DNS information simplifies this process. The appliance can only go to locations for which we have the host-name/IP address.
What does WhiteHat do with the information provided for internal assets?
Configure routes and DNS mappings used by our scanners.
Can WhiteHat access other applications beyond what is under contract?
We are only able to reach applications to which the client has given us the hostname and IP address.
Is the scanning happening from the appliance itself?
For DAST, the appliance is simply acting as a router between our production servers and the customers' internal network. For SAST, source-code scanning engines run on premises.
Does WhiteHat use any of the customer’s network resources?
The DAST or SAST appliances know just to call back to our production server. The appliance also depends on the customer’s Internet connection.
WhiteHat Sentinel Source appliances will need to download the code and, in most cases, its dependencies; note that this download is to the appliance itself and the code as a whole is not transmitted to WhiteHat.
Are my internal IP addresses going back and forth over the Internet?
For SAST appliances, DNS information will be stored on the appliance, along with any configuration files the customer uploads to Sentinel.
For DAST appliances, only the DNS information is stored on the appliance.
The appliance’s SSH key grants it access to the controller and allows the controller to send the configuration stored in WhiteHat’s datacenter over the encrypted tunnel to the appliance, which then configures itself appropriately. Double NAT is used to ensure no IP address(es) from either endpoint are exposed over the internet.
What measures does WhiteHat take to ensure the security of the appliance?
The appliance is pen-tested by our IT department, and has undergone WhiteHat’s Threat Research Center’s rigorous hardening process. In addition, WhiteHat uses 2048 bit rsa keys with aes256-cbc key exchange and we enforce hmac-md5; there are no virtual terminal logins on the appliance, just the configuration script; and the grub configuration menu is turned off.
What OS does the appliance run?
All DAST (Dynamic) appliances for Sentinel EU, along with DAST appliances for Sentinel US numbered 1800 and above, and EU 150 and above, are running Ubuntu 18.04 LTS; all other DAST appliances are using older Ubuntu LTS versions.
SAST (Static/Source) appliances for Sentinel EU numbered 200 and above, along with SAST appliances for Sentinel US numbered 2000 and above, are running Ubuntu 18.04 LTS; all other SAST appliances are using older Ubuntu LTS versions.
Is it possible to do a pen test on WhiteHat’s appliance?
We encourage you to perform unauthenticated (noninvasive) pen tests to ensure you are comfortable with the Sentinel Appliance. However, we do not allow authenticated pen tests in order to protect the confidentiality and integrity of the Sentinel Appliance.
What authentication mechanism does WhiteHat use between the satellite and the controller?
Each satellite has a unique cryptographic key and the public portion of our controller’s key. This is used by the appliance to verify that it is talking to the real controller as well as to enable the controller to know which appliance it’s talking to.