Caroline Collins
2024-07-30 17:00:42
www.hackerone.com
Our Solution: Precision Internal Network Testing with Zero Trust Control
We are excited to introduce Gateway Internal Network Testing (INT) as the latest enhancement to HackerOne Gateway, powered by Cloudflare’s Zero Trust Network Access (ZTNA) technology. Gateway is one of the key components of the HackerOne Platform, providing superior control and precision in managing security program traffic. Gateway INT addresses the critical need for secure and efficient internal network testing by routing all security program traffic through the same ZTNA. This provides the additional traceability required in regulated and compliance-driven industries, enabling external security researchers to conduct thorough testing of pre-production assets with access mechanisms built on the enhanced security principles of zero trust.
Gateway features a split tunnel, researcher-level segregation, and logging with TLS decryption, ensuring visibility and control over all testing activities. Gateway INT seamlessly integrates advanced firewall protection and industry-standard security protocols, including Cloudflare Tunnel (also known as Cloudflared) and IPsec. The solution balances ease of use with zero trust security, offering an optional dedicated virtual machine (VM) setup to facilitate the Cloudflared solution for pentesting on internal assets. Customers also have the flexibility to install and self-manage Cloudflared on their existing or new endpoints (servers).
Understanding Cloudflared and IPsec in Gateway INT Context
Cloudflared is a command-line tool that creates secure tunnels to Cloudflare’s network, giving safe and fast access to internal applications without exposing them to the internet. In Gateway INT, Cloudflared encrypts and routes all security testing traffic through the ZTNA infrastructure, supporting specialized pentests that require evaluation of network segmentation and other testing that must be performed from within an internal network.
IPsec (Internet Protocol Security) is a suite of protocols that secure internet communication by authenticating and encrypting each IP packet. In Gateway INT, IPsec adds another layer of encryption and security for traffic between internal networks and security researchers, protecting sensitive data and providing continuous proof of testing.
Key Benefits
Program-specific Control and Visibility
The Control View manages who can access the program and assets. Gateway allows seamless setup, pausing, and resuming of access for researchers, applied on a per-researcher or overall program level. Any changes trigger email notifications for both paused and resumed actions, with filtering and search capabilities for streamlined management.
INT Advantage: Provides controlled bug bounty programs with granular reporting through Cloudflare Tunnel, ensuring proof of testing activities and transparency, while maintaining robust security and compliance.
Allowlisted IP Addresses
Allowlisted IP addresses are assigned closest to the asset location to reduce latency and improve performance. The Settings view includes separate tabs for Hackers, Pentesters, Triagers, and Program Admins, along with the ability to pause, resume, and filter actions with a single click.
INT Advantage: Maintain program-specific control over all your assets with 24/7 IP allowlisting monitoring and the ability to pause testing as needed.
Download Log View and Real-Time Log Stream
The Log Management feature, available for the Cloudflared solution, facilitates downloading a zip archive containing HTTP, session, and network logs for incident investigation and hacker activity analysis. It also supports setting up a real-time log stream to various cloud storage destinations for SIEM integration, reducing the typical 20-minute lag time.
INT Advantage: Ensures regulatory compliance with laws like GDPR, HIPAA, and SOX by providing controlled access and comprehensive logging, and enhances timely and efficient data analysis for improved security monitoring.
Security Researcher Activity Control via Activity Logs
The Activity Logs offer visibility into actual security researcher activity. They detail which researchers, Program Admins, and Triagers are accessing URLs, and filters and date ranges are available to streamline information access.
INT Advantage: Precision monitoring distinguishes between legitimate security researcher traffic and genuine threats, reducing security alerts.
Data-driven Engagement Analytics
The Analytics view specific to Gateway provides key insights to drive engagement, understand asset touch frequency, and refine your program. It includes information on active hackers, top contributors, overall activity, and asset requests per program.
INT Advantage: Advanced engagement analytics allow you to view, analyze, and download data to inform data-driven strategy adjustments and demonstrate program ROI.
Effortless Internal Network Pentesting
Providing restricted access to a testing environment, whether it be an internal application or a restricted sandbox, is always a tricky part of a pentest. For pre-release web application features, customers often need to limit access to authorized testers only. Traditionally, this involves significant adjustments like modifying firewall rules, adding VPN accounts, and granting access to virtual desktops, which can ironically compromise security and impact pentester productivity due to slow network access and cumbersome configurations.
HackerOne’s Gateway, powered by Cloudflare’s WARP technology, streamlines this process by creating a Zero Trust tunnel that connects pentesters securely to target assets without needing to collect multiple IP addresses. Organizations still adjust firewalls but avoid the complexity of managing numerous IPs. The WARP client on testers’ endpoints authenticates their identity and device, allowing easy granting, revoking, and auditing of access.
By providing seamless access to virtual desktops or VDI/VM environments, Gateway delivers higher-quality pentest results. Pentests are often on tight deadlines, and Gateway’s well-documented, performant, predictable, and repeatable solution addresses the urgency and security trade-offs typically associated with setting up access. This results in a more secure and productive pentesting process, aligning security priorities with operational demands.
Gateway INT enhances internal network security by enabling pentests that simulate real-world attacks. This latest addition to Gateway offers:
- Self-Managed Configuration Using Cloudflared: Organizations can configure the Cloudflared tunnel independently, ensuring encrypted and protected traffic without the complexity of VPN setups.
- Gateway INT Virtual Machine: This provides a virtual machine (VM) pre-configured for Gateway INT secure tunnel compatibility and loaded with an up-to-date toolkit so assessors are ready to start thorough testing within your network. This simplifies the process and ensures all security measures are in place from the start.
With the option to adopt a VM, Gateway INT facilitates pentesting on internal assets. This solution replaces the need for sending physical devices for internal network pentests and setting up individual VMs for pentesters, streamlining the entire process for both security teams and testers. The combination of Gateway VPN/Tunnel and Gateway VM ensures end-to-end support for accessing the network and conducting thorough testing from within.
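As an added illustration of the self-managed Cloudflared option described above (this is an example written for this page, not HackerOne’s or Cloudflare’s own configuration), the following is a minimal cloudflared config.yml that publishes a single pre-production application through a tunnel. The tunnel UUID, credentials path, hostname, and internal address are placeholders; the structure (tunnel, credentials-file, ingress with a catch-all rule) follows Cloudflare’s documented config format.

```yaml
# Example cloudflared config.yml for a self-managed Gateway INT tunnel (added example).
# Placeholders: replace <TUNNEL-UUID>, the hostname and the internal service address.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Publish only the in-scope pre-production application.
  # Scope control lives here: anything not listed is not reachable through the tunnel.
  - hostname: staging-app.example.com
    service: http://10.0.5.20:8080

  # Required catch-all: unmatched requests get a 404 instead of reaching
  # an internal host, so the tunnel cannot be used as a general proxy.
  - service: http_status:404
```

The catch-all rule is mandatory in cloudflared ingress configuration and is also the safety net: every hostname you do not deliberately list is rejected. When a pentest needs a whole internal subnet rather than one HTTP service, Cloudflare’s documented approach is to enable private network routing on the tunnel (warp-routing) and add the CIDR with `cloudflared tunnel route ip add <CIDR> <TUNNEL-UUID>`, so that testers on the WARP client reach the range through the same tunnel while identity and device checks still apply; keep the routed range to the assessment scope and review the tunnel’s logs for requests that fall outside it.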
Looking Ahead
This blog serves as an introduction to Gateway INT. As we observe how our customers use the solution, we continuously seek opportunities to make improvements and enhance the user experience. In upcoming posts, we will explore:
- Details of internal network pentesting and best practices.
- Detailed use cases for private bounty programs.
Get Started With Gateway INT
Ready to enhance your precision for internal network security? Meet one of our security experts to see HackerOne Gateway in action. For more information and product documentation, visit our Gateway parent page and the Gateway internal network testing page.