26 May 2020

Remote Pen Testing: Common Questions Answered


At the end of March, we presented a refreshed remote pen testing solution to our customers. Remote pen testing is something IRM has been doing for years, but there was a clear demand for clarity around how we planned to perform, off-site, the security testing that would usually be performed on-site.

(You can download a copy of our remote pen testing solution here.)

As expected, when people read about our solution, they had questions about how it fits in with their own requirements. We understand that organisations are under pressure to ensure everything they do is secure and considered. That is why we have collated the common questions we are receiving from our customers about remote pen testing. One of our Technical Team Leaders, Graeme Evans, has answered these questions so that you fully understand the offering and our capabilities.

1.   Is there a setup cost?

There is no setup cost for our remote pen testing solution. As part of engaging with IRM, we host the bastion server ourselves in a secure cloud, and any associated costs are borne by IRM as part of the engagement. Each instance is short-lived, which protects data security and network integrity and also means there are no ongoing costs.

2.   Is there an annual fee?

There is no annual fee. As with the setup costs, the systems involved are only in place for a short period, so the cost to IRM is small and is absorbed as part of the engagement.

3.   What kind of virtual machine are you proposing?

We ask our customers to deploy a commonly used Linux distribution from Offensive Security called Kali. The Kali virtual machine is prepared ready for use on the most common hypervisors, including VMware vSphere, Microsoft Hyper-V and Oracle VirtualBox.

4.   What ports do you need access to?

For the period of testing, we ask only that TCP port 443 is open outbound from your environment to a single IP address hosted by IRM and dedicated to your testing period. Additionally, UDP port 1194 (the OpenVPN default port) can be opened outbound to the same address for better performance for the consultants, but this is not mandatory. No inbound ports are required.

5.   What technical support will you require during testing?

We will need the customer's virtualisation and Linux support teams to help deploy the ready-to-use Open Virtualisation Format (OVF) image of the VM. Once it is deployed, we will need customer IT support to run a configuration script on the Linux VM; the script is generated for this single instance and contains the credentials the VM uses to authenticate to the VPN server.

6.   How can we be assured this remote connection is secure?

IRM is using open-source and proven technologies together to make the solution as secure as possible, and we are happy to share details of each layer and how the connection is established.

Initially, a bastion server is created outside both the customer network and the IRM network, on an encrypted file system. It is configured to accept only incoming Virtual Private Network traffic, and can be constrained to accept that traffic only from the customer's public IP address.

Once the Kali VM on the customer site is configured with the connection pack, it establishes an outbound connection to the bastion host. Because the connection is outbound only, there are usually no lengthy inbound firewall changes to be made on the customer network.

Once the encrypted link is established, IRM consultants make a second encrypted connection from the bastion server into the Kali VM. The result is connectivity between the IRM consultants and the customer network that passes only through the bastion: there is no direct link between the IRM and customer networks, and neither the bastion nor the Kali VM bridges them.

The consultants then use the tools installed on the Kali VM, which sits inside the customer network, to perform the assessment.
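The properties described in questions 4 and 6 (an outbound-only link, nothing on the Kali VM reachable from the customer LAN except via the tunnel, and no bridging between the VPN and the LAN) are things a customer can verify on the VM once the connection pack has been applied. The following script is an added example and is not IRM's tooling or part of the connection pack. It assumes the VPN comes up as a `tun` interface and that the consultants' second hop reaches the VM on its tunnel address (10.8.0.6 is an assumed value); the checks take command output as text so they can be run against captured or constructed samples, and `--live` runs them against the real system.

```shell
#!/bin/sh
# Added example (not IRM's tooling): post-deployment sanity checks for the
# customer-side Kali VM. Each check is a function over captured command
# output, so it can be exercised on constructed samples; `--live` feeds it
# the real output of ss, sysctl and ip.

# 1. Inbound exposure. The VM should accept connections only on loopback or
#    on the tunnel address the bastion reaches it over. A listener bound to
#    0.0.0.0, [::] or the LAN address would be reachable from the customer LAN.
#    $1 = output of `ss -Hlntu` (no header), $2 = tunnel address (assumed)
check_listeners() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        NF < 5 { next }
        {
            addr = $5                    # "Local Address:Port" column
            sub(/:[0-9]+$/, "", addr)    # drop the :port suffix
            sub(/%[^:]*$/, "", addr)     # drop a %scope suffix, e.g. 127.0.0.53%lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr == tun) next
            bad++
            print "FAIL listener reachable from LAN: " $0
        }
        END { exit bad ? 1 : 0 }'
}

# 2. No bridging. With forwarding off, the VM cannot route packets between
#    the VPN and the customer LAN even if a route were pushed to it.
#    $1 = value of `sysctl -n net.ipv4.ip_forward`
check_forwarding_off() {
    [ "$1" = "0" ]
}

# 3. Tunnel scope. The VPN should carry only the VM-to-bastion link; a default
#    route over the tunnel would send the VM's test traffic to the bastion
#    instead of into the customer network.
#    $1 = output of `ip -4 route`
check_no_default_via_tunnel() {
    ! printf '%s\n' "$1" | grep -Eq '^default .*dev tun[0-9]+'
}

# Runs all three checks; returns non-zero if any of them fails.
# $1 = ss output, $2 = ip_forward value, $3 = route table, $4 = tunnel address
run_all() {
    rc=0
    check_listeners "$1" "$4"        || rc=1
    check_forwarding_off "$2"        || rc=1
    check_no_default_via_tunnel "$3" || rc=1
    return $rc
}

if [ "$1" = "--live" ]; then
    # Tunnel address of tun0 (assumed interface name), CIDR suffix stripped.
    tun_addr=$(ip -4 -o addr show dev tun0 2>/dev/null | awk '{sub(/\/.*/, "", $4); print $4}')
    run_all "$(ss -Hlntu)" "$(sysctl -n net.ipv4.ip_forward)" "$(ip -4 route)" "$tun_addr" \
        && echo "OK: VM exposes nothing to the LAN and does not bridge networks"
fi
```

Run it as `sh vm-posture-check.sh --live` on the Kali VM after the configuration script has been applied. The listener check deliberately allows sshd on the tunnel address, since that is how the consultants' second hop lands; what it refuses is any socket bound to a wildcard or LAN address, which is the case that would make the VM reachable from the customer's own network rather than only through the bastion.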

7.   Does the solution use SSH/RDP inbound through our firewall? Is it possible to use our existing remote access VPN or VDI solutions?

The IRM solution does not require any inbound connections through your firewall, because of the increased risk that exposing SSH or RDP inbound may pose to a business. It may be possible to use existing customer remote access solutions instead. Specific deployment questions would need to be discussed with one of the Senior Consultants at IRM to tailor access to your requirements. Not all customer remote access solutions are suitable, but IRM is well versed in many common systems and can work with you to facilitate a successful test.

8.   Can you do it without installing anything on the host network?

The system as designed by IRM requires a virtual machine to be deployed within the customer network. As an alternative, IRM can use an existing customer VPN (for example, the one already used by the customer's workforce). We would need to discuss this approach and how connectivity can be shared, but this option is possible.

9.   Can we set this up and leave it in place for future testing requirements?

As designed, the solution is in place for one test only. This means the customer does not have to maintain it between tests, for example by keeping the operating system patched. It is also common for successive tests to require different network access inside a customer site, so re-using a virtual machine would often mean repeated networking changes anyway.

Finally, the single-use nature of the VM gives the customer assurance that any data accessed via the Kali VM in the customer network is destroyed as part of the de-provisioning process; the same applies to the bastion server. Because the bastion's storage is encrypted, once the instance is deleted its data is not recoverable.

It is certainly possible to work with IRM to have a more permanent access presence within a customer network, with a maintenance plan put together so that IRM can ensure the remote solution does not add risk to the customer network.

10. If remote testing is going to be an ongoing alternative to on-site testing, can you guarantee the same tester to conduct the tests?

We would be happy to facilitate this. Speak with your Account Manager, who can work with the Project Management Office; where time frames allow, we can ensure a single tester is assigned to a longer-term work package.

We hope this blog has helped to clarify the details of the solution. If you are looking for a remote pen testing provider and have further questions about the solution, or would like to receive a quote, contact us.