Firewall Rules
Controller to Cloud:
Must permit communications on TCP port 443 to https://<InstanceName>.infocyte.com and to dl.infocyte.com. This communication is secured with TLS 1.2 (HTTPS).
Controller to Endpoints:
The Controller uses multiple ports and protocols to determine which protocols are available on each host for remote execution and file transfers.
The Controller's agent deployment capabilities make use of several native Windows and Linux remote administration protocols to conduct scans. The Controller will attempt to use any protocol that is determined to be available during discovery. For these protocols to work, any firewalls between the Controller and the remote hosts to be scanned should permit communications on the following TCP ports:
Port | Description
TCP 22 | SSH protocol is typically hosted on port 22. This port is mandatory for scanning Linux hosts.
TCP 135 | Windows Management Instrumentation (WMI) and Remote Procedure Calls (RPC) are hosted on Windows-based systems of all versions. This port is the primary method of execution on Windows systems. NOTE: WMI utilizes dynamic port ranges to maintain connections; port 135 is used only for negotiation and authentication.
TCP 139 | NetBIOS and Server Message Block (SMB) over NetBIOS. Can be used to transfer files, retrieve artifacts, and execute remote scheduled tasks when port 445 is unavailable.
TCP 443 | Controller and Agent status updates and survey results are posted on port 443 over an encrypted HTTPS connection. This is the port used by the Infocyte Core Service.
TCP 445 | Server Message Block (SMB) on Windows-based systems. Can be used to transfer files, deploy the survey, and retrieve artifacts.
TCP 5985 | PowerShell Remoting over HTTP. Can be used to transfer files, deploy surveys, and execute the survey when it is enabled.
TCP 1024 - 5000 | Dynamic port range for legacy Windows systems (2k3 & XP) is 1024-5000. Used to accept WMI and RPC connections after authentication.
TCP 49152 - 65535 | Dynamic port range for modern Windows systems (Vista+ & Win2k8+) is 49152-65535. Used to accept WMI and RPC connections after authentication.
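The table above is easy to get subtly wrong, most often by allowing the legacy 1024-5000 dynamic range to a modern Windows host and omitting 49152-65535. The following is an added example, not code from the Infocyte page or product: it checks a candidate Controller-to-endpoint firewall policy against the required ports for a given OS family and reports any port gaps. It assumes the policy is expressed as inclusive (low, high) TCP port tuples and uses the labels "linux", "windows_modern" and "windows_legacy", which are this example's own naming.

```python
# Required TCP ports per target OS, taken from the port table above.
REQUIRED_TCP = {
    "linux": {"SSH": (22, 22), "Core Service HTTPS": (443, 443)},
    "windows_modern": {
        "WMI/RPC negotiation": (135, 135),
        "NetBIOS/SMB": (139, 139),
        "Core Service HTTPS": (443, 443),
        "SMB": (445, 445),
        "PowerShell Remoting": (5985, 5985),
        "Dynamic RPC (Vista+/2008+)": (49152, 65535),
    },
}
# Legacy Windows (2k3/XP) differs only in its dynamic RPC range.
REQUIRED_TCP["windows_legacy"] = dict(REQUIRED_TCP["windows_modern"])
del REQUIRED_TCP["windows_legacy"]["Dynamic RPC (Vista+/2008+)"]
REQUIRED_TCP["windows_legacy"]["Dynamic RPC (2k3/XP)"] = (1024, 5000)


def uncovered(required, allowed):
    """Parts of inclusive range `required` not covered by any (lo, hi) in `allowed`."""
    gaps = []
    lo, hi = required
    cursor = lo  # lowest port in `required` not yet known to be allowed
    for a_lo, a_hi in sorted(allowed):
        if a_hi < cursor:
            continue  # allowed range lies entirely below the cursor
        if a_lo > hi:
            break  # allowed range lies entirely above the required range
        if a_lo > cursor:
            gaps.append((cursor, a_lo - 1))  # hole before this allowed range
        cursor = max(cursor, a_hi + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))  # tail of the required range is open
    return gaps


def check_policy(os_family, allowed):
    """Map each required service to the port gaps the policy leaves; {} means OK."""
    report = {}
    for name, rng in REQUIRED_TCP[os_family].items():
        gaps = uncovered(rng, allowed)
        if gaps:
            report[name] = gaps
    return report


# Constructed policy (not from the page): legacy dynamic range applied to a
# modern Windows host, and port 139 forgotten.
EXAMPLE_POLICY = [(22, 22), (135, 135), (443, 445), (1024, 5000), (5985, 5985)]
```

Running `check_policy("windows_modern", EXAMPLE_POLICY)` reports gaps for NetBIOS/SMB (139) and the 49152-65535 dynamic RPC range, while the same policy passes for "windows_legacy" except for port 139.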
Endpoint to Cloud:
Must permit communications on TCP port 443 to the IP Addresses for your instance.
Infocyte IP Addresses to allow:
3.221.153.58
3.227.41.20
3.229.46.33
35.171.204.49
52.200.73.72
52.87.145.239
dl.infocyte.com (Amazon CloudFront, IP Range can vary based on location. Recommended for optimal performance)
*.infocyte.com - This communication is secured with TLS 1.2/1.3 (HTTPS) and applies to both agents and agentless scans (temporary agents). If you are on a network with SSL inspection/decryption, you might need to bypass decryption for your instance, <CNAME>.infocyte.com, and for dl.infocyte.com.