tcilmo
Engaged Sweeper II
My organization has a need to expose a scan server to the internet in order to inventory off network assets with the LSPUSH utility. If the internet facing scan server is compromised, could an attacker gain access to the stored credentials in the database which are used to scan assets, and decrypt them, etc? What does Lansweeper recommend to harden an architecture that has an exposed server on the internet to collect inventory information through LSPUSH?
1 ACCEPTED SOLUTION
Bruce_B
Lansweeper Alumni
We also received this question via email, our reply for everyone else's benefit:

If we understood you correctly, you're looking to open up inbound traffic on the listen port on one of your scanning servers (default TCP 9524) for the purpose of being able to run direct-to-server LsPush scans. We would not recommend this course of action, as LsPush traffic currently runs over HTTP and the agent is not designed for use over the internet. In our next release, version 6.0.100.0, which is currently in beta, we did add a change that will send LsPush traffic over HTTPS instead, though we still don't officially recommend sending it over the internet. We are planning on adding an echo service in a future release to accommodate LsPush requests over the internet, though we currently don't have an estimated release date for this feature yet. We've tagged your ticket as a feature request so we can add you to the list of customers interested in this feature. If you wish, we could add you to our beta tester list so you are notified whenever a new release is available in beta.

In regard to the vulnerability level of opening your scanning server's listen port to the internet: while opening up any port to the internet carries some level of risk with it, your credentials would not be at direct risk. As your credentials are stored in your database, if someone were to somehow be able to access a scanning server, they would not be able to access your database without knowing your connection string. In version 6.0.100.0 we're also adding obfuscation to the connection string in your config files. On top of that, if your database were somehow compromised, your passwords would be extremely difficult to decrypt. The passwords in your database are stored as a salted hash, encrypted with the encryption file that is unique to your Lansweeper installation.

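The reply above recommends not exposing the LsPush listen port (default TCP 9524) to the internet. As an added example, not code from Lansweeper or from this thread, the following PowerShell audits which inbound allow rules currently cover that port on a Windows scanning server and replaces them with a rule scoped to internal address ranges. It assumes the built-in NetSecurity module (Windows Server 2012 or later); the port number comes from the reply, while the rule names and the RFC 1918 ranges are placeholders to adjust for your own network.

```powershell
# Added example (not Lansweeper's code): keep the LsPush listen port reachable
# only from internal ranges rather than from the internet.
# Assumptions: Windows scanning server, NetSecurity module available, run as admin.

$ListenPort     = 9524                                                  # default port from the thread
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')    # placeholder ranges, replace with yours
$RuleName       = 'LsPush listen port - internal sources only'          # placeholder rule name

# 1. Audit: confirm something is actually listening on the port.
Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Audit: list every enabled inbound allow rule that covers the port, with its remote scope.
#    A RemoteAddress of "Any" on an internet-facing interface is the condition the reply warns about.
$BroadRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$ListenPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName   = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
$BroadRules | Format-Table -AutoSize

# 3. Disable allow rules scoped to "Any" so the default inbound policy (Block) applies to them.
#    Disabling rather than deleting keeps the original rule available for rollback.
$BroadRules | Where-Object { $_.RemoteAddress -eq 'Any' } | ForEach-Object {
    Disable-NetFirewallRule -DisplayName $_.DisplayName
}

# 4. Create (or refresh) a single allow rule limited to the internal ranges and the
#    Domain/Private profiles. No explicit Block rule is added: in Windows Firewall a Block
#    rule wins over Allow, so a Block for "Any" on this port would also cut off internal clients.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $ListenPort -RemoteAddress $InternalRanges -Action Allow -Profile Domain,Private
```

Run the audit steps first on their own; the list from step 2 tells you whether the port is already reachable from arbitrary sources before any rule is changed. Note that this only narrows who can reach the port; it does not change the reply's point that LsPush traffic itself runs over HTTP in the version discussed.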