Endpoint details

Add endpoint

  1. Click the 'Add Endpoint' button.

  2. Enter the URL or IP address to be monitored as the target.

  3. Assign a description and tags.

  4. Confirm that you are authorized to analyze the endpoint.

  5. Define what you want to monitor with Enginsight. It is best to enable all features at the beginning.

  6. Select at least one observer to perform the monitoring. If you are an on-premises customer and have not yet added an Observer, install an Observer. In the SaaS platform, you can also use two provisioned observers (Germany, USA).

  7. Add the endpoint.

Permanent monitoring by the Observer can only be ensured if the IP addresses from which monitoring is performed are not blocked by firewall rules. If necessary, unblock the following IP addresses when using the observers available on the SaaS platform:

164.90.185.111 164.90.231.250 142.93.119.55 142.93.119.52 138.68.93.235 138.68.71.130 139.59.155.98

Optionally allow all A-records from this domain: observers.enginsight.com

Overview

Here you will find a bird's-eye overview of the endpoint. You get initial data and a rating for website response times, HTTP headers, SSL/TLS, apps and port scan.

Website

Here you can observe the availability and response times of your website.

You get the following value for each region from which you monitor the website:

If you only want to monitor the technical accessibility and do not want to consider the status code, deactivate the Human Accessible option in the Advanced settings.

Redirects

Here you first get an overview of how the Observer is redirected when the endpoint is accessed.

You can also manually specify which redirects to check in the settings. To add verification to a redirect, do the following.

BSI

In the technical guideline BSI TR-03116-4, the German Bundesamt für Sicherheit in der Informationstechnik (BSI) provides specifications and recommendations for secure SSL/TLS configuration. The guideline is a good indicator for evaluating the SSL/TLS configuration.

For each added endpoint, Enginsight automatically determines the percentage of requirements and recommendations that are implemented. From a percentage of 85%, we assume a good SSL/TLS configuration. If less than 70% are implemented, we define the configuration as critical.

DNS

With the Domain Name System (DNS) you configure various aspects of your domain. DNS is necessary, for example, to assign the domain the appropriate IP. Proper configuration is necessary for the smooth operation of the website. Control your DNS settings by monitoring your DNS records.

All DNS records are displayed in a clearly arranged list. In addition, Enginsight checks specific, security relevant DNS records.

DNS validation tests

In order to prevent misuse of your domain and to secure the SSL/TLS connection, you should use specially developed DNS records: CAA, SPF, DMARC. The observer therefore checks specifically for these three records and validates the set values. If the record passes a validation, you get a green check mark. Otherwise Enginsight gives a warning.

CAA-Record (Certification Authority Authorization)

With a CAA record, the domain owner determines which certification authorities may issue an SSL/TLS certificate. The Observer checks for:

  • Missing Contact Address for DNS CAA: No contact address (iodef) is assigned.

  • Invalid Contact address for DNS CAA: The contact address (iodef) contains invalid characters and/or is not in a valid e-mail format (not of the form abc@def.com).

  • Uncommon Certification Authority: The certification authority used (issue, wildissue) is not on our whitelist. The whitelist includes: letsencrypt.org, globalsign.com, sectigo.com, camerfirma.com, accv.es, actalis.it, amazon.com, pki.apple.com, atos.net, buypass.com, aoc.cat, certigna.fr, www.certinomis.com, ecert.gov.hk, certsign.ro, certum.pl

SPF-Record (Sender Policy Framework)

The SPF protocol allows IP addresses to be authorized to send e-mail using the domain. Thus, third parties can be prohibited from misusing the domain name. The record is effective in preventing phishing emails with the domain. We validate:

  • Deprecated SPF version: Checks the SPF version used (v); currently only SPF1 exists.

  • Multiple SPF entries available: Never use multiple SPF entries. Instead, combine multiple SPFs into a single entry.

  • SPF record contains characters after ALL: No further entries may follow the optional ALL entry.

  • Invalid SPF syntax: The entry contains unknown entries (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or illegal characters.

DMARC-Record (Domain-based Message Authentication, Reporting and Conformance)

The DMARC record specifies a procedure to be taken if the domain is used by an unauthorized IP to send an e-mail. Enginsight checks:

  • Invalid DMARC Subdomain Policy: The DMARC Policy (p) has no ordinary value. Ordinary values are:
      - none: The sending of e-mails is not affected. You will only receive a notification.
      - quarantine: E-mails which do not pass the DMARC check will end up in the spam folder of the recipient.
      - reject: E-mails which do not pass the DMARC check should be rejected by the recipient.

  • Invalid DMARC policy: The DMARC Subdomain Policy (sp) has no usual value (values see: DMARC Policy).

  • Invalid DMARC filtering percentage: The optional percentage filter specification (pct) can be used to specify the percentage of messages that are subject to filtering. The value must therefore be between 1 and 100.

  • Invalid DMARC aggregate report email: The report e-mail address contains invalid characters or is not in a valid e-mail format (not of the form abc@def.com).

  • Invalid DMARC protocol version: The version of DMARC (v) must be DMARC1.
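The SPF and DMARC validations listed above, written out as an added example (this is not Enginsight's own code). SPF findings reuse the check names from this page, DMARC findings are reported by tag name, and the sample records and the example.com names are constructed. Treating a missing p tag as invalid is an assumption.

```python
import re

# SPF terms the page lists as known (the v=spf1 version term is checked separately).
SPF_KNOWN = {"mx", "ip4", "ip6", "exists", "include", "all", "a", "redirect", "exp", "ptr"}
DMARC_POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"^mailto:[^@\s,;]+@[^@\s,;]+\.[A-Za-z]{2,}$")

def check_spf(txt_records):
    """Return the page's SPF findings for all TXT records of one domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf")]
    findings = []
    if len(spf) > 1:
        findings.append("Multiple SPF entries available")
    for record in spf:
        version, *terms = record.split()
        if version.lower() != "v=spf1":
            findings.append("Deprecated SPF version")
        # Drop the qualifier (+ - ~ ?) and any ":value", "=value" or "/cidr" suffix.
        names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
        if "all" in names and names.index("all") != len(names) - 1:
            findings.append("SPF record contains characters after ALL")
        if any(n not in SPF_KNOWN for n in names):
            findings.append("Invalid SPF syntax")
    return findings

def check_dmarc(record):
    """Return the tags of one _dmarc TXT record that fail the page's checks."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    bad = []
    if tags.get("v") != "DMARC1":
        bad.append("v")
    # Assumption: a missing p counts as "no ordinary value"; sp is optional.
    if tags.get("p", "").lower() not in DMARC_POLICIES:
        bad.append("p")
    if "sp" in tags and tags["sp"].lower() not in DMARC_POLICIES:
        bad.append("sp")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdecimal() and 1 <= int(pct) <= 100):
        bad.append("pct")  # range 1-100 as stated on the page
    # rua may hold several comma-separated URIs, each with an optional "!size" suffix.
    uris = [u.strip().split("!")[0] for u in tags.get("rua", "").split(",") if u.strip()]
    if any(not MAILTO.match(u) for u in uris):
        bad.append("rua")
    return bad

# Constructed sample records; example.com is a placeholder domain.
SAMPLE_TXT = ["v=spf1 include:_spf.example.com -all ip4:192.0.2.10", "v=spf1 mx ~all"]
SAMPLE_DMARC = "v=DMARC1; p=monitor; pct=0; rua=mailto:dmarc-reports.example.com"
print(check_spf(SAMPLE_TXT), check_dmarc(SAMPLE_DMARC))
```

Pass `check_spf` every TXT record of the domain at once, since the multiple-entries check only works across the whole set.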

Alerts: Invalid SPF DNS record, Invalid CAA DNS record

To receive immediate notification of faulty DNS records, set up alerts for your endpoints. The alert "Invalid CAA DNS record" informs you about faulty CAA DNS records. The alert "Invalid SPF DNS record" warns you about faulty SPF records.

SSL/TLS

Get insights on your SSL/TLS configurations and verify that the encryption conforms to current security standards.

Certificate

In the overview you will find information about the used certificate, e.g. about the validity, the used public key, which domain the certificate was assigned to and which certification authority issued it.

Security Checks

Our security checks examine the SSL/TLS encryption for known vulnerabilities caused by misconfiguration or the use of outdated technologies. These are:

Supported Protocols

You get an overview of all supported protocols, which are compared with the Best Practice. A rating indicates how critical deviations from the recommendation are.

Supported Ciphers

You will receive an overview of all supported ciphers, which will be compared with the Best Practice. A rating indicates how critical deviations from the recommendation are.

Apps

Here you will find all information about the endpoint's application environment that can be detected from the outside. The Observer creates a footprint of the endpoint and looks, for example, for

  • programming languages,

  • CMS,

  • Web Server,

  • Frameworks or

  • Libraries.

The more information an endpoint reveals about the technologies used, the more opportunities attackers have to target the applications. Ideally, an endpoint is configured and programmed in such a way that little can be learned about its technical basis.

All detected applications are presented to you in a clearly arranged list. You will get an assessment of how security-critical it is that the application can be detected from the outside, that is, how much damage could be caused by successful manipulation of the application.

The detection of technologies in combination with version detection is especially critical. Versions make it possible to look up known security vulnerabilities (CVE) for the corresponding technologies and subsequently to target attacks.

Against this background, we have decided on the following categorization:

  • HIGH: Backend-relevant technologies that pose a high risk for serious attacks. e.g. CMS, Wikis, Blogs, Ecommerce, CI, Programming languages, Databases, Runtimes, Operating systems, Message boards, Web server extensions, Hosting panels, Issue trackers.

  • MEDIUM: Technologies with medium risk level. e.g. Web server, Development, Managed CMS

  • LOW: Other technologies e.g. UI Frameworks or JavaScript Libraries

**If no version is identifiable, the categorization is reduced. Backend-relevant technologies receive a medium rating, apps categorized as medium receive a low rating.**


As proof, you can see where the Observer recognized the application: in an HTTP header, a cookie or in the code of the website itself.

If known vulnerabilities (CVE) are found for the detected version, they are indicated in the list. All vulnerabilities of applications are also listed separately under 'Vulnerabilities'.

HTTP-Headers

Here you receive an analysis and evaluation of the configuration of the HTTP connection that you made via HTTP headers.

Set HTTP-Headers

All set HTTP headers are listed and evaluated in an overview:

  • OK: The HTTP configuration complies with the recommendations.

  • Avoidable HTTP headers: The configuration unnecessarily reveals a lot of information and makes the HTTP connection potentially vulnerable.

  • Unknown HTTP Header: An unknown HTTP header was detected, which potentially reveals information. Please check the necessity of the HTTP header and remove it if necessary.

Test for required HTTP-Headers

Here it is checked whether all headers important for security have been set. These are:

If headers are not set correctly, a recommendation is issued.

Portscan

Here you can analyze your ports that are accessible by the Observer. The rating (low, medium, high) tells you if the ports should normally be publicly accessible.

The Observer checks the following common ports:

With the endpoint alert "New Open Port" you can set up an alert that is triggered as soon as the Observer detects a new open port.

Vulnerabilities

If the version number of a detected application can be verified, Enginsight checks the appropriate version for known vulnerabilities (CVE). In the overview you can see all found vulnerabilities listed and evaluated.

As soon as a security vulnerability has been closed (e.g. by an update), it automatically disappears from the overview during the next scan by the Observer.

Settings

General settings

Define as a target which endpoint should be monitored (e.g. IP address or domain). Assign a meaningful description and use tags to group the endpoints.

Which features should be monitored?

Select the parameters you want to monitor.

Which observer should monitor?

Define the observer(s) that will perform the monitoring. Always assign your observers to a region. The regions are then available for selection here.

If several Observers are assigned to the same region, they automatically share the monitoring of the endpoints among themselves (load balancing).

Responsibilities

Assign responsibilities. The technical manager will receive a notification when an alarm is triggered for the corresponding endpoint, provided the Inform responsible persons option is active. You can also set Responsibilities for the entire organization.

Redirects

By default, Enginsight monitors how the observer is forwarded. However, you can also manually define redirects that should be active. This way, you can ensure that no redirects go unnoticed when your website is being rebuilt or during selective adjustments.

  1. Click on "Add redirect".

  2. Specify the source, target address, and the corresponding status code of the forwarding.

  3. Check the HTTP/HTTPS and WWW/Non-WWW options if you always want to monitor both HTTP and HTTPS and WWW and Non-WWW.

  4. Save the changes.

Advanced settings

In the advanced settings of your endpoints, you can specify when a web page should be considered reachable. By default, we assume human reachability, that is, the page counts as reachable when the status code 200 is returned. If you deactivate the 'Human Accessible' option, the status code is no longer taken into consideration and only the technical accessibility is checked.

Reports

Reports are summaries of endpoints that are displayed in a PDF. You can create reports in the respective endpoints. Under Endpoints -> Reports these are displayed collectively.

To create a PDF report for an endpoint, go to 'Endpoints' in the top menu and then select the endpoint. Go to 'Reports' in the left sidebar menu.

Then click on Create Report.

Wait a few seconds until the PDF report has been created. It will be downloaded to your PC and displayed in the list.
