Security Vulnerability Scans

Please read this article thoroughly before performing any security vulnerability scans on your website.

Performing intensive vulnerability scanning to an Arrow Technology server, or any website that is hosted on an Arrow Technology server, without the permission of Arrow Technology (even if you have the permission of the website owner) is not permitted.

Even if you are the website owner, you still require permission from Arrow Technology before performing vulnerability scans, for good reasons, as you will discover below :)

Whilst we welcome a few small security scans, please be aware of a few things:

  • Any systems that perform security scans against sites on Arrow Technology web servers are likely to be very quickly blocked by our SiteSentinel web application firewall & intrusion prevention system.
  • Scans are almost guaranteed to be blocked: virtually all vulnerability scanners send a variety of easily detectable attack requests, and those requests are what cause the scanner to be blocked.
  • Persistent scans will result in automatic permanent SiteSentinel blocks for the systems doing the scanning, and these blocks will not be automatically removed after a timeout. If you run a scan from your own internet address, you will likely block yourself from all websites on that web server. Even a slow but persistent scan will be detected and blocked.
  • Some clearly malicious attacks will be blocked in just a single request. If you are aware of a known possible attack on your website framework and you attempt it to see if it works, please bear in mind you may get an instant block. You are welcome to try and we welcome your feedback. If you are blocked, SiteSentinel will advise you on how to get unblocked.
  • Note that if you use a commercial scanning service or product on a website that does not have a web application firewall, those scans can be very aggressive and can potentially cause an extremely heavy web server load. That is why you require the permission of the web server owner, because it can affect the whole web server. These scans can effectively be considered Denial of Service attacks and that may well be illegal.
  • All websites on Arrow Technology web servers are protected by the SiteSentinel web application firewall and that will block these scanners, which means there is negligible loading. However, blocking the scanner means that it does not provide much in the way of useful results to you, or it can even result in an incorrect scanning report.
  • The Arrow Technology team will not necessarily see all attacks as they happen, despite them being detected & blocked, but if during an audit we do happen to see that a large scan took place then we may choose to investigate more closely, particularly where we consider there may be useful results.
  • SiteSentinel keeps a significant audit history and allows us to detect & analyse scans that previously happened even many months ago.

If you are the owner of a website on an Arrow Technology server and would like to scan your website, please contact us first so that we can put in place the appropriate measures to ensure the scanner is effective at its job and does not get blocked, plus we will advise of a suitable time for this scan to take place. If you do not arrange that, you are primarily scanning a web application firewall rather than the website and that probably isn't so useful.

We will only allow vulnerability scans from approved reputable scanning service providers or pre-arranged static IP addresses.

Most vulnerability scanning services & products offer different levels of scanning, and you need to select an appropriate scan for your purposes. For example, an intensive scan of every page in a site for SQL injection is probably significantly excessive, whereas scanning specific pages might be more useful.

If we see an approved scan that is using excessive resources, we can use SiteSentinel to throttle the request rate and reduce it to a loading that is more acceptable, without blocking the scan. That does of course mean the scan may take significantly longer, but it will then also provide useful results.

Arrow Technology SiteSentinel is our own proprietary Web Application Firewall & Intrusion Prevention System. It has no relation to any other 'Sentinel' firewalls that you may have heard about.
