Overview
VAddy has traditionally needed to connect to a web server via the public Internet in order to scan it. With VAddy PrivateNet, you can now scan for vulnerabilities on your local development machine, on your intranet, and through continuous integration services like Travis CI and CircleCI.
By using the VAddy for PrivateNet command-line tool to send your local web server’s IP address and port number to VAddy through a remote port forwarding tunnel, you allow VAddy to access your local web server directly.
Limitations
Because the VAddy PrivateNet command-line tool uses a combination of Java, Bash, and SSH commands, it must be run on macOS, Linux, BSD, or some other Unix-like operating system. There is currently no native Windows support, but you can use VMware, Vagrant, or another virtualized environment on Windows to provide a Linux host for the command-line tool.
VAddy PrivateNet also uses remote port forwarding with SSH, so your firewall must allow outbound SSH connections from the machine running the command-line tool to pfd.vaddy.net. This should be possible in most companies, but some large corporate environments may block external network access or filter it through a proxy in a way that makes VAddy PrivateNet unusable.
Implementation
The command-line tool creates an SSH tunnel to use for remote port forwarding. This will expose a port on your local web server to VAddy’s servers through the SSH tunnel, allowing VAddy to scan it for vulnerabilities.
Though this does expose your local web server’s port outside of your intranet, access to that port is restricted to the VAddy servers at the other end of the SSH tunnel.
In the figure above, the VAddy PrivateNet command-line tool has connected local port 443 on a server on the customer’s intranet to a dedicated remote port (3210) for that customer on VAddy’s SSH server. When the customer initiates a scan, VAddy will send its requests through port 3210. Note that the VAddy PrivateNet command-line tool creates an SSH tunnel with a remote port (like 3210 above) that is automatically assigned to each server based on its domain name.
In this example, local port 443 is bound to remote port 3210. Because the command-line tool can only bind one local port at a time, it cannot simultaneously bind local port 80, so scan requests must be sent via HTTPS (TLS) on port 443.
Background SSH commands
Before opening a connection to VAddy’s SSH server, the VAddy for PrivateNet command-line tool will automatically generate an SSH key and register it through VAddy’s WebAPI.
Here is an example of the actual SSH command that is used to establish the tunnel:
$ ssh -i vaddy/ssh/id_rsa -N -R 0.0.0.0:3210:192.168.1.17:443 portforward@pfd.vaddy.net
This binds the local web server at IP address 192.168.1.17, port 443, to port 3210 on VAddy’s SSH server at pfd.vaddy.net.
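The following is an added example, not code from VAddy or its command-line tool: a POSIX shell wrapper that validates the three values in the -R argument and then opens the same tunnel with standard OpenSSH options that make it fail closed. The function names and the policy of accepting only loopback or RFC 1918 targets are assumptions made for this example.

```sh
#!/bin/sh
# Added example: not VAddy's tool. Validates the forward, then opens it fail-closed.

# valid_port PORT: succeeds if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ]
}

# is_internal_ipv4 ADDR: succeeds for loopback and RFC 1918 addresses only
# (assumed policy: the tunnel should never point at a public host)
is_internal_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    case "$1" in
        10|127) return 0 ;;
        192) [ "$2" -eq 168 ] ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# forward_spec REMOTE_PORT LOCAL_IP LOCAL_PORT: prints the -R argument
forward_spec() {
    valid_port "$1" || { echo "bad remote port: $1" >&2; return 1; }
    is_internal_ipv4 "$2" || { echo "target is not internal: $2" >&2; return 1; }
    valid_port "$3" || { echo "bad local port: $3" >&2; return 1; }
    printf '0.0.0.0:%s:%s:%s\n' "$1" "$2" "$3"
}

# open_tunnel KEY REMOTE_PORT LOCAL_IP LOCAL_PORT
open_tunnel() {
    spec=$(forward_spec "$2" "$3" "$4") || return 1
    # IdentitiesOnly: offer only the dedicated key, not every agent key.
    # ExitOnForwardFailure: exit instead of idling if the port cannot be bound.
    # ServerAlive*: drop a dead tunnel after about 90 seconds.
    ssh -i "$1" -N -R "$spec" \
        -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        portforward@pfd.vaddy.net
}

# Usage: open_tunnel vaddy/ssh/id_rsa 3210 192.168.1.17 443
```

Nothing runs until open_tunnel is called; forward_spec can be used on its own to check values before they reach ssh.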