A breakdown of the individual security controls associated with the Edgescan JumpBox.
Version Number: v1.0.3
Published Date: 18 Feb 2025
____________________________________________________________________________
- The JumpBox is not exposed to the internet: it does not need a public IP, and it initiates its connection outbound. We provide the public IP of the Cloud Control together with the port and protocol required to reach it.
- This means you can completely lock down the JumpBox's external connectivity using standard firewall rules: the only internet destination it requires is that Cloud Control IP, on that port and protocol.
- Correspondingly, the Cloud Control is restricted to Edgescan's infrastructure and is not generally accessible from the public internet. The only external interaction it accepts is the OpenVPN connection from the JumpBox.
- The JumpBox is extremely lightweight and therefore presents a very small attack surface.
- The JumpBox does not store any information about the internal network infrastructure that is scanned through it.
- The JumpBox cannot initiate connections through the tunnel into our VPC. NAT and ACL rules on the Cloud Control only allow connections that originate on the Edgescan side; the JumpBox sees only the tunnel endpoint, not VPC addresses.
- The OpenVPN connection is encrypted with the AES-256-CBC cipher. No practical attack on AES-256 is known, so the cipher itself is not a realistic point of compromise. Note that with a CBC cipher, per-packet integrity in OpenVPN is provided by the separate HMAC (the `auth` setting), not by the cipher.
- Key exchange uses 2048-bit Diffie-Hellman parameters, which provide roughly 112 bits of security and remain beyond any known attack, including the precomputation attacks that make 1024-bit groups feasible for well-resourced adversaries.
- Authentication between the JumpBox and the Cloud Control uses X.509 certificates with 2048-bit keys. The certificates are issued by an ephemeral CA whose signing key is discarded after issuance, so no further certificate trusted by that tunnel can be generated afterwards.
- Cloud Control machines are only accessible from the JumpBox using the port and protocol required for the OpenVPN connection.
- Edgescan is ISO27001 certified (Client Reg: 2018/2714).
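The one-way tunnel described above (the JumpBox cannot initiate into the VPC; the Cloud Control accepts only the OpenVPN connection, and only from the JumpBox) can be expressed as a host firewall policy. The nftables ruleset below is an added illustration, not Edgescan's configuration. It assumes a Cloud Control host with its public interface on eth0, the OpenVPN tunnel on tun0 and the VPC side on eth1; the addresses 203.0.113.10 (the JumpBox's egress address), 10.0.0.0/16 (the VPC) and 10.8.0.2 (the JumpBox inside the tunnel) are placeholders, and the OpenVPN listener is assumed to be the TCP port 9801 named in the maintenance section.

```nft
# Illustrative nftables policy for a Cloud Control host (assumed layout, not Edgescan's config).
# eth0 = public interface, tun0 = OpenVPN tunnel to the JumpBox, eth1 = towards the Edgescan VPC.
define jumpbox_pub = 203.0.113.10   # placeholder: the client's JumpBox egress address
define ovpn_port   = 9801           # assumption: TCP/9801 per the maintenance note
define vpc_net     = 10.0.0.0/16    # placeholder: VPC range holding the scanners
define jumpbox_tun = 10.8.0.2       # placeholder: JumpBox address inside the tunnel

table inet cloudcontrol {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # The only service exposed on the public side is the OpenVPN listener,
        # and only the registered JumpBox address may open it. A JumpBox whose
        # IP changes without notice is therefore locked out until re-registered.
        iif "eth0" ip saddr $jumpbox_pub tcp dport $ovpn_port ct state new accept
        # No SSH or management path on eth0: everything else is dropped by policy.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Scanners in the VPC may open connections towards the JumpBox through the tunnel.
        iif "eth1" oif "tun0" ip saddr $vpc_net ip daddr $jumpbox_tun ct state new accept
        # The reverse direction is never opened: the JumpBox cannot initiate into the VPC.
        # (Already covered by the drop policy; stated explicitly so the intent is auditable.)
        iif "tun0" oif "eth1" ct state new drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip cc_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Scanner traffic entering the tunnel is masqueraded behind the tunnel endpoint,
        # so the JumpBox only ever sees the Cloud Control's tunnel address, never VPC hosts.
        oif "tun0" ip saddr $vpc_net masquerade
    }
}
```

The forward chain is what makes the tunnel one-directional: `ct state new` is accepted only from eth1 towards tun0, while replies flow back under `established,related`. The masquerade rule adds the second layer the list mentions, since a JumpBox that never learns a VPC address has nothing to connect to even if an ACL were misconfigured.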
JumpBox Maintenance
A JumpBox is a virtual machine placed on your network to facilitate Edgescan's internal scanning services as described here.
Edgescan may offer a JumpBox maintenance service, where applicable. This includes nightly automated polling for, and installation of, security updates at the package and operating system level. An Edgescan internal observation deck records the success/failure of these patches as well as other metrics such as last JumpBox connection time.
A disconnected JumpBox cannot be updated by Edgescan, either automatically or manually. It is not unusual for a JumpBox to become disconnected, almost always as a result of a client-side network-access change, a JumpBox IP change, or the JumpBox machine crashing. To maximise connection uptime, ensure that the JumpBox retains TCP egress over port 9801 to the allotted sister node IP, that Edgescan is forewarned of any JumpBox IP change (the tunnel is only accepted from the JumpBox's known address), and that the JumpBox remains in a running state.
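The "standard firewall rules" mentioned in the controls list and the TCP/9801 egress requirement above can be captured in one policy. The following nftables ruleset is an added example, not Edgescan's own configuration; it is written for the JumpBox host itself, although the same intent is usually enforced on the perimeter firewall in front of the JumpBox's network segment. The sister node address 198.51.100.20 is a placeholder, and the internal ranges are assumed to be the RFC 1918 blocks.

```nft
# Illustrative egress policy for a JumpBox host (added example; assumed addresses).
define sister_node = 198.51.100.20     # placeholder: the allotted sister node IP
define ovpn_port   = 9801              # TCP port named in the maintenance note
define internal    = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }   # assumed scan targets

table inet jumpbox {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Nothing is exposed inbound: the tunnel is always initiated from this host.
        # Add an explicit rule here only for a management path you actually use.
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # The only permitted internet destination: the sister node on the OpenVPN port.
        # The counter lets you confirm the tunnel is being attempted when troubleshooting.
        ip daddr $sister_node tcp dport $ovpn_port ct state new counter accept
        # Scanning traffic towards the internal network is unrestricted by this policy.
        ip daddr $internal accept
        # Anything else leaving the box is logged, so a blocked tunnel or an
        # unexpected outbound attempt shows up in the kernel log rather than silently failing.
        counter log prefix "jumpbox-egress-drop " drop
    }
}
```

If the JumpBox uses DNS or NTP servers outside the internal ranges, add them explicitly above the final drop; otherwise a resolver timeout can look like a tunnel failure. After a reported disconnection, `nft list counters` on this ruleset shows whether packets to the sister node are still being sent, which separates a client-side egress change from a crashed or stopped JumpBox.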