PenTesting / Scanning Cached/Load Balanced Targets
As part of the PCI Certification process, external facing application that are in scope of the PCI environment require a PCI ASV scan. If these external facing applications are using load balancing and/or caching, please be aware of the following; (Examples of Load Balancers include; F5 LTM, AWS Elastic Load Balancer/ AWS CloudFront.)
Any load balancer using a full proxy architecture will establish a TCP connection to the virtual load balanced IP or VIP and the load balancer will proxy your scans and connection requests to a pool of backend applications servers. The rules on your load balancer determine which member of the pool gets that second connection. This means that you have no way of knowing which pool member you have scanned. The IP of the backend server will not be returned to the initial host, the one from which you established the initial TCP connection (to the VIP). To allow a PCI ASV scan, please add scanning origin to temporarily allow direct scans of your servers.
Please consider the following when determining the number of IP address required for External Scan;
- There are no load balancers in front of any in-scope servers:
- External IP address / URL counted as individual IPs.
- All servers behind load balancers are identical and synchronized:
- The external facing VIP or load balanced URL/IP is counted as an individual IP (Allow scanning origin to temporarily allow direct scans of your servers.)
- Servers behind load balancers not identical and not synchronized:
- Need to scan each individual IP instead of the VIP. (Allow scanning origin to temporarily allow direct scans of all servers.)
- Pentesting Akamai – the_pentesters_guide_to_akamai