There are several things to consider when preparing for a penetration test, including learning about the penetration testing process used by your testing company and defining the scope needed for your engagement. IP whitelisting is a useful security feature that limits system access to a defined set of IP addresses.
During kickoff calls, questions often come up about whitelisting IP addresses and whether it should be used during a penetration test. In general, whitelisting simply creates an exception for traffic that would normally be blocked or denied. One of the most common scenarios is allowing the penetration tester to reach an environment or perform activities that a firewall would otherwise block.
Depending on the type of test, whitelisting is sometimes required just to reach the target network or application. In other instances, it is meant to prevent security controls from blocking the penetration tester's traffic or automatically blacklisting their IP address while testing. Even though the firewall is a valid security control, and there is a certain amount of value in probing its strength, that single control is usually not the primary focus of a pentesting engagement. Given enough time and resources, an attacker will be able to find their way around it.
One benefit of having the tester's IP whitelisted is that it frees the tester to focus on the intended scope of the engagement. They can simulate a scenario where the firewall has already been bypassed and give a clear indication of the risks your organization would face if that security control failed. While whitelisting gives them access to the resources they need during testing, they can still switch to a non-whitelisted IP address if they need to validate any perimeter concerns or issues they encountered. As testers, we want to ensure that the solution uses multiple independent controls to protect valuable data and information. This is known as defense in depth.
Most companies have basic alerts configured, and another benefit of whitelisting is that you will usually get to validate which security events and alerts were triggered by the pentester's activities. Additionally, by reviewing the testing traffic generated (especially where the engagement uncovered serious flaws), you can almost always find areas to fine-tune your rules and identify key events that were previously going unnoticed, which strengthens your overall security posture.
Finally, it is a good idea for the network team to keep track of every whitelisted address used during a test. If an issue arises during the test, knowing which traffic belongs to your pentester helps your network team isolate the cause more efficiently. Any traffic that does not originate from a whitelisted source should be investigated, and if there are any questions about the traffic seen, it is better to reach out and discuss it with your tester. Err on the side of caution: it is better to contact the penetration tester with your concerns than to accidentally let a malicious attacker run free in your network. After the engagement is done, the network team should revoke the whitelisted access.
If you're interested in what goes on during an internal penetration test, check out our other knowledge center articles.
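To show what "keeping track of the whitelisted address" and "investigating non-whitelisted traffic" look like in practice, here is an added example (not from the original article or any particular vendor) that triages firewall log lines against the tester's agreed ranges and engagement window. The allowlist, the engagement dates, the log format and the sample lines are all constructed for illustration; a real deployment would read the team's own firewall export.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical tester allowlist and engagement window agreed at kickoff.
TESTER_ALLOWLIST = [ip_network("203.0.113.0/29")]
ENGAGEMENT_START = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
ENGAGEMENT_END = datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc)

# Constructed firewall log lines: "<timestamp> <src-ip> <dst-ip> <action>".
SAMPLE_LOG = """\
2024-03-05T09:12:00+00:00 203.0.113.5 10.0.5.20 allow
2024-03-05T09:12:01+00:00 198.51.100.77 10.0.5.20 deny
2024-03-05T09:13:40+00:00 198.51.100.77 10.0.5.22 allow
2024-03-09T02:30:00+00:00 203.0.113.5 10.0.5.20 allow
"""


def is_tester_source(src: str) -> bool:
    """True if src falls inside one of the whitelisted tester ranges."""
    addr = ip_address(src)
    return any(addr in net for net in TESTER_ALLOWLIST)


def classify(line: str) -> str:
    """Label one log line so tester traffic can be separated from everything else."""
    ts_raw, src, _dst, action = line.split()
    ts = datetime.fromisoformat(ts_raw)
    if is_tester_source(src):
        if ENGAGEMENT_START <= ts <= ENGAGEMENT_END:
            return "tester"              # expected; correlate with the alerts it triggered
        return "stale_whitelist"         # tester range still active outside the window: revoke it
    if action == "allow":
        return "investigate_allowed"     # non-whitelisted source got through the perimeter
    return "investigate_denied"          # non-whitelisted and denied; still worth a look


def triage(log: str) -> dict[str, list[str]]:
    """Group log lines by label so the network team can review each bucket."""
    buckets: dict[str, list[str]] = {}
    for line in log.splitlines():
        if line.strip():
            buckets.setdefault(classify(line), []).append(line)
    return buckets


if __name__ == "__main__":
    for label, lines in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(lines)} line(s)")
```

The "stale_whitelist" bucket is the check that the exception was actually revoked once the engagement ended.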