Network Security & SSRF Protection

Comprehensive security measures and Server-Side Request Forgery (SSRF) protection

Security Architecture Overview

Important Security Notice

The TYCHON scanner implements context-aware network security measures. SSRF protection applies only to integration service configurations (Kafka, Elasticsearch, Splunk, S3) while allowing full network access for legitimate security scanning via -host flags.

Protected Against

  • SSRF Attacks: integration endpoints cannot be pointed at hosts the scanner should not reach on an attacker's behalf
  • Port Scanning: integration endpoints cannot be pointed at dangerous internal ports
  • Internal Network Access: localhost and private IP ranges are rejected for external URLs
  • DNS Rebinding: hostnames are resolved and the resolved addresses are validated, not just the name
  • URL Injection: malformed URLs and alternative IP encodings (decimal, octal, hex) are rejected
  • Credential Exposure: secure logging with pattern redaction

Legitimate Use Cases

  • Integration Services: Kafka, Elasticsearch, Splunk on localhost (with SSRF protection)
  • S3-Compatible Storage: MinIO and other local object storage (with SSRF protection)
  • Security Scanning: Any target via -host (no restrictions)
  • Certificate Discovery: Internal and external TLS endpoints (no restrictions)
  • Network Assessment: Private networks, localhost, cloud metadata (no restrictions)
  • Vulnerability Testing: All ports and protocols for scan targets (no restrictions)

SSRF Protection Framework

Context-Aware Validation

The scanner uses a sophisticated context-aware validation system that applies different security rules based on how network inputs are being used:

Validation Contexts

ContextExternalURL       Strict SSRF protection for external URLs: every blocked range and port applies
ContextInternalService   Minimal validation for configured integration services: localhost and private ranges are allowed; link-local addresses (cloud metadata) and ports belonging to other services are still rejected
ContextScanTarget        Scanning validation for network targets: no SSRF restrictions
ContextUserProvided      Moderate protection for user inputs

Service Configuration Examples

# Integration services - PROTECTED by SSRF validation
-elasticnode "http://localhost:9200"     # Internal Elasticsearch - ALLOWED
-kafkabrokers "localhost:9092"           # Internal Kafka - ALLOWED
-splunkurl "http://10.0.0.15:8088"       # Internal Splunk - ALLOWED
-s3endpoint "http://localhost:9000"      # MinIO local storage - ALLOWED

# Integration services - BLOCKED by SSRF protection
-elasticnode "http://169.254.169.254/"   # AWS metadata - BLOCKED
-kafkabrokers "127.0.0.1:6379"          # Redis on non-Kafka port - BLOCKED
-splunkurl "http://localhost:22"         # SSH port - BLOCKED

# Scan targets - NO SSRF restrictions (legitimate security scanning)
-host "localhost:8080"                   # Local web app - ALLOWED for scanning
-host "192.168.1.100:443"               # Internal server - ALLOWED for scanning
-host "10.0.0.50:22"                    # SSH service - ALLOWED for scanning
-host "169.254.169.254:80"              # Even metadata service - ALLOWED for scanning

Blocked IP Addresses & Ranges

⚠️ For Integration Service URLs Only

These IP ranges are blocked only when configuring integration services (Kafka, Elasticsearch, Splunk, S3). Scan targets using -host can access any IP range for legitimate security assessments.

IPv4 Address Ranges

Loopback Addresses

Range            Description
127.0.0.0/8      Localhost loopback
127.0.0.1        Primary localhost
127.1            Short form localhost
2130706433       Decimal form of 127.0.0.1
017700000001     Octal form of 127.0.0.1
0x7f000001       Hex form of 127.0.0.1

Private Network Ranges

Range            Description
10.0.0.0/8       Private Class A
172.16.0.0/12    Private Class B
192.168.0.0/16   Private Class C
169.254.0.0/16   Link-local APIPA

Special Use Ranges

Range            Description
0.0.0.0/8        "This network"
224.0.0.0/4      Multicast addresses
240.0.0.0/4      Reserved/Experimental

IPv6 Address Ranges

Loopback & Local

Range            Description
::1              IPv6 loopback
[::1]            Bracketed IPv6 loopback
fe80::/10        Link-local addresses

Private & Special

Range            Description
fc00::/7         Unique local addresses
fd00::/8         Unique local addresses
::ffff:0:0/96    IPv4-mapped IPv6
ff00::/8         Multicast addresses
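The four 127.0.0.1 rows in the loopback table are one address written four ways, and the standard dotted-quad parser rejects three of them. The following Go example is added for this page (it is not the scanner's code) and canonicalizes the inet_aton(3) forms, bracketed literals and IPv4-mapped IPv6 before any range check; ParseLegacyIPv4 and Canonicalize are names chosen for the example. Whether a raw string such as "2130706433" reaches the network at all depends on the resolver in use (libc-based resolvers accept it via inet_aton, Go's pure resolver treats it as a hostname), which is why a validator should canonicalize first rather than rely on that.

```go
package main

import (
	"net"
	"strconv"
	"strings"
)

// parsePart decodes one dotted part the way inet_aton(3) does: "0x.." is hex,
// a leading 0 is octal, anything else is decimal. "08" and "0x" are rejected.
func parsePart(p string) (uint64, error) {
	switch {
	case strings.HasPrefix(p, "0x") || strings.HasPrefix(p, "0X"):
		return strconv.ParseUint(p[2:], 16, 32)
	case len(p) > 1 && p[0] == '0':
		return strconv.ParseUint(p[1:], 8, 32)
	default:
		return strconv.ParseUint(p, 10, 32)
	}
}

// ParseLegacyIPv4 accepts the 1- to 4-part forms from the page's loopback table
// ("127.1", "2130706433", "017700000001", "0x7f000001"): every part but the last is
// one byte, and the last part fills whatever bytes remain. net.ParseIP rejects all
// of them, so code that treats "not an IP literal" as "a hostname" lets them through.
func ParseLegacyIPv4(s string) (net.IP, bool) {
	parts := strings.Split(s, ".")
	if len(parts) > 4 {
		return nil, false
	}
	var addr uint64
	for i, p := range parts {
		v, err := parsePart(p)
		if err != nil {
			return nil, false
		}
		if i < len(parts)-1 { // leading parts: one byte each
			if v > 0xff {
				return nil, false
			}
			addr = addr<<8 | v
			continue
		}
		tail := uint(8 * (5 - len(parts))) // bits left for the last part
		if v >= 1<<tail {
			return nil, false
		}
		addr = addr<<tail | v
	}
	return net.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)), true
}

// Canonicalize returns the address a libc resolver would actually connect to, in
// standard dotted or colon notation, or (host, false) when host is a name that must
// be resolved and checked by its resolved addresses. Brackets are stripped and
// IPv4-mapped IPv6 collapses to its IPv4 address, so "[::ffff:127.0.0.1]", "127.1"
// and "0x7f000001" all hit the 127.0.0.0/8 row exactly like "127.0.0.1" does.
func Canonicalize(host string) (string, bool) {
	h := strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	ip := net.ParseIP(h)
	if ip == nil {
		var ok bool
		if ip, ok = ParseLegacyIPv4(h); !ok {
			return host, false
		}
	}
	return ip.String(), true
}
```

Run the blocklist comparison on the value Canonicalize returns, never on the raw string; when it returns false, resolve the name and check every address the resolver yields.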

Blocked Ports for Integration Services

⚠️ Port Restrictions Apply to Integration Services Only

These ports are blocked only when configuring integration services (Kafka, Elasticsearch, Splunk, S3) to prevent SSRF attacks. Scan targets using -host can access any port for legitimate security scanning.

Common Service Ports

Port     Service
22       SSH
23       Telnet
25       SMTP
53       DNS
110      POP3
143      IMAP
993      IMAPS
995      POP3S

Database Ports

Port     Database
3306     MySQL
5432     PostgreSQL
6379     Redis
11211    Memcached
27017    MongoDB

Internal Web Ports

Port     Service
8080     HTTP Alt
8443     HTTPS Alt
9200     Elasticsearch HTTP
9300     Elasticsearch Transport

Note: the port an integration service itself listens on (Elasticsearch on localhost:9200, Kafka on localhost:9092) is allowed for that service because its endpoint is validated in the ContextInternalService context; a port that belongs to a different service (Redis on 6379, SSH on 22) is still rejected there, as the configuration examples show. Scan targets using -host can always access these ports for legitimate security assessments.
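The contexts, the blocked ranges and the blocked ports above combine into one decision per endpoint. The following Go example is added for this page and is not the scanner's code: the context names and tables are the page's, while the split of the ranges into ones blocked in every context and ones blocked only outside ContextInternalService, the servicePort exemption that lets -elasticnode use 9200, treating ContextUserProvided as ranges-only, the injected Resolver with its constructed name table, and all function names are assumptions made for the example. It returns the resolved address so the caller dials that address instead of re-resolving the name, which is the step that matters against DNS rebinding.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strconv"
	"strings"
)

type Context int

const (
	ContextExternalURL     Context = iota // strict: every range and port below is blocked
	ContextInternalService                // configured Kafka/Elasticsearch/Splunk/S3 endpoint
	ContextScanTarget                     // -host target: no SSRF restrictions at all
	ContextUserProvided                   // moderate: ranges blocked, ports not checked (assumed)
)

// Tables from the page. Which rows ContextInternalService still blocks (link-local, multicast, reserved,
// "this network") is an assumption that fits the examples: localhost and 10.0.0.15 pass, 169.254.169.254 does not.
var (
	blockedAlways     = []string{"169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4", "fe80::/10", "ff00::/8"}
	privateOrLoopback = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7"}
	blockedPorts      = map[int]bool{22: true, 23: true, 25: true, 53: true, 110: true, 143: true, 993: true, 995: true, 3306: true, 5432: true, 6379: true, 11211: true, 27017: true, 8080: true, 8443: true, 9200: true, 9300: true}
)

// inRanges returns the first CIDR containing ip, or ""; Unmap makes ::ffff:127.0.0.1 match 127.0.0.0/8.
func inRanges(ip netip.Addr, cidrs []string) string {
	for _, c := range cidrs {
		if netip.MustParsePrefix(c).Contains(ip.Unmap()) {
			return c
		}
	}
	return ""
}

// Resolver is injected so the example runs offline; production code wraps net.DefaultResolver.LookupNetIP.
type Resolver func(host string) ([]netip.Addr, error)

// stubTable is a constructed name table; rebind.example stands for a public-looking name pointed at the metadata service.
var stubTable = map[string]string{"localhost": "127.0.0.1", "api.example.com": "203.0.113.10", "rebind.example": "169.254.169.254"}

func StubResolver(host string) ([]netip.Addr, error) {
	if ip, err := netip.ParseAddr(host); err == nil { // IP literals resolve to themselves
		return []netip.Addr{ip}, nil
	}
	if a, ok := stubTable[host]; ok {
		return []netip.Addr{netip.MustParseAddr(a)}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// splitHostPort accepts "scheme://host[:port]/..." or a bare "host:port" (IPv6 in brackets) and returns host
// and effective port; http/https default to 80/443, a bare host or any other scheme has no port and fails.
func splitHostPort(raw string) (string, int, error) {
	if !strings.Contains(raw, "://") {
		raw = "//" + raw // parse host:port as the authority of a scheme-less URL
	}
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "", 0, fmt.Errorf("malformed endpoint %q", raw)
	}
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 {
		return "", 0, fmt.Errorf("bad or missing port in %q", raw)
	}
	return u.Hostname(), p, nil
}

// ValidateEndpoint applies the context's rules and returns the pinned address and port the caller must dial
// (dialing it instead of re-resolving the name closes the DNS-rebinding window). servicePort (9200 for
// Elasticsearch, 9092 for Kafka, ...) is exempt from the blocked-port list for ContextInternalService only.
func ValidateEndpoint(ctx Context, raw string, servicePort int, resolve Resolver) (netip.Addr, int, error) {
	host, port, err := splitHostPort(raw)
	if err != nil {
		return netip.Addr{}, 0, err
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return netip.Addr{}, 0, fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	if ctx == ContextScanTarget {
		return ips[0].Unmap(), port, nil
	}
	for _, ip := range ips { // every A/AAAA record must pass, not just the first
		if c := inRanges(ip, blockedAlways); c != "" {
			return netip.Addr{}, 0, fmt.Errorf("%s resolves to %s in blocked range %s", host, ip, c)
		}
		if c := inRanges(ip, privateOrLoopback); c != "" && ctx != ContextInternalService {
			return netip.Addr{}, 0, fmt.Errorf("%s resolves to %s in private/loopback range %s", host, ip, c)
		}
	}
	if blockedPorts[port] && ctx != ContextUserProvided && !(ctx == ContextInternalService && port == servicePort) {
		return netip.Addr{}, 0, fmt.Errorf("port %d is blocked in this context", port)
	}
	return ips[0].Unmap(), port, nil
}
```

With StubResolver swapped for a real lookup, ValidateEndpoint reproduces the ALLOWED/BLOCKED outcomes of the configuration examples above: the Elasticsearch, Kafka, Splunk and MinIO endpoints pass, the metadata address, the Redis port under -kafkabrokers and port 22 under -splunkurl fail, and every -host target passes untouched. Note that the Go resolver, unlike inet_aton, does not accept legacy numeric forms such as "2130706433", so those must be canonicalized before they reach this check.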

Security Best Practices

Network Security

✅ Safe Practices

  • Use HTTPS for all external communications
  • Configure internal services with proper authentication
  • Use network segmentation for sensitive systems
  • Regularly update TLS certificates
  • Monitor network access logs

❌ Avoid These

  • Exposing internal services to the internet
  • Using weak or default credentials
  • Disabling SSL certificate verification
  • Storing credentials in plain text
  • Bypassing security validations

Configuration Security

Secure Configuration

# Use encrypted credential storage
certscanner -config

# Configure with secure endpoints
certscanner -config-elasticnode "https://elastic.internal:9200"
certscanner -config-kafkabrokers "kafka1.internal:9092"
certscanner -config-splunkurl "https://splunk.company.com:8088"

Environment Variables

# Set via environment variables
export ELASTIC_NODE="https://localhost:9200"
export KAFKA_BROKERS="localhost:9092"
export SPLUNK_URL="http://splunk.internal:8088"
export SPLUNK_TOKEN="your-secure-token-here"

Advanced Security Features

Secure Logging

The scanner includes intelligent credential detection and redaction in logs:

Redacted Patterns

  • password=***REDACTED***
  • apikey=***REDACTED***
  • token=***REDACTED***
  • Certificate data (PEM blocks)
  • Environment variables with sensitive names
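An added example of the redaction described above, written for this page rather than taken from the scanner's logging code: Redact masks key=value, key: value and "key": "value" credentials for the names listed (with passwd, api_key and secret added as assumptions), environment-variable style names such as SPLUNK_TOKEN, and whole PEM bodies, keeping the key name and PEM label so the line still says which setting was involved. A small writer installs it in front of the standard logger. The patterns and names are assumptions for the example.

```go
package main

import (
	"io"
	"log"
	"os"
	"regexp"
)

const mask = "***REDACTED***"

var (
	// key=value, key: value or "key": "value" for a key that ends in a sensitive name,
	// including UPPER_SNAKE environment-variable names. The value may be quoted and
	// stops at whitespace, ',', ';' or '&' (so ?apikey=x&verbose=1 keeps its tail).
	kvRe = regexp.MustCompile(`(?i)([A-Z0-9_.-]*(?:password|passwd|apikey|api_key|token|secret))(["']?\s*[=:]\s*)("[^"]*"|'[^']*'|[^\s,;&]+)`)
	// A whole PEM block; (?s) lets . span the newlines inside the body.
	pemRe = regexp.MustCompile(`(?s)-----BEGIN ([A-Z ]+)-----.*?-----END [A-Z ]+-----`)
)

// Redact masks PEM bodies first (so a key body is never half-matched as a value),
// then credential values. Key names and PEM labels are preserved.
func Redact(s string) string {
	s = pemRe.ReplaceAllString(s, "-----BEGIN ${1}-----"+mask+"-----END ${1}-----")
	return kvRe.ReplaceAllString(s, "${1}${2}"+mask)
}

// redactingWriter applies Redact to every write; install it with log.SetOutput.
type redactingWriter struct{ w io.Writer }

func (r redactingWriter) Write(p []byte) (int, error) {
	if _, err := r.w.Write([]byte(Redact(string(p)))); err != nil {
		return 0, err
	}
	return len(p), nil // report the original length so the logger sees no short write
}

func main() {
	log.SetOutput(redactingWriter{os.Stderr})
	// constructed log lines for the demonstration
	log.Println(`splunk hec password=hunter2 token="eyJhbGciOi..." SPLUNK_TOKEN=abc123`)
	log.Println("-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----")
}
```

Redaction is a backstop, not a substitute for never logging the value: a credential that appears in a format the patterns do not anticipate still leaks, so log configuration by field name and elide the sensitive fields at the call site where you can.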

File Security

Enhanced file permission security for temporary files and outputs:

Secure Permissions

  • Temporary files: 0600 (owner read/write only)
  • Output files: 0600 (owner read/write only)
  • Directories: 0700 (owner access only)
  • Configuration files: 0600
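An added example (written for this page, not the scanner's code) of creating an output directory and file with exactly these modes on Unix and verifying them afterwards. O_EXCL and the Lstat check are extra precautions: the create fails if anything already exists at the path, so a pre-planted symlink or an attacker-owned file is never written to, and the umask can only remove bits, so the result is never more permissive than requested. On Windows Go honours only the read-only bit of the mode, so the page's "NTFS permissions" row needs ACLs instead. Function names are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// EnsurePrivateDir creates dir with 0700 and tightens the mode if it already existed,
// because MkdirAll leaves an existing directory's permissions untouched.
func EnsurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	return os.Chmod(dir, 0o700)
}

// CreatePrivateFile creates path with 0600. O_EXCL refuses to open anything that is
// already there, which is what defeats a symlink planted at a predictable path.
func CreatePrivateFile(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// CheckPrivate reports whether path is not a symlink and has no group/other bits.
func CheckPrivate(path string) (bool, error) {
	fi, err := os.Lstat(path) // Lstat: examine the link itself, not its target
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink == 0 && fi.Mode().Perm()&0o077 == 0, nil
}

// WriteOutput writes data to dir/name with the page's permissions and verifies both
// the directory and the file before reporting success.
func WriteOutput(dir, name string, data []byte) (string, error) {
	if err := EnsurePrivateDir(dir); err != nil {
		return "", err
	}
	path := filepath.Join(dir, name)
	f, err := CreatePrivateFile(path)
	if err != nil {
		return "", err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return "", err
	}
	if err := f.Close(); err != nil {
		return "", err
	}
	for _, p := range []string{dir, path} {
		if ok, err := CheckPrivate(p); err != nil || !ok {
			return "", fmt.Errorf("%s is not private after creation (err=%v)", p, err)
		}
	}
	return path, nil
}
```

For temporary files the standard library's os.CreateTemp already uses O_EXCL with 0600 and a random name; the explicit variant above is for outputs whose name the user chooses.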

Cross-Platform Security

Windows

  • Native Windows API usage
  • No PowerShell dependencies
  • Registry-based detection
  • NTFS permissions

Linux

  • Filesystem permissions
  • Process isolation
  • SELinux compatibility
  • Container support

macOS

  • Keychain integration
  • Application bundle detection
  • System Integrity Protection
  • Gatekeeper compatibility

Security Troubleshooting

Common Issues & Solutions

Cannot connect to internal Kafka broker

Problem: Getting connection errors when trying to configure Kafka on localhost or private IP.

Solution: Ensure you're using the correct flag for internal service configuration:

certscanner -posttokafka -kafkabrokers "localhost:9092"

This uses ContextInternalService validation which allows localhost and private IPs.

Elasticsearch validation errors

Problem: Cannot configure local Elasticsearch instance.

Solution: Use proper internal service configuration:

certscanner -posttoelastic -elasticnode "http://localhost:9200"

The ContextInternalService validation allows the configured service's own port (9200 here) even though it appears on the blocked-port list.

IPv6 connectivity issues

Problem: Cannot connect to IPv6 internal services.

Solution: IPv6 localhost and private addresses are supported for internal services:

certscanner -kafkabrokers "[::1]:9092"
certscanner -elasticnode "http://[fd00::100]:9200"

Use bracket notation for IPv6 addresses in URLs.

Getting Help

If you encounter security-related issues or have questions about network configuration, check the main documentation or contact your system administrator for guidance on enterprise security policies.