NodeZero Host Network Requirements
For NodeZero to deploy and communicate with the SaaS environment from which it is delivered, a few lanes of communication need to be opened. The sections below list the outbound and inbound access that is needed to run NodeZero successfully.
Using the OVA?
If you are using the OVA, follow the steps in Setup and Configure OVA.
Need a Proxy?
If your environment connects to the internet via a proxy, this will affect NodeZero's ability to communicate out. Directions to configure NodeZero for use with a proxy can be found here.
Network access requirements are based on what portal instance generates the test, and not where the NodeZero host is being run. Uninterrupted network access is required during the entire operation to the following endpoints:
US Network (portal.horizon3ai.com)
- HTTPS - 443/tcp
  - api.horizon3ai.com
  - cognito-identity.us-east-2.amazonaws.com
  - cognito-idp.us-east-2.amazonaws.com
  - downloads.horizon3ai.com
  - sqs.us-east-2.amazonaws.com
  - *.docker.com
  - *.docker.io
  - *.ecr.us-east-2.amazonaws.com
  - *.queue.amazonaws.com
  - *.s3.amazonaws.com
  - *.s3.us-east-2.amazonaws.com
  - *.s3-w.us-east-2.amazonaws.com
  - raw.githubusercontent.com
  - github.com
  - *.ubuntu.com
  - *.canonical.com
- HTTP - 80/tcp
  - *.interacth3.io
EU Network (portal.horizon3ai.eu)
- HTTPS - 443/tcp
  - api.horizon3ai.eu
  - cognito-identity.eu-central-1.amazonaws.com
  - cognito-idp.eu-central-1.amazonaws.com
  - downloads.horizon3ai.com
  - sqs.eu-central-1.amazonaws.com
  - *.docker.com
  - *.docker.io
  - *.ecr.eu-central-1.amazonaws.com
  - *.queue.amazonaws.com
  - *.s3.amazonaws.com
  - *.s3.eu-central-1.amazonaws.com
  - *.s3-w.eu-central-1.amazonaws.com
  - *.execute-api.eu-central-1.amazonaws.com
  - *.elb.eu-central-1.amazonaws.com
  - *.s3-r-w.eu-central-1.amazonaws.com
  - raw.githubusercontent.com
  - github.com
  - *.ubuntu.com
  - *.canonical.com
- HTTP - 80/tcp
  - *.interacth3.eu
For NodeZero Runner (EU and US based)
- HTTPS - 443/tcp
  - api.horizon3ai.com (for the US portal)
  - api.horizon3ai.eu (for the EU portal)
  - raw.githubusercontent.com
  - github.com
OVA requirements
If you are using the OVA, additional outbound connections must be opened to support the OS, the h3-cli, and the n0 utility. Make sure the host is able to communicate with these endpoints.
- HTTPS - 443/tcp
  - *.ubuntu.com
  - *.canonical.com
  - downloads.horizon3ai.com
  - github.com
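A pre-flight egress check written for this page (an added example, not Horizon3's own code): it builds the outbound allowlist for the chosen portal region from the lists above, reports whether a given host:port is covered by an entry (wildcards are suffix-anchored, so a look-alike name does not match), and connect-tests every concrete endpoint so blocked firewall or proxy rules surface before an assessment starts. The region keys `us`/`eu` and all function names are my own.

```python
import socket

# Domains required for both portal regions, taken from the lists above.
COMMON_443 = ["downloads.horizon3ai.com", "*.docker.com", "*.docker.io",
              "*.queue.amazonaws.com", "*.s3.amazonaws.com", "raw.githubusercontent.com",
              "github.com", "*.ubuntu.com", "*.canonical.com"]
REGIONS = {
    "us": {"api": "api.horizon3ai.com", "aws": "us-east-2", "http80": "*.interacth3.io", "extra": []},
    "eu": {"api": "api.horizon3ai.eu", "aws": "eu-central-1", "http80": "*.interacth3.eu",
           "extra": ["*.execute-api.eu-central-1.amazonaws.com",
                     "*.elb.eu-central-1.amazonaws.com", "*.s3-r-w.eu-central-1.amazonaws.com"]},
}

def required_endpoints(region):
    """Return the set of (domain_pattern, port) pairs for a portal region."""
    r, aws = REGIONS[region], REGIONS[region]["aws"]
    https = [r["api"], f"cognito-identity.{aws}.amazonaws.com", f"cognito-idp.{aws}.amazonaws.com",
             f"sqs.{aws}.amazonaws.com", f"*.ecr.{aws}.amazonaws.com",
             f"*.s3.{aws}.amazonaws.com", f"*.s3-w.{aws}.amazonaws.com"] + COMMON_443 + r["extra"]
    return {(d, 443) for d in https} | {(r["http80"], 80)}

def host_allowed(host, port, region):
    """True if host:port is covered by the list. A '*.' pattern only matches
    subdomains (suffix anchored), so 'evil.docker.com.attacker.net' never matches."""
    host = host.lower().rstrip(".")
    return any(port == p and (host == pat or (pat.startswith("*.") and host.endswith(pat[1:])))
               for pat, p in required_endpoints(region))

def check_tcp(host, port, timeout=5.0):
    """Plain TCP connect (no TLS handshake); returns (reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)

def preflight(region):
    """Connect-test every concrete (non-wildcard) endpoint; return the failures."""
    failures = []
    for domain, port in sorted(required_endpoints(region)):
        if not domain.startswith("*."):  # wildcards have no single host to test
            ok, detail = check_tcp(domain, port)
            if not ok:
                failures.append((domain, port, detail))
    return failures

if __name__ == "__main__":
    import sys
    for domain, port, why in preflight(sys.argv[1] if len(sys.argv) > 1 else "us"):
        print(f"BLOCKED {domain}:{port} ({why})")
```

Run it on the NodeZero host itself, not from a workstation, since the requirement applies to where the host runs the test, and a proxy in the path will need to be configured first.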
Inbound Network Access
Not applicable to the OVA
The following ports should be opened on the NodeZero host/VM to allow traffic in:
- TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999
- UDP 69
The above network settings are required on the NodeZero host itself and not necessarily on the perimeter firewalls.
DO NOT Make Additional Network Changes
It is crucial not to make changes to the network environment beyond normal day-to-day operations while running NodeZero. NodeZero represents an attacker and does not require additional paths to be opened for it to perform an assessment. For example, if your firewall is set to block the marketing VLAN from accessing the finance VLAN, leave it as is; NodeZero will verify that this configuration is in place.
Consolidated Endpoints
This feature is currently only available for paid customers. Please contact your Sales or Customer Success rep to enable it for you.
If you are operating the NodeZero host within a restricted network environment, the consolidated endpoint feature can simplify networking requirements. Instead of opening outbound network traffic to all the AWS services listed above, you will only need to allow traffic for the two static IP addresses associated with these domains:
US-Based
- Domains
  - gateway.horizon3ai.com
  - interact.gateway.horizon3ai.com
- IPs
  - 15.197.206.82
  - 3.33.191.122
- Port
  - HTTPS - 443/TCP
EU-Based
- Domains
  - gateway.horizon3ai.eu
  - interact.gateway.horizon3ai.eu
- IPs
  - 52.223.20.205
  - 99.83.187.197
- Ports
  - HTTPS - 443/TCP
  - HTTP - 80/TCP
  - DNS - 53/UDP