Tim,
In the past I've used high level diagrams to illustrate the overall network
topology with individual tabs (drill down) per data center or POP.
The first step to assessing risk is to identify your assets. I'd suggest
performing a discovery of your network. Keep in mind pen tests are
typically inconclusive of availability-based threats, DoS/DDoS (a very high
risk today), and in fact specifically avoid tests which might cause
degradation of service. I'd suggest including volumetric network (TCP,
UDP), application floods (HTTP GET, POST, etc., DNS query floods, etc.) and
slow and low attacks.
Best of Luck,
Dennis
--------------------------------------------------
From: "Baklarz, Ron" <bakl...@amtrak.com>
Sent: Tuesday, June 05, 2012 12:41 PM
To: "Green, Timothy" <timothy.gr...@mantech.com>
Cc: <nanog@nanog.org>
Subject: RE: Penetration Test Assistance
Not discounting the need for network diagrams, there are also differing
approaches to pen testing. One alternative is a sort of black-box
approach where the pen testers are given little or no advance knowledge
of the network. It is up to them to 'discover' what they can through open
source means and commence their attacks from what they glean from their
intelligence gathering. This way they are realistically mimicking the
hacker methodology.
Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM
Chief Information Security Officer
Export Control Compliance Officer
National Passenger Railroad Corporation (AMTRAK)
10 G Street, NE Office 6E606
Washington, DC 20002
bakl...@amtrak.com
-----Original Message-----
From: Green, Timothy [mailto:timothy.gr...@mantech.com]
Sent: Tuesday, June 05, 2012 10:53 AM
To: nanog@nanog.org
Subject: Penetration Test Assistance
Howdy all,
I'm a Security Manager of a large network; we are conducting a Pentest
next month and the testers are demanding a complete network diagram of the
entire network. We don't have a "complete" network diagram that shows
everything and everywhere we are. At most we have a bunch of network
diagrams that show what we have in various areas throughout the country.
I've been asking the network engineers for over a month and they seem to
be too lazy to put it together or they have no idea where everything is.
I've never been in this situation before. Should I be honest with the
testers and tell them here is what we have, we aren't sure if it's
accurate; find everything else? How would they access those areas that
we haven't identified? How can I give them access to stuff that I didn't
know existed?
What do you all do with your large networks? One huge network diagram, a
bunch of network diagrams separated by region, or both? Any pentest
horror stories?
Thanks,
Tim