[153351] in North American Network Operators' Group


Re: Penetration Test Assistance

daemon@ATHENA.MIT.EDU (Andrew Latham)
Tue Jun 5 12:06:48 2012

In-Reply-To: <DD17DCA4DBB14A44870126211203BE9D02657B61F7C5@CHNMICMBX02.ManTech.com>
Date: Tue, 5 Jun 2012 11:32:20 -0400
From: Andrew Latham <lathama@gmail.com>
To: "Green, Timothy" <Timothy.Green@mantech.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jun 5, 2012 at 10:52 AM, Green, Timothy
<Timothy.Green@mantech.com> wrote:
> Howdy all,
>
> I'm a Security Manager of a large network; we are conducting a Pentest next
> month and the testers are demanding a complete network diagram of the entire
> network. We don't have a "complete" network diagram that shows everything and
> everywhere we are. At most we have a bunch of network diagrams that show what
> we have in various areas throughout the country. I've been asking the network
> engineers for over a month and they seem to be too lazy to put it together or
> they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest with the testers
> and tell them here is what we have, we aren't sure if it's accurate; find
> everything else? How would they access those areas that we haven't
> identified? How can I give them access to stuff that I didn't know existed?
>
> What do you all do with your large networks? One huge network diagram, a
> bunch of network diagrams separated by region, or both? Any pentest horror
> stories?
>
> Thanks,
>
> Tim

Any penetration test should only require your networks and masks.  As
far as a diagram goes, it is of value to keep a staff member with the
singular task of documentation and auditing, or to do it on an optional
contract basis.  Small things like typographical errors can cause great
confusion in emergency situations.  Take the time and do it right.  I
personally prefer the flexibility and ease of use that Mediawiki
offers, but other free and pay solutions exist.


-- 
~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~
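An added example, not from this thread or from Andrew's reply: a Python script that takes the kind of per-region network lists Tim describes, rejects entries with impossible or misaligned masks (the "typographical errors" point above), flags prefixes that overlap or that two regional diagrams both claim, and emits the collapsed list of networks and masks a tester actually needs. The region names and address blocks are constructed sample data with three problems planted deliberately.

```python
"""
Added example, not from the NANOG thread: turn the per-region network lists
the original poster describes into a single pentest scope (networks and
masks), and sanity-check it before handing it to the testers.

All region names and address blocks below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: each region's diagram transcribed into address blocks.
# Three deliberate problems are planted so the checks have something to find:
#   - "10.3.0.0/33"  : an impossible mask, the kind of typo the reply warns about
#   - "10.1.128.0/17": overlaps northeast's 10.1.0.0/16 (two diagrams claim it)
#   - "192.0.2.0/24" : listed under two regions, so ownership is ambiguous
REGIONAL_BLOCKS = {
    "northeast": ["10.1.0.0/16", "192.0.2.0/24", "172.16.4.0/22"],
    "southeast": ["10.1.128.0/17", "198.51.100.0/24"],
    "west": ["10.2.0.0/16", "192.0.2.0/24", "10.3.0.0/33"],
}


def parse_blocks(regional):
    """Parse every entry strictly.

    Returns (valid, errors): valid maps each network to the set of regions that
    listed it; errors is a list of (region, entry, reason) for unparseable ones.
    strict=True also rejects host bits set in the prefix (e.g. 10.1.1.0/16),
    another common transcription slip.
    """
    valid = defaultdict(set)
    errors = []
    for region, entries in regional.items():
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError as exc:
                errors.append((region, entry, str(exc)))
                continue
            valid[net].add(region)
    return dict(valid), errors


def find_overlaps(networks):
    """Return pairs of distinct prefixes where one overlaps the other."""
    nets = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                pairs.append((a, b))
    return pairs


def shared_blocks(valid):
    """Prefixes that more than one regional diagram claims."""
    return {net: regions for net, regions in valid.items() if len(regions) > 1}


def build_scope(regional):
    """Collapse the valid blocks into the minimal list of networks and masks."""
    valid, _ = parse_blocks(regional)
    scope = []
    for version in (4, 6):
        same = [n for n in valid if n.version == version]
        scope.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return scope


if __name__ == "__main__":
    valid, errors = parse_blocks(REGIONAL_BLOCKS)
    for region, entry, reason in errors:
        print(f"REJECT  {region}: {entry!r} ({reason})")
    for a, b in find_overlaps(valid):
        print(f"OVERLAP {a} ({', '.join(sorted(valid[a]))}) with {b} ({', '.join(sorted(valid[b]))})")
    for net, regions in shared_blocks(valid).items():
        print(f"SHARED  {net} listed by {', '.join(sorted(regions))}")
    print("scope:")
    for line in build_scope(REGIONAL_BLOCKS):
        print("  " + line)
```

Run it directly and the REJECT, OVERLAP and SHARED lines are what to send back to the regional engineers before the collapsed scope goes to the testers; the collapsed list is also what the tester can compare against their own discovery sweep, so anything they find outside it is either missing from every diagram or not yours.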

