[153371] in North American Network Operators' Group
Re: Penetration Test Assistance
daemon@ATHENA.MIT.EDU (Barry Greene)
Tue Jun 5 14:30:34 2012
From: Barry Greene <bgreene@senki.org>
In-Reply-To: <DD17DCA4DBB14A44870126211203BE9D02657B61F7C5@CHNMICMBX02.ManTech.com>
Date: Tue, 5 Jun 2012 11:06:46 -0700
To: "Green, Timothy" <Timothy.Green@ManTech.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi Tim,
A _good_ pen test team would not need a network diagram. Their first round of penetration test would have them build their own network diagram from their analysis of your network.
Barry
On Jun 5, 2012, at 7:52 AM, Green, Timothy wrote:
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?
>
> What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories?
>
> Thanks,
>
> Tim