Penetration Test Assistance
Justin M. Streiner
streiner at cluebyfour.org
Tue Jun 5 15:52:33 UTC 2012
On Tue, 5 Jun 2012, Green, Timothy wrote:
> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of
> the entire network. We don't have a "complete" network diagram that
> shows everything and everywhere we are. At most we have a bunch of
> network diagrams that show what we have in various areas throughout the
> country. I've been asking the network engineers for over a month and
> they seem to be too lazy to put it together or they have no idea where
> everything is.
As someone who is charged with both engineering and maintaining the
records and diagrams of a large network, I take exception to the word
'lazy' ;) Network engineers tend to be an over-worked lot, and their work
is often interrupt-driven, so large blocks of time to work on a single
task are often a rarity.
The issue is that if they haven't kept their diagrams up to date (many
people don't, unfortunately), then getting them up to date turns into a
much more labor-intensive job. If they have kept the diagrams up to date
and they're just not getting them to you, then take the issue up with
their manager.
There might also be the question of how much information they are allowed
to release to third parties, even if it is for a pentest. This could mean
that some information might need to be removed or redacted from the
diagrams. Again, the engineering manager/director/CIO/CTO might be able
to provide clarification on this.
> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas that
> we haven't identified? How can I give them access to stuff that I
> didn't know existed?
From what I've seen, in-depth pentests are often done in coordination with
other groups, such as engineering/ops. In a large network, that's often
done out of necessity, if for no other reason than dealing with issues
like the ones you've raised (logistics, communication, etc...).
> What do you all do with your large networks? One huge network diagram,
> a bunch of network diagrams separated by region, or both? Any pentest
> horror stories?
I don't have any pentest horror stories, but sometimes large network
diagrams have to be broken up into pieces, to maintain some degree of
readability. Large diagrams can get cluttered very quickly if you try to
put every minute piece of detail on them. I tend to treat the main
diagram as a high-level view of the network, and then either break out
sections that need more detail as a separate drawing, or as a link to our
internal knowledge base that can go into very high detail, including
pictures, access information, etc.
There is no right way to diagram every network. It depends on what best
suits your needs, and what established procedures are already in place.
jms