Firewall Wizards mailing list archives

Assessing layers of security


From: "Bill Stout" <bill.stout () aristasoft com>
Date: Thu, 16 Mar 2000 21:58:20 -0800

What is the best way to audit a layered network?

    VPN---FW----F.E.----App----DB

The front-end system is vulnerable at the stack and port layer.  The shell of the front-end is vulnerable within the 
shell itself.  The application has its own vulnerabilities, and it in turn accesses databases which have 
vulnerabilities.

Turning to traditional security houses tends to prompt the same response "Well, let's run a few scan tools against your 
network...".  This belies a complete lack of grasp on shell, application, and database security knowledge.  Turning to 
large consulting shops is a lengthy painful process which ends up with some 'kid' that dutifully steps through a 
checklist process that someone else documented, and typically not someone who has an understanding of the situation.

Turning to application vendor consulting does not generate a feeling of trust, since they tend to be close-to-the-vest 
about their own vulnerabilities.

Suggestions?

Bill Stout

