Re: Penetration Test Assistance

["Justin M. Streiner" <streiner () cluebyfour org>]

On Tue, 5 Jun 2012, Green, Timothy wrote:

> I'm a Security Manager of a large network, we are conducting a Pentest 
> next month and the testers are demanding a complete network diagram of 
> the entire network.  We don't have a "complete" network diagram that 
> shows everything and everywhere we are.  At most we have a bunch of 
> network diagrams that show what we have in various areas throughout the 
> country. I've been asking the network engineers for over a month and 
> they seem to be too lazy to put it together or they have no idea where 
> everything is.

As someone who is charged with both engineering and maintaining the 
records and diagrams of a large network, I take exception to the word 
'lazy' ;)  Network engineers tend to be an over-worked lot, and their work 
is often interrupt-driven, so large blocks of time to work on a single 
task are often a rarity.

The issue is that if they haven't kept their diagrams up to date (many 
people don't, unfortunately), then getting them up to date turns into a 
much more labor-intensive job.  If they have kept the diagrams up to date 
and they're just not getting them to you, then take the issue up with 
their manager.

There might also be the question of how much information they are allowed 
to release to third parties, even if it is for a pentest.  This could mean 
that some information might need to be removed or redacted from the 
diagrams.  Again, the engineering manager/director/CIO/CTO might be able 
to provide clarification on this.

> I've never been in this situation before.  Should I be honest to the 
> testers and tell them here is what we have, we aren't sure if it's 
> accurate;  find everything else?  How would they access those areas that 
> we haven't identified?   How can I give them access to stuff that I 
> didn't know existed?

> From what I've seen, in-depth pentests are often done in coordination with 
other groups, such as engineering/ops.  In a large network, that's often 
done out of necessity,  if for no other reason than dealing with issues 
like the ones you've raised (logistics, communication, etc...).

> What do you all do with your large networks?  One huge network diagram, 
> a bunch of network diagrams separated by region, or both?  Any pentest 
> horror stories?

I don't have any pentest horror stories, but sometimes large network 
diagrams have to be broken up into pieces, to maintain some degree of 
readability.  Large diagrams can get cluttered very quickly if you try to 
put every minute piece of detail on them.  I tend to treat the main 
diagram as a high-level view of the network, and then either break out 
sections that need more detail as a separate drawing, or as a link to our 
internal knowledge base that can go into very high detail, including 
pictures, access information, etc.

There is no right way to diagram every network.  It depends on what best 
suits your needs, and what established proceures are already in place.

jms