network auditing

[cc <cc () belfordhk com>]

Hi,

I was just reading the thread on the "NASA security Audit"
and felt that perhaps I should think of a way to audit
two networks that I'm in charge of.

I'm relatively new at security issues(esp. audits,
penetration tests, etc..) so perhaps someone could
clarify some questions.

Does one really need a certification in order to
do all this auditing?   Right now, I'm learning
the whole security process on my own and as it
stands, it's quite overwhelming.

I have a firewall and an IDS set up(Just learnt not
too tell anyone what type..*grin*),  so all I'm
interested in knowing is whether or not I can
drill through the firewall and make it such that
the attack is undetected.

Sure I can go out and ask people to test the
networks; but as far as I know, that's a very
stupid thing to do. (Am I correct?)

I've read about the 'blackbox' and 'crystal' tests
(from the NASA Audit thread) and would like to know
how I can apply those tests, especially what type
of tools required.  (Or should I even bother?)

So far, (if someone can tell me if I've
gotten this concept of an audit right) I've
grasped that an external audit is as
follows:

1) Port scan the target network IP.
2) Get the list of open/closed ports are available
   (probably just Open ports, right?)

3) For each port use a specific tool to gain
   access (starting from a simple approach to
   a more technically involved approach).  ie.
   ftp port use ftp.

4) if simple access isn't available (ie cannot
   do any ftp password guessing either by
   brute force or dictionary approach to
   standard account names), then try using
   particular vulnerabilities in that protocol
   to attack/gain access to the system.

That's basically it, right?

Are there any particular books that I should take
a gander at?

Thank you for your help in understanding
this overwhelming topic.






---------------------------------------------------------------------------
----------------------------------------------------------------------------