Re: Pen testing / Vuln Assessment from Cable Modem - question on service provider selection

[tommymay () comcast net (Tommy May)]

Thanks James... certainly good ideas.  I'll keep your offer in mind...and who knows, maybe we can merge some efforts... 
 I am slowly in the process of developing relationships with small companies, doing ad-hoc security stuff, mostly 
network troubleshooting...etc.  But the need for assurance is on the rise...

Once again, thanks for taking the time and sharing perspective and experiences.

Tom


 -------------- Original message ----------------------
From: "James Ruffer" <admin () unixbox ws>
> Here is what we have been doing for the last couple of years.
>
> We collocated a couple of servers in a center that has no issue defending
> your pen-testing as long as you a legit and in contract with the
> company you are
> testing.  This collocation facility also hosts porn so you can only imagine the
> legal staff.
>
> In October we updated our servers to XEN and consolidated our physical servers.
>
> We now just boot a VM with whatever base OS we would like to test
> using.  We have
> 3 base OS's that we dub with our tools.
> We will also zip up the servers that we tested from and submit them to
> the client for later testing via DVD.  We do not keep the XEN's after
> 45 days.  Each XEN is encrypted.
>
> If you are not familiar with XEN is it just like VMWare ESX but free.
>
> If you would like we can set up some XEN servers for your testing.  If
> all goes well
> who knows maybe that will be our new side business pen-testing hosting...hmmm
>
> James
>
> On 6/19/07, Morgan Reed <morgan.s.reed () gmail com> wrote:
> > On 6/20/07, Tommy May <tommymay () comcast net> wrote:
> > > Issue - A standard nessus scan or nmap will choke my service from a standard 
> home based cable modem service.
> > You will not likely find anybody who will be willing to allow this.
> >
> > > I need to have a solid provider that is "used to dealing with pen-test like 
> customer businesses"... is there someone that you all may be able to recommend 
> that won't cost an arm and a leg and will meet the requirements? (i.e. one 
> that's home based, allows it to happen, has pen-testing customers. and doesn't 
> cost any more than 100.00 a month).
> > I highly doubt you will find one.
> >
> > > Any words of wisdom would be greatly appreciated.
> >
> > My best suggestion would be to find a permissive shell account or get
> > a co-lo server with it's own connection and use that (I have a root
> > shell on a tier 2 system that I use for these activities).
> >
> > You're unlikely to find any ISP who will do this for you so your best
> > bet is to go up a tier or two and get an unrestricted connection
> > attached to a remote server, you'll still have to read the contracts
> > carefully though.
> >
> > Morgan
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Are you using SPI, Watchfire or WhiteHat?
> > Consider getting clear vision with Cenzic
> > See HOW Now with our 20/20 program!
> >
> > http://www.cenzic.com/c/2020
> > ------------------------------------------------------------------------
>
>
> -- 
> Thank you for your time.
>
> James F. Ruffer III
> Ce|H MSCE, CNA, CCNA, & BSDI
> 1.518.271.1844  Mobile


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------