Network Perimeter Security: Building Defense In-Depth

12.2 Putting It All Together

Network penetration testing should be viewed as an essential part of network security. It should be performed when the implementation of the security policy is complete and at regular intervals thereafter.

Good penetration testing will have clearly stated goals of testing and improving the existing security policy of the network. It will also end with a detailed report of the findings and recommendations for resolving any issues uncovered as a result of the test.

The first step in penetration testing is to footprint the network with the purpose of determining likely targets. To do this:

• Obtain written permission from management to perform such research.

• Research electronic and print media for information about the company.

• Record all information about the company that you can find, including business structure, news of mergers or acquisitions, operating systems, preferred vendors, domain names, servers, services offered, individuals, phone numbers, and service provider information that can be found about the company.

• From the above information, determine available IP ranges from ARIN or another address registry, resolve all servers to IP addresses, and Traceroute to servers. Attempt to reconstruct the network as best you can with the clues provided from your earlier research.

• Scan the networks based on your findings from the previous steps. Use a variety of scanning tools and options in an attempt to force your way past any firewalls or other filtering devices.

• Connect to all available services and record what information you have learned about them, including operating systems, application names, release numbers, etc.

• Correlate this information with vendor releases regarding vulnerabilities in the given operating systems or applications by version number.

• Optionally, attempt to exploit these vulnerabilities. Do this with caution — or not at all — to avoid damaging important systems.

• Attempt to circumvent or otherwise test administrative and physical security countermeasures.

• Prioritize your results in terms of severity and possible business impact and present your findings along with a recommended course of action.