On Tue, 5 Jun 2012, Green, Timothy wrote:
> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of
> the entire network. We don't have a "complete" network diagram that
> shows everything and everywhere we are. At most we have a bunch of
> network diagrams that show what we have in various areas throughout the
> country. I've been asking the network engineers for over a month and
> they seem to be too lazy to put it together or they have no idea where
> everything is.
As someone who is charged with both engineering and maintaining the
records and diagrams of a large network, I take exception to the word
'lazy' ;) Network engineers tend to be an over-worked lot, and their work
is often interrupt-driven, so large blocks of time to work on a single
task are often a rarity.
The issue is that if they haven't kept their diagrams up to date (many
people don't, unfortunately), then getting them up to date turns into a
much more labor-intensive job. If they have kept the diagrams up to date
and they're just not getting them to you, then take the issue up with
their manager.
There might also be the question of how much information they are allowed
to release to third parties, even if it is for a pentest. This could mean
that some information might need to be removed or redacted from the
diagrams. Again, the engineering manager/director/CIO/CTO might be able
to provide clarification on this.
> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas that
> we haven't identified? How can I give them access to stuff that I
> didn't know existed?
From what I've seen, in-depth pentests are often done in coordination with
other groups, such as engineering/ops. In a large network, that's often
done out of necessity, if for no other reason than dealing with issues
like the ones you've raised (logistics, communication, etc...).
> What do you all do with your large networks? One huge network diagram,
> a bunch of network diagrams separated by region, or both? Any pentest
> horror stories?
I don't have any pentest horror stories, but sometimes large network
diagrams have to be broken up into pieces, to maintain some degree of
readability. Large diagrams can get cluttered very quickly if you try to
put every minute piece of detail on them. I tend to treat the main
diagram as a high-level view of the network, and then either break out
sections that need more detail as a separate drawing, or as a link to our
internal knowledge base that can go into very high detail, including
pictures, access information, etc.
There is no right way to diagram every network. It depends on what best
suits your needs, and what established procedures are already in place.
jms