On Tue, 5 Jun 2012, Green, Timothy wrote:
I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.
As someone who is charged with both engineering and maintaining the records and diagrams of a large network, I take exception to the word 'lazy' ;) Network engineers tend to be an over-worked lot, and their work is often interrupt-driven, so large blocks of time to work on a single task are often a rarity. The issue is that if they haven't kept their diagrams up to date (many people don't, unfortunately), then getting them up to date turns into a much more labor-intensive job. If they have kept the diagrams up to date and they're just not getting them to you, then take the issue up with their manager. There might also be the question of how much information they are allowed to release to third parties, even if it is for a pentest. This could mean that some information might need to be removed or redacted from the diagrams. Again, the engineering manager/director/CIO/CTO might be able to provide clarification on this.
I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?
From what I've seen, in-depth pentests are often done in coordination with other groups, such as engineering/ops. In a large network, that's often done out of necessity, if for no other reason than dealing with issues like the ones you've raised (logistics, communication, etc...).
What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories?
I don't have any pentest horror stories, but sometimes large network diagrams have to be broken up into pieces, to maintain some degree of readability. Large diagrams can get cluttered very quickly if you try to put every minute piece of detail on them. I tend to treat the main diagram as a high-level view of the network, and then either break out sections that need more detail as a separate drawing, or as a link to our internal knowledge base that can go into very high detail, including pictures, access information, etc. There is no right way to diagram every network. It depends on what best suits your needs, and what established proceures are already in place. jms