Not discounting the need for network diagrams, there are also differing approaches to pen testing. One alternative is a sort of black-box approach where the pen testers are given little or no advanced knowledge of the network. It is up to them to 'discover' what they can through open source means and commence their attacks from what they glean from their intelligence gathering. This way they are realistically mimicking the hacker methodology. Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM Chief Information Security Officer Export Control Compliance Officer National Passenger Railroad Corporation (AMTRAK) 10 G Street, NE Office 6E606 Washington, DC 20002 BaklarR@Amtrak.com -----Original Message----- From: Green, Timothy [mailto:Timothy.Green@ManTech.com] Sent: Tuesday, June 05, 2012 10:53 AM To: nanog@nanog.org Subject: Penetration Test Assistance Howdy all, I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is. I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed? What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories? Thanks, Tim ________________________________ This e-mail and any attachments are intended only for the use of the addressee(s) named herein and may contain proprietary information. If you are not the intended recipient of this e-mail or believe that you received this email in error, please take immediate action to notify the sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments from your computer; and do not disseminate, distribute, use, or copy this message and any attachments.