o Perform penetration attempts against your
o Use industry-recognized best practices.
• The pen test team is a part of an overall security strategy.
• A virtual pen test lab:
o Can emulate multiple operating systems
o Does not reflect the real-world network
o Does not give you practice navigating
through a network
o Does not allow viruses and worms to work
• Internal pen test lab:
o Two systems connected by a router (router
provides network services like Domain Name
System [DNS] and Dynamic Host Configuration
Protocol [DHCP]).
o The objective with internal pen tests is to
see exactly what vulnerabilities exist on the
corporate network, not to see if someone can
break in to the network.
o Can add an intrusion detection system
(IDS)/intrusion protection system (IPS),
proxies, syslog servers, database servers, etc.
• External pen test lab:
o Follows the principle of defense in depth.
o Have your IPL components plus a firewall,
DMZ, proxies, Network Address Translation
(NAT), Network Interface Device (NID),
o Firewall admins often have to open up
unexpected holes in their network due to
• Project-specific pen test lab:
o An exact replica of the target network needs
to be created for some reason.
o Rarely built due to the expense, but they do
o Extreme attention to detail is required.
o Did the manufacturer change the chipset in
the middle of the production line?
o Even different network cables can alter the
speed of an attack and change the results.
• Ad hoc lab:
o Used to test one specific thing on a server.
o Discourage the use of ad hoc labs except in
o A formal process should exist to determine
exactly which type of lab is needed for each
pen test project.
• Selecting the right hardware:
o If money is no object, just get what you need.
o Dual-purpose equipment can stretch your
o Focus on the “most common.”
o If your work will be primarily Web-based attacks,
your focus should be on firewalls, proxy
servers, and Web servers.
o If your work will be mostly focused on network
architecture vulnerabilities, then the
important components you need are routers,
switches, IDS, and firewalls.
o If your team focuses on a niche target, like
perhaps supervisory control and data acquisition
(SCADA) systems, then your pen test
team may have more work available than
they can handle.
o You can get diverted into hiring expensive
subject matter experts or end up with a team
that needs significant now and ongoing
o Pen test training is more expensive than
many other types of training.
o Using firewalls that are software based, along
with swapping out for IDS/IPS software, can
help you stretch your budget.
o It is often better to purchase the more
expensive external versions of tape backups,
external hard drives, and monitors.
o Have a KVM (keyboard, video and mouse)
o Planning is important in setting up your lab.
o If your goal is to train or test on as many different
scenarios as possible, dual-use systems
are the way to go.
• Selecting the right software:
o BackTrack live CD.
o Using commercial tools can give you faster
results, but open-source tools make you
understand what is happening and what you
• Running the lab:
o Need a project manager, training plan, and
o Need a “team champion” from the ranks of