A: An "external" penetration test will examine the various resources available from anyone outside the security perimeter (i.e., the firewall). This testing could include the web/email servers, dial-in, wireless and VPN access. The "internal" penetration test will examine resources available to anyone inside the security perimeter. This could include employees, contractors, temporary employees, partners and attackers who manage to break through the external security perimeter.
A: The average external test is about 16-24 man hours, while the average internal test is 24-40 man hours. Factors that influence the external testing include the number of Internet-facing devices, the number of IP domains owned by the client, and whether there is wireless or dial-in testing to be performed. Factors influencing the internal testing include the number of servers, network users and remote locations.
A: Absolutely! Like any regular health checkup, network security audits should be performed annually. Some clients choose to alternate internal and external testing each year. Others perform quarterly testing to ensure that any problems can be quickly discovered and fixed. On a related note, some clients choose to routinely swap among their vendors who perform security audits. This provides the client a fresh set of eyes, toolsets and methodologies every 2-3 years.
A: Yes, there are definite differences between the two. IDS/IPS systems are typically either signature-based or behavior-based. Sometimes the functionality is built into devices such as firewalls and routers; other times it is built into blades that fit into a larger chassis. They can act as network- or host-based protection controls. Sometimes they are used as separate appliances with one or multiple network interfaces. While IDS/IPS systems are designed to provide a higher layer of security over a basic firewall, they do not typically understand or protect against application layer attacks such as SQL Injection, XSS, etc. This is why the PCI standard requires a WAF to protect Internet-facing web servers instead of just a firewall with IDS/IPS capabilities.
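The following Python script is an added illustration of the point above; it is not code from the original FAQ or from any vendor. It contrasts a firewall-style decision, which only sees the connection's addresses, ports and protocol, with a WAF-style check that parses the HTTP request and inspects the decoded parameter values. The server address, the sample requests and the two regular-expression rules are all constructed for this example and are far simpler than a real WAF rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

WEB_SERVER = "203.0.113.10"   # constructed documentation address for the web server


def network_filter_allows(src_ip: str, dst_ip: str, dst_port: int, proto: str) -> bool:
    """Firewall-style decision: only the 5-tuple is visible, so any TCP
    connection to the web server's HTTP/HTTPS ports is allowed, whatever
    the HTTP payload contains."""
    return proto == "tcp" and dst_ip == WEB_SERVER and dst_port in (80, 443)


# Minimal application-layer signatures, applied to URL-decoded parameter
# values. Constructed for this example; real WAF rule sets are far larger.
APP_LAYER_RULES = {
    "sqli": re.compile(r"(?i)('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*drop\s)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)"),
}


def parse_request_line(request: str):
    """Split the HTTP request line into method, path and decoded query
    parameters. parse_qsl performs the percent- and plus-decoding."""
    method, target, _version = request.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return method, parts.path, params


def waf_inspect(request: str) -> list:
    """Return (rule, parameter) findings. This is the step a packet filter
    or header-only inspection cannot perform: the request has to be parsed
    and its parameters decoded before SQLi/XSS patterns become visible."""
    _method, _path, params = parse_request_line(request)
    findings = []
    for name, value in params.items():
        for rule, pattern in APP_LAYER_RULES.items():
            if pattern.search(value):
                findings.append((rule, name))
    return findings


# Constructed sample requests, all carried over an ordinary TCP/443 connection.
SAMPLE_REQUESTS = {
    "benign": "GET /search?q=laptop+bags&page=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /login?user=admin%27+OR+%271%27%3D%271&pw=x HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss": "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def compare(request_name: str) -> dict:
    """Show both views of the same request: the firewall verdict and the
    WAF findings. The firewall allows all three; only the WAF distinguishes them."""
    req = SAMPLE_REQUESTS[request_name]
    return {
        "firewall_allows": network_filter_allows("198.51.100.7", WEB_SERVER, 443, "tcp"),
        "waf_findings": waf_inspect(req),
    }


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(name, compare(name))
```

Running the script shows the firewall verdict is "allow" for all three requests, while the WAF layer flags the second as SQL injection in the `user` parameter and the third as XSS in `q`. The same gap applies to an IDS/IPS that matches on network-level signatures without decoding the HTTP request, which is the distinction the answer above draws.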