As part of a penetration testing exercise (external), what are the common security tools the test team would utilise when assessing the security of your organisation's traditional on-prem network “boundary defences”, i.e. perimeter firewall/UTM? Is it still primarily the port-scanning range of tools, or something new in 2022?
And for such external scans of a client's "boundary defence", what specific kind of vulnerabilities do such tools scan/test for? I appreciate each type of device or application has its own common vulnerabilities, but I wasn't sure specifically, when doing an external check, if it's looking for any particular weakness in the perimeter defence. I suppose the ultimate goal is to try and circumvent the perimeter controls to gain a degree of access to the client's private network environment.
Out of interest, when configuring their external scans/tests against a client's network perimeter security controls, what information does the client under review typically provide to the test team? I assume they need to configure their scanners to check against a specific IP address/range that represents the network boundary. I was always interested in the initial setup, as to how the security testers configure their tools to scan against a client network boundary/perimeter defence in such an exercise. E.g. do the test team specify something specific to the client's firewall in the scan's target config that then covers everything that can be checked (accessible to the outside world)? Or something more detailed than this? I've seen the process for vulnerability scans of servers, for example: you can enter hostnames, IP ranges, import devices from local AD, etc. But I have never seen the initial config of a scan when testing a network's boundary defence from the outside.
And is it typically a single scan of the client's network “perimeter”, or does the exercise require execution of multiple scans?
Assuming in this context boundary equals perimeter firewall/UTM device, are there 'common' vulnerabilities and exploits specific to those devices themselves that the external scan process will look for, as opposed to something they have found from an open port/protocol? Are these fairly uncommon, as I assume such issues would constitute a major oversight and misconfiguration, i.e. what is the root cause, what haven't the security/IT team done to create that risk: is it patching-related or something else?
I'd also be interested in whether they would look for specific ports/protocols as a priority, as there is an increased likelihood those specific ports/protocols could be exploited, above others which may be more challenging to exploit. I seem to recall cyber insurance companies do a similar scan of external-facing infrastructure, and things like basic RDP externally exposed would be a red flag for providing coverage. I know Nmap and the like will report any open port and running services, but it would just be interesting to know what specific open ports/protocols on your boundary are considered more risky (in the pen-test community's and the cyber insurance companies' view) than others, or whose services running behind them require extra security hardening, or which just point-blank should not be accessible to the outside world.
Out of interest, is the number of external scans you do/purchase based on your internal risk-assessment policy, or a requirement of any security standards your organisation has to comply with, which often require quarterly external and internal scans (e.g. PCI DSS)?
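The following is an added example, not part of the original post, illustrating two of the points raised above from the reviewing side: the client-supplied IP ranges that define the scope of an external scan, and which exposed services (RDP, SMB, telnet and the like) a reviewer or insurer would flag in the output of a port scanner such as Nmap. It parses Nmap's greppable (`-oG`) format. The in-scope CIDR ranges, the high-risk service list, and the scan output are all constructed for this example; the risk list is the example's own selection and the service names are the ones Nmap uses in its output.

```python
"""Added example, not from the original post: a defender-side review of
external scan results. It (1) checks every scanned host against the CIDR
ranges the client supplied as the engagement scope and (2) reads nmap
greppable (-oG) output and flags open services commonly treated as too
risky to expose on a perimeter (RDP, SMB, telnet, ...). The scope ranges,
the risk list and the nmap output below are all constructed for the example.
"""
import ipaddress
from typing import Dict, List

# Client-supplied in-scope ranges (constructed; documentation addresses).
IN_SCOPE = [ipaddress.ip_network(c) for c in ("203.0.113.0/28", "198.51.100.8/32")]

# Service names as nmap labels them, with the reason a reviewer would flag
# them. This list is the example's own selection, not a standard.
HIGH_RISK_SERVICES = {
    "ms-wbt-server": "RDP reachable from the internet (common insurer red flag)",
    "microsoft-ds": "SMB reachable from the internet",
    "netbios-ssn": "NetBIOS session service reachable from the internet",
    "telnet": "cleartext remote administration",
    "ftp": "cleartext file transfer and credentials",
    "ms-sql-s": "database listener reachable from the internet",
    "mysql": "database listener reachable from the internet",
    "vnc": "VNC remote desktop reachable from the internet",
}

# Constructed nmap -oG output: Host lines are tab-separated fields, and each
# port entry is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated (constructed sample)\n"
    "Host: 203.0.113.5 ()\tStatus: Up\n"
    "Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: filtered (997)\n"
    "Host: 203.0.113.9 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, "
    "445/open/tcp//microsoft-ds///, 23/filtered/tcp//telnet///\tIgnored State: filtered (997)\n"
    "Host: 192.0.2.7 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (999)\n"
    "# Nmap done (constructed sample)\n"
)


def in_scope(host: str) -> bool:
    """True if the address lies inside one of the client-supplied ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IN_SCOPE)


def parse_gnmap(text: str) -> List[Dict]:
    """Turn nmap -oG text into one record per (host, port)."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # "Status: Up" line carries no port data
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            records.append({
                "host": host, "port": int(parts[0]), "state": parts[1],
                "proto": parts[2], "service": parts[4], "version": parts[6],
            })
    return records


def review_exposures(records: List[Dict]) -> List[Dict]:
    """Flag out-of-scope hosts and open high-risk services."""
    findings = []
    for r in records:
        if not in_scope(r["host"]):
            # Scope control: a result for an address the client did not
            # authorise must be reconciled before anything is reported.
            findings.append({**r, "issue": "host outside the client-supplied scope"})
            continue
        if r["state"] != "open":
            continue  # only open listeners are exposures
        reason = HIGH_RISK_SERVICES.get(r["service"])
        if reason:
            findings.append({**r, "issue": reason})
    return findings


if __name__ == "__main__":
    for f in review_exposures(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']:<14} {f['issue']}")
```

On the constructed sample this reports RDP on 203.0.113.5, SMB on 203.0.113.9, and a scope violation for 192.0.2.7; the filtered telnet port is not reported because it is not reachable, and plain SSH/HTTPS/SMTP are left to the tester's judgement rather than flagged outright.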