There's more to network security than just penetration testing. This chapter discusses software tools and techniques auditors can use to test network security controls. Security testing as a process is covered, but the focus is on gathering the evidence useful for an audit.
Assessing security controls involves more than simply scanning a firewall to see what ports are open and then running off to a quiet room to generate a report. It is natural for security engineers to gravitate toward technology and focus on technical security control testing (otherwise known as penetration testing), because it is likely the "fun" part of security for most engineers. Conducting a penetration test is like throwing down the gauntlet to security professionals, and it gives them an opportunity to flex their hacker skills. Testing security as a system, however, involves significantly more than launching carefully crafted evil packets at the network to see what happens. This chapter discusses software tools and techniques auditors can use to test network security controls.

The link for this article located at informIT is no longer available.