Due to SOX requirements, we are supposed to perform penetration testing on the firewall to ensure it is working as accordingly. There are tons of info on the web, I am almost complete novice at this, I would appreciate if you could advise me on how should I go about doing this? I need to write a procedure to do this yearly.
download Nessus ( http://www.nessus.org/ ) - the free version. It's one of the better scanners for it's price (free). The biggest difference between the free version and the licensed version is updates are delayed a week for the free version.
lots of good options and tests for TONS of vulnerabilities.
There is a GUI frontend which works well once it is configured. YOu can try that too.
It is called INPROTECT. Try that out.
A vulnerability scan is NOT penetration testing. It's sad that professionals would comment/recommend such an action without freaking knowing the difference between vulnerability scanning and penetration testing. Vulnerability scanners are automated tools looks for specific (often known) vulnerabilities in given technologies. Penetration testing is actually performing tests to evaluation vulnerabilities found by scanners, but much more importantly perform tests to compromise systems that are most often not enumerated or disclosed with the scanners.
@rcoleman67 this thread is 13 years old. The state of maturity in the pen testing world is a bit different now than it was in 2007.