In some mail from Paul D. Robertson, sie said:
> On-site gives you physical access, and if I'm not auditing physical
> access, then I may require that you do the penetration testing remotely.
> I have to balance letting you on-site with my trust of you and your company.
> It is getting harder to tell the bad guys from the good guys, and I might not
> like the idea of finding out the hard way who's who.
What I like to arrange is to do testing on the firewall "unplugged" from
the internal network so thath there is minimal risk of "bad things"
happening or getting through.
When testing FW-1 setups, I also like to have a box on the "other side"
which I control, so I can see what packets get through - not just what