I have this new project in which I am involved at the moment. We have to develop a methodology for penetration testing of Internet, extranet and any remote connection modules.
The objective of External Penetration and Vulnerability Testing is to
measure the exposure of online services to attacks from the Internet and
other external access points, and evaluate the effectiveness of our network
controls, including firewalls, routers, IDS and servers, to guard against
such attacks.
I would like to identify vulnerable entry points into the network through various
Internet and Extranet links as well as dial-up access and other untrusted
connectivity. While doing all this, I thought it would be a good idea to test all web apps and
databases for any known problems.
Does anyone have any advice on how one would go about doing this? What else am I missing?
When we get to actual testing, should we use any commercially available products? Any
good links on locking down RADIUS servers? Do you think it's worth getting someone from
the outside as a consultant to help out?
Or just any advice or suggestion on the topic would be helpful.



