TL;DR — enough jibber jabber. Show me the hardware list, dude.
So before I get into the nitty gritty of building the virtual lab where I’m planning to spend most of my time learning, testing, etc., I thought I should start by going through the hardware I have and why I grabbed what I did.
I started out with my trusty 2011 MacBook Pro, which has been a great workhorse for me for years now. It is one of the last models that gives the consumer easy access to install or replace the RAM as well as the HD. I eventually replaced the standard RAM and HD with more RAM and an SSD. Most of my testing, studying, etc. was done from this machine using VirtualBox. I focused on Debian, and it is still my preferred OS for standing up a server, but eventually I went from learning more about how an OS works to wanting to play with networking equipment.
Suddenly there was a resource crisis on my laptop. I could stand up something like pfSense and a small Linux VM in VirtualBox, but that was about it before I started running out of RAM. I was already neck deep in SIEMs, switches, routers and firewalls at work, but I wanted to know more. I needed a firewall, and I needed a bigger box, or at least a way to play with a firewall without killing the CPU and RAM on my only machine.
I debated buying a giant server, or a new laptop but I had a few constraints that needed to be met, mainly because of the very tiny apartment I live in. I needed MOAR, but it needed to be cheap and small. I also wanted to replicate a physical data centre or small business stack as much as possible given my budget and space constraints. Virtualising everything is great, but somebody somewhere is always going to have to plug something in. I wanted this experience.
Thus began my search for a tiny physical firewall. I wanted a small form factor headless PC with multiple NICs and the software to go with it. There are countless options for this, and I highly recommend getting one if you want to learn how a firewall or router actually works. Also… plugging it into your own home network really puts the pressure on you. If you set it up correctly, your network becomes way more secure than 99% of home networks. As a bonus, if you fuck up, you have real motivation to fix it because no internet = unhappy family!
In the end I went with a fanless PC that I bought from Ali Baba for very cheap and picked Sophos UTM Home Edition as my software of choice. I debated between Sophos and pfSense but went with Sophos due to my lack of knowledge in the network space. It was much easier to understand and more closely resembled the Palo Alto firewalls I was familiar with at work.
There are tons of instructions out there on how to download and mount the Sophos UTM ISO on a bootable USB and install from there.
The plans and gear then escalated quickly once I had a taste of the power of controlling a network. I was gifted a Cisco WAP371 from my friend @jimvajda who runs a great wireless networking site over at framebyframewifi.net.
Finally to put it all together, I grabbed a Cisco SG300 to put in front of the firewall. There were two reasons for this:
- I wanted gigabit ethernet with high performance for streaming high definition video from my media server (https://www.plex.tv/) to my Xbox and television, and
- I wanted a managed switch that had layer 3 capabilities. This was primarily so I could create a subnet managed from that switch that wouldn’t be routable to the firewall. In essence I wanted the same network segmentation you would get from a ‘core switch’ and a firewall in an enterprise environment. This was all in preparation for setting up my ‘malware lab’ which would provide a bit more network isolation and make me feel a little safer.**
The last piece in this puzzle was my virtualisation server. This would be the lab, the workhorse, the new media server, our family NAS — everything. Just like before, I needed something powerful, but quiet, and cheap… and, most importantly, small. My number one requirement for this server was size, followed by capacity planning capabilities and then cost. I also needed something that would run VMware ESXi, as I planned to virtualise everything, including my ‘malware lab.’
I eventually stumbled across a site that ultimately gave me the support, guidance and step-by-step instructions for getting VMware ESXi operational on a server that fit all of my needs (except price… but you can’t win ’em all). Paul Braren’s TinkerTry.com won me over and I had to go with the Supermicro SuperServer 5028D-TN4T. The reviews were good, the footprint was insanely small for the power, and the IPMI interface, hot swap drive bays, easy RAM installation, and 2 x 10GbE & 2 x 1GbE NICs were too good to pass up. I filled it with 64GB of RAM, a slow 4TB disk and 2 x 500GB Samsung Evo SSDs and was off to the races. Everything was then set up to be backed up onto two external hard drives, driven by rsync running on a Raspberry Pi 3.
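The backup arrangement above, as an added example that is not from the original post: a small POSIX sh script for the Pi that mirrors a source tree to two external drives with rsync, and refuses to write to a destination that is not actually mounted (otherwise an unplugged drive would mean rsync quietly filling the Pi’s SD card). The source and destination paths are assumptions.

```shell
#!/bin/sh
# Added example, not the original author's script. Mirror SRC onto each
# external drive in DESTS with rsync, skipping any drive that is not mounted.

SRC="${BACKUP_SRC:-/mnt/nas}"                            # assumed: share from the NAS VM
DESTS="${BACKUP_DESTS:-/media/backup1 /media/backup2}"   # assumed: the two USB drives

# Returns 0 when $1 is itself a mount point (a drive is mounted there).
# df -P reports the mount point of the filesystem holding the path; if that
# equals the canonical path, the directory is a mounted filesystem.
is_mounted() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ "$(df -P "$dir" | awk 'NR==2 {print $NF}')" = "$dir" ]
}

# Sync SRC into one destination. Returns non-zero without touching the
# directory when nothing is mounted there, so an empty mount point never
# receives a copy of the NAS on the SD card.
backup_to() {
    dest="$1"
    if ! is_mounted "$dest"; then
        echo "skip: $dest is not mounted" >&2
        return 1
    fi
    # -a keeps permissions/times, --delete mirrors removals, lost+found is skipped
    rsync -a --delete --exclude='lost+found' "$SRC/" "$dest/"
}

# Run every destination and return how many of them failed (0 = all good),
# which is what a cron job or a monitoring check wants to see.
backup_all() {
    failed=0
    for d in $DESTS; do
        backup_to "$d" || failed=$((failed + 1))
    done
    return $failed
}
```

Run it from cron on the Pi; a non-zero exit from `backup_all` means at least one drive was skipped or rsync reported an error.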
In summary, here is everything that I have set up at home for learning, researching, experimenting, etc. A small footprint on a mobile cart that fits under the kitchen bench (“kitchen counter” in the USA) with almost no sound meets all of the criteria for the wife acceptance factor! (The SuperServer is whisper-quiet and everything else is, too!)
- Belkin ADSL Router — “firewall” feature disabled & DMZ forwards all traffic to FW
- Sophos UTM Home Firewall on an x86 fanless J1900 Mini PC with 4 x 1GbE LAN ports
- Cisco SG300-10 10-Port Gigabit Layer 3 Managed Switch
- Cisco WAP371 Wireless Access Point
- Supermicro SuperServer 5028D-TN4T running VMware ESXi 6.5.0 (free edition)
- Raspberry Pi 3
- RÅSKOG Utility Cart from Ikea
**NB: This feature was something I didn’t really need — if you configure your network segmentation properly and trust your firewall and routing skills there are other ways to provide isolation. I still think it’s a good idea, because you can have a subnet that never reaches the firewall and so nothing can ever escape it, but it’s a bit of overkill and I don’t have the switch set up this way now. More on this in a later post.