Building a Lab Pt.2 Software

After waffling on about the decisions I made when purchasing hardware for my lab, I thought it only fair to continue the waffle with software choices. I went through a bunch of different ideas and scoured the internet for information on setting up a decent lab that would be isolated enough to be safe. To be honest, when I started this I couldn’t find much out there, but two sites really helped me in the design phase:

  • http://proactivedefender.blogspot.com.au/
    • Specifically this post from 2012. Yes, it is old, but the architecture helped me visualise what I needed to do in order to draw up a network diagram that would let my wife browse Etsy safely while also letting me download and analyse malware. This is also where I got the idea to run ESXi on a big ol’ honkin’ server that would provide for all of my study needs and also house my media library, our family NAS, etc.
  • https://blindseeker.com/AVATAR/
    • Tony V Robinson wrote a self-published book about building VM labs. At the time I was researching how to set up my own lab, Tony was releasing drafts of what would eventually become a book you can now buy on Amazon. This book has single-handedly given me much more confidence and knowledge about how to set up a properly isolated network, and it was also the blueprint for my own lab. I won’t bore you with the details of my own lab design because I just copied Tony’s. You should support this man and buy this book. Keep in mind that it is self-published and has a few errors here and there, and the organisation isn’t ideal, but the content is what really matters, and it has helped me a lot.

At any rate, there are two levels to this lab: the family home network, and the lab networks where I’ll be doing my experimenting and learning. Rather than go into detail about the design, here is a picture of the basic network architecture.

[Figure: homelab network diagram]

Home Network

  • Firewall: Sophos UTM 9 Home Edition, running squid proxy, snort
  • Switch: Cisco small business switch software (fake IOS)
  • WAP: Cisco WAP software
  • Host Server: VMware ESXi 6.5.0
  • Media VM: Debian 8 with Plex
  • SIEM VM: Debian 8 with Splunk
  • Utility VM: Debian 8 (nmap, metasploit, all the other tools)

Lab Networks

NB: These are all VMs running inside the VMware ESXi host server.

  • Firewall: pfSense running squid proxy
  • SIEM VM: Debian 8 with Splunk
  • IPS VM: Debian 8 with Snort
  • Offensive Testing VM: Kali Linux 2 rolling build
  • Lab Jumpbox: Windows 7

The “AFPACKET” network zone is where I drop bad things. It is an isolated zone with a fail-close design: the only path in or out of it runs through the Snort box, which bridges the zone’s interface and the adjacent network interface inline using the afpacket DAQ. When the Snort box is turned off, nothing bridges the two interfaces, so there is no network access to that zone at all.
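For anyone wanting to reproduce the fail-close setup, this is the shape of the Snort 2.9 invocation that does it, added here as an illustration rather than copied from my own box or from Tony’s book. The interface names (eth1 facing the lab firewall, eth2 facing the isolated zone) and the config path are assumptions; substitute whatever your Snort VM actually has.

```shell
# Snort inline between two interfaces using the afpacket DAQ.
# -Q            : inline mode (packets are only forwarded if Snort passes them)
# --daq afpacket: use the AF_PACKET data acquisition module
# --daq-mode inline
# -i eth1:eth2  : bridge pair; traffic enters one side and leaves the other
#                 only while this process is running, which is what makes the
#                 zone fail closed when the Snort VM is off.
# Interface names and config path are assumed for this example.
snort -Q --daq afpacket --daq-mode inline -i eth1:eth2 -c /etc/snort/snort.conf
```

Neither eth1 nor eth2 carries an IP address on the Snort VM; they are pure bridge ports, so the Snort box itself is not reachable from the isolated zone. The Debian VM needs only its management interface addressed for Splunk forwarding and SSH.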

EDIT: I realised I’d left the second interface on the ‘jump box’ in place when I didn’t need to. It was removed after the initial setup and replaced with a firewall rule.