This is the second part of my Virtual Home Lab for Blue Team Security tutorial. If you would like to review the previous introduction section of this blog series, please click here.
Introduction
In the previous section of this blog series, I reviewed the hardware recommendations for the implementation of this virtual home lab environment. It is possible to recreate a portion of this environment with only the components that you are interested in. This is possible because most of the systems do not rely on each other to have the whole network function. There are a few hosts and services that are required to run the basic home lab environment, however. I will cover those requirements throughout this blog post.
Hosts and Services
The act of creating a network topology is critical for the foundation of this home lab environment. A well-structured network topology serves as the backbone for all the interconnected devices and systems, ensuring seamless communication and data transfer. This dictates how different systems in a network are connected and how data is transmitted between them.
In the context of a home lab, the topology is even more crucial as it’s often a scaled-down representation of larger, more complex systems found in enterprises. The design of a robust topology for a home lab allows enthusiasts and professionals alike to experiment, learn, and simulate scenarios that they might encounter in real-world situations. This is important to remember when deciding what virtual machines to run within your environment.
The Baseline Configuration
The baseline configuration of your security home lab has to utilize several systems to serve the most basic functions. These systems would be…
- A Firewall
- This system acts as a first line of defense against incoming network traffic according to the set security policies. It essentially establishes a barrier between a trusted internal network and untrusted external networks.
- The software-based firewall that I would recommend using within this virtual home lab environment would be pfSense.
- An Attack System
- This system is designed to simulate malicious activities and generate traffic that mimics various threats. The use of this system will help evaluate the effectiveness of security measures and understand the vulnerabilities of the victim system.
- The attack system that I would recommend using within this virtual home lab environment would be Kali Linux.
- A Victim System
- The purpose of this system is to act as the target for the simulated attacks. This will allow for the exploitation of vulnerabilities and help configure a secure system.
- The victim system can be any OS, such as Windows, Linux, or MacOS. It could be beneficial to have several victim systems with different configurations to help understand a broad spectrum of vulnerabilities.
This simple set of systems would allow you to simulate attacks from the attack system against the firewall and the victim system. However, this environment is limited in several ways. The first issue is that it provides a limited basis for simulating attacks. In the real world, there are intermediary systems, proxies, load balancers, and more, which can alter the dynamics of an attack. Another issue is the lack of complexity: modern networks consist of multiple layers and systems such as intrusion detection systems (IDS), intrusion prevention systems (IPS), web application firewalls (WAF), and more. The final problem is a lack of realism. A real-world attack will often involve multiple stages and lateral movement within networks. A simple attack-victim setup might not capture the nuances of advanced threat actors or complex attack chains.
My Configuration
My configuration will consist of many different systems to help best simulate a corporate environment. This environment will help to simulate a variety of job functions in the field of cybersecurity. The systems that I will utilize are as follows:
- Firewall
- Security Information and Event Management (SIEM)
- Malware Analysis Systems
- Active Directory (AD)
- Windows 10 Host
- Linux Ubuntu Host
- Linux Server
- Kali Linux
I will also run several services within the home lab to simulate a corporate environment. The services that I will utilize are as follows:
- Antivirus
- AD Services
- Intrusion Detection System (IDS)
- Monitoring
- Docker
- Proxy
- Database
- Wireshark
I’m confident that once this simulated environment is finalized, it will offer a valuable learning experience.
The Network
Now it is time to define the network that is going to be assessed by the various virtual machines within this home lab environment. As previously mentioned, this lab will utilize various virtual machines, from a firewall to a Kali Linux host machine. After some planning, I have decided that this environment will use 6 VLANs. These VLANs will be as follows:
- VLAN2
- This VLAN will be for malicious traffic coming from the outside and will use the Kali Linux machine for this function.
- VLAN3
- This VLAN is for the corporate LAN network and various hosts will be using it. The various servers and client end devices (Such as the Windows 10 Host and the Linux Ubuntu Host) will access the network via this VLAN.
- VLAN4
- This VLAN is for the security virtual machine running Security Onion 2. This will allow this machine to have access to the internet so that it is possible to use public tools for analysis, such as VirusTotal, and to install and upgrade various tools.
- VLAN5
- This VLAN is also for the Security Onion 2 virtual machine, to direct traffic from the corporate LAN to it via a span port. This will simulate a security team network that has network permission to reach the corporate network to receive logs, files, emails, and more.
- VLAN6
- This VLAN is for the Security Information and Event Management (SIEM) solution known as Splunk.
- VLAN99
- This VLAN is for the isolated LAN network which contains virtual machines for malware analysis. This isolation is needed to safely perform both static and dynamic malware analysis without the risk of getting other machines infected.
Here is a table that will outline each VLAN with its name, VLAN number, subnet, and gateway.
| Name | VLAN | Subnet | Gateway |
| --- | --- | --- | --- |
| Malicious Traffic | 2 | 192.168.1.0 | 192.168.1.1 |
| Corporate LAN | 3 | 192.168.2.0 | 192.168.2.1 |
| Security Onion 2 | 4 | 192.168.3.0 | 192.168.3.1 |
| Security Onion 2 Span Port | 5 | Span Port | |
| Splunk | 6 | 192.168.4.0 | 192.168.4.1 |
| Isolated LAN | 99 | 192.168.99.0 | 192.168.99.1 |
VLAN Configuration
The next step is to create the networks within VMware so that the virtual machines can interact with each other.
In order to do this, within VMware go to Edit > Virtual Network Editor. After clicking through that dialog box, a window should appear showing the default configured networks. The next thing that will need to be completed is the addition of the network VLANs previously mentioned. You'll first need to click the Change Settings button, which will prompt you for your system's credentials. After that, click the Add Network… button and add the networks required for your home lab environment. It is important to set all of the network types to host-only.
When you are finished with the configuration it should appear similar to the configuration posted below.
The Network Topology
This is the network topology of the security home lab. It displays all of the hosts and servers and how they interact with each other, along with the VLAN segmentation. This network topology design was created using Draw.io.
Summary
In this section we have created the VLANs for the network, assigned subnets, and created a network topology for the home lab environment. The next section of this tutorial will start building the actual home lab environment, beginning with the setup and configuration of the pfSense firewall.
If you encounter any challenges or have questions about setting up your home lab, don’t hesitate to comment. I’m here to assist you!