Infrastructure
Hosts and services
The hosts and services you want in a lab vary depending on what you want to use the lab for. For me, I want to cover almost the whole suite: monitoring traffic with a SIEM, investigating incidents (DFIR, malware analysis, ...) and more.
Below are some of the things I want:
Firewall
Router (pfsense/opnsense)
Malware analysis machines (flare/remnux)
Host machines (Win 7/10)
Windows AD services
Web servers (linux/windows)
Attacker machine (kali linux)
DFIR capabilities (SIFT workstations)
SIEM (splunk/ELK stack/security onion)
Vulnerability scanner capabilities (nessus?)
IDS/IPS
Docker
EDR/XDR solutions
Reverse proxy
Network
After some consideration, I decided on 5 VLANs to segment the network.
VLAN 10 - Enterprise LAN. This VLAN will hold all the normal user machines.
VLAN 20 - DMZ. This VLAN will hold machines accessible by both the public and internal employees, such as the web server.
VLAN 30 - Security LAN. This VLAN will hold all the machines used for investigating incidents and monitoring the network. It emulates the security team in the network.
VLAN 40 - Simulated WAN. This VLAN simulates an external network to the lab environment.
VLAN 99 - Isolated LAN. This VLAN is where the malware analysis will take place. This subnet will not have internet access.
| Network        | Domain    | VLAN ID | Subnet          | Gateway      |
|----------------|-----------|---------|-----------------|--------------|
| Enterprise LAN | caby.bara | 10      | 10.10.10.0/24   | 10.10.10.1   |
| DMZ            | -         | 20      | 10.10.20.0/24   | 10.10.20.1   |
| Security LAN   | caby.bara | 30      | 10.10.30.0/24   | 10.10.30.1   |
| Simulated WAN  | -         | 40      | 10.10.40.0/24   | 10.10.40.1   |
| Isolated LAN   | -         | 99      | 10.10.99.0/24   | 10.10.99.1   |
| WAN            | -         | -       | 192.168.0.0/24  | 192.168.0.1  |
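Before typing an address plan like the one above into a hypervisor and a firewall, it is worth checking it for the mistakes that are painful to find later (overlapping subnets, a gateway that is the network or broadcast address, a reused VLAN ID). The following is an added example, not code from the original post: it transcribes the plan above and validates it with Python's standard ipaddress module.

```python
import ipaddress

# Address plan from the post, transcribed here as (name, VLAN id, subnet, gateway).
# VLAN id None marks the untagged WAN uplink to the home network.
PLAN = [
    ("Enterprise LAN", 10, "10.10.10.0/24", "10.10.10.1"),
    ("DMZ",            20, "10.10.20.0/24", "10.10.20.1"),
    ("Security LAN",   30, "10.10.30.0/24", "10.10.30.1"),
    ("Simulated WAN",  40, "10.10.40.0/24", "10.10.40.1"),
    ("Isolated LAN",   99, "10.10.99.0/24", "10.10.99.1"),
    ("WAN",          None, "192.168.0.0/24", "192.168.0.1"),
]


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    seen_nets = []   # (name, ip_network) entries already accepted
    seen_vids = {}   # VLAN id -> segment name
    for name, vid, subnet, gw in plan:
        try:
            # strict=True rejects "10.10.10.1/24": a host address given as a network
            net = ipaddress.ip_network(subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: bad subnet {subnet!r} ({exc})")
            continue
        gateway = ipaddress.ip_address(gw)
        if vid is not None:
            if not 1 <= vid <= 4094:
                problems.append(f"{name}: VLAN id {vid} is outside 1-4094")
            elif vid in seen_vids:
                problems.append(f"{name}: VLAN id {vid} already used by {seen_vids[vid]}")
            seen_vids[vid] = name
        # The gateway must be a usable host: inside the block, not network or broadcast.
        if gateway not in net or gateway in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {gw} is not a usable host in {subnet}")
        for other_name, other in seen_nets:
            if net.overlaps(other):
                problems.append(f"{name}: {subnet} overlaps {other_name} ({other})")
        seen_nets.append((name, net))
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["address plan is consistent"]:
        print(line)
```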
VLAN creation
The next step is to create those VLANs in VMware (or your hypervisor of choice) so that we can use them when configuring the environment.
To add the VLANs in VMware Workstation, go to Edit > Virtual Network Editor... > Change Settings > Add Network...
Do remember to disable the automatic DHCP allocation for VLANs 10 - 40 as we will be using pfSense to do the allocation! This can be done by unchecking the Use local DHCP service to distribute IP address to VMs option.

Network topology

pfSense
We will be using pfSense as our firewall/router. I chose it because it is well documented and fully open-source. It can also run common IDS/IPS engines such as Suricata and Snort, which I will add later.
Good materials to reference while setting up pfSense:
pfSense tutorial by Lawrence Systems
Installation
After creating the pfSense virtual machine, set up the machine by going through all the default options. There will be a prompt to reboot the VM. After the reboot, you should see something similar to the picture below.

Access the web interface by typing http://<WAN_IP> in your browser of choice. For me, it would be http://192.168.253.148. The default credentials to access the web UI are as follows:
Configuration
Basic configuration
Under System > General Setup, there are a few settings that we can change.
Hostname: I left it as default pfSense
Domain: caby.bara (I followed the domain I indicated here, feel free to put any domain you like)
DNS server: 9.9.9.9 (or Google servers 8.8.8.8 and 8.8.4.4)
Timezone: Etc/GMT-8 (8 hours AHEAD of GMT; note that the sign in the Etc/GMT zone names is inverted relative to the usual "GMT+8" notation) (I stay in the GMT+8 timezone so yea)