Security -- Test Lab

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
I do have an idea there are a number of Security specialists that read these forums.

I have been doing a bit of reading in connection with "secure-phones" and security in general.

SO
I have a number of devices ( mostly all CISCO ) that could be used for investigating security -- but -- lack the ideas of how to look at putting this all together.

I would like to set up a VPN to which I could connect my mobile phone also look at getting one or two public IP's to look at setting up security for my LAN's / WAN's ( local and wide area as well as distributed )
Things like pay-for public International VPN's for Internet access.

Things like DMZ's / multi-homed servers and secure DC & AD's etc etc ( the whole security picture )
Just really investigating all the different things one can do / setup seeing as I have the equipment ( or can look at getting more if needed )
I am more oriented to the practical hands on - setting stuff up physically
But background and methodologies also interesting

ANY ideas / Links / Suggestions / Case studies / Study notes very welcome and appreciated
 

PPLdude

Expert Member
Joined
Oct 3, 2011
Messages
1,618
This seems more suited to a Sysadmin and not a Security Specialist (Setting these things up)

Static IP - OpenVPN Server - DMZ - Samba (Note: It's not a full DC) -> All of this can be run on a single Linux Box
Then launch VMs to your heart's content

*EDIT*

Never mind, after re-reading the post it seems you most likely already know this
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,655
> I do have an idea there are a number of Security specialists that read these forums.
>
> I have been doing a bit of reading in connection with "secure-phones" and security in general.
>
> SO
> I have a number of devices ( mostly all CISCO ) that could be used for investigating security -- but -- lack the ideas of how to look at putting this all together.
>
> I would like to set up a VPN to which I could connect my mobile phone also look at getting one or two public IP's to look at setting up security for my LAN's / WAN's ( local and wide area as well as distributed )
> Things like pay-for public International VPN's for Internet access.

I don't follow this, what do public IP's have to do with security for your LAN / WAN?
What are you actually looking to achieve, just saying "security" is simply too broad.

For example, on the LAN, you might want to secure the physical access ports and authenticate the wireless, so you introduce 802.1x
You might want to go deeper and set specific policies based on device posture and compliance, then you would introduce NAC (for Cisco that would be ISE)

Perhaps you would like to do away with access-lists or move towards a more flexible way to secure the LAN and pass user information, so you implement TrustSec and use SGT's to tag traffic.

Securing the WAN again is too broad a statement, what are you trying to secure.
The best way to deal with security is to have a security policy, what does the business require from security, that should drive the technology.

> Things like DMZ's / multi-homed servers and secure DC & AD's etc etc ( the whole security picture )
> Just really investigating all the different things one can do / setup seeing as I have the equipment ( or can look at getting more if needed )

I loathe multi-homed servers, this implies bridging networks and almost never is required. If the server is compromised, then access to 2 networks and possibly more is automatic because of the bridging.


> I am more oriented to the practical hands on - setting stuff up physically
> But background and methodologies also interesting
>
> ANY ideas / Links / Suggestions / Case studies / Study notes very welcome and appreciated

You should decide what you want to secure, and then discuss that. I guess you could go up the OSI layer and use that to guide you, so how do you secure physical items, then layer 2 (MacSec etc)
 

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
Ideas

> I don't follow this, what do public IP's have to do with security for your LAN / WAN?

Well to have access to the wide wide World one needs public IP's
In order to look at Wide area networks and setting up routing and VPN's

> What are you actually looking to achieve, just saying "security" is simply too broad
> You might want to go deeper and set specific policies based on device posture and compliance, then you would introduce NAC, (for cisco that would be ISE)
> You should decide what you want to secure, and then discuss that. I guess you could go up the OSI layer and use that to guide you, so how do you secure physical items, then layer 2 (MacSec etc)

As I mentioned I do not yet know what I need to do -- reason for this post.
I understand that there are a number of different areas --

Individual machines and Operating Systems

Networks

LAN's & WAN's

All having particular aspects of their own

As far as the side of setting stuff up physically not a problem
It is looking at the bigger aspects and ideas of securing the complete system where I need ideas ...

Note about multi-homed system noted -- thought about this in terms of DMZ ...?
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,655
> Well to have access to the wide wide World one needs public IP's
> In order to look at Wide area networks and setting up routing and VPN's

It's fairly obvious you need a public to access the internet. That, however, doesn't really have much to do with security. Wide area networks don't necessarily need public IP's either and neither do VPN's.

> As I mentioned I do not yet know what I need to do -- reason for this post.
> I understand that there are a number of different areas --
>
> Individual machines and Operating Systems
>
> Networks
>
> LAN's & WAN's
>
> All having particular aspects of their own
>
> As far as the side of setting stuff up physically not a problem
> It is looking at the bigger aspects and ideas of securing the complete system where I need ideas ...

It is almost never possible to protect everything due to budgets, which makes securing the "complete system" very challenging. You would normally protect the most common attack vectors and then utilize your time and money protecting the most valuable assets.

> Note about multi-homed system noted -- thought about this in terms of DMZ ...?

Not 100% sure I'm following, the idea of a DMZ is to isolate the traffic from other areas of the network and ensure they are going through a firewall or some kind of security inspection. Dual homing normally negates this, if you have an interface in the DMZ and another on a LAN or another network, it means you can either bypass inspection totally if the server is compromised or access another part of the network. Either way, it's not secure and not ideal. The fact the server is in a DMZ means it's likely accessible from the internet and has a certain risk attached to it, the dual homing puts the network at a greater risk.
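
The dual-homing point above, as an added example that is not from any poster in this thread: a short Python audit that lists which segments a DMZ host could reach without passing the firewall, following chains of multi-homed hosts. The inventory, host names and segment names are constructed for illustration.

```python
from collections import deque

# Constructed lab inventory: host -> segments it has an interface in.
INVENTORY = {
    "web01":    {"dmz"},
    "proxy01":  {"dmz", "lan"},    # dual-homed: DMZ and LAN
    "backup01": {"lan", "mgmt"},   # dual-homed: LAN and management
    "dc01":     {"lan"},
    "sw-mgmt":  {"mgmt"},
}

def multihomed(inventory):
    """Hosts with interfaces in more than one segment."""
    return {h: segs for h, segs in inventory.items() if len(segs) > 1}

def bypass_paths(inventory, start="dmz"):
    """Segments reachable from `start` by hopping only through multi-homed
    hosts, i.e. without crossing the firewall.
    Returns {segment: [bridging hosts in order]}."""
    bridges = multihomed(inventory)
    paths = {start: []}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for host, segs in sorted(bridges.items()):
            if seg not in segs:
                continue
            for nxt in sorted(segs - {seg}):
                if nxt not in paths:          # first (shortest) path wins
                    paths[nxt] = paths[seg] + [host]
                    queue.append(nxt)
    del paths[start]
    return paths

def report(inventory, start="dmz"):
    """Human-readable findings, one line per exposed segment."""
    return [
        f"{start} -> {seg} uninspected via {' -> '.join(hops)}"
        for seg, hops in sorted(bypass_paths(inventory, start).items())
    ]

if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

An empty report means every path out of the DMZ has to cross the firewall, which is the isolation a DMZ is meant to give.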
 