Home Lab - Software (Part 2)

Virtualization Software


Proxmox VE

When I started using virtualization in my home lab, I went down the path most people do and installed VMware ESXi free version on my servers. It worked well for quite some time, but I started to realize that it was a bit limited for some of my projects. Desiring to learn about Software Defined Networking (SDN), I had to install a hypervisor that would allow these types of virtual networking devices to be the main switch type, so Proxmox VE (Virtual Environment) was it.

Once I installed Proxmox VE, I found it very stable, configurable and fairly easy to use with its intuitive web interface. What I like most is that it sports Debian Linux as the underlying operating system under the hood. Everything I knew about Linux could be applied to Proxmox VE. So any customization or functions the web interface didn't support, the command prompt was sitting there waiting for me to do Linux-fu magic. 

What I like about Proxmox VE:

  • Uses Kernel Virtual Machine (KVM) - virtualization is built into the Linux kernel which makes it efficient, stable and seamless
  • Supports two switch types - simple Linux bridges and Open vSwitch, a production-quality, multi-layer virtual switch
  • Snapshots and VM backups are easy as apple pie on the Fourth of July.
  • Smooth conversion of VMware VMs for use in a KVM environment using built-in qemu commands (think VulnHub!)
  • Efficient with CPU and memory usage, can run more VMs simultaneously than VMware (from my experience)
  • Virtual console (simulated video, keyboard, mouse) is much more stable than VMware's default console or even VMRC app (VMware Remote Console)
  • Option to use Linux-based LXC containers instead of or alongside virtual machines
  • Linked clones - can run several VMs from the same virtual base hard disk, changes are saved in a delta file, therefore the base stays read-only
  • Copying VMs from one server to another involves just copying a config file and a virtual hard disk file or even easier, just restore from backup!
  • If you want to, you can cluster Proxmox servers to manage all of them from one web interface and do easy live VM migrations
  • Open Source and free, although subscription license is available to get support and fund the project (encouraged)
I could go on and on, but you get the idea.
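The VMware-to-KVM conversion and the "copy a VM by moving its disk" points above are easiest to see as a script. The one below is an added example, not code from the original post or from the Proxmox project: it takes a VMware (VulnHub-style) disk image, creates a VM whose only NIC sits on an isolated lab bridge, and imports the disk with `qm importdisk`, which runs `qemu-img` underneath. The VMID, VM name, storage name (`local-lvm`) and bridge name (`vmbr1`) are assumptions for illustration; set `DRY_RUN=1` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): bring a VMware/VulnHub disk image into
# Proxmox VE and attach it to a VM whose only NIC is on an isolated bridge.
# VMID, VM name, storage name and bridge name are assumptions for illustration.
# DRY_RUN=1 prints the qm commands instead of executing them.
set -eu

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# qemu-img format name for a disk image, judged by its extension.
# (An .ova is a tar archive: untar it first and point at the .vmdk inside.)
disk_format() {
    case "$1" in
        *.vmdk)      echo vmdk ;;
        *.vdi)       echo vdi ;;
        *.qcow2)     echo qcow2 ;;
        *.raw|*.img) echo raw ;;
        *)           return 1 ;;
    esac
}

# import_vmware_disk VMID NAME DISK STORAGE BRIDGE
# Creates the VM, imports (and converts) the disk, attaches it as scsi0, sets it bootable.
import_vmware_disk() {
    vmid=$1; name=$2; disk=$3; storage=$4; bridge=$5
    fmt=$(disk_format "$disk") || { echo "unsupported disk image: $disk" >&2; return 1; }

    # The only NIC lands on the isolated lab bridge: no path to the outside network.
    run qm create "$vmid" --name "$name" --memory 2048 --cores 2 \
        --net0 "virtio,bridge=$bridge" --scsihw virtio-scsi-pci --ostype l26

    # qm importdisk converts the image into the storage's native format via qemu-img.
    run qm importdisk "$vmid" "$disk" "$storage"

    # Volume naming below matches LVM-thin/ZFS storage; directory storage names the
    # volume "<storage>:<vmid>/vm-<vmid>-disk-0.raw" instead.
    run qm set "$vmid" --scsi0 "$storage:vm-$vmid-disk-0" --boot order=scsi0
    run qm set "$vmid" --description "imported $fmt image $(basename "$disk")"
}

# Stand-alone usage: sh import-vm.sh 901 vulnhub-box /tmp/box/box-disk1.vmdk local-lvm vmbr1
if [ $# -eq 5 ]; then
    import_vmware_disk "$@"
fi
```

Run it first with `DRY_RUN=1` to review the `qm` commands, then without it on the Proxmox host. After the import, confirm in the web interface that the VM's `net0` really points at the isolated bridge before powering on a known-vulnerable box.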
 
One interesting note... I once needed a system to access a Cisco switch in a pinch, so I connected the serial console cable to the Proxmox VE server, connected to the hardware switch with minicom, a Linux terminal program for serial communications, then configured the switch for SSH access. Like I said, Proxmox VE is just Linux underneath, so whatever you can do with a normal Linux server, you most likely can do with Proxmox VE.
 

Networking

The most important item to get correct when building a virtualization server for information security is networking. You'll want to keep the right network traffic contained in the right place. It's critical that you keep your vulnerable VMs on an isolated virtual switch with no access to the outside networks, especially the Internet. Let's avoid giving bad guys more opportunities!
 

Linux Bridges

Linux bridges are just fine to use for security testing and learning. They are simple, run by the kernel and efficient. Your VMs can attach to a Linux bridge and can communicate easily.
 
You can set up Linux bridges like a dumb hub (all devices see all traffic) for SIEM/IDS monitoring (Security Onion), but I'll write up another post about how to do it since it's beyond the scope of what we're discussing here. 
 

Open vSwitch

Open vSwitch is a project to bring Software Defined Networking (SDN) to Linux. It provides:
  • Standard 802.1Q VLAN model with trunking
  • Per VM interface traffic policing
  • Visibility into inter-VM communication via NetFlow, sFlow, IPFIX, SPAN, RSPAN, and GRE-tunneled mirrors
  • OpenFlow protocol support (including many extensions for virtualization)
  • And many other advanced features...
As you increase your knowledge in your networking and information security journey, you may want to take advantage of some of these features, especially VLAN segregation. 

In my opinion, when starting out, use Linux bridges so you can focus on security topics. Keep SDN as a topic to learn when you need to test the security of these features. In Proxmox VE version 6.x and above, the web configuration interface supports both types of networking, so either is available when you need them. 
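Here is what "vulnerable VMs on an isolated virtual switch" looks like on a Proxmox VE host when you follow the Linux-bridge recommendation. The configuration fragment and the check script are an added example, not the post's own config or anything from the Proxmox project. The interface names (`eno1`, `vmbr0`, `vmbr1`) and the `192.0.2.0/24` addresses are constructed for illustration; the `bridge-ports none` idiom is the standard Proxmox/ifupdown2 way to create a bridge with no physical uplink. The check confirms the two properties that keep traffic contained: no physical port in the bridge, and no host IP address on it (otherwise the Proxmox host itself becomes a hop off the lab network).

```shell
#!/bin/sh
# Added example (not from the original post): an isolated Linux bridge for vulnerable
# VMs on Proxmox VE, plus a check that the bridge has no path off the host.
# Interface names and addresses are constructed for illustration.
set -eu

# Constructed /etc/network/interfaces sample, Proxmox (ifupdown2) style.
# vmbr0 carries the management IP and the physical NIC eno1.
# vmbr1 has no ports and no address: VMs on it can only reach each other.
INTERFACES_SAMPLE='auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
'

# iface_stanza FILE IFACE: print the "iface IFACE ..." stanza from an interfaces(5) file.
iface_stanza() {
    awk -v want="$2" '
        /^(auto|iface|allow-)/ { inblock = ($1 == "iface" && $2 == want) }
        inblock { print }
    ' "$1"
}

# bridge_is_isolated FILE BRIDGE
# Returns 0 if the bridge has "bridge-ports none" and no address/gateway,
# 1 if it is not isolated, 2 if the bridge is not defined at all.
bridge_is_isolated() {
    stanza=$(iface_stanza "$1" "$2")
    [ -n "$stanza" ] || return 2
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*bridge-ports[[:space:]]+none' || return 1
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*(address|gateway)[[:space:]]' && return 1
    return 0
}

# Stand-alone usage: sh check-bridge.sh /etc/network/interfaces vmbr1
if [ $# -eq 2 ]; then
    if bridge_is_isolated "$1" "$2"; then
        echo "$2: isolated (no uplink, no host address)"
    else
        echo "$2: NOT isolated or not defined"
    fi
fi
```

The check reads the configuration file rather than the live system, so it works before `ifreload -a` is run and can be kept in a pre-change review. It does not cover NAT or forwarding rules added elsewhere on the host, so also confirm there are no `post-up` iptables lines in the isolated stanza and that nothing else bridges `vmbr1` to an uplink.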
 

Offensive Systems

The best-known Linux distribution for information security is Kali Linux. There are others such as Parrot Linux (security edition), but Kali Linux seems to be the go-to for learning, and justifiably so.  

 

Kali Linux

Offensive Security has been providing Kali Linux for free for many years to make it the de facto standard for security testing. Before it was called Kali Linux, it was called BackTrack, which was also awesome for its time. It contains hundreds of tools for the security professional, both offensive and defensive.
 
In my home lab, I have two Kali Linux VMs installed, mostly so I can run one heavy task (like full network vulnerability scan) on one VM and another task on the second one simultaneously. I also have a third Kali Linux VM that is running the latest version to see what the new features include. Occasionally, I will deprecate the working versions and replace with the new version to get the latest tools and scripts. 
 
 
What's cool about using Proxmox VE and Kali Linux is the access to wireless adapters. Using a USB hub, you can attach multiple WiFi adapters to Proxmox VE and connect them to individual VMs. When you use WiFi adapters that support monitor mode, you can attack wireless networks with virtualized Kali Linux. How cool is that? 

The installation of Kali Linux into a VM is covered all over the Internet and YouTube, so I won't go into that here. There are, however, some general tweaks that I do after the initial install to customize it for my needs, mentioned here. You may want to create your own checklist to make things easier for you.

Defensive Systems

There are lots of defensive security solutions out there, but for the budding security professional, Free Open-Source Software (FOSS) is where it's at. One of the FOSS projects that rises to the top for aspiring blue teamers is Security Onion.
 


Security Onion

In 2008, Doug Burks started working on Security Onion, a Linux distribution for intrusion detection, network security monitoring, and log management. Since then, it has evolved from a distribution of defensive tools to a full-fledged Security Information and Event Management (SIEM) system. 

With the latest version 2.3.x, the following applications are included:
  • Network Intrusion Detection System (NIDS) - collect network events from Zeek, Suricata, and other tools
  • Host Intrusion Detection System (HIDS) - receive input from host-based event collection agents including Wazuh, Beats, and osquery
  • Static Analysis - import PCAP files (network packet trace files) for quick defensive static investigation and case studies
  • SOC (Security Operations Center) Workstation - SOC analysts can use local Linux tools to perform analysis of network and host events
 

The installation is also covered on the Internet, but it can be a bit more complicated than most Linux distributions. Some choices need to be made before starting, so you won't have to reinstall multiple times to get it right. I'll refer you to the Security Onion documentation for the multiple deployment architectures that it supports. My recommendation is to use the Standalone architecture, since all components run on one box. This type of deployment is typically used for testing and labs. 

Later versions of Security Onion require some hefty resources, so plan accordingly: a minimum of 12GB of memory and 100GB of hard drive space assigned to the VM. Keep in mind that all the available memory will be used regardless of the amount allocated, due to the number of processes that are running, so don't be alarmed. 

What's cool is that you can run Security Onion while attacking vulnerable VMs and see what the attacks look like to a blue team defender. Then you can dig out the packet trace files and look to see what anomalies that the scans and attacks show to become aware of what is happening on the network. This provides information which can be used to adjust firewalls, proxies and other devices to increase brick wall resilience around your infrastructure.
 
This has been part 2 of a 4-part series on building a home lab. See the other parts for additional information. 

Part 1 - Hardware

Part 3 - Networking    COMING SOON!
 
Part 4 - InfoSec    COMING SOON!