Always wanted to build an infosec lab and not sure how? Well, let me show you how to build an infosec lab the right way! In this article I will be focusing on a live-system lab rather than an offline lab, since an offline lab is not as realistic as a live system.
I will explain various firewalls, SIEMs, IDS/IPS, web proxies, virtual machines, domain controllers, pentesting systems, vulnerability scanners and all that good stuff. The size and complexity of the lab are down to you: we can go from building a lab from scraps to building a complex lab, depending on your budget.
Planning The Lab
The first and most important step into building an Infosec lab is planning!
“If I had eight hours to chop down a tree, I’d spend 6 of those hours sharpening my axe” - Abraham Lincoln
Ask yourself some questions like:
- What will you use it for?
- What type of lab do you want?
- What type of resources do you have at hand?
- What testing do you want to do?
- Would you want a single powerful system or several power-efficient systems?
- What's your budget?
When answering these questions you have to be realistic and honest with yourself; you may want a superlab but not have the budget for it.
What resources do you have that you can put together? What old systems can you recycle, or could you turn a single powerful machine into a virtualisation server?
Do you want to replicate a production environment, or test different tools with various OSs on an offline system?
Offline lab:
- Can help you familiarise yourself with the interface, but not really realistic
- Fast and easy to deploy
- Does not impact network performance
Live lab:
- The closest experience to a real scenario
- Real-time data
- Requires hardware and a more complex set-up
In the lab, you want to have the following:
- Type 1/Type 2 Virtualisation
- SIEM & Web Proxy
- Domain Controllers
I will give my recommendations on which programs to use for setting up a live system; based on the programs you select, you will then need to plan the hardware side of what you need in order to build the lab you have always wanted.
We can't run every program shown on the list, as the list outlines the common applications that are used in production environments. To narrow it down I have chosen a selection of programs to start with, as they are much easier to configure and will give you a deeper understanding of building a lab.
Proxmox is an open-source, Linux-based virtualisation environment which can be installed on bare metal and controlled/configured from a web browser. There are various online tutorials on how to set this up and step-by-step guides on YouTube.
pfSense is an open-source firewall/router based on FreeBSD, and it would be the first thing to install in the lab. pfSense has plugins/extensions which save us time and let us centralise most things: an IPS by installing the Snort package, a web proxy by installing the Squid package, and a VPN using the OpenVPN add-on.
Splunk has a free edition which is a great SIEM and quite easy to set up; they have a free course on how to use Splunk on their website, and again there are various step-by-step tutorials and YouTube videos on how to set up and configure Splunk.
Hardware would be the next selection on our list. Looking at the programs above, I had a look at the minimum requirements for each one and came to a total minimum requirement of:
- CPU - 4 cores
- RAM - 16GB
- Storage - 250GB SSD
That is the bare minimum to run the lab; of course, I would double it up to sit more comfortably, or have one machine for your SIEM, proxy and firewall and another machine for your attack boxes, scanners, forensics, etc. The beauty of building a lab is that you can customise it the way you want: which programs you run and which hardware you run them on.
There are great builds out there which you can buy off the shelf and just add a hard drive and/or more RAM. You could buy brand new or reconditioned builds, or even old servers that Amazon or Google have finished with, which can be purchased at a fraction of the price. I have picked myself up some great builds really cheap off eBay, stripped out what I needed and kept the other components as spares.
- Dell Optiplex
- Intel NUC
- Gigabyte BRIX
Or, if you want to build your own from scratch and have a nice budget, there are websites like PCPartPicker where you can build a system to your liking and it will break down the price of each component.
Next up you will need a smart/managed network switch to manage the VLANs, open and close ports, control bandwidth, etc. You can buy smart network switches from Amazon, eBay or your local PC store if you are supporting local businesses. The number of ports needed is down to your customisation and what you intend to plug into the switch. I would keep the lab network separate from the rest of your network, especially if you're running vulnerable programs or opening malware.
Raspberry Pis or any SoC boards would be a great addition to the lab, as much modern software is now ARM-compatible: a Raspberry Pi loaded with Kali Linux can serve as your attack machine, a firewall, an IDS or a Splunk universal forwarder. There are many other uses, from building a deliberately vulnerable web server to practise your pentesting on, to building a cluster of Raspberry Pis for your lab.
Now that everything is downloaded, the hardest part of building the lab will be connecting each program and piece of hardware to the network while keeping the hardware separated using VLANs. I have created a rough diagram to show this visually. As seen in the diagram, I have the internet going into the modem, then from the modem into port 1 of the smart switch, the lab into port 2, the wireless router into port 7 and the work computers into port 8. Each portion of the network can be labelled on the smart switch, for example VLAN 10, VLAN 20, VLAN 30, VLAN 40, etc.
Things to look out for are double NAT, default passwords on devices and misconfigurations. Once all of this is done, most of the battle is over, but getting to this point is what will test you unless you're a network genius.
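As an added example (my own, not the article's), here is a small Python check for a VLAN plan like the one in the diagram: it flags overlapping subnets and any firewall flow that would let the lab segment talk to the work or wireless segments. The subnets, the VLAN-to-port mapping and the flow policy are constructed assumptions.

```python
# Sanity checks for a lab VLAN plan. Subnets, the VLAN-to-port mapping
# and the flow policy below are constructed assumptions for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int      # 802.1Q VLAN id configured on the smart switch
    name: str
    subnet: str   # assumed subnet for this VLAN
    port: int     # switch port the segment is plugged into


# Assumed mapping of the article's switch ports to VLANs 10-40
PLAN = [
    Vlan(10, "lab", "10.10.0.0/24", 2),
    Vlan(20, "wireless", "10.20.0.0/24", 7),
    Vlan(30, "work", "10.30.0.0/24", 8),
    Vlan(40, "mgmt", "10.40.0.0/24", 3),   # Proxmox / pfSense admin access
]

# Flows the firewall should pass, as (source, destination) VLAN names;
# "internet" stands for traffic leaving through the modem on port 1.
POLICY = {
    ("lab", "internet"),
    ("work", "internet"),
    ("wireless", "internet"),
    ("mgmt", "lab"),
}


def overlapping_subnets(plan):
    """Pairs of VLAN names whose subnets overlap (a common misconfiguration)."""
    nets = [(v.name, ipaddress.ip_network(v.subnet)) for v in plan]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def isolation_violations(policy, isolated="lab", allowed_peers=("internet", "mgmt")):
    """Flows that connect the isolated segment to anything but its allowed peers."""
    bad = []
    for src, dst in sorted(policy):
        if isolated in (src, dst):
            other = dst if src == isolated else src
            if other != isolated and other not in allowed_peers:
                bad.append((src, dst))
    return bad


def vlan_for(ip, plan):
    """Name the VLAN an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((v.name for v in plan
                 if addr in ipaddress.ip_network(v.subnet)), None)


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(PLAN))
    # a mistaken lab -> work rule would be reported here
    print("violations:", isolation_violations(POLICY | {("lab", "work")}))
```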
Building an infosec lab is a great way to gain experience in red or blue team tasks, test projects, and try out new tools, malware, payloads, patches and so on. From the basics all the way to a fully customised, real-time data lab, it can be as cheap or as expensive as you make it, depending on what you are testing, your budget and your resources. Every professional or newbie in a red/blue team role should have at least a basic infosec lab for testing new ways to better themselves, finding new ways to secure the company they work for, or building a payload for a specific company they are testing. There are numerous ways to build a lab, and I would encourage you to go out and look at the variety of approaches to find the one suited to your needs.