Network Topology
I am planning to add a penetration testing lab and web server to my existing home network. Here is the design I have been working on and considering implementing. I am looking for suggestions and constructive criticism. Keep in mind that I am only exploring possibilities and that I have a lot more thought to put into this before thinking about getting started.
The idea is to allow the lab to have internet connectivity, while keeping it separate from my private network and the DMZ where the web server will be located.
I would like to be able to experiment with penetration testing on multiple target machines as well as wireless penetration testing which is why I want to do it like this as opposed to a virtualized network on a single system.
Start with just one thing at a time. It looks fine to me, but putting the web server in the DMZ zone leaves it wide open. Maybe that's your intentions though.
The Kali Linux setup look real nice too; however, what hypervisor will you use to host more than one OS on a server that'll allow possible remote connections from thin-clients for privilege escalation testing?
I know you own a Vizio Smart TV now, ha-ha I am not laughing at the TV I am laughing that I know now.
I was thinking of using Virtual Box with bridged network options. That should allow me to use multiple VMs with their own IP addresses. The TV is actually segregated from my private network at the moment. I am not sure why I set it up that way… but I did.Its not really a security measure, due to the fact that if the hard-wire network connection goes down on the TV it automatically joins the WIFI connection of my private network. I would definitely want my web server behind the first firewall, but in front of the second. As it could be an easy system to compromise. Should someone manage to do so, they would still have to navigate out of the DMZ into my private network before doing any real damage. It is my understanding that a DMZ is the proper home for a web server to live.
@Rex What are you referring to with the word 'Bump?
I would want something in front of mine, not sure as of what, so I would ask Rex
My thought was that the firewalls on either side of the web server would only allow traffic inbound to or outbound from the web server on ports 80 & 443 (http/https traffic). The penetration testing environment will be able to communicate with the outside world only, but traffic to or from it would be blocked from the private network. As an added measure of security, the penetration testing lab would be shut down when not in use.
I bumped it because it dropped out the latest threads for no good reason, and I wanted to keep it in the list.
The DMZ will only be wide open if you use the inbuilt router option, and that's like the exact opposite of what you actually want.
The 2 router way is the option you want to go with
Internet ––> firewall––> 192.168.1.DMZ Router––>firewall—–> 192.168.2.Home Network Router
The wireless router that connects you to the Internet becomes your DMZ router, so first configure your existing router to use the 192.168.1.x network.
Next, plug a computer into one of the Ethernet ports of your second wireless router and configure it to use a different private network address like 192.168.2.x
Plug the WAN port of the second wireless router into one of the Ethernet ports on the DMZ router, then connect all of your computers and devices to the second router.
Anything you want to have live in the DMZ, such as your web server, configure its IP address and plug it into the first router.
And that's about it.
As an added measure of security, the penetration testing lab would be shut down when not in use. You should probably prevent the Googlebot from indexing your pages, or Googles cache can be accessed to look at the various links, pages, and overall structure of your site while you have it offline, so that a targeted attack can be ready for when you do turn it back on.
very informative. Thanks, Lets hear some suggestions on firewalls/routers. Is it worth while to invest in actual hardware fire walls to provide security for a DMZ or do people believe proper configuration on routers is sufficient. I realize that the amount of security implemented is best decided through risk analysis and that the amount of security cost should be at an appropriate level to that of the assets being protected. Another thing I have thought about is the complexity of the option I choose. After all if it becomes to difficult to manage correctly, the security as already at a loss. I do however want to over step the needs as a learning tool to advance my experience in networking as a whole.
I like the eset nod 32 firewall, but recent advisories have highlighted major vulnerabilities in most of the widely used anti virus platforms, so I'd expect a determined hacker could also find exploits in most of the popular software firewalls too, and the same would be expected for hardware firewalls. In your case, I'd just go for the easy software option, and I wouldn't be too concerned about your firewalls being bypassed if you keep them up to date, and configure them right. Also, just to be safe I'd use 2 different firewalls, so that a single working exploit can't be used to bypass both layers of protection.
There good software out there and the best is usually the one people use the least or at least are unaware of at the current time. Although if its good it usually gets a lot of public attention anyway, so its hard to say.
If I were to host a virtual challenge for people to access from my site and this site. I would rather physically separate the two networks rather than segmenting them with hardware or virtually through networking hardware, but that's just me.