├── Network_Diagram.png
├── README.md
├── SOC Change Request.pdf
└── VLAN_ACL_ EXAMPLES.txt

/Network_Diagram.png:
https://raw.githubusercontent.com/SanchezSecOps/Cybersecurity-HomeLab/560f78ae7f701a6873583eae3e4cfb127455322d/Network_Diagram.png

/README.md:

# **CYBERSECURITY-HOME-LAB**
Describing and documenting the process of deploying a HomeLab for security research and training.
This is for anyone looking to get into the world of InfoSec/Cybersecurity.

## **OVERVIEW**

This project outlines the entirety of building and deploying a lab environment within my home network while keeping it isolated and without being overly dependent on 3rd-party virtualization. I am prioritizing the use of physical hardware to better understand the behavior, maintenance, and problems of on-premise equipment in a simulated enterprise network. Furthermore, prioritizing physical hardware makes me more aware of hardware considerations and limitations when deploying new services, applications, hardware components, etc. Virtualization will be a big part of this lab, but it will be locally hosted on specially procured hardware, making me responsible for updating and securing the machines and the services on them.

## **NETWORK ARCHITECTURE & INFRASTRUCTURE**
*Detailed change request documents and network diagrams can be found in the* [Change Request DOC](SOC%20Change%20Request.pdf)

**Before launching my home lab I had to consider how this lab's traffic would flow and whether my existing infrastructure could support it**
- Considering the nature of the lab, I'd like it to have as little contact with my existing home network as possible. To achieve that isolation I'll need more advanced features from the networking devices in the internal (Home) network. These devices must support VLANs, 802.1Q tagging, port forwarding, firewall ACL rules, stronger security protocols like WPA3, and multiple broadcast domains.
- My existing infrastructure was an ISP-provided modem and SOHO router with basic features. The ISP keeps the router's admin interface pretty locked down and significantly limits control over the network. A new router will need to be purchased along with a layer 2 switch for further isolation and ACL configuration.
- Consumer hardware will allow for more control than the locked-down ISP router/modem but still lacks advanced networking features. Enterprise hardware would solve all our networking needs but is not a cost-effective solution. Business-class solutions in this case will give us the advanced networking features we need while being more cost-effective.
- TP-Link has business-class networking solutions that will provide the necessary upgrades to my current network infrastructure and allow centralized control of the network.

### Hardware & Software Allocation

**Infrastructure allocation**

- TP-Link Router: 802.11AX WAP, 1x 10Gb/s SFP, 5x 1Gb/s RJ-45 LAN/WAN
- TP-Link Switch (managed/L2): 8x 1Gb/s RJ-45 ports supporting advanced security features: ACLs, 802.1Q, STP, LAG
- CAT6 550MHz FTP shielded cabling

**Lab Devices**

- 802.11AC WAP Router, 3x 1Gb/s RJ-45 ports, VPN server, WPA2/WPA3, 2.4GHz & 5GHz
- L2 managed switch with VLAN and port mirroring/SPAN support
- Sacrificial clients
  - *Vulnerable Windows client (physical device)*
  - *Vulnerable Linux desktop VMs*
  - *Vulnerable server VMs*
- Administration interfaces
  - *Fedora VMs across different computers for remote/LAN access via VPN or ethernet*
- Virtualization servers (repurposed and upgraded mini PCs)
  - *Server 1: 14th Gen U9-185H CPU, 64GB DDR5 RAM, 3TB NVMe, 2x RJ-45 NICs*
  - *Server 2: i7-1195G7 CPU, 64GB DDR4 RAM, 2TB NVMe, 1x RJ-45 NIC*
- Kali Linux laptop for penetration testing exercises & vulnerability scanning

**Lab software**:

- Security Onion SIEM
- Elastic Fleet/Agents
- Kibana
- Proxmox VE (type 1 hypervisor)
- Linux, Windows, and macOS
- T-Pot
- Zeek
- Suricata

### Infrastructure Upgrades
Since my home network is "technically" a production environment where other household members are WFH employees & business contractors,
I cannot spontaneously push untested upgrades into our internal network since there is potential for monetary loss.
- Scheduled network downtime when no business operations are being conducted
- Used network diagrams to plan, configure, and deploy the newly designed network architecture
- The new architecture calls for a segmented internal network to improve security with separate broadcast domains, enforced with other security features
- Untrusted networks will have the below security measures
  - *Security Configuration: WPA2, captive portals, 802.1X, ACLs, complex passwords, UTM suite, IPS/IDS, VPN w/ RADIUS authentication, and SIEM monitoring*
- Trusted networks will have the below security measures
  - *Security Configuration: WPA3, complex passwords, ACLs, etc.* (not great practice to publish all my security measures)

### Architecture planning
Following my new network design, this is a brief overview of the planned architecture.
*Once again, more detailed and technical documents can be found in the* [Network Diagram](Network_Diagram.png)

### Network Segments
802.1Q VLANs may be commonplace in enterprise environments, but having them work properly with other security features on non-enterprise hardware
can be tedious, considering (in my case) the entire network needed to be redesigned with brand-new hardware.

| **VLAN ID** | **PURPOSE** | **DEVICES** |
|----------|-------------|------------|
| **1** | *INTERNAL* | Main Router/Switches, PCs, Phones, etc. |
| **2** | *IoT* | IP Cams, Appliances, etc. |
| **3** | *GUEST* | Any guest device |
| **4** | *LAB* | Virtualization Servers, Router, L2 Switch |
| **5** | *HONEY NET* | T-Pot VMs |
| **6** | *SAN* | Family File Servers, Media Servers, Archive Storage |

## **DEPLOYMENT**
Deployment of this new network wasn't without its challenges, but that was mostly because I was transitioning what had been a generic star SOHO network into a secure and highly specialized environment.

### **First Phase: Infrastructure Upgrade**
1. There is no ethernet wiring throughout my home, and the wiring that supports the current network was in another room, so, in a somewhat crude manner, I simply cut a hole through the wall and added low-voltage mounting plates to run an ethernet cable to where the lab will be located.
2. After the wiring was in place and the maintenance window was open, I began powering up my new networking devices (main router and switch) while leaving the current setup active.
3. Following the plan I previously designed, I began segmenting the network and establishing IP ranges for each segment.
4. Once the new router had the proper network configuration, I powered down my old router, reset my modem, and connected the new networking devices.
5. From there I went around my home connecting all devices to their designated segment and ensuring they were within their proper IP range.

### **Second Phase: Security Testing**
1. Once WAN connectivity was established, my next step was to implement and test ACLs to ensure isolation. *See [VLAN ACLs](VLAN_ACL_%20EXAMPLES.txt) for more details.*
2. Testing the network's isolation from other segments began with pinging devices to ensure those devices/networks were unreachable even with ICMP.
3. Finally, I attempted to crack and brute-force network segments utilizing the WPA2 protocol to verify the PSK complexity was sufficient.

### **Third Phase: Lab Deployment**
*To support the lab I envisioned, with a wide variety of tools and services in my attempt to replicate an enterprise network, I was going to require powerful and versatile computing resources.*
1. Two PCs needed an upgrade since their stock components weren't sufficient for my purposes. Each was upgraded to 64GB RAM, totaling 128GB of memory between my two virtualization servers.
2. I wiped the internal storage devices on both PCs using AOMEI Partition Assistant as a security measure since they were acquired on the second-hand market.
3. Internal 802.11 devices were removed to limit my attack surface from external threats, since configurations on this network segment will at times be purposefully vulnerable for experimentation.
4. Using a spare NVMe SSD & M.2 enclosure, I flashed a Proxmox VE ISO onto it to create the installation media for my type 1 hypervisor servers.
5. Proper installation of Proxmox VE requires simple hardware configuration in the UEFI settings.
6. Next I needed to deploy the lab's dedicated networking infrastructure: 1x router, 1x switch, 7x CAT6 patch cables.
7. Wiring goes as follows: INTERNAL NETWORK > LAB WAP/ROUTER > LAB SWITCH > VIRTUALIZATION SERVERS & WIRED/WIRELESS CLIENTS
8. Now that the lab is running with properly configured infrastructure and security measures, tools, services, apps, and workstations can be deployed from the PVE servers.

### **Fourth Phase: End-point and Security tools**
*Content in this section is in regards to the network segment dedicated to the cybersecurity lab environment.*
1. First I read the documentation for the tools I had decided on to get more insight into how they work and to better troubleshoot any issues that may come up.
2. One of the main tools I wanted in this lab was a SIEM, and Security Onion (Standalone) seemed like the most complete and scalable solution. Their documentation was very clear, so deployment was pretty smooth.
3. Security Onion VM: 2x NICs, 1 (Management) / 2 (Monitoring) in promiscuous mode, 24GB RAM, 8-core CPU, 250GB storage w/ SSD emulation. *(NOTE) Security Onion requires 2x NICs, one of which needs to physically connect to a SPAN port.*
4. Workstation VMs: Ubuntu, Mint, Fedora
5. Physical clients: MacBook Air (ADMIN), Fedora 41 (ANALYST), Windows 10 machine (VICTIM CLIENT), Kali (ATTACKER).
6. OPNsense VM: 2x NICs Management/Monitoring, 16GB RAM, 8-core CPU, 250GB storage
7. This OPNsense VM will be configured as a UTM (unified threat management) suite consisting of: VPN, firewall, web proxy, IDS/IPS, VLAN support
8. Lastly T-Pot, a honeypot hosting platform for exposing vulnerable machines to the WAN in order to analyze attacker telemetry.
9. T-Pot VM: 16GB RAM, 8-core CPU, 500GB storage

# **CONCLUSION**

While this project was resource-intensive, there are many ways to deploy your own home lab and gain technical knowledge about security tools.
You can do all this and more with cloud service providers, or repurpose and upgrade old/inexpensive hardware to suit your needs. My approach
was meant to prioritize versatility and integrity while remaining cost-effective. I am satisfied with the result of my lab and have had a lot of fun
putting it to use since its completion. If you're just starting out in cybersecurity, I believe building your own lab environment can be an indispensable
learning tool for practical knowledge outside of a textbook!

# ABOUT ME
i like computer

LinkedIn: https://www.linkedin.com/in/h-julian-sanchez-92a10a24a/

Contact me: julian@darkhorizonit.tech

/SOC Change Request.pdf:
https://raw.githubusercontent.com/SanchezSecOps/Cybersecurity-HomeLab/560f78ae7f701a6873583eae3e4cfb127455322d/SOC Change Request.pdf

/VLAN_ACL_ EXAMPLES.txt:

ACL EXAMPLES

#VLAN 4 IS FORBIDDEN FROM MAKING CONTACT WITH VLAN 1 (INTERNAL NETWORK) & VLAN 5 (HONEYNET)

ACL NUMBER 4000
rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.1 0.0.0.0
#RULE PERMITS VLAN 4 GATEWAY ACCESS
-----------------------------------------------------------------------------------------
rule 20 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#RULE DENIES VLAN 4 CONTACT WITH VLAN 1 DEVICES
-----------------------------------------------------------------------------------------
rule 30 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
#RULE DENIES VLAN 4 CONTACT WITH VLAN 5 DEVICES
-----------------------------------------------------------------------------------------
rule 40 permit ip source 192.168.4.0 0.0.0.255 destination any
#RULE ALLOWS INTERNET ACCESS
-----------------------------------------------------------------------------------------
#APPLYING RULE TO VLAN 4
interface vlan 4
ip access-group 4000 in

-----------------------------------------------------------------------------------------

#VLAN 5 IS FORBIDDEN FROM MAKING CONTACT WITH VLAN 1 (INTERNAL NETWORK) & VLAN 4 (SOC LAB)

ACL NUMBER 5000
rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.1.1 0.0.0.0
#RULE PERMITS VLAN 5 GATEWAY ACCESS
-----------------------------------------------------------------------------------------
rule 20 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#RULE DENIES VLAN 5 CONTACT WITH VLAN 1 DEVICES
-----------------------------------------------------------------------------------------
rule 30 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
#RULE DENIES VLAN 5 CONTACT WITH VLAN 4 DEVICES
-----------------------------------------------------------------------------------------
rule 40 permit ip source 192.168.5.0 0.0.0.255 destination any
#RULE ALLOWS INTERNET ACCESS
-----------------------------------------------------------------------------------------
#APPLYING RULE TO VLAN 5
interface vlan 5
ip access-group 5000 in
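As an added example (not part of the repo), the Python script below parses the ACL rule lines above in the switch's `rule N permit|deny ip source A W destination B W` form (wildcard masks, `any`), evaluates them first-match the way the switch does, and checks the reachability that the README's Second Phase ping tests verified by hand. The host addresses such as 192.168.4.10 are constructed; traffic that matches no rule is reported as `no-match` because the implicit default in that case is vendor-specific.

```python
import ipaddress

# Rules copied from the repo's VLAN_ACL_EXAMPLES.txt (comments and separators dropped).
ACL_TEXT = """ACL NUMBER 4000
rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.1 0.0.0.0
rule 20 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 30 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 40 permit ip source 192.168.4.0 0.0.0.255 destination any
ACL NUMBER 5000
rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.1.1 0.0.0.0
rule 20 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 30 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
rule 40 permit ip source 192.168.5.0 0.0.0.255 destination any"""

def _spec(parts, key):  # '<key> any' -> "any"; '<key> <addr> <wildcard>' -> (addr, wildcard) as ints
    i = parts.index(key) + 1
    return "any" if parts[i] == "any" else tuple(int(ipaddress.IPv4Address(p)) for p in parts[i:i + 2])

def _matches(addr, spec):  # wildcard mask: 0 bits must be equal, 1 bits are "don't care"
    return spec == "any" or ((addr ^ spec[0]) & (0xFFFFFFFF ^ spec[1])) == 0

def parse_acls(text):
    """Return {acl_number: [(rule_id, action, src_spec, dst_spec), ...]} in file order."""
    acls, current = {}, None
    for parts in (line.split() for line in text.splitlines()):
        if parts[:2] == ["ACL", "NUMBER"]:
            current = acls[int(parts[2])] = []
        elif parts[:1] == ["rule"]:
            current.append((int(parts[1]), parts[2], _spec(parts, "source"), _spec(parts, "destination")))
    return acls

def evaluate(rules, src, dst):
    """First match wins, as on the switch. 'no-match' means the platform's implicit default decides."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for rule_id, action, src_spec, dst_spec in rules:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action, rule_id
    return "no-match", None

EXPECTED = [  # constructed hosts mirroring the README's ping tests: (ACL, source, destination, required verdict)
    (4000, "192.168.4.10", "192.168.1.1", "permit"), (4000, "192.168.4.10", "192.168.1.50", "deny"),
    (4000, "192.168.4.10", "192.168.5.20", "deny"), (4000, "192.168.4.10", "8.8.8.8", "permit"),
    (5000, "192.168.5.20", "192.168.4.10", "deny"), (5000, "192.168.5.20", "192.168.1.1", "permit"),
]

def isolation_failures(acl_text=ACL_TEXT, expected=EXPECTED):
    """Return the checks whose verdict differs from the documented design (empty list = isolation holds)."""
    acls = parse_acls(acl_text)
    return [(n, s, d, evaluate(acls[n], s, d)) for n, s, d, want in expected if evaluate(acls[n], s, d)[0] != want]
```

Rule order is what makes these ACLs work: if rule 40 (`destination any`) were placed above rule 20, lab hosts would reach every internal device, so re-run the check after any edit to the list.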