Enterprise Security Lab

Juniper launched a riff on March Madness in 2013 they called “Lab Madness”, asking for contributions on lab setups.  I don’t really have an extensive or expensive setup, but I have found that working in my personal lab increased my confidence and knowledge about how systems interact.  My small setup was eliminated in the first round, but this still inspired me to start thinking more formally about my lab work and how working in a lab helps me learn.

Equipment

First, my eclectic collection of gear.  These are all boxes I have had to support over the years, and the lab is especially useful for interoperability testing and for trying potentially service-affecting configuration changes before they touch production.

Juniper Devices

  • 2 – SSG5 Wireless & Standard
  • 2 – SRX100 – standard and high memory
  • EX2200 48-port
  • J2300 Router
  • Netscreen NS5XP
  • DTE SA
  • DTE UAC

Other Vendors

  • Sonicwall Pro2040
  • Cisco 1720 with K9 vpn bundle
  • 2 Cisco 2950 24 port switches
  • Netgear FSM7352 Layer 3 switch

Supporting Infrastructure

  • Xyplex terminal server for console access
  • 2 Dell VMware host servers
  • 2 Netgear ReadyNAS Duo

The setup allows management access by two methods: console and out-of-band LAN.

The console server is attached to every device that has a console port and provides telnet access to those consoles.

Every device that supports it has a management interface on the management VLAN.  This allows direct SSH, telnet and web access to all of the devices.  Telnet and HTTP are cleartext, which is acceptable here only because the management VLAN is kept separate from the VLANs that carry lab traffic.

Setup Concepts: Dedicated Layer 3 Ports

In connecting all these devices, I decided to give every firewall and router interface in the lab its own dedicated port on the layer 3 switch.  This leaves every port on every attached device available for use without having to find and move cables: I can effectively connect any two ports on any pair of devices by changing the VLAN assignment of the switch ports dedicated to those device ports.

For the Juniper firewalls, I also use virtual routers to get more devices into the lab.  The two SRX100s and two SSG5s each have three VRs, which gives effectively 12 firewalls for interconnection.
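The “dedicated port per device interface” idea is easiest to see as a virtual patch panel: the cabling is fixed, and a connection between two device ports is just a VLAN that contains their two switch ports.  The following Python model is an added example, not anything from the original post or from the lab itself; the device and switch port names, the VLAN numbers and the Cisco IOS-style output are all made up for illustration (the lab’s Netgear layer 3 switch uses its own configuration syntax).

```python
from __future__ import annotations

PARKING_VLAN = 999  # unused device ports sit here so nothing is accidentally bridged

# Fixed cabling: each firewall/router port has its own switch port.  Names are
# made up for the example; the real lab's port names and counts differ.
WIRING = {
    "srx100-a fe-0/0/1": "FastEthernet0/1",
    "srx100-a fe-0/0/2": "FastEthernet0/2",
    "ssg5-a ethernet0/1": "FastEthernet0/3",
    "ssg5-a ethernet0/2": "FastEthernet0/4",
    "j2300 fe-0/0/0": "FastEthernet0/5",
    "cisco1720 FastEthernet0": "FastEthernet0/6",
}


class LabPatch:
    """A virtual patch panel: two device ports are connected by giving their
    switch ports the same VLAN, and disconnected by removing that VLAN."""

    def __init__(self, wiring, first_vlan=100):
        self.wiring = dict(wiring)   # device port -> switch access port
        self.next_vlan = first_vlan
        self.links = {}              # vlan -> {device port, device port}

    def vlan_of(self, port):
        """VLAN currently carrying this device port, or None if it is parked."""
        for vlan, ends in self.links.items():
            if port in ends:
                return vlan
        return None

    def connect(self, a, b):
        """Join two device ports on a fresh VLAN, like plugging in a cable.
        A port can only be on one 'cable' at a time, exactly as in hardware."""
        if a == b:
            raise ValueError("cannot connect a port to itself")
        for p in (a, b):
            if p not in self.wiring:
                raise KeyError(f"{p} is not cabled to the switch")
            if self.vlan_of(p) is not None:
                raise ValueError(f"{p} is already connected; disconnect it first")
        vlan = self.next_vlan
        self.next_vlan += 1
        self.links[vlan] = {a, b}
        return vlan

    def disconnect(self, port):
        """Remove the VLAN behind this port; both ends go back to the parking VLAN."""
        vlan = self.vlan_of(port)
        if vlan is None:
            raise ValueError(f"{port} is not connected")
        del self.links[vlan]
        return vlan

    def peer(self, port):
        """The device port on the other end of the 'cable', or None."""
        vlan = self.vlan_of(port)
        if vlan is None:
            return None
        (other,) = self.links[vlan] - {port}
        return other

    def switch_config(self):
        """IOS-style access-port configuration for the whole panel.  Ports with
        no peer are put in PARKING_VLAN rather than left in the default VLAN."""
        lines = []
        for dev_port, sw_port in sorted(self.wiring.items(), key=lambda kv: kv[1]):
            vlan = self.vlan_of(dev_port)
            lines += [
                f"interface {sw_port}",
                f" description {dev_port}",
                " switchport mode access",
                f" switchport access vlan {PARKING_VLAN if vlan is None else vlan}",
            ]
        return "\n".join(lines)


if __name__ == "__main__":
    lab = LabPatch(WIRING)
    lab.connect("srx100-a fe-0/0/1", "ssg5-a ethernet0/1")
    lab.connect("j2300 fe-0/0/0", "cisco1720 FastEthernet0")
    print(lab.switch_config())
```

The parking VLAN is the one detail worth copying into a real lab: an idle device port left in the switch’s default VLAN is silently bridged to every other idle port, which is exactly the accidental interconnection the dedicated-port scheme is meant to avoid.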

Setup Concepts: Pseudo Internet

Since most of my enterprise work is with Internet-connected IPsec VPNs, the layer 3 switch also lets me build a pseudo internet out of layer 3 routed interfaces and an interior routing protocol.  I put all of these routed interfaces into one group that can reach each other, and each one represents the Internet connection for the firewall instance attached to it.  The firewalls can then build normal IPsec tunnels between themselves inside the lab.

I also set up routing and outbound NAT so that any firewall connected to the pseudo-internet cloud can reach the live Internet.  Updates and web browsing from a lab device’s LAN therefore work normally.
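The pseudo internet is really an address plan plus two pieces of configuration: one routed interface per firewall “untrust” port, all advertised by the same IGP, and a single outbound NAT rule that covers those prefixes and nothing else.  The Python below is an added example, not the post’s or the lab’s own configuration: the prefixes (drawn from the documentation ranges), VLAN numbers, management LAN, the choice of OSPF as the IGP, the outside interface name and the Cisco IOS-style syntax are all assumptions.  It validates the plan (overlapping prefixes, duplicate VLANs, and any overlap with the management LAN) before emitting the interface, routing and NAT configuration.

```python
from ipaddress import IPv4Network

# Assumed numbering; these ranges are documentation space, not the lab's real plan.
MGMT_LAN = IPv4Network("10.255.0.0/24")   # must never be reachable from the pseudo internet
OUTSIDE_IF = "FastEthernet0"              # router interface that faces the real Internet
PSEUDO_INET = [
    # (firewall untrust port, switch VLAN, point-to-point prefix; switch .1, firewall .2)
    ("srx100-a fe-0/0/0", 201, "203.0.113.0/30"),
    ("srx100-b fe-0/0/0", 202, "203.0.113.4/30"),
    ("ssg5-a ethernet0/0", 203, "203.0.113.8/30"),
    ("ssg5-b ethernet0/0", 204, "198.51.100.0/30"),
]


def networks(plan):
    return [(name, vlan, IPv4Network(prefix)) for name, vlan, prefix in plan]


def check_plan(plan, mgmt=MGMT_LAN):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    nets = networks(plan)
    seen_vlans = {}
    for i, (name, vlan, net) in enumerate(nets):
        if net.num_addresses < 4:
            problems.append(f"{name}: {net} has no room for a switch and a firewall address")
        if net.overlaps(mgmt):
            problems.append(f"{name}: {net} overlaps the management LAN {mgmt}")
        if vlan in seen_vlans:
            problems.append(f"{name}: VLAN {vlan} already used by {seen_vlans[vlan]}")
        seen_vlans[vlan] = name
        for other_name, _, other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
    return problems


def switch_interfaces(plan):
    """Routed VLAN interfaces plus the IGP that joins them (OSPF area 0 assumed).
    Every firewall's untrust link is in the same routing domain, so the
    firewalls see each other's public addresses just as they would on the Internet."""
    nets = networks(plan)
    lines = []
    for name, vlan, net in nets:
        switch_ip = list(net.hosts())[0]          # first usable address is the switch
        lines += [
            f"interface Vlan{vlan}",
            f" description pseudo-internet {name}",
            f" ip address {switch_ip} {net.netmask}",
        ]
    lines.append("router ospf 1")
    for _, _, net in nets:
        lines.append(f" network {net.network_address} {net.hostmask} area 0")
    return "\n".join(lines)


def nat_config(plan, outside_if=OUTSIDE_IF, acl=10):
    """Outbound NAT overload for the pseudo-internet prefixes only.  Each firewall
    already NATs its LAN to its untrust address, so that address is all the edge
    ever sees.  The management LAN is deliberately absent from the ACL so nothing
    on the management path gets a route to the real Internet through the lab."""
    lines = [f"access-list {acl} permit {net.network_address} {net.hostmask}"
             for _, _, net in networks(plan)]
    lines += [
        f"access-list {acl} deny any",
        f"ip nat inside source list {acl} interface {outside_if} overload",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    problems = check_plan(PSEUDO_INET)
    if problems:
        raise SystemExit("\n".join(problems))
    print(switch_interfaces(PSEUDO_INET))
    print(nat_config(PSEUDO_INET))
```

Run `check_plan` before pasting anything into the switch: an overlap with the management LAN is the one mistake that would let a lab firewall, or a VM behind it, route to the out-of-band network that is supposed to be unreachable from lab traffic.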

Setup Concepts: Client & Server Traffic

The two VMware servers each have two physical NICs and run vSphere 4.1.  One NIC connects to the management LAN for managing and configuring devices.  The second NIC is connected as a trunk port carrying the “LAN”-side VLANs of all the firewall instances.

The LAN side of any firewall or router can be connected to either a server or a client machine.  This lets client and server VMs be moved around the lab as needed by simply changing the NIC’s network assignment in the virtual machine configuration.

The Netgear ReadyNAS units provide a simple NFS share holding the virtual machine files for the two servers.

Flexibility

These general connection rules give me a lot of flexibility without making physical changes to the equipment connections; everything can be accomplished by configuration changes on the equipment itself.  The management LAN and console server also provide an out-of-band path for making those changes, and for getting back into a device if a change locks me out of its in-band interfaces.

Originally Posted March 30, 2013
Last Revised on March 30, 2013