{"id":286,"date":"2017-08-13T17:49:08","date_gmt":"2017-08-13T21:49:08","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=286"},"modified":"2017-08-13T18:36:18","modified_gmt":"2017-08-13T22:36:18","slug":"enterprise-security-lab","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/enterprise-security-lab\/","title":{"rendered":"Enterprise Security Lab"},"content":{"rendered":"<p><a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ParticipantLabMadness.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-310 alignright\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ParticipantLabMadness-300x300.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ParticipantLabMadness-300x300.jpg 300w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ParticipantLabMadness-150x150.jpg 150w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ParticipantLabMadness.jpg 720w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Juniper launched a riff on March Madness in 2013 they call &#8220;Lab Madness&#8221; asking for contributions on lab setups.\u00a0 I don&#8217;t really have an extensive or expensive setup, but I have found that working in my personal lab increased my confidence and knowledge about how systems interact.\u00a0 My small setup was eliminated in the first round, but this still inspired me to start thinking more formally about my lab work and how working in a lab helps me learn.<\/p>\n<h2>Equipment<\/h2>\n<p><a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Racksm.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-287\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Racksm-274x300.jpg\" alt=\"\" width=\"274\" height=\"300\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Racksm-274x300.jpg 274w, 
http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Racksm.jpg 657w\" sizes=\"auto, (max-width: 274px) 100vw, 274px\" \/><\/a><\/p>\n<p>First, my eclectic collection of gear.\u00a0 These are all about learning the boxes I had to support over the years.\u00a0 And the lab is especially useful for interoperation or potentially service-affecting configuration testing.<\/p>\n<p>Juniper Devices<\/p>\n<ul>\n<li>2 &#8211; SSG5 Wireless &amp; Standard<\/li>\n<li>2 &#8211; SRX100 &#8211; standard and high memory<\/li>\n<li>EX2200 48 port<\/li>\n<li>J2300 Router<\/li>\n<li>Netscreen NS5XP<\/li>\n<li>DTE SA<\/li>\n<li>DTE UAC<\/li>\n<\/ul>\n<p>Other Vendors<\/p>\n<ul>\n<li>Sonicwall Pro2040<\/li>\n<li>Cisco 1720 with K9 VPN bundle<\/li>\n<li>2 Cisco 2950 24 port switches<\/li>\n<li>Netgear FSM7352 Layer 3 switch<\/li>\n<\/ul>\n<p>Supporting Infrastructure<\/p>\n<p><a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Serverssm.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-288\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Serverssm-300x83.jpg\" alt=\"\" width=\"300\" height=\"83\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Serverssm-300x83.jpg 300w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Serverssm-768x213.jpg 768w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Serverssm-1024x285.jpg 1024w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/Serverssm.jpg 1724w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<ul>\n<li>Xyplex terminal server for console access<\/li>\n<li>2 Dell VMware host servers<\/li>\n<li>2 Netgear ReadyNAS Duo<\/li>\n<\/ul>\n<p>The setup allows management access by two methods: console and out-of-band LAN.<\/p>\n<p>The console server is attached to every console-capable device and allows telnet access to the device console ports.<\/p>\n<p>Every device that is capable has its management interface 
configured on the management VLAN.\u00a0 This allows direct SSH, telnet and web access to all of the devices.<\/p>\n<h2>Setup Concepts: Dedicated Layer 3 Ports<\/h2>\n<p>In connecting all these devices, I decided to have a dedicated layer 3 switch port for every firewall and router interface in the lab environment.\u00a0 This allows me to have every port on all the attached devices available for use without the need to find and move cables.\u00a0 I can effectively connect any two ports on any pair of devices by making a VLAN assignment change on the switch port dedicated to that device port.<\/p>\n<p>For the Juniper firewalls, I also use virtual routers to get more devices into the lab.\u00a0 The SRX100 and SSG5 units each have three VRs, which gives an effective 12 firewalls for interconnection.<\/p>\n<h2>Setup Concepts: Pseudo Internet<\/h2>\n<p><a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/NASsm.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-289\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/NASsm-118x300.jpg\" alt=\"\" width=\"118\" height=\"300\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/NASsm-118x300.jpg 118w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/NASsm-404x1024.jpg 404w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/NASsm.jpg 586w\" sizes=\"auto, (max-width: 118px) 100vw, 118px\" \/><\/a><\/p>\n<p>Since most of my enterprise work is with internet-connected IPsec VPN, the layer 3 switches also allow me to create a pseudo internet by using layer 3 routed interfaces and an interior routing protocol.\u00a0 I can put all these routed layer 3 interfaces into a group that can see each other, and each one can represent the internet connection for the firewall instance connected there.\u00a0 The firewalls can then create normal IPsec tunnels between them in the lab environment.<\/p>\n<p>I also set up routing and outbound NAT that allow 
live internet access to any of the firewalls in the lab connected to the pseudo internet cloud.\u00a0 So updates or web browsing from the lab device LAN will work normally.<\/p>\n<h2>Setup Concepts: Client &amp; Server Traffic<\/h2>\n<p>The two VMware servers are set up with dual physical NICs and vSphere 4.1 host software.\u00a0 One NIC connects to the management LAN to manage and configure devices.\u00a0 The second NIC is connected as a trunk port to the &#8220;LAN&#8221; side VLANs for all the firewall instances.<\/p>\n<p>The LAN side of any firewall or router can be connected to either a server or a client computer.\u00a0 This setup allows the client and server devices to be migrated around the lab as needed by a simple NIC assignment in the virtual machine configuration.<\/p>\n<p>The Netgear ReadyNAS units provide a simple NFS storage share for the virtual machine files on the two servers.<\/p>\n<h2>Flexibility<\/h2>\n<p>These general connection parameters provide me with a lot of flexibility without having to make physical changes to the equipment connections.\u00a0 The flexibility can all be accomplished by configuration changes to the equipment itself.\u00a0 The management LAN and console server for the devices also provide a flexible backdoor to make these configuration changes.<\/p>\n<p>Originally Posted March 30, 2013<br \/>\nLast Revised on March 30, 2013<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Juniper launched a riff on March Madness in 2013 they call &#8220;Lab Madness&#8221; asking for contributions on lab setups.\u00a0 I don&#8217;t really have an extensive or expensive setup, but I have found that working in 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-286","post","type-post","status-publish","format-standard","hentry","category-networking"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=286"}],"version-history":[{"count":3,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/286\/revisions"}],"predecessor-version":[{"id":311,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/286\/revisions\/311"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=286"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}