Jon@Sprig.gs / @JonTheNiceGuy / @g7vri
- Introduction
- What is a Lab?
- A basic lab
- A note on networking
- A little bit of config
- Complicated labs
- My lab!
- I am Jon Spriggs (@JonTheNiceGuy / @G7VRI)
- Network Security Professional for > 10 years
- Interest in Linux and Open Source
"A lab is an environment in which you can perform the same test twice and get the same results"
- Virtual Devices
- VM Snapshots
- Clone VMs
- OVA Files
- Vagrant
- Physical Devices
- Appliances
- Servers
- Laptops
Note: VM Snapshot: Very fast, adds files to system per snapshot, can be cumulative Clone VMs: May be difficult to do depending on Hypervisor OVA files: Not platform independant, but can be massaged to work between VMWare, VirtualBox, ESXi, Hyper-V. Vagrant: My go-to system. Simple text files, pre-packaged "Box" files. Basically clones VMs from a known working state, and runs post-install customization.
- Home Made
- Shell Scripts
- Powershell
- Batch Files
- Tools
- Puppet
- Chef
- Ansible
- Salt
- You should learn some basic networking before creating labs.
- Routing
- Port Forwarding
- Understand interface types
- Bridged interfaces are like physically plugging in to your network.
- NAT interfaces "Hide" behind your host IP address
- Private networks are (typically!) inside your host machine
- Vagrant
- -> Linux
- -> Windows
- -> Several Machines at once
- Ansible
- -> Create users
mkdir Lab-A
cd Lab-A
vagrant init ubuntu/trusty64
vagrant up
Note: Remember that you need to create your vagrantfile in a new directory. The vagrantfile path is exposed to the VM in /vagrant or c:\vagrant
Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/trusty64"
config.vm.synced_folder "/mnt", "/mnt/host"
config.vm.provider "virtualbox" do |vb|
vb.memory = "1024"
end
config.vm.provision "shell", inline: <<-SHELL
sudo apt-get update && sudo apt-get install -y sendemail
SHELL
config.vm.provision "shell", run: "always", inline: <<-SHELL
/vagrant/RunProcess | /vagrant/sendemail
sudo shutdown -h now
SHELL
end
Note: Here we define a standard box - This has been created on a public server, it should not be trusted. For confidential builds, build your own and host internally, replace config.vm.box with config.vm.url.
Attention to: synced_folder, vb.memory and provisioning - "run: always" versus "run: once"
Vagrant.configure(2) do |config|
config.vm.box = "opentable/win-2012r2-standard-amd64-nocm"
config.vm.hostname = "server"
config.vm.provision :shell, path: "shell/InstallChocolatey.cmd"
config.vm.provision :shell, path: "shell/InstallBoxStarter.bat"
config.vm.provision :shell, path: "shell/RunBoxstarter.ps1"
config.vm.network "public_network", bridge: "eth1.200",
ip: "192.0.2.10"
config.vm.provision :shell, run: "always",
inline: "route delete 0.0.0.0"
config.vm.provision :shell, run: "always",
inline: "route add 0.0.0.0 mask 0.0.0.0 192.0.2.1"
end
Note: Really untrustworthy build - not from a vendor.
Attention to: Define hostname, public_network, note that this is a windows box and is running cmd and bat files (also PS1 files). Routing on public network interfaces is problematic at best!!
Vagrant.configure(2) do |config|
config.vm.box = "opentable/win-2012r2-standard-amd64-nocm"
config.vm.define :v401a do |v401a|
v401a.vm.hostname = "v401a"
v401a.vm.network "public_network", bridge: "em2.401",
ip: "10.40.1.11"
end
config.vm.define :v401b do |v401b|
v401b.vm.hostname = "v401b"
v401b.vm.box = "ubuntu/trusty64"
v401b.vm.network "public_network", bridge: "em2.401",
ip: "10.40.1.12"
end
end
Note: Attention to: Config creates two machines, defines hostnames and separates out box files to use. Note no post config is here. Contrived example drawn from complex personal scripts.
ssh-copy-id root@linux1
# Windows Machines need https://raw.githubusercontent.com/ansible/
# ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
ansible -m setup
ansible-playbook site.yml
- hosts
[Core_AD]
192.0.2.1
[Core_Linux]
192.0.2.1[1-5]
- group_vars/all/vault
default_password: DreadfullyInsecure
admin_users:
spriggsj:
name: Jon Spriggs
users:
bloggsf:
name: Fred Bloggs
Note: Use ansible-vault encrypt to convert the plaintext vault file to an encrypted one.
- ad.yml
- hosts: Core_AD
roles:
- ad
- roles/ad/tasks/main.yml
- name: Create User in AD
raw: if (dsquery user -samid "{{item.key}}") {"Not Required"} else
{New-ADUser -SamAccountName "{{item.key}}" -UserPrincipalName
"{{item.key}}@labby.mclabface" -Name "{{item.value.name}}"
-DisplayName "{{item.value.name}}"
-GivenName "{{item.value.name.split(" ")[1]}}"
-Surname "{{item.value.name.split(" ")[-1]}}"
-ChangePasswordAtLogon $true -Enabled $true
-AccountPassword (ConvertTo-SecureString "{{default_password}}"
-AsPlainText -Force)}
with_dict: "{{users}}"
tags: users
- linux.yml
- hosts: Core_Linux
roles: common_linux
- roles/common_linux/tasks/main.yml
- include: user.yml
tags: users
- roles/common_linux/tasks/user.yml
- name: Create role for Sudo Group
lineinfile: "dest=/etc/sudoers state=present regexp='^%sudo'
line='%sudo ALL=(ALL) NOPASSWD: ALL' validate='visudo -cf %s'"
- name: Creating Admin Users
user: name="{{item.key}}" uid="{{item.value.uid}}"
comment="{{item.value.name}}" groups=sudo shell=/bin/bash
password="{{default_password | password_hash('sha512') }}"
update_password=on_create
with_dict: "{{admin_users}}"
- VLAN Tag your switches
- Route (or better - Firewall) between VLANs
- Create disposable network segments (or "Pods")
- Unified authentication using Radius, Kerberos and Active Directory
- Ansible for Infrastructure (Linux, Windows, ESXi, but not switches!)
Note: For all Windows' failings, it's very easy to set up MS Active Directory, and even easier to add Radius Authentication to that model. Linux will do Kerberos authentication against Active Directory, as will ESXi.
The network segments should be isolated from each other by a firewall. This means an impacting change on one pod will not impact any other. The firewall will also perform routing and hide NATs where required.
Ansible is not able to reconfigure older Cisco or Juniper switches. It can be coerced into making changes to Checkpoint firewalls, but will not work out-of-the-box.
- Back-to-back firewalls from "Live" areas, into "Core" terminal servers
- Terminal servers have full access to all pods
- Terminal servers are MS Windows virtualized on Linux systems - which means SSH can be used to bring them back online.
- Using ser2net to provide telnet access to serial ports over USB
- NAS for shared storage of Vagrant Boxes, mounted on all VM servers
- Physical Topology
{CORP_NET} -> {CORP_FW} -> {LAB_FW} -> {LAB_DSL}
|
{VLAN_SWITCHES}
|
/ | \
POD_NET1 <------/ | \----> POD_NET2
|
{CORE_NET}
- Firewall Rules
Permit: CORP_NET -> Core_Net : RDP
Deny : CORP_NET -> Core_Net : Any
Deny : Any -> CORP_NET : Any
Permit: Core_Net -> Any : Any
Deny : Any -> Core_Net : Any
Permit: POD_Nets -> Internet : Any
Deny : Any -> Any : Any