The planning phase

First, as always with any idea you may have, you must do proper planning of what you want in your environment and segment the network properly based on your requirements and the security standards of your organization; in my case, it is for my home lab.

In my home lab, I am applying the Standardization Technical Implementation Guidance (STIG) from the DOD.
Link to STIG - https://public.cyber.mil/stigs/

Why in a home lab, you may ask?
One big reason is that if I want to do information security properly, it starts with myself; I would not be much of an information security enthusiast if I preached best practices and DOD standards without actually applying them in practice.
Another big consideration is the legacy hardware I own. I will secure it as much as possible, and these pieces of hardware will sit behind my perimeter firewall, inside my internal firewall subnets, keeping the CIA triad in mind.


Subnets and Segmentation

First, this is my subnet plan below, with multiple VLANs and NICs using /27 subnet masks; I am building this home lab to be as close a replica of a fully implemented business network as I can.
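As an added example (not part of the original post, and not the author's actual plan, whose VLAN IDs and address ranges are not shown here), this script carves a constructed 10.0.0.0/24 range into /27 segments, assigns each to a named VLAN role, reserves the first host address as the gateway, and checks that the segments do not overlap. The segment names and VLAN IDs are assumptions chosen to match the roles discussed on this page.

```python
import ipaddress

# Constructed VLAN roles for the example; the real plan's names and IDs are not on the page.
SEGMENTS = [
    (10, "management"),
    (20, "domain-controllers"),
    (30, "servers"),
    (40, "workstations"),
    (50, "security-monitoring"),
    (60, "sandbox"),
    (70, "wireless"),
]


def plan_vlans(base_cidr, segments, new_prefix=27):
    """Split base_cidr into /new_prefix subnets and assign them to segments in order.

    Each entry records the network, the gateway (first usable host), the
    remaining host range and the broadcast address, so the result can be
    pasted straight into firewall and DHCP documentation.
    """
    base = ipaddress.ip_network(base_cidr, strict=True)
    subnets = list(base.subnets(new_prefix=new_prefix))
    if len(segments) > len(subnets):
        raise ValueError(
            f"{base} only yields {len(subnets)} /{new_prefix} subnets "
            f"for {len(segments)} segments"
        )
    plan = []
    for (vlan_id, role), net in zip(segments, subnets):
        hosts = list(net.hosts())  # excludes network and broadcast addresses
        plan.append({
            "vlan": vlan_id,
            "role": role,
            "network": str(net),
            "gateway": str(hosts[0]),
            "first_host": str(hosts[1]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "host_addresses": len(hosts),  # 30 for a /27, one of which is the gateway
        })
    return plan


def check_no_overlap(plan):
    """Return True when no two planned networks overlap (a sanity check before deployment)."""
    nets = [ipaddress.ip_network(p["network"]) for p in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def segment_for(plan, ip):
    """Return the role owning an address, or None if the address is unassigned."""
    addr = ipaddress.ip_address(ip)
    for p in plan:
        if addr in ipaddress.ip_network(p["network"]):
            return p["role"]
    return None


if __name__ == "__main__":
    plan = plan_vlans("10.0.0.0/24", SEGMENTS)
    for p in plan:
        print(f"VLAN {p['vlan']:>3} {p['role']:<20} {p['network']:<16} "
              f"gw {p['gateway']:<12} hosts {p['first_host']}-{p['last_host']}")
    print("overlap-free:", check_no_overlap(plan))
```

A /24 yields eight /27 segments, so the seven roles above leave one spare; the unused 10.0.0.224/27 is reported as unassigned by segment_for, which is a useful check when an unexpected address shows up in logs.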


Virtualization software of choice

Secondly, the software I chose to virtualize my environment is XCP-ng, managed with Xen Orchestra.

Please see my blog for an overview and how to install it here - https://www.stephendick.tech/xcpng/how-to-install-xcp-ng

Installing Xen Orchestra from Source - https://www.stephendick.tech/xcpng/installing-xen-orchestra-xoa-from-source


Asset management

Physical asset management
This will be done using a LibreOffice spreadsheet, Draw.io and Zabbix for all of my asset management needs, recording where each cable is plugged into every physical asset with a top-down map and an Excel document.

Logical asset management
This will be done using nmap to see which ports, services and service versions are running on each virtual machine in my environment. I will also be utilizing FleetDM for application management, writing policies that alert me when outdated or non-compliant software is being used within a virtual machine or by another user.
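As an added example (not part of the original post, and not the author's tooling), the script below turns nmap's grepable output (the -oG format) into a per-host inventory of open ports, services and versions, then compares it against an approved port baseline and flags cleartext management protocols. The scan output, hostnames and service banners are a constructed sample, and the baseline set is an assumption for the example.

```python
import re

# Constructed sample of nmap grepable output (-oG); hosts, names and banners are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG inventory.gnmap 10.0.0.0/27
Host: 10.0.0.5 (dc01.lab.local)\tStatus: Up
Host: 10.0.0.5 (dc01.lab.local)\tPorts: 53/open/tcp//domain//Simple DNS Plus/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/\tIgnored State: filtered (997)
Host: 10.0.0.6 (sw-legacy.lab.local)\tPorts: 23/open/tcp//telnet//Cisco telnetd/, 80/open/tcp//http//Cisco IOS http config/\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Services whose credentials travel in cleartext; a legacy switch will often expose these.
PLAINTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh"}


def parse_nmap_grepable(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}} from -oG output.

    Each "Host:" line is tab-separated; the "Ports:" field lists entries as
    port/state/protocol/owner/service/rpc-info/version separated by ", ".
    """
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host: (\S+) \((.*?)\)", fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = inventory.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append({
                    "port": int(port),
                    "proto": proto,
                    "state": state,
                    "service": service,
                    "version": version,
                })
    return inventory


def find_findings(inventory, allowed_ports):
    """Flag open ports outside the approved baseline and cleartext management services.

    allowed_ports is a set of (port, protocol) tuples; returns a sorted list of
    (ip, port, service, reason) tuples suitable for an alert or a ticket.
    """
    findings = []
    for ip, host in sorted(inventory.items()):
        for p in host["ports"]:
            if p["state"] != "open":
                continue
            if (p["port"], p["proto"]) not in allowed_ports:
                findings.append((ip, p["port"], p["service"], "not in approved port baseline"))
            if p["service"] in PLAINTEXT_SERVICES:
                findings.append((ip, p["port"], p["service"], "cleartext management protocol"))
    return findings


if __name__ == "__main__":
    # Assumed baseline: DNS, Kerberos and LDAP on the domain controller, HTTP on the switch.
    baseline = {(53, "tcp"), (88, "tcp"), (389, "tcp"), (80, "tcp")}
    inv = parse_nmap_grepable(SAMPLE_GNMAP)
    for ip, host in sorted(inv.items()):
        print(ip, host["hostname"], [(p["port"], p["service"], p["version"]) for p in host["ports"]])
    for f in find_findings(inv, baseline):
        print("FINDING:", *f)
```

Re-running the scan on a schedule and diffing the parsed inventory against the previous run is the cheap way to notice a new service appearing on a VM; the baseline set is the place to encode the "ports and services your environment requires" decision from the firewall section.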

The physical/logical asset management records will be printed, stored on a flash drive and an HDD/SSD kept in a fireproof safe, and stored online on my TrueNAS CORE machine.


User account, DNS and Domain management

I will be using Active Directory and Group policies for user account management.

DNS for resolving internal hostnames, file servers and other services.

The Domain Controller is where the domain will reside.

All of these run Windows Server 2022 and will be virtualized on separate virtual machines, one per role.


Network Security Monitor

The Network Security Monitor I will be using for my environment is Security Onion, running on a Dell PowerEdge R610 with 6 TB of hard drive space and 16 GB of RAM.

Description and how to install security onion - https://www.stephendick.tech/security-onion-1/how-to-install-security-onion


Firewalls of choice

Since my environment requires both an internal and a perimeter firewall, my choices are a pfSense firewall on a WatchGuard XTM 5 series for the internal network and a UniFi Dream Machine Pro on the perimeter of my network.

You can see a brief description of a simple allow-all installation of pfSense on a Dell PowerEdge R610 here (do not use allow all; use a deny/block-all rule at the bottom and only open the ports and services your environment requires) - https://www.stephendick.tech/pfsense/pfsense-install
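To make the allow-all versus deny-all point concrete, here is an added example (not part of the original post, and not pfSense's rule engine) of a minimal first-match rule evaluator of the kind every packet filter implements: rules are checked top to bottom, the first match decides, and anything that reaches the bottom is dropped. The subnets, hosts and the two rule sets are constructed for the example.

```python
import ipaddress

# Constructed segments for the example (the post's actual ranges are not shown).
MANAGEMENT = "10.0.0.0/27"
SERVERS = "10.0.0.64/27"
WORKSTATIONS = "10.0.0.96/27"
ANY = "0.0.0.0/0"


def rule(action, src, dst, proto="any", ports=None):
    """Build one firewall rule; proto 'any' and an empty port set match everything."""
    return {
        "action": action,
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "proto": proto,
        "ports": set(ports or []),
    }


def matches(r, pkt):
    """True when the packet's source, destination, protocol and port all fit the rule."""
    if ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["proto"] != "any" and r["proto"] != pkt["proto"]:
        return False
    if r["ports"] and pkt["dport"] not in r["ports"]:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; a packet that matches nothing is denied by default."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"


# The "simple allow all" policy: one rule, everything passes.
ALLOW_ALL_RULES = [rule("allow", ANY, ANY)]

# The recommended shape: explicit allows for required services, explicit deny at the bottom.
DEFAULT_DENY_RULES = [
    rule("allow", WORKSTATIONS, SERVERS, "tcp", {443}),   # web services on the server segment
    rule("allow", ANY, "10.0.0.70/32", "udp", {53}),      # internal DNS resolver (constructed address)
    rule("allow", MANAGEMENT, ANY, "tcp", {22}),          # SSH only from the management segment
    rule("deny", ANY, ANY),                               # block everything else
]


def compare_policies(pkt):
    """Return (allow-all decision, default-deny decision) for one packet."""
    return evaluate(ALLOW_ALL_RULES, pkt), evaluate(DEFAULT_DENY_RULES, pkt)


if __name__ == "__main__":
    # Constructed traffic: a workstation probing a switch's telnet port, and legitimate HTTPS.
    samples = [
        {"src": "10.0.0.100", "dst": "10.0.0.6", "proto": "tcp", "dport": 23},
        {"src": "10.0.0.100", "dst": "10.0.0.70", "proto": "tcp", "dport": 443},
        {"src": "10.0.0.5", "dst": "10.0.0.6", "proto": "tcp", "dport": 22},
    ]
    for pkt in samples:
        print(pkt, "allow-all:", compare_policies(pkt)[0], "default-deny:", compare_policies(pkt)[1])
```

The explicit deny at the bottom is redundant with the implicit default, but keeping it visible in the rule set makes the intent obvious to whoever reads the ruleset later and gives the blocked traffic a rule to log against.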

On the UniFi Dream Machine Pro, I will be configuring BGP and OSPF (via FRR), and hopefully a static DNS within the UniFi OS DNS manager, as some of my friends suggested with the links below:

BGP on UDM Pro - https://blog.v12n.io/how-to-get-bgp-working-on-a-unifi-dream-machine-pro/

UniFi OS DNS Manager - https://github.com/loredous/unifios-dns-manager

Open Shortest Path First (OSPF)/Free Range Routing (FRR) configuration - https://github.com/unifi-utilities/unifios-utilities


Accessing the network externally

My choice for accessing my environment externally is OpenVPN hosted on my perimeter firewall; I may decide later down the road to host it on a separate virtual machine on the perimeter if more resources are needed.
Authentication will be through LDAP or local user accounts on the OpenVPN virtual machine itself.


Network Switches

The network switches I am running are very old legacy hardware and are going to be vulnerable. Most companies are, unfortunately, most likely running similar hardware; none of mine will be exposed to the internet at all and can only be managed internally.

Physical hardware asset list

  • Firewalls

    • Watchguard XTM 5 series - pfSense - Internal - Asset label - F1

    • UniFi Dream Machine Pro - Perimeter - Asset label - F2

  • Layer 2 switches

    • Cisco catalyst 2960G Series (2007)

  • Layer 3 switches

    • TP Link TL-SG2216 Version 1 (from 2015) - 2 Devices

    • TP Link TL-SG2424 Version 1 (from 2015) - 2 Devices

    • Unifi 16 Port POE+

  • Security Hardware

    • Dell Poweredge T310 - Hosts Security Onion

  • Physical Servers

    • Dell Poweredge R610 - 2 Devices

    • Intel Super micro with 5x HDDs - 1 Device

    • Dell A2425 Direct Attached Storage - 1 Device

    • 6U Enclosure - 1 Device

  • Wireless

    • Unifi Wireless Access Point Long Range - 1 Device

    • Unifi Wireless Access Point Lite - 1 Device


Email server and email security

Email server - iRedMail, hosted on the internal network of my environment

Email security gateway - currently doing research; I may go with the Proxmox Mail Gateway

  • https://www.proxmox.com/en/proxmox-mail-gateway/overview


Network Security with a prevention system

I will be using CrowdSec Cyber Threat Intelligence (CTI), which acts as a prevention system on the edge.
The alerts will be pushed to my Network Security Monitor for simplicity, so that everything is managed, as far as possible, from one web user interface: Security Onion.

CrowdSec CTI - https://docs.crowdsec.net/u/cti_api/getting_started/

Sandbox for Dynamic/Static malware analysis

Unfortunately, since I had issues installing Cuckoo Sandbox, I will be looking for alternative self-hosted sandbox environments for dynamic analysis.
This will be on a separate subnet.

Ideas I have seen on Github - https://github.com/0xc1r3ng/Malware-Sandboxes-Malware-Source
Static analysis for malware using a REMnux VM - https://remnux.org/


Implementation

Finally, with the planning finished, I can now implement all of the technology. I will start with the firewall and switch configurations, then move on to the virtualization software (already installed on my servers), then configure all of my virtual machines (VMs) following STIG/DOD practices, documenting every step. Last, I will implement a segmented environment with a sandbox and a REMnux virtual machine for local static and dynamic analysis of potentially malicious traffic/files alerted on by Security Onion. Notifications will be sent depending on the level of the alert found within the network, delivered to my iRedMail email server and, if possible, to my Signal or Discord server application.

There is always more, but I can always look into alternatives for implementing the other software to work together.