
Introduction:
In the ever-evolving landscape of cybersecurity, theoretical knowledge alone is insufficient to defend modern networks. By constructing a virtualized enterprise environment, professionals can simulate the high-stakes dynamic between offensive (Red Team) and defensive (Blue Team) operations. This hands-on project utilizes Oracle VM VirtualBox to replicate a segmented corporate infrastructure, integrating firewalls, intrusion detection systems, vulnerable web applications, and centralized log management to provide an immersive experience in Security Operations Center (SOC) workflows.
Learning Objectives:
- Architect a segmented enterprise network using pfSense to isolate WAN, LAN, and DMZ zones.
- Simulate real-world attack vectors using Kali Linux against a deliberately vulnerable target.
- Configure and tune intrusion detection systems (Snort) and aggregate logs using the Elastic Stack (ELK) for comprehensive threat monitoring and incident response.
You Should Know:
1. Laying the Foundation: Network Segmentation with pfSense
The cornerstone of enterprise security is network segmentation. In this lab, pfSense acts as the perimeter firewall and router, creating three distinct zones: WAN (untrusted internet), LAN (trusted internal user network), and DMZ (semi-trusted public-facing servers).
Step‑by‑step guide explaining what this does and how to use it:
– Installation: Create a new VM in VirtualBox, attach the pfSense ISO, and install it with default settings. Assign two network adapters: one in NAT mode (simulating WAN) and one in Internal Network mode (for LAN/DMZ).
– Interface Assignment: After installation, assign the WAN interface to the NAT adapter (e.g., em0) and the LAN interface to the internal adapter (em1).
– VLANs and DMZ: Access the pfSense web GUI (via LAN IP, default 192.168.1.1). Navigate to Interfaces > Assignments > VLANs to create a VLAN for the DMZ (e.g., VLAN 10). Assign this VLAN to a virtual interface and enable it.
– Firewall Rules: Configure rules under Firewall > Rules. Create a rule on the LAN interface to allow traffic to the DMZ on specific ports (e.g., HTTP/HTTPS). Create a rule on the DMZ interface to block all inbound traffic from the WAN but allow outbound traffic to the LAN for updates.
2. Deploying the Bait: Damn Vulnerable Web Application (DVWA) in the DMZ
A realistic enterprise environment must have a public-facing asset. DVWA serves as the target, intentionally riddled with vulnerabilities like SQL injection and Cross-Site Scripting (XSS) for the Red Team to exploit.
Step‑by‑step guide explaining what this does and how to use it:
– Operating System: Set up a Linux VM (e.g., Ubuntu Server) connected to the internal DMZ network.
– Installation: Update the system (sudo apt update && sudo apt upgrade -y). Install a LAMP stack: sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql php-gd php-xml -y.
– Download DVWA: Navigate to the web root: `cd /var/www/html`. Download DVWA: `sudo git clone https://github.com/digininja/DVWA.git`. Set permissions: `sudo chown -R www-data:www-data /var/www/html/DVWA/`.
– Configuration: Copy the config file: `cd DVWA/config` and run `sudo cp config.inc.php.dist config.inc.php`. Edit the file to set the database password (`sudo nano config.inc.php`). Access the DVWA setup page via browser (`http://<dvwa-ip>/DVWA/setup.php`, where `<dvwa-ip>` is the DMZ address of the DVWA VM) and click “Create/Reset Database”.
3. The Offensive Playbook: Simulating Attacks with Kali Linux
The Red Team uses Kali Linux to scan, enumerate, and exploit the DVWA target, mimicking a real-world adversary. This validates that the defensive tools are correctly configured to detect malicious activity.
Step‑by‑step guide explaining what this does and how to use it:
– Setup: Create a Kali Linux VM attached to the same internal DMZ network as DVWA.
– Reconnaissance: Perform an Nmap scan to identify open ports and services. Use the command: `nmap -sV -O <dvwa-ip>`. This reveals port 80 open and the Apache/PHP versions, showing the exposed attack surface.
– Exploitation: Navigate to the DVWA login page. Use a tool like `sqlmap` to automate SQL injection against the login form or a parameter: `sqlmap -u "http://<dvwa-ip>/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id" --dbs`. This command attempts to dump the database names, simulating a credential theft attempt.
4. The Defensive Shield: Deploying Snort for Intrusion Detection
Snort acts as the IDS/IPS, analyzing network traffic in real-time against a set of rules to detect and alert on the attacks originating from Kali.
Step‑by‑step guide explaining what this does and how to use it:
– Installation: Install Snort on a dedicated Linux VM (or on the pfSense box via package manager). For Ubuntu: sudo apt install snort -y. During installation, specify the network you are monitoring (e.g., 192.168.1.0/24).
– Configuration: The main config file is /etc/snort/snort.conf. Edit it to include local rules: sudo nano /etc/snort/snort.conf. Uncomment or add the line: include $RULE_PATH/local.rules.
– Writing a Custom Rule: Create a rule to detect the Nmap scan. Edit the local rules file: sudo nano /etc/snort/rules/local.rules. Add: alert tcp any any -> $HOME_NET any (msg:"NMAP TCP Scan detected"; flags:S; threshold:type both, track by_src, count 5, seconds 10; sid:1000001; rev:1;). This rule alerts when it sees multiple SYN packets.
– Testing: Run Snort in IDS mode: sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0. Re-run the Nmap scan from Kali; you should see alerts appear in the Snort console, confirming detection.
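To see why the rule above fires on a port scan but not on ordinary connections, this added example (not Snort source code) models the `threshold:type both, track by_src, count 5, seconds 10` clause over a constructed stream of SYN packets; the timestamps and IPs are made up for the lab.

```python
"""Model of the custom Snort rule's threshold clause: alert once per 10-second
window after 5 SYN packets from the same source ('type both', 'track by_src').
Added example with constructed events, not code from Snort or the lab."""
from collections import defaultdict

COUNT, SECONDS = 5, 10  # values from the rule on the page

# Constructed SYN events as (timestamp in seconds, source IP). Only packets with
# the SYN flag set match 'flags:S', so the stream already represents those.
SYN_EVENTS = [
    (0.0, "192.168.10.50"), (0.5, "192.168.10.50"), (1.0, "192.168.10.50"),
    (1.5, "192.168.10.50"), (2.0, "192.168.10.50"),    # 5th SYN in 10 s: alert
    (2.5, "192.168.10.50"), (3.0, "192.168.10.50"),    # same window: suppressed
    (4.0, "192.168.10.51"), (30.0, "192.168.10.51"),   # never reaches 5: silent
    (12.5, "192.168.10.50"), (13.0, "192.168.10.50"), (13.5, "192.168.10.50"),
    (14.0, "192.168.10.50"), (14.5, "192.168.10.50"),  # new window: 2nd alert
]


def threshold_both(events, count=COUNT, seconds=SECONDS):
    """Return the (timestamp, src) pairs at which the rule would raise an alert.

    Simplified semantics of 'type both': open a window per source on its first
    matching packet, alert exactly when the count is reached inside that
    window, stay quiet for the rest of it, then start over after it expires.
    """
    window_start = {}
    hits = defaultdict(int)
    alerts = []
    for ts, src in sorted(events):
        # start a fresh window for this source if none is active or it expired
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src] = ts
            hits[src] = 0
        hits[src] += 1
        # fire only on the packet that reaches the count, so later packets in
        # the same window do not flood the console with duplicate alerts
        if hits[src] == count:
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    for ts, src in threshold_both(SYN_EVENTS):
        print(f"t={ts:5.1f}s  NMAP TCP Scan detected from {src}")
```

A host that opens a handful of legitimate connections never reaches the count, while a SYN scan from one source trips it in the first couple of seconds and again only once per later window.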
5. The SOC’s Nerve Center: Centralized Logging with the Elastic Stack (ELK)
Consolidating logs from pfSense, Snort, and DVWA into a single pane of glass (Kibana) is essential for effective incident response and threat hunting.
Step‑by‑step guide explaining what this does and how to use it:
– Architecture: Set up an Ubuntu VM with sufficient RAM (min 4GB) for Elasticsearch, Logstash, and Kibana.
– Installation: Install Elasticsearch and Kibana by adding the Elastic GPG key and repository. For Elasticsearch: sudo apt install elasticsearch. Edit `/etc/elasticsearch/elasticsearch.yml` to set network.host: localhost. Start and enable it: sudo systemctl enable elasticsearch && sudo systemctl start elasticsearch. Install Kibana similarly and configure it to connect to Elasticsearch.
– Shipping Logs with Filebeat: Install Filebeat on the Snort and DVWA VMs. On the Snort VM, install Filebeat: sudo apt install filebeat. Configure `/etc/filebeat/filebeat.yml` to point to the Logstash/Elasticsearch host. Enable the Snort module: sudo filebeat modules enable snort. Load the index template and start Filebeat.
– Visualization: In Kibana, create an index pattern for `filebeat-*`. Navigate to the “Discover” tab to view Snort alerts in real-time. You can create dashboards to visualize attack frequency, source IPs, and targeted ports, providing full situational awareness.
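Before the dashboards exist, it helps to know what fields a Snort console alert actually carries. This added example (not Filebeat, Kibana or Snort code) parses constructed alert lines in the `-A console` format into records and builds the per-source and per-port counts the text says the dashboard should show.

```python
"""Parse Snort console/fast alert lines and aggregate the fields a SOC
dashboard charts. Added example; the alert lines below are constructed."""
import re
from collections import Counter

# Constructed alert lines in the format Snort prints with '-A console'.
SNORT_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:1] NMAP TCP Scan detected [**] [Priority: 0] {TCP} 192.168.10.50:54321 -> 192.168.10.20:80
01/15-10:23:55.654321  [**] [1:1000001:1] NMAP TCP Scan detected [**] [Priority: 0] {TCP} 192.168.10.50:54322 -> 192.168.10.20:443
01/15-10:24:05.000001  [**] [1:1000001:1] NMAP TCP Scan detected [**] [Priority: 0] {TCP} 192.168.10.51:40000 -> 192.168.10.20:80
this line is not an alert and must be skipped by the parser
"""

# timestamp, [gid:sid:rev], message, optional classification, priority,
# protocol, then src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is dropped."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # noise or a truncated line: never let it poison counts
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records):
    """Counts a dashboard would show: alerts by source IP, target port, rule."""
    return {
        "by_src": dict(Counter(r["src"] for r in records)),
        "by_dport": dict(Counter(r["dport"] for r in records)),
        "by_sid": dict(Counter(r["sid"] for r in records)),
    }


if __name__ == "__main__":
    print(summarize(parse_alerts(SNORT_ALERTS)))
```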
6. Secure Tunneling: Implementing OpenVPN for Remote Access
A secure enterprise allows authorized remote access. Configuring OpenVPN on pfSense ensures that administrative access to the lab network is encrypted and authenticated.
Step‑by‑step guide explaining what this does and how to use it:
– Enable OpenVPN: In the pfSense web GUI, go to VPN > OpenVPN > Wizards. Choose “Local User Access” as the type. Fill in the tunnel settings (e.g., Tunnel Network: 10.0.8.0/24). Create a Certificate Authority if one doesn’t exist.
– User Creation: Navigate to System > User Manager. Add a user and set a password. Under “User Certificates”, click “+ Add” to create a user certificate for VPN authentication.
– Client Export: Go to VPN > OpenVPN > Client Export. Here, you can download a pre-configured OpenVPN client package for various operating systems.
– Client Connection: Install OpenVPN client software on your host machine. Import the downloaded configuration file and connect. Once connected, you should be able to ping internal lab resources, allowing for secure remote administration.
What Undercode Says:
- Bridging the Theory-Practice Gap: This project demonstrates that cybersecurity mastery is achieved not just by reading textbooks, but by building, breaking, and fixing systems. It transforms abstract concepts like “defense in depth” into tangible, operational knowledge.
- The Analyst Mindset: By alternating between Red and Blue Team activities, learners develop a dual perspective crucial for effective security—understanding how attacks work to build better defenses, and analyzing logs to piece together an attacker’s narrative from raw data.
Prediction:
As enterprise infrastructures become increasingly hybrid and complex, the ability to build and validate security controls in a contained lab environment will become a non-negotiable skill for SOC analysts. We will see a rise in “Infrastructure as Code” applied to security labs, where environments like this are scripted using tools like Terraform and Ansible, allowing for rapid, repeatable, and complex attack/defense simulations that directly mirror production cloud-native architectures.
Reported By: Vaishnavi Patil – Hackers Feeds