
Architecting Virtual Machine Labs Table of Contents PDF

500 Pages·2017·13.83 MB·English

Preview Architecting Virtual Machine Labs Table of Contents

All rights, trademarks, and intellectual property belong to their respective rights holders.

Architecting Virtual Machine Labs
Written by: Tony Robinson

Dedication

This is dedicated to IT and computer security people, newbie and veteran alike. I wrote this guide for two reasons:

1) "Published Author" sounds like a great title to have (plus I can cross it off my bucket list).
2) Knowledge sharing. One day, you're going to inherit the mess of infrastructure and terrible security practices we leave behind. This guide may not have all the answers, but hopefully it will give you a nice head start. I just hope that if this guide helped you in some way, you'll repay the kindness to the generation that follows you, offering to guide them as well.

I would like to thank my wife for her patience and unending love, my family for inspiring me to do better, my employer for saying "GO WRITE YOU A BOOK", and finally, several friends who offered to step in and provide feedback and editing when I asked for help. I threw walls of text into a Google doc, but you made it awesome.

Table of Contents

Purpose of this guide
A Note About Software Versions
Prerequisite Knowledge
Hypervisor and Hardware Considerations
    Introduction to Virtualization
    Introduction to Hypervisors
        What is a Hypervisor?
        Bare-metal Hypervisors
        Hosted Hypervisors
    Hardware Considerations
        RAM as a Performance Factor
        Disk I/O as a Performance Factor
            What is seek time?
        CPU Cores and Features as a Performance Factor
        Performance is a Vicious Cycle
    Understanding Virtual Networks - Hosted vs. Bare-metal Hypervisor Networking
        Hosted Hypervisor Networking - Host-Only, Bridged, and NAT Network Segments
            Bridged Networking
            NAT Networking
            Host-Only Networking
            Virtual Network Adapters and You
        Bare-metal Hypervisor Networking - Virtual Switches
Lab Overview
    Design
    Lab Network Description
        Bridged Network
        Management Network
        IPS 1 and IPS 2 Networks
        AFPACKET Bridging between IPS 1 and IPS 2
        Why All The Trouble?
    VMs, Resource Allocations, and Minimum Hardware Requirements
Hypervisor Guides
Setup - Microsoft Client Hyper-V
    Installation
    Hypervisor Preferences
        Server Settings
        User Settings
    Virtual Switches
        Virtual Switch Types
        Creating Virtual Switches Using the Virtual Switch Manager
    Creating the First VM, pfSense
        Adding a New VM
        Initial VM Settings
        Installing pfSense
        Final VM Settings
        Network Configuration
        webConfigurator - Initial Setup
        Making Checkpoints
        pfSense Summary
        What's Next?
    Your Turn
        Kali Linux VM
        SIEM VM
        IPS VM
        Metasploitable 2
    Port Mirroring and MAC Spoofing
        Configuring the IPS VM as a Port Mirroring Destination
        Configuring the pfSense VM as a Port Mirroring Source
        Port Mirroring for the Remaining VMs
    Next Steps
Setup - VirtualBox
    Installation
    Hypervisor Preferences
    Creating the First VM, pfSense
        Adding a New VM
        Initial VM Settings
        Installing pfSense
        Final VM Settings
        Network Configuration
        webConfigurator - Initial Setup
        Take a Snapshot
        pfSense Summary
        What's Next?
    Your Turn
        Kali Linux VM
        SIEM VM
        IPS VM
            Promiscuous Mode
        Metasploitable 2
    Next Steps
Setup - VMware Fusion Pro
    Installation
    Hypervisor Preferences
    Creating the First VM, pfSense
        Adding a New VM
        Installing pfSense
        Final VM Settings
        Network Configuration
        Web Configurator - Initial Setup
        Take a Snapshot
        pfSense Summary
        What's Next?
    Your Turn
        Kali Linux VM
        SIEM VM
        IPS VM
        Metasploitable 2
    Next Steps
Setup - VMware Workstation Pro
    Installation
    Hypervisor Preferences
    Virtual Networks
    Creating the First VM, pfSense
        Adding a New VM
        Installing pfSense
        Final VM Settings
        Network Configuration
        webConfigurator - Initial Setup
        Take a Snapshot
        pfSense Summary
        What's Next?
    Your Turn
        Kali Linux VM
        SIEM VM
        IPS VM
        Metasploitable 2
    Next Steps
Setup - VMware vSphere Hypervisor (ESXi)
    Installation
    Accessing ESXi
    Hypervisor Setup
        Licensing
        Resolving Some Interface Bugs
    Networking and Virtual Switches
        Creating Virtual Switches
        Port Groups
            Adding Port Groups via the ESX Web Interface
            Using the Windows vSphere Client to Work Around ESXi Web Interface Bugs
    Creating the First VM, pfSense
        Adding a New VM
        Installing pfSense
        Final VM Settings
        Network Configuration
        Web Configurator - Initial Setup
        Take a Snapshot
        pfSense Summary
        What's Next?
    Your Turn
        Kali Linux VM
        SIEM VM
        IPS VM
        Metasploitable 2
    Next Steps
pfSense Firewall Rules and Network Services Guide
    Network Configuration - Segmentation and Firewall Config
        Firewall Rules for the WAN Network
        Firewall Rules for the Management Network
        Firewall Rules for the IPS Network
    Network Configuration - Core Network Services
        NTP
        DHCP
        DNS Resolver
        Squid Proxy
Defense in Depth for Windows Hosted Hypervisors
    Unbinding Network Protocols on Windows Virtual Adapters
    Using Windows Firewall to Limit Exposure of Windows Hypervisor Hosts
Automated Patching for Linux Lab VMs
    updater.sh
Remote Lab Management
    Windows Remote Access
        Persistent Static Routes
        Windows SSH and SCP Software
        Generating an SSH Key in Windows Using PuTTYgen
        Using mRemoteNG - Connection Files
        Using mRemoteNG - PuTTY Saved Sessions
        Enabling Key-Based Authentication in Linux/Unix Systems
            Key Copy Method 1: echo append to authorized_keys
            Key Copy Method 2: using vi
            Key Copy Method 3: SCP
            Making Sure It Worked
        How to Use Key-Based Authentication with WinSCP
    Linux, BSD, and OS X Remote Access
        Static Routes in Linux and OS X
            Adding Routes to Linux with the ip Command
            Adding Routes to OS X/BSD with the route Command
        Making Static Routes Persistent
            Linux and BSD Route Persistence via /etc/rc.local
            OS X Route Persistence on Hosted Hypervisors
                flightcheck.sh
            OS X Route Persistence for Bare-metal Hypervisors
                flightcheckBM.sh
        The ssh and scp Terminal Applications
            iTerm2 and Terminator
        Generating SSH Keys Using ssh-keygen
        The alias Command
        Enabling Key-Based Authentication in Unix/Linux Systems
            Key Copy Method 1: echo append to authorized_keys
            Key Copy Method 2: using vi
            Key Copy Method 3: SCP
            Making Sure It Worked
        Using Key-Based Authentication with the SCP Command
    How to Enable SSH on Kali Linux
        Enabling and Securing root SSH
        Adding Your SSH Public Key to root's authorized_keys File
        Disabling Password Authentication Entirely via sshd_config
Network Design Factors When Working with Bare-metal Hypervisors
    Prereqs
    Creating Static Routes
    Creating Firewall Rules
    Dealing with DHCP
    Jump Boxing
        Using a Raspberry Pi as a Jump Box
            Installing the Raspbian Image to Your Raspberry Pi
            Configuring Raspbian
        Creating a Jump Box VM
        Other Physical Jump Boxes
        Preparing Your Jump Box for Service
            Configuring Static DHCP Allocations
            Enabling Key-Based Authentication for Your Jump Box
                Windows
                Linux/OS X/BSD
            Adding Static Routes to Your Jump Box
            Adding Firewall Rules and SSH Tunnels to Allow Access to the VM Lab Networks
                I Can Still Access the pfSense WebConfigurator with My Management Workstation
                I Have Lost Access to the pfSense WebConfigurator UI
            TCP Forwarding and You
                Windows SSH Tunnels
                Linux/BSD/OS X SSH Tunnels
                Testing Your Dynamic Tunnels with FoxyProxy
                Testing Your Forward Tunnels
                    Windows
                    Linux/OS X/BSD
            What? How?
        Closing Note on Jump Boxing Key-Based Authentication
IPS Installation Guide
    Installing and Configuring Snort (via Autosnort)
    Installing and Configuring Suricata (via Autosuricata)
    Testing Your IPS Bridge
Splunk Installation Guide
    Initial Setup (Server Installation)
    (Optional) Requesting and Implementing a Splunk Dev License
    Universal Forwarder Setup
        Splunk TA for Suricata
        Hurricane Labs Add-On for Unified2
        Starting the Forwarder + Persistence
    Testing Splunk and the Universal Forwarder
        Generating the Test Battery
        Verifying Results with Snort
        Verifying Results with Suricata
In Your Own Image
    Visions of What Might Be
        Malware Analysis Lab
        Penetration Testing Lab
        IT/Ops Lab
Summary
    What Have We Learned Today?
Epilogue: We Need You (Now More than Ever)

Purpose of this guide

This guide is designed to teach you about virtualization and how to build out a virtual machine lab environment that is easy to maintain, portable, relatively well secured, and flexible enough to accommodate IT and security students who need an environment in which to practice their trade. The goal is to teach you how to build the baseline network and get familiar with using a hypervisor of your choice. The initial network and VM (Virtual Machine) design we will be working on together can easily be expanded upon, or swapped out to support various roles, such as:

● Testing and/or developing new systems administration tools
● Learning the ropes of offensive security tools for red team
● Practicing with detection and response tools for blue team
● Providing a safe, secure environment to perform reverse engineering, malware analysis and/or exploit development with reasonably good security protections in place

This guide is not meant to be read from front to back. If you do this, you are going to get really bored, and notice a lot of repetition. Think of this book as a "Choose your own adventure" novel; it covers how to produce a robust virtual machine lab environment across five different hypervisors. Unless you're crazy, a VM enthusiast, or a researcher (or some combination), the likelihood that you will want or need to read all five hypervisor setup guides is pretty low. Keeping that in mind, here are my recommendations:

Read all the chapters up to, and including, the "Hypervisor Guides" chapter in order to develop a better understanding of the skills you'll want and need to create your own lab, how virtualization works in general, hardware recommendations, and finally, what you are building, before you pick a hypervisor and actually start building your lab environment.

There are then five chapters detailing how to perform initial setup and configuration of five unique hypervisors:

● Oracle VirtualBox
● Microsoft Client Hyper-V
● VMware Workstation Pro
● VMware Fusion Pro
● VMware ESXi

These chapters instruct you on how to acquire and install the hypervisor of your choosing, configure the hypervisor and VMs to support the virtual machine lab environment I will teach you how to build, and perform initial installation and setup of those virtual machines. Choose a hypervisor that suits your budget and your goals, and follow the setup instructions.

After performing the setup and configuration tasks for the hypervisor of your choice, you are then meant to finish configuring the virtual machines in the lab environment, as well as the hypervisor host or management workstation you will be using to access your virtual machines. Each of the hypervisor setup guides has a section entitled "Next Steps" that recommends what tasks need to be done to finish making the lab functional (e.g. the IDS and Splunk installation chapters), as well as what supplemental chapters to consider reading (e.g. enabling remote access for the lab VMs, hardening hosted hypervisors on Windows, network design factors for bare-metal hypervisors, etc.) for a much better experience when using your VM lab.

A Note About Software Versions

Writing books for security and/or most IT disciplines is a daunting task. The moment you put ink to paper, the information contained in the book deprecates. You see this a lot with textbooks, where multiple revisions need to be written to cover updates in the material. I'll mention which software versions of both the hypervisors and the operating system installation ISOs I used throughout the guides, but don't obsess over using the exact same version I used when I made these guides. These are merely the software versions I had available to me while writing this book. As a security practitioner, I always recommend updating your software when updates are available, and using the most current software version available. This includes hypervisors and OS distributions.

If you're from the future and using future versions of hypervisors and operating systems, you may notice that some configuration settings are not in the exact place a screen capture I made said they were going to be. Button colors and styles may have changed, radio buttons may now be checkboxes, etc. This is because UI (User Interface) developers may have moved a given configuration setting. This is just a fact of life when it comes to new software releases. Sometimes they do it because they can't leave well enough alone, and sometimes they just want to make the user experience (UX) better. So if you're panicking because a given configuration setting has moved, or a checkbox isn't in the location indicated by my screen captures or instructions, don't panic. This is the first rule of any IT related discipline. The second rule is that software changes. Sometimes arbitrarily, sometimes for the better. The third rule is to consult the documentation. Maybe the configuration option has migrated to a new menu location, or maybe it was integrated as part of another, related setting. Consult the product patch notes, the documentation included with the software, and/or the online knowledge base and forums for the product to find out where the configuration setting lives now.

The goal of this book isn't to mindlessly instruct you to click here, open this menu, and check these boxes; it is also for you to understand WHAT the configuration settings you are modifying do, and WHY I am telling you to modify them, so that if and when you want to experiment, make changes, and add or remove features to your
