Saturday, April 20, 2013

My Home Security Lab (Part I)

Like many folks interested in information security, I have a home lab environment.  I thought I'd share my setup just to provide another option for anyone who might be looking for examples of how to create their own lab.  In this first post, I'll go over my requirements and hardware choices.  In subsequent posts, I'll talk about my physical and virtual network topology and configuration.

Many different configurations and combinations of virtual and physical infrastructure could be used depending on what your ultimate goal (and budget) is.  I primarily wanted a network security monitoring (NSM) lab, so I had the following requirements:
  • Capability to run several (3-4 or more) machines (physical and/or virtual) at the same time
  • Capability to monitor all of those machines via a physical tap, a switch mirror/SPAN port, or a virtual configuration
  • Expandable storage for saving full-content packet captures, creating a large number of VMs and snapshots, and whatever other needs arise over time
  • Ability to segregate the lab traffic from the rest of my home network
  • CPU support for virtualization extensions (VT-x and VT-d)
  • Flexibility for additional future uses, such as password cracking, malware analysis, or other uses I may not have considered
  • Spend as little money and reuse as much existing hardware as possible
With those requirements, I decided a virtualization server was the only way to go in terms of flexibility.  That meant the first decision was to select a virtualization platform.  I settled pretty quickly on VMware's vSphere Hypervisor since it's free, has a very small footprint (144MB), and is packed with features.  There are other options such as Proxmox VE, Xen Hypervisor, or running VirtualBox or VMware Workstation in a host operating system, but I never seriously considered those.  That doesn't mean, however, that these options aren't viable - Richard Bejtlich runs such a setup using VMware Workstation as a "server" that seems to work great for his requirements, and there are many examples out there if you look.  It boils down to your personal preferences and what meets your needs.

I looked at several new and refurbished machines, but never found quite the specifications I was looking for within an acceptable price range, so I decided to build my own "white box" VMware ESXi server.  It can be tricky finding consumer grade hardware that is compatible with VMware's enterprise hypervisor, and one of the most difficult items to find is a compatible motherboard that still has the features you want.  I narrowed my choices down to ASRock boards primarily based on information I found at Paul Braren's TinkerTry blog and specifically his vZilla build.

Ultimately I settled on the following build:

| Component | Make/Model | Price | Vendor |
|---|---|---|---|
| CPU | Intel Core i7 3770 3.4GHz LGA 1155 (Ivy Bridge) | $279.99 | |
| Motherboard | ASRock Z77 Fatal1ty Professional | $238.49 | |
| Case | Cooler Master CM 690 II Advanced | $79.99 | |
| Power Supply | Cooler Master Silent Pro M 600W | $45.07 | |
| Memory | 32GB G.Skill Ripjaws X Series | $174.24 | |
| Graphics Card | Nvidia Quadro | $0.00 | On-hand |
| Hard Drive | 250GB 3.5" SATA III | $0.00 | On-hand |
| Optical Drive | No-name SATA DVD-ROM | $0.00 | On-hand |
| Network Adapters x2 | Realtek 10/100/1000MB | $0.00 | On-board motherboard |
| Total: | | $817.78 | |

A few notes about these choices:

  • All prices are from about six months ago, and some reflect sale prices or promo codes available at the time, so your mileage may vary.  More recently I added two Seagate Barracuda 2TB 6GBs drives for more storage and to reduce the higher disk I/O I would have running everything off one hard drive - these ran about $70.00 and $80.00 on sale.
  • The motherboard was chosen for its VMware compatibility; its considerable number of PCI slots, which will allow me to add additional network adapters as needed for various configurations; more than enough SATA ports; and VT-d passthrough support, which allows you to directly connect hardware to a VM without it running through the virtualization platform.  My board has on-board Realtek NICs, but I think the latest version of this same board has Broadcom NICs, so you need to make sure VMware drivers are available.
  • I went with an Intel CPU simply for the quality and performance.  I briefly considered AMD's six and eight core FX CPUs since they were comparably cheaper and I thought the extra cores might be useful for virtualization.  However, I couldn't find any definitive information regarding their performance over Intel's hyper-threaded quad-core i7 and did find some anecdotal evidence that they would not perform as well, so I just stuck to the known quantity.
  • I could probably get by with a lower powered power supply, but I wanted room for expansion.
  • At some point I would like to fill up my drive bays with four more 2TB drives and add a hardware RAID controller, but right now those features are more "wants" than "needs", so I'll save my money for other things.
So, that's my hardware.  In coming posts I'll discuss my vSphere configuration, as well as a little about my physical infrastructure.

Monday, April 15, 2013

From paid to free...

So, this is my first post on a blog I'm not sure how often I will even use.  For a while I was paying for a web hosting account and a domain name, mostly to share family photos and do a little blogging specifically for friends and family.  It wasn't too long before I realized that no one would take the time to log into my web site to view my photos and blog posts since everyone is already on Facebook and other social media sites, which I still haven't fully embraced (I don't even have a Facebook account although I've gotten addicted to Twitter in the past few months!).

I also intended to set up a sub-domain to start yet another information security blog, but never got around to it.  In the end I kept the domain name and hosting account just to use it as an SSH proxy for browsing the web on untrusted networks.  Finally I got around to setting up a VPN server at home and no longer had any use for the web site, so I closed it down and saved some money.  Recently I got another inkling to start an infosec blog, so I thought I'd set up this one and see where it goes.

Rather than trying to write content to attempt to draw readers (although that would be nice), I'll probably use it as more of a personal note-taking device, a placeholder for things I don't want to search for, or random topics that interest me.  After all, if I'm not interested in what I'm writing about, I don't expect anyone else will be either!