Vnx-labo-fw

From VNX
Jump to: navigation, search

VNX Security laboratory


Introduction

This scenario has been designed to allow 16 student groups to work together configuring firewalls and using security related tools and Linux security oriented distributions like Kali Linux and Metasploitable. This scenario has been succesfully used in DIT-UPM for years in graduate, master and professional training courses.

The full scenario is divided on 8 basic scenarios (Fig. 1) that include the virtual machines used by two student groups. Each student pod is made of a simple corporate network with a DMZ network running a vulnerable server and an internal network with some hosts, as well as an attacker host on Internet with Kali Linux. Additionaly, a server on Internet is included to allow testing connectivity from inside the corporate network to Internet.

Figure 1: basic scenario for two student groups

Installation

  • Download the escenario bundle and unpack it:
  • wget http://idefix.dit.upm.es/vnx/examples/fw/fw-v01.tgz
    vnx --unpack fw-v01.tgz
    
  • Download and create the root filesystems needed:
  • cd fw/filesystems
    # Create LXC rootfs for firewalls and clients
    ./create-rootfs
    # Download Kali rootfs for attackers
    vnx_download_rootfs -l -r vnx_rootfs_kvm_kali-1.1.0-v025.qcow2 -y
    # Download metasploitable for DMZ server
    vnx_download_rootfs -l -r vnx_rootfs_kvm_ubuntu-8.04-metasploitable-v023.qcow2 -y
    

Starting the scenario

The whole scenario is made of 8 basic scenarios (fw-A.xml, fw-B.xml ... fw-H.xml). Depending on the number of student pods required, start as much scenarios as you need. All the basic scenarios share the "Internet" subnet, so if you start several of them you will get automatic connectivity among all systems (routers run quagga OSPF daemon to provide it).

There is also an scenario named "fw.xml" designed to be used individually that includes only the first pod of fw-A.xml scenario.

To start a basic scenario:

vnx -f fw-A.xml -v --create
Figure 2: fw-A scenario topology

Accessing virtual machines

You have several possibilities to access the virtual machines in the scenario:

Using VM consoles

If you have access to the console of the system where the scenario has been started, you can access the VM consoles directly. All VM offer a textual console but the attackers running Linux that also offer a graphical console.

Using ssh

All the scenarios are configured with VM management interfaces enabled, so you can access all VM from the system where the scenario was started using ssh. Specially useful is to access using "X forwarding option" to be able to start graphical applications.

For example, to access a firewall and start fwbuilder application:

slogin fw -X
fwbuilder

Connecting from external machines

Specially useful is the posibility to integrate external equipment into the scenario, mainly the laboratory PCs, for example, to allow the students to work from a lab PC which is directly connected to the internal net of their scenario.

To do that, you can use the configuration we use in our DIT-UPM laboratories (Fig. 3):

  • A VLAN based switch (VLABswitch) to support the external connections.
  • Laboratory PCs with two Ethernet interfaces, one connected to the production network and another used to connect to VLABswitch.
  • Server running virtual scenarios connected to VLABswitch using a tagged interface.
Figure 3: fw scenario external connections

To connect the virtual scenario to the external equipment you have:

  • Modify the scenario network definitions. For example, to connect the internal network of pod1 to the PC in VLAN 10, you have to edit fw-A.xml scenario and change line:
  • <net name="IntNet1"  mode="virtual_bridge"/>
    

    to:

    <net name="IntNet1" mode="virtual_bridge" external="eth1" vlan="10"/>
    

    Change "eth1" by the name of your server external interface.

  • Configure the corresponding PC port in VLAN10.
  • Configure a route in the PC to send all traffic for the virtual scenario to the router. For example, for PC in VLAN10, the route would be:
  • 10.1.0.0/16 -> 10.1.1.1
    

VNX will automatically manage the creation of the server subinterface in VLAN10 and its connection to the virtual bridge supporting IntNet1.

Connecting the host to the scenario

You can also connect the server running the scenario directly to the virtual Internet network in order to have direct connection from the server to any system in the scenario.

To do that, just start the auxiliar scenario "fw-server.xml" that simply creates the server interface with address 10.1.100.100.

vnx -f fw-server.xml --create

WARNING: this possibility allows the students to directly attack the server from the scenario. Be careful, students can learn too much :-)

fw-A scenario

<?xml version="1.0" encoding="UTF-8"?>

<!--
DESC=PODS 1-2
-->

<vnx xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/usr/share/xml/vnx/vnx-2.00.xsd">
  <global>
    <version>2.0</version>
    <scenario_name>fw-A</scenario_name>
    <!--ssh_version>1</ssh_version-->
    <ssh_key>~/.ssh/id_dsa.pub</ssh_key>
    <automac offset="1"/>
    <!--vm_mgmt type="none"/!-->
    <vm_mgmt type="private" network="10.20.0.0" mask="16" offset="64">
      <host_mapping />
    </vm_mgmt>
    <vm_defaults>
      <console id="0" display="no"/>
      <console id="1" display="yes"/>
    </vm_defaults>
  </global>

  <!-- Networks -->
  <!--net name="Internet"  mode="virtual_bridge" external="eth1" vlan="71"/!-->
  <net name="Internet"  mode="virtual_bridge"/>
  <!--net name="IntNet1"  mode="virtual_bridge" external="eth1" vlan="701"/!-->
  <!--net name="IntNet2"  mode="virtual_bridge" external="eth1" vlan="702"/!-->
  <!-- Internal nets -->
  <net name="IntNet1"  mode="virtual_bridge"/>
  <net name="IntNet2"  mode="virtual_bridge"/>
  <!-- P2P lines -->
  <net name="FW1-RA" mode="virtual_bridge" />
  <net name="FW2-RA" mode="virtual_bridge" />
  <!-- DMZs -->
  <net name="dmz1"  mode="virtual_bridge" />
  <net name="dmz2"  mode="virtual_bridge" />


  <!-- POD 1 -->

  <!-- FW1 -->
  <vm name="fw1" type="lxc">
    <filesystem type="cow">filesystems/rootfs_lxc-fw</filesystem>
    <console id="1" display="yes"/>
    <if id="1" net="IntNet1">
      <ipv4 mask="255.255.255.128">10.1.1.1</ipv4>
    </if>
    <if id="2" net="FW1-RA">
      <ipv4 mask="255.255.255.252">10.1.110.2</ipv4>
    </if>
    <if id="3" net="dmz1">
      <ipv4 mask="255.255.255.128">10.1.1.129</ipv4>
    </if>
    <route type="ipv4" gw="10.1.110.1">default</route>
    <forwarding type="ip" />

    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf -->
    <filetree seq="on_boot, start" root="/etc/">conf/pc1/resolv.conf</filetree>
    
    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 644 /etc/resolv.conf</exec>
  </vm>

  <!-- S1 -->
  <vm name="s1" type="libvirt" subtype="kvm" os="linux" exec_mode="sdisk">
    <filesystem type="cow">filesystems/rootfs_metasploitable</filesystem>
    <mem>192M</mem>
    <if id="1" net="dmz1">
      <ipv4 mask="255.255.255.128">10.1.1.130</ipv4>
    </if>
    <route type="ipv4" gw="10.1.1.129">default</route>

    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf -->
    <filetree seq="on_boot, start" root="/etc/">conf/pc1/resolv.conf</filetree>

    <!-- Copy apache config-->
    <filetree root="/var/www/"  seq="on_boot, start" perms="644">conf/s1/html</filetree>
    <filetree root="/usr/lib/cgi-bin/" seq="on_boot, start" perms="755">conf/s1/lg</filetree>
    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 644 /etc/resolv.conf</exec>
    <!-- Restart bind -->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/bind9 restart</exec>
    <!-- Start apache -->
    <!--exec seq="on_boot, start" type="verbatim">chmod 644 /var/www/*</exec-->
    <!--exec seq="on_boot, start" type="verbatim">chmod 755 /usr/lib/cgi-bin/*</exec-->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/apache2 start</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 755 /var/run/apache2</exec>
  
    <exec seq="on_boot, start" type="verbatim">cp /root/index.html /tmp/</exec>
    <exec seq="on_boot, start" type="verbatim">chown daemon:daemon /tmp/index.html</exec>
    <!-- Stop apache -->
    <exec seq="stop"  type="verbatim">/etc/init.d/apache2 stop</exec>
  </vm>

  <!-- PC1 -->
  <vm name="pc1" type="lxc">
    <filesystem type="cow">filesystems/rootfs_lxc-fw</filesystem>
    <if id="1" net="IntNet1">
      <ipv4 mask="255.255.255.128">10.1.1.10</ipv4>
    </if>
    <route type="ipv4" gw="10.1.1.1">default</route>
    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf -->
    <filetree seq="on_boot, start" root="/etc/">conf/pc1/resolv.conf</filetree>
    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 644 /etc/resolv.conf</exec>
  </vm>


  <!-- POD 2 -->

  <!-- FW2 -->
  <vm name="fw2" type="lxc">
    <filesystem type="cow">filesystems/rootfs_lxc-fw</filesystem>
    <console id="1" display="yes"/>
    <if id="1" net="IntNet2">
      <ipv4 mask="255.255.255.128">10.1.2.1</ipv4>
    </if>
    <if id="2" net="FW2-RA">
      <ipv4 mask="255.255.255.252">10.1.110.6</ipv4>
    </if>
    <if id="3" net="dmz2">
      <ipv4 mask="255.255.255.128">10.1.2.129</ipv4>
    </if>
    <route type="ipv4" gw="10.1.110.5">default</route>
    <forwarding type="ip" />

    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf -->
    <filetree seq="on_boot, start" root="/etc/">conf/pc2/resolv.conf</filetree>

    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 644 /etc/resolv.conf</exec>
  </vm>

  <!-- S2 -->
  <vm name="s2" type="libvirt" subtype="kvm" os="linux" exec_mode="sdisk">
    <filesystem type="cow">filesystems/rootfs_metasploitable</filesystem>
    <mem>192M</mem>
    <if id="1" net="dmz2">
      <ipv4 mask="255.255.255.128">10.1.2.130</ipv4>
    </if>
    <route type="ipv4" gw="10.1.2.129">default</route>

    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf -->
    <filetree seq="on_boot, start" root="/etc/">conf/pc2/resolv.conf</filetree>
    <!-- Copy apache config-->
    <filetree root="/var/www/"  seq="on_boot, start" perms="644">conf/s2/html</filetree>
    <filetree root="/usr/lib/cgi-bin/" seq="on_boot, start" perms="755">conf/s2/lg</filetree>

    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 644 /etc/resolv.conf</exec>
    <!-- Restart bind -->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/bind9 restart</exec>
    <!-- Start apache -->
    <!--exec seq="on_boot, start" type="verbatim">chmod 644 /var/www/*</exec-->
    <!--exec seq="on_boot, start" type="verbatim">chmod 755 /usr/lib/cgi-bin/*</exec-->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/apache2 start</exec>
    <exec seq="on_boot, start" type="verbatim">chmod 755 /var/run/apache2</exec>
   
    <exec seq="on_boot, start" type="verbatim">cp /root/index.html /tmp/</exec>
    <exec seq="on_boot, start" type="verbatim">chown daemon:daemon /tmp/index.html</exec>
    <!-- Stop apache -->
    <exec seq="stop"  type="verbatim">/etc/init.d/apache2 stop</exec>
  </vm>

  <!-- PC2 -->
  <vm name="pc2" type="lxc">
    <filesystem type="cow">filesystems/rootfs_lxc-fw</filesystem>
    <if id="1" net="IntNet2">
      <ipv4 mask="255.255.255.128">10.1.2.10</ipv4>
    </if>
    <route type="ipv4" gw="10.1.2.1">default</route>
    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf -->
    <filetree seq="on_boot, start" root="/etc/">conf/pc2/resolv.conf</filetree>
    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
  <exec seq="on_boot, start" type="verbatim">chmod 644 /etc/resolv.conf</exec>
  </vm>

  <!-- Internet router -->
  <!-- RA -->
  <vm name="ra" type="lxc">
    <filesystem type="cow">filesystems/rootfs_lxc-fw</filesystem>
    <if id="1" net="Internet">
      <ipv4 mask="255.255.255.0">10.1.100.1</ipv4>
    </if>
    <if id="2" net="FW1-RA">
      <ipv4 mask="255.255.255.252">10.1.110.1</ipv4>
    </if>
    <if id="3" net="FW2-RA">
      <ipv4 mask="255.255.255.252">10.1.110.5</ipv4>
    </if>
    <route type="ipv4" gw="10.1.110.2">10.1.1.0/24</route>
    <route type="ipv4" gw="10.1.110.6">10.1.2.0/24</route>
    <forwarding type="ip" />

    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy quagga config -->
    <filetree seq="on_boot, start" root="/etc/quagga/">conf/ra/</filetree>
  
    <!-- Install /etc/hosts -->
    <exec seq="on_boot" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>

    <!-- Config quagga -->
    <exec seq="on_boot,start" type="verbatim" ostype="system">
        mkdir -v /var/log/zebra;
        chown quagga.quagga /var/log/zebra;
        sleep 4;
        mkdir -v /var/run/quagga;
        chown quagga.quagga /var/run/quagga;
        chmod 755 /var/run/quagga;
        chown quagga.quagga /etc/quagga;
        chown quagga.quagga /etc/quagga/*;
        /usr/lib/quagga/zebra  -d;
        /usr/lib/quagga/ospfd -d;
    </exec>

    <!-- Stop Quagga -->
    <exec seq="stop" type="verbatim" ostype="system">killall zebra</exec>
    <exec seq="stop" type="verbatim" ostype="system">killall ospfd</exec>
  </vm>

  <!--Virtual machines in Internet: servers and attackers -->

  <!-- SC -->
  <vm name="sca" type="lxc">
    <filesystem type="cow">filesystems/rootfs_lxc-fw</filesystem>
    <console id="1" display="yes"/>
    <if id="1" net="Internet">
      <ipv4 mask="255.255.255.0">10.1.100.31</ipv4>
    </if>
    <route type="ipv4" gw="10.1.100.1">default</route>

    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot" root="/tmp">conf/hosts/</filetree>
    <!-- Copy apache config -->
    <filetree root="/var/www"  seq="on_boot, start" perms="644">conf/sca/html</filetree>
    <filetree root="/usr/lib/cgi-bin" seq="on_boot, start" perms="755">conf/sca/lg</filetree>

    <!-- Install /etc/hosts -->
    <exec seq="on_boot" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
    <!-- Start apache -->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/apache2 start</exec>
    <!-- Create user/user account-->
    <exec seq="on_boot, start" type="verbatim">mkdir /home/user</exec>
    <exec seq="on_boot, start" type="verbatim">useradd -d /home/user -p x user</exec>
    <exec seq="on_boot, start" type="verbatim">echo "user:user" | chpasswd</exec>
    <!-- Stop apache -->
    <exec seq="stop"  type="verbatim">/etc/init.d/apache2 stop</exec>
  </vm>

  <!-- ATTACKER1 -->
  <vm name="att1" type="libvirt" subtype="kvm" os="linux" exec_mode="sdisk">
    <filesystem type="cow">filesystems/rootfs_kali</filesystem>
    <mem>512M</mem>
    <console id="0" display="yes"/>
    <if id="1" net="Internet">
      <ipv4 mask="255.255.255.0">10.1.100.21</ipv4>
    </if>
    <route type="ipv4" gw="10.1.100.1">default</route>
    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!--Copiy /etc/resolv.conf-->
    <filetree seq="on_boot, start" root="/etc/">conf/attacker/resolv.conf</filetree>
    <!-- Start nessus-->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/nessusd start</exec> 
    <!-- Start apache2-->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/apache2 start</exec> 
    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts/ >> /etc/hosts</exec>
  </vm>

  <!-- ATTACKER2 -->
  <vm name="att2" type="libvirt" subtype="kvm" os="linux" exec_mode="sdisk">
    <filesystem type="cow">filesystems/rootfs_kali</filesystem>
    <mem>512M</mem>
    <console id="0" display="yes"/>
    <if id="1" net="Internet">
      <ipv4 mask="255.255.255.0">10.1.100.22</ipv4>
    </if>
    <route type="ipv4" gw="10.1.100.1">default</route>
    <!-- Copy /etc/hosts -->
    <filetree seq="on_boot, start" root="/tmp/">conf/hosts/</filetree>
    <!-- Copy /etc/resolv.conf-->
    <filetree seq="on_boot, start" root="/etc/">conf/attacker/resolv.conf</filetree>
    <!-- Start nessus-->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/nessusd start</exec> 
    <!-- Start apache2-->
    <exec seq="on_boot, start" type="verbatim">/etc/init.d/apache2 start</exec> 
    <!-- Install /etc/hosts -->
    <exec seq="on_boot, start" type="verbatim">cat /tmp/hosts >> /etc/hosts</exec>
  </vm>

</vnx>