Sunday, May 9, 2010

Mobile Security Training Lab 1.0

During my tenure at ITT providing classroom labs and a bi-weekly security workshop I found the distinct need to be able to easily provide a security-training environment that could provide the following elements:

  1. Separation: The school lab computers are connected to the corporate network. This is less than ideal for working with information security topics.
  2. Monitoring: I wanted monitoring platforms for two reasons, first to be able to monitor the network activity of students, secondly to teach them how to monitoring using open source monitoring tools and platforms.
  3. Portability: I’m there 4 times a week so I need to be able to pick up my environment and take it home with me every evening so I can make needed adjustments, perform upgrades, etc.
  4. Resiliency: I require an environment that can take a licking and be restarted to keep ticking. Virtualization really fits the bill here.
Lets address the solutions in the same order so that we can keep them straight.

  • Separation: We needed to be able to have our own network to work on, four times a week. Clearwire really does the job for this scenario. It’s inexpensive ($55/month for a standard modem and a USB modem), it has a decent connection speed and is quick to setup/teardown. This is been teamed with a Linksys WRT150N running DD-WRT. This runs WPA (I have students with older laptops so I had to back off of WPA2) with a key that I rotate every so often.
  • Monitoring: Since I own the network I am free to utilize whatever monitoring tools and techniques that are at my disposal. I attempted to use HeX Live in as a Virtualbox appliance but had trouble with the virtualized interfaces being able to sniff traffic all the time. Over the last week I have opted to use Securix-NSM. It works right out of the box and supports sguil servers, which make me very happy (I prefer sguil over BASE). In addition to these live CDs converted into Virtualbox appliances I will occasionally utilize tcpdump or tshark for a quick and dirty pcap grab and analyze the output in Wireshark.
  • Portability: This one is huge. I need to be able to work on labs while I am away from the college and then run them (or disseminate them) while I’m there. Laptops running Virtualbox to the rescue! I must admit, before recent training tenure I was a VMWare fanboy. I have definitely flip flopped in that regard, I have only retained VMWare Fusion on my MacBook Pro because I like the Windows VM integration tools. So three laptops get the job done (yes, I could carry less but I use three for work anyway).
  • Resiliency: Another big one for me, it’s not so much when we are working on Wireshark or tcpdump labs or writing snort signatures. But when we are using Metasploit, or exploits from other sources its nice to just roll back to a snapshot of a virtual machine and spin it back up again. This wouldn’t be complete without a peek into the actual environment. I am using the following Virtualbox appliances that I created for various purposes:
Network Penetration Testing

BackTrack 4
Final Pentoo 2009.0

Web Application Penetration Testing

OWASP Live CD
Samurai-WTF

VOIP Security Assessments

Viper-VAST

Digital Forensics

Helix 1.9
SANS SIFT 2.0

Network Security Monitoring

While in bridged networking mode I have been unable to get any virtual adapters to sniff properly except PCnet-FAST III. You could also put your environment in Virtualbox’s “Internal Networking” which behaves as a hub as opposed to a switch.

HeX Live 2.0
Securix-NSM OSSIM 2.2.1
OpenIDS 2

Firewalls

You will need to configure multiple virtual adapters for these to function as created. See the point above considering the sniffing interfaces.

Honeywall Roo 1.4

pfSense 1.2.3

Hacking Challenges

The first three images are bootable, so you don’t need to create a big hard disk for them. I created a “small” 1GB disk for each of them, and have the VMs configured to mount their respective ISOs on boot. pWnOS is a VMware appliance and will require importing and tweaking to work correctly in Virtualbox.

De-ice.net 100
De-ice.net 110
Damn Vulnerable Linux 1.5
pWnOS 1.0

Vulnerable Hosts

Windows 2000 SP1 (Professional, Server, Advanced Server)
Windows 2003 SP0
Windows XP SP2
Ubuntu Server 7.04
AsteriskNOW
Elastix

Generic Hosts

Opensolaris 2009.06
Windows 7 Ultimate

Rootwars

Custom Redhat 9 appliance

All of the appliances are on all 3 laptops affording me maximum flexibility in developing configurations and scenarios for the students to learn from. The remaining issues that didn’t make the master list as distinct topics; time and cost. It took awhile to put together these appliances in Virtualbox but it was time well spent. Now, regardless of where I deliver training I can focus on that rather than what unpredictable elements another environment might bring.

That leaves us with cost. Most of these were developed with Open Source software so the only licenses that came into play were the Windows ones. I have all of the W2K OSes from the MS Select Program a long, long, long time ago. I used one of the licenses from IRON::Guard for Windows XP SP2 and Windows 7 respectively. So, for very little cost I have a kick ass portable training environment I can take anywhere. I hope that this write up helps someone cut some corners off of their development time to put together a mobile lab or give them inspiration to improve upon my humble offerings. Till next time.

May Your Skill Prevail.

1 comment:

m said...

Thanks for including VIPER VAST!