
Planning lab security

After defining the lab topology and choosing the lab components, it is time to take a closer look at security. Obviously, we do not want to become somebody's victim because we intentionally leave a lot of vulnerabilities in the lab environment.

At the same time, practicing security evasion techniques is definitely important for penetration testers and security specialists, especially for developing their skills to an advanced level.

In line with our general security requirements and the purpose of the lab, we are going to configure maximal security at the entry points to the lab network: the gateway and the trusted WLAN.

Next, we define the lab security requirements in detail and group them by area.

Access control

Access control is a powerful measure that lets us enforce security if it is designed and configured properly. At the same time, it increases network complexity, which makes attacks more sophisticated and lets us make the hacking exercises more interesting and more useful in terms of the skills acquired.

For the purposes of our lab, access control is applied at two main levels: network-based, implemented on network devices, and host-based, implemented on the hosts themselves.

Keeping that in mind, let's define network-based access control requirements:

  • If we are going to let our lab components access the Internet but keep them directly unreachable in the other direction (from the Internet), we should use network address translation (NAT) on both of our routers. Strictly speaking, it is the stateful filtering that accompanies NAT which blocks unsolicited inbound connections; NAT by itself only hides the internal addresses.
  • Workstations should be reachable from the server segment without any limitations.
  • To protect the internal lab from intrusion through the guest WLAN, the internal network must not be reachable from the guest subnet at all, and the guest WLAN must not be reachable from the internal network. Untrusted guest devices should only be able to access the Internet.
  • To allow all attacks, the whole lab network should be reachable by authenticated WLAN users without any limitations.

If correctly implemented, these access control rules, combined with the chosen network topology, will significantly raise our lab's security and bring practicing network attacks to a higher level.
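The four rules above only behave as intended if their order is right: the guest-isolation rules have to be evaluated before the "authenticated WLAN users may reach everything" rule, otherwise the trusted WLAN becomes a bridge into the guest subnet. The following is an added example, not code from the book: it encodes the requirements as a first-match rule table, evaluates sample flows against it, checks the table for shadowed (unreachable) rules, and renders it as an nftables forward chain. The segment and interface names are assumptions for this example, and NAT is modelled as "the Internet may only answer connections the lab opened", which is what the conntrack established/related rule enforces in practice.

```python
"""Lab network access control as a first-match rule table (added example)."""
from dataclasses import dataclass
from itertools import product

# Lab segments and the router interface assumed to face each of them.
INTERNET, TRUSTED_WLAN, GUEST_WLAN, SERVERS, WORKSTATIONS = (
    "internet", "trusted_wlan", "guest_wlan", "servers", "workstations")
IFACE = {INTERNET: "eth0", TRUSTED_WLAN: "wlan0", GUEST_WLAN: "wlan1",
         SERVERS: "eth1", WORKSTATIONS: "eth2"}   # assumed interface names
ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str        # segment name or ANY
    dst: str
    action: str     # "accept" or "drop"
    comment: str


# Evaluated top to bottom; the first matching rule decides a new flow.
# Guest isolation comes before the trusted-WLAN allow on purpose: "the whole
# network" for authenticated users means the lab segments, not the guest WLAN.
POLICY = [
    Rule(INTERNET, ANY, "drop", "NAT: the Internet never initiates into the lab"),
    Rule(GUEST_WLAN, INTERNET, "accept", "guest devices get Internet only"),
    Rule(GUEST_WLAN, ANY, "drop", "guest WLAN must not reach the internal lab"),
    Rule(ANY, GUEST_WLAN, "drop", "internal lab must not reach the guest WLAN"),
    Rule(TRUSTED_WLAN, ANY, "accept", "authenticated WLAN users may attack anything"),
    Rule(SERVERS, WORKSTATIONS, "accept", "server segment reaches workstations freely"),
    Rule(ANY, INTERNET, "accept", "lab components go out through NAT"),
    # Flows the requirements do not mention (for example workstation to
    # server) end here; they would be opened per service later.
    Rule(ANY, ANY, "drop", "default deny"),
]


def first_match_index(src, dst, policy=POLICY):
    """Index of the first rule matching a new flow from src to dst."""
    for i, rule in enumerate(policy):
        if rule.src in (ANY, src) and rule.dst in (ANY, dst):
            return i
    raise ValueError("policy has no catch-all rule")


def first_match(src, dst, policy=POLICY):
    return policy[first_match_index(src, dst, policy)]


def is_allowed(src, dst, policy=POLICY):
    return first_match(src, dst, policy).action == "accept"


def shadowed_rules(policy=POLICY, segments=tuple(IFACE)):
    """Indexes of rules that are never the first match for any pair of
    distinct segments. A shadowed rule means the table does not say what
    its author thinks it says."""
    reached = {first_match_index(s, d, policy)
               for s, d in product(segments, segments) if s != d}
    return [i for i in range(len(policy)) if i not in reached]


def to_nftables(policy=POLICY):
    """Render the table as an nftables ruleset: stateful forward chain plus
    masquerading towards the Internet interface."""
    out = ["table inet lab {",
           "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept",
           "    ct state invalid drop"]
    for rule in policy:
        clause = []
        if rule.src != ANY:
            clause.append(f'iifname "{IFACE[rule.src]}"')
        if rule.dst != ANY:
            clause.append(f'oifname "{IFACE[rule.dst]}"')
        clause.append(f'{rule.action} comment "{rule.comment}"')
        out.append("    " + " ".join(clause))
    out += ["  }",
            "  chain postrouting {",
            "    type nat hook postrouting priority 100;",
            f'    oifname "{IFACE[INTERNET]}" masquerade',
            "  }",
            "}"]
    return "\n".join(out)


if __name__ == "__main__":
    for src, dst in [(GUEST_WLAN, SERVERS), (TRUSTED_WLAN, GUEST_WLAN),
                     (SERVERS, WORKSTATIONS), (INTERNET, SERVERS)]:
        r = first_match(src, dst)
        print(f"{src:>13} -> {dst:<13} {r.action:<6} ({r.comment})")
    print("shadowed rules:", shadowed_rules())
    print(to_nftables())
```

Running the script prints the decision for a few flows, confirms that no rule is shadowed, and emits the ruleset; moving the trusted-WLAN rule above the two guest-isolation rules makes `shadowed_rules()` report the rule that no longer applies to anything, which is the check to run whenever the table is edited.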

Integrated security mechanisms

The security of any infrastructure is measured by its weakest component. Therefore, protection of the infrastructure should consist of several layers; only layered protection can provide a high level of security. It is important to understand that an information security system consists not only of dedicated security products, but also of the security mechanisms built into the components of the infrastructure.

To review and choose built-in security mechanisms, we will work upward from low to high levels, from hardware to software.

Often, cheap wired network devices have only a limited set of basic security mechanisms, such as access control and basic traffic filtering (simple rule-based firewalling), for example, filtering based on MAC addresses. Keep in mind that MAC-based filtering is easily bypassed by address spoofing, so it deters only opportunistic attackers. Still, in most cases these measures are sufficient to significantly reduce the risk of security violations and to protect against self-propagating malware and attackers of average skill.

It is important to mention that network devices have management interfaces which must be protected very carefully, because they pose a great risk to the whole network infrastructure. Usually there are several such interfaces, reachable over various network ports (Telnet, SSH, and web), and access to them is granted by a combination of login and password. If an attacker gains access to these interfaces, the consequences can be painful for the infrastructure, up to interception of business-critical information and interruption of all network services of the entire company.

According to our security requirements, we will use integrated security mechanisms differently on the network entry points (gateway and wireless access points), which have to be protected, and on the internal network devices, which have to stay vulnerable for training purposes.

We will leave the built-in security features of the internal network devices at their default settings and will configure the following on the network entry points:

  • Strong network-based access control
  • Strong password policies for authentication
  • Event logging
  • Encrypted management communications where possible (HTTPS and SSH)
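Because the entry points are the only devices that are supposed to stay hardened, it is worth checking their configuration against these four items mechanically rather than by eye. The following is an added example, not code from the book: it audits a gateway configuration for each item. Both configurations are constructed for this example and follow Cisco IOS command syntax; other vendors spell these settings differently, so the matched command strings, the 12-character minimum and the management subnet are assumptions to adapt to your own devices.

```python
"""Audit an IOS-style gateway configuration for the entry-point hardening list (added example)."""
import re

# Constructed: a gateway left at factory-style settings.
INSECURE_GATEWAY = """\
hostname lab-gw
!
ip http server
!
line vty 0 4
 transport input telnet ssh
 password cisco
 login
!
"""

# Constructed: the same gateway after applying the four items above.
HARDENED_GATEWAY = """\
hostname lab-gw
!
service password-encryption
security passwords min-length 12
!
ip access-list standard MGMT
 permit 10.0.10.0 0.0.0.255
!
no ip http server
ip http secure-server
!
logging buffered 65536
logging host 10.0.10.20
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
!
"""

MIN_PASSWORD_LENGTH = 12   # assumed policy value


def blocks(config):
    """Yield (top-level command, [indented sub-commands]) in IOS layout."""
    header, children = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line, []
    if header is not None:
        yield header, children


def audit(config):
    """Return {check: [finding, ...]} containing only the checks that fail."""
    top = [h for h, _ in blocks(config)]
    vty = [c for h, c in blocks(config) if h.startswith("line vty")]
    findings = {}

    def fail(check, message):
        findings.setdefault(check, []).append(message)

    # 1. Strong network-based access control: management only from an ACL.
    if not vty:
        fail("management-acl", "no vty lines defined")
    for children in vty:
        if not any(re.fullmatch(r"access-class \S+ in", c) for c in children):
            fail("management-acl", "vty line has no inbound access-class")

    # 2. Password policy: encrypted secrets, minimum length, per-user logins.
    if "service password-encryption" not in top:
        fail("password-policy", "service password-encryption missing")
    m = next((re.fullmatch(r"security passwords min-length (\d+)", h)
              for h in top if h.startswith("security passwords min-length")), None)
    if m is None or int(m.group(1)) < MIN_PASSWORD_LENGTH:
        fail("password-policy", f"minimum password length below {MIN_PASSWORD_LENGTH}")
    for children in vty:
        if any(c.startswith("password ") for c in children):
            fail("password-policy", "vty uses a shared line password; use login local")

    # 3. Event logging: the buffer is lost on reload, so require a syslog host.
    if not any(h.startswith("logging host") for h in top):
        fail("event-logging", "no remote syslog host configured")

    # 4. Encrypted management only: no cleartext HTTP, vty restricted to SSH.
    if "ip http server" in top:
        fail("encrypted-management", "cleartext HTTP management enabled")
    for children in vty:
        transport = next((c for c in children if c.startswith("transport input")), None)
        methods = set(transport.split()[2:]) if transport else {"all"}
        if methods != {"ssh"}:
            fail("encrypted-management", f"vty accepts {sorted(methods)}; allow ssh only")
    return findings


def failing_checks(config):
    """Sorted names of the checks that fail, empty when the device passes."""
    return sorted(audit(config))


if __name__ == "__main__":
    for name, cfg in [("insecure", INSECURE_GATEWAY), ("hardened", HARDENED_GATEWAY)]:
        print(name, "->", failing_checks(cfg) or "passes all checks")
        for check, messages in audit(cfg).items():
            for msg in messages:
                print(f"  [{check}] {msg}")
```

The insecure configuration fails all four checks; the hardened one passes. The same structure works for the wireless access points once the command strings are replaced with the vendor's own.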

The next level of network abstraction is the hosts (servers and workstations). When we consider hosts from an information security point of view, we are really considering their operating systems. In a security context, an operating system is system software with a set of local and network services that mediate between the user and the infrastructure. Needless to say, modern operating systems come with built-in security features, aimed primarily at protection against unauthorized access. Typical ones are:

  • Identification and authentication (account management, password policies, and so on)
  • Authorization
    • Separation of access to data stores (file and object permissions)
    • Control over software installation and execution
    • Control over management of OS services
    • Control over changes to OS and system application settings
  • Network traffic filtering (built-in firewalls)
  • Integrity checking of OS system files
  • Event logging

In our lab, we will have to distinguish host configurations by two roles, server and workstation, since their functions differ.

To allow analysis and investigation of security incidents and attacks, the event logging subsystem should also be activated on all hosts. On servers, logging should be more detailed than on workstations; for example, it is important to log successful and failed login attempts. A more interesting event to log on workstations is the periodic stopping and starting of services, because it is very likely a sign of malware activity. Since the lab hosts are meant to be compromised, forward the logs to a host outside the attack scope so that they survive a successful intrusion.
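The two log sources named above lead to two different detections: on the server, a burst of failed logins from one source followed by a success; on the workstation, a service that keeps stopping and starting, or a security service that stops at all. The following is an added example, not code from the book, that runs both detections over constructed log lines. The server lines imitate OpenSSH's syslog messages and the workstation lines imitate a flattened Windows Service Control Manager event (ID 7036); the thresholds, windows and the list of security services are assumptions for illustration.

```python
"""Review server and workstation event logs for the events discussed above (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed server log: a password-guessing run that eventually succeeds,
# plus one ordinary key login and one isolated typo.
SERVER_LOG = """\
2023-05-01T10:00:01 lab-srv sshd[1201]: Failed password for admin from 10.0.30.15 port 51000 ssh2
2023-05-01T10:00:04 lab-srv sshd[1202]: Failed password for admin from 10.0.30.15 port 51001 ssh2
2023-05-01T10:00:07 lab-srv sshd[1203]: Failed password for admin from 10.0.30.15 port 51002 ssh2
2023-05-01T10:00:10 lab-srv sshd[1204]: Failed password for invalid user root from 10.0.30.15 port 51003 ssh2
2023-05-01T10:00:13 lab-srv sshd[1205]: Failed password for admin from 10.0.30.15 port 51004 ssh2
2023-05-01T10:00:20 lab-srv sshd[1207]: Accepted password for admin from 10.0.30.15 port 51006 ssh2
2023-05-01T10:05:00 lab-srv sshd[1300]: Accepted publickey for backup from 10.0.20.5 port 40000 ssh2
2023-05-01T10:06:00 lab-srv sshd[1301]: Failed password for backup from 10.0.20.5 port 40001 ssh2
"""

# Constructed workstation log: a flapping spooler, a stopped antivirus, and a
# normal update service restart that should not be flagged.
WORKSTATION_LOG = """\
2023-05-01T11:00:00 lab-ws1 SCM 7036: The Print Spooler service entered the stopped state.
2023-05-01T11:00:02 lab-ws1 SCM 7036: The Print Spooler service entered the running state.
2023-05-01T11:00:30 lab-ws1 SCM 7036: The Print Spooler service entered the stopped state.
2023-05-01T11:00:31 lab-ws1 SCM 7036: The Print Spooler service entered the running state.
2023-05-01T11:01:00 lab-ws1 SCM 7036: The Print Spooler service entered the stopped state.
2023-05-01T11:01:01 lab-ws1 SCM 7036: The Print Spooler service entered the running state.
2023-05-01T11:02:00 lab-ws1 SCM 7036: The Windows Defender Antivirus Service service entered the stopped state.
2023-05-01T11:30:00 lab-ws1 SCM 7036: The Windows Update service entered the stopped state.
2023-05-01T12:10:00 lab-ws1 SCM 7036: The Windows Update service entered the running state.
"""

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SCM_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) SCM 7036: The (?P<svc>.+?) service entered "
                    r"the (?P<state>stopped|running) state\.$")
SECURITY_SERVICES = {"Windows Defender Antivirus Service", "Windows Firewall"}  # assumed


def review_server_log(text, threshold=5, window=timedelta(minutes=10)):
    """Alerts for sources with >= threshold failed logins inside `window`,
    and for a later successful login from such a source."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["result"] == "Failed":
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, f"{len(failures[src])} failed logins within {window}"))
        elif src in flagged:
            alerts.append(("success_after_brute_force", src, f"user {m['user']} via {m['method']}"))
    return alerts


def review_workstation_log(text, cycles=3, window=timedelta(minutes=10)):
    """Alerts for any stop of a security service, and for a service that
    completes >= `cycles` stop/start cycles inside `window`."""
    last_stop, restarts = {}, defaultdict(list)
    flagged, alerts = set(), []
    for line in text.splitlines():
        m = SCM_RE.match(line)
        if not m:
            continue
        ts, svc = datetime.fromisoformat(m["ts"]), m["svc"]
        if m["state"] == "stopped":
            last_stop[svc] = ts
            if svc in SECURITY_SERVICES:
                alerts.append(("security_service_stopped", svc, ts.isoformat()))
        elif last_stop.pop(svc, None) is not None:      # a start that closes a stop
            restarts[svc] = [t for t in restarts[svc] if ts - t <= window] + [ts]
            if len(restarts[svc]) >= cycles and svc not in flagged:
                flagged.add(svc)
                alerts.append(("service_flapping", svc, f"{len(restarts[svc])} stop/start cycles within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in review_server_log(SERVER_LOG) + review_workstation_log(WORKSTATION_LOG):
        print(*alert, sep=" | ")
```

The server review raises `brute_force` on the fifth failure from 10.0.30.15 and `success_after_brute_force` when that source logs in; the single failure from 10.0.20.5 stays silent. The workstation review flags the spooler after its third restart and the stopped antivirus service, while the update service's one slow restart is ignored.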

The information systems used in our testing infrastructure generally have a minimum set of security mechanisms, usually authentication, access control, and event logging. The set of mechanisms and their possible settings is individual to each information system.

The built-in security mechanisms configured by default on modern Windows and Linux workstations provide a sufficient level of security for our needs. Therefore, we will leave them as they are in most cases, but we will strengthen workstation security with additional third-party security solutions, which we discuss in the next topic.

Since all servers and workstations will be virtual machines, it is wise to use a convenient virtualization feature: the snapshot. A snapshot is a saved system state that can be quickly restored. We recommend saving at least two security states as snapshots. The first is less secure, for practicing simple and moderately complicated attacks; the second is hardened, for practicing advanced attack techniques, or for when you do not need to attack the host at the moment but it must be running to provide services to the other hosts under attack. Take both snapshots before the machine is first exposed to the lab network, so that a known-clean state is always available to roll back to.

Security solutions

Although network access control and integrated security mechanisms already provide a good level of security, additional security solutions are a good idea. The intention to practice evasion and breaking techniques, together with the aim of imitating a real enterprise network, are further fundamental reasons for deploying additional security solutions in the lab.

First of all, we need to secure access to the WLAN that authorized users will use to connect to the lab environment. We will configure WPA-Enterprise with mutual certificate-based authentication (EAP-TLS) as the most secure option, and use a RADIUS server running FreeRADIUS for that purpose. FreeRADIUS is free and open source software that provides many authentication options and is relatively easy to configure.

Additional security for some workstations will be provided by a host-based intrusion detection and prevention system (HIDPS) and antivirus software installed on them. This also lets you practice existing security evasion techniques or develop new ones. We will use the free HIDPS with antivirus features developed by COMODO, because it has all the necessary capabilities and is not complicated to configure.
