Laboratory Infrastructure Design and Configuration

Project Objectives

In this group project, you will design and configure the common laboratory infrastructure used by all cybersecurity courses. In doing so, you will gain experience in:

  • Network design and operation
  • Router and switch configuration

Note: This is intended to be a permanent configuration for the lifetime of the lab, and not a temporary student project. As such, written design documents and testing are of high importance.

Requirements - Multiple Networks

You should design a laboratory infrastructure that contains multiple networks that are either completely isolated or have limited access between them. The desired networks are:

  1. INSTRUCTOR network
  2. PUBLIC network
  3. STUDENT network
  4. RED network
  5. WIRELESS network

Instructor Network

Purpose: This network contains administrative/instructional hosts

Devices:

  • Management interface of VMWare ESXi host
  • Default interface of VMs running on ESXi host
  • FOG imaging server (ESXi host)
  • Instructor desktop PC
  • RIPE Atlas probe
  • GPS NTP network time server
  • Additional hosts as necessary

Access Requirements:

  • Hosts in the instructor network should be able to access hosts in other networks, provided the instructor host initiates the connection (i.e. a stateful firewall that allows connections originating in INSTRUCTOR together with their return traffic)
  • Hosts in other networks should not be able to initiate connections to hosts in the instructor network

Configuration Requirements:

  • IPv4 DHCP
  • IPv4 NAT to public Internet

Public Network

Purpose: This network contains hosts that are directly accessible off-campus

Devices:

  • Cyberlab Web server (ESXi host)
  • VPN endpoint
  • Additional devices as necessary (honeypot/Internet monitoring device?)

Access Requirements:

  • These devices should be in the static IP subnet assigned by Comcast to the lab
  • Access to these devices should be allowed only to specified services (default deny, allow only specific ports)
  • Devices in this network should not be able to access other networks, only the public Internet

Configuration Requirements:

  • NO IPv4 DHCP
  • NO IPv4 NAT
  • Static IPv4 assignment to hosts using public addresses
  • Static IPv6 assignment to hosts using public addresses

Student Network

Purpose: This network contains the student desktop PCs

Devices:

  • 26 student desktop computers
  • Additional temporary student hosts as needed

Access Requirements:

  • Devices in this network should only be able to access the public Internet

Configuration Requirements:

  • IPv4 DHCP
  • IPv4 NAT to public Internet

Red Network

Purpose: This network contains hosts running known malicious software

Access Requirements:

  • To be determined

Design questions:

  • Should hosts on RED network be able to communicate with other hosts on same network?
  • Should hosts on RED network have access to the public Internet?
  • Key design consideration: How can student PCs connect to this network safely without being immediately infected?
    • Working idea: 802.1Q VLAN trunking directly to the student PCs, with STUDENT carried as the untagged (native) VLAN and RED carried tagged only. Do NOT create a VLAN sub-interface for the RED tag on the host PC itself; the host then discards RED frames because nothing on it handles that tag. Instead, expose the tagged VLAN only to specific virtual machines (through the hypervisor's virtual switch) which can be created/destroyed as needed for lab exercises
    • Must minimize chances of students making a mistake in their configuration - this network should be safe (isolated) by default and require explicit actions to connect to.

Configuration Requirements:

  • IPv4 DHCP
  • NO NAT to public Internet
    • Or NAT but disabled by default with firewall?
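One way to implement the tagged-only RED delivery described above, as an added example that is not part of this project page or the lab's actual configuration, using RouterOS bridge VLAN filtering on a MikroTik switch. The VLAN IDs (10 = INSTRUCTOR management, 30 = STUDENT, 40 = RED), the port names (ether2 onward for student desktops, sfp-sfpplus1 as the uplink to the router) and the management address are assumptions chosen for illustration:

```routeros
# Added example: tagged-only RED VLAN to student desktops on a MikroTik
# switch running RouterOS (bridge VLAN filtering, RouterOS 6.41 or later).
# VLAN IDs, port names and addresses are assumptions, not the lab's values.

# Create the bridge with filtering OFF; it is switched on as the very last
# step so a mistake in the VLAN table cannot lock you out half way through.
/interface bridge
add name=bridge1 vlan-filtering=no

# Student desktop ports (two shown; repeat for the remaining student ports).
# pvid=30 makes STUDENT the untagged/native VLAN: an untouched PC, or one
# that was just re-imaged, lands in STUDENT with no VLAN configuration at all.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=30
add bridge=bridge1 interface=ether3 pvid=30
# Uplink trunk to the router: tagged frames only, no native VLAN.
add bridge=bridge1 interface=sfp-sfpplus1 pvid=1 frame-types=admit-only-vlan-tagged

/interface bridge vlan
# STUDENT (30): untagged toward the desktops, tagged on the trunk.
add bridge=bridge1 vlan-ids=30 untagged=ether2,ether3 tagged=sfp-sfpplus1
# RED (40): tagged ONLY. The desktop NIC receives these frames, but the host
# OS discards them unless a VLAN sub-interface for tag 40 is created; only a
# VM's virtual switch configured for tag 40 should ever do that.
add bridge=bridge1 vlan-ids=40 tagged=ether2,ether3,sfp-sfpplus1
# Switch management rides in INSTRUCTOR (10). The bridge itself must be a
# tagged member, otherwise enabling filtering severs the management session.
add bridge=bridge1 vlan-ids=10 tagged=sfp-sfpplus1,bridge1

/interface vlan
add name=mgmt-vlan10 vlan-id=10 interface=bridge1
/ip address
add address=10.10.0.2/24 interface=mgmt-vlan10

# Last step: enforce the table above.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two checks belong in the test plan for this: a desktop with plain DHCP on its NIC must receive a STUDENT address and must not be able to reach anything in RED, and a VM whose virtual NIC is configured for tag 40 must receive a RED address. Note also that some desktop NIC drivers strip or drop 802.1Q tags before a bridged virtual machine can see them, so the VM-side approach has to be verified on the actual lab hardware rather than assumed.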

Wireless Network

WARNING: Do not bring any wireless access point online without coordinating with instructor first!

Design questions:

  • Should WIRELESS be an extension of the STUDENT network? (with a student username/password)
  • Should WIRELESS be an extension of the INSTRUCTOR network? (with an instructor username/password)
  • Do we want the ability to bridge WIRELESS with any lab network as the situation requires? (e.g. temporarily connect to RED)
  • Should WIRELESS always be active, or only for the duration of specific labs?

Configuration Requirements:

  • IPv4 DHCP
  • IPv4 NAT to public Internet
  • WPA2-PSK (AES)
  • Use an obvious SSID on the access point, e.g. "cyberlab-ctc214-2.4ghz" or "cyberlab-ctc214-5ghz"
  • Key configuration consideration: Minimize interference with other wireless networks
    • Must complete channel scan prior to installation - Is there a channel (5GHz?) that is less heavily used or empty? (Concern: Some IoT devices may only work at 2.4GHz)
    • Configure for the lowest transmit power possible. (On MikroTik radios the configured antenna gain is subtracted from the regulatory EIRP limit, so raising the antenna-gain value makes the device lower its own TX power; set an explicit low TX power as well.) It would be ideal if the network were only usable within the classroom. The 5GHz spectrum will help with limiting wall penetration.
    • Must complete channel scan after activation, and document penetration in neighboring classrooms.
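An added example (not the page's or the lab's configuration) of the WPA2-PSK/AES and low-power settings above on a MikroTik 5GHz radio under RouterOS. The interface name wlan1, the passphrase, the frequency 5180 MHz (channel 36), the antenna gain and the TX power are placeholders to be replaced with the values chosen after the channel survey:

```routeros
# Added example: WPA2-PSK with AES-CCM only (no TKIP fallback) and a
# deliberately low-power 5 GHz access point on a MikroTik radio.
# Every value below is a placeholder, not the lab's real setting.

/interface wireless security-profiles
add name=cyberlab-wpa2 mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-after-site-survey" \
    management-protection=allowed

/interface wireless
set wlan1 mode=ap-bridge ssid="cyberlab-ctc214-5ghz" \
    security-profile=cyberlab-wpa2 \
    band=5ghz-a/n/ac channel-width=20mhz \
    frequency=5180 \
    wireless-protocol=802.11 wps-mode=disabled \
    antenna-gain=6 tx-power-mode=all-rates-fixed tx-power=10 \
    disabled=yes
# frequency:    pick the channel the pre-install survey found least used.
# antenna-gain: RouterOS subtracts this (dBi) from the regulatory EIRP
#               limit, so a higher value lowers the permitted TX power;
#               tx-power (dBm) then caps it further.
# disabled=yes: the radio stays off until the instructor authorizes
#               activation (see the WARNING at the top of this section).
```

Because every student shares the same pre-shared key, anyone holding it can derive another station's session key from a captured four-way handshake; a shared-PSK network is therefore not private between its users. If WIRELESS is meant to be Internet-only, adding default-forwarding=no to the interface blocks station-to-station traffic at the access point.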

Requirements - Additional Features

  • Update the OS and board firmware on the Mikrotik devices to latest releases
  • Firewalls between networks
    • The default security posture should be deny unless a justification for allowing access can be provided
  • DHCP
    • The DHCP server should specify the lab GPS NTP time server
    • The DHCP server should specify Google Public DNS for IPv4 and IPv6
    • We may want to operate and monitor our own DNS server in the future, but not today...
  • VPN endpoint
    • A VPN endpoint should be provided to enable remote access to laboratory systems
    • Standard: IKEv2
    • Instructor should be able to join network as a host in the INSTRUCTOR network
    • Students should be able to join network as a host in the STUDENT network
    • (or if not possible, a VPN-specific network with similar access permissions)
  • IPv6 tunnel (from Hurricane Electric)
    • An IPv6 tunnel should be provided so that hosts in the PUBLIC network are also IPv6 addressable
    • Additional networks may receive IPv6 addresses at a later date
    • Note: Ask instructor to create HE tunnel under his existing account
  • Instructor should be able to create a virtual machine on ESXi host connected to any network
    • Example: Instructor creates a VM running a piece of malicious software in the RED network
    • Example: Instructor creates a set of VMs running known vulnerable software for students to practice on in the GREEN network
    • Example: Instructor starts the FOG VM to re-image student desktop computers in the STUDENT network
    • Proposed method: VLAN trunking (802.1Q) into the ESXi host, since there are not enough Ethernet ports to run a separate wire for each network. On the ESXi virtual switch, create one port group per VLAN, named after the network (e.g. RED), so that VMs are attached by a human-friendly label rather than by raw VLAN ID.
  • The NTP server should be accessible from the INSTRUCTOR, STUDENT, and WIRELESS networks. It should not be accessible from the public internet or from the RED network.
  • Consider using the SFP+ port to connect the router to the VMWare ESXi server; that link carries every VM's traffic and is the likely point of congestion
    • Would need to purchase NIC with SFP+ port for server
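The inter-network firewall, DHCP option and NAT requirements above, collected into one added example for the lab router under RouterOS. This is not the page's or the lab's actual configuration: the VLAN IDs, interface names, private prefixes, the NTP server address 10.10.0.5, the web server and VPN endpoint addresses, and the documentation prefix 203.0.113.0/29 standing in for the Comcast static block are all assumptions, and the IKEv2 endpoint and the IPv6 tunnel are left out:

```routeros
# Added example: default-deny inter-network firewall, DHCP options and NAT
# for the five lab networks on a MikroTik router (RouterOS 6.36 or later
# for interface lists). Addresses, VLAN IDs and names are assumptions.

/interface vlan
add name=vlan10-instructor vlan-id=10 interface=sfp-sfpplus1
add name=vlan20-public     vlan-id=20 interface=sfp-sfpplus1
add name=vlan30-student    vlan-id=30 interface=sfp-sfpplus1
add name=vlan40-red        vlan-id=40 interface=sfp-sfpplus1
add name=vlan50-wireless   vlan-id=50 interface=sfp-sfpplus1

/ip address
add address=10.10.0.1/24   interface=vlan10-instructor
add address=203.0.113.1/29 interface=vlan20-public
add address=10.30.0.1/24   interface=vlan30-student
add address=10.40.0.1/24   interface=vlan40-red
add address=10.50.0.1/24   interface=vlan50-wireless

# Interface lists keep the rules readable and make the policy explicit:
# NATTED = networks that reach the Internet through masquerade,
# NTPOK  = networks allowed to talk to the GPS NTP server.
/interface list
add name=WAN
add name=NATTED
add name=NTPOK
/interface list member
add list=WAN    interface=ether1
add list=NATTED interface=vlan10-instructor
add list=NATTED interface=vlan30-student
add list=NATTED interface=vlan50-wireless
add list=NTPOK  interface=vlan10-instructor
add list=NTPOK  interface=vlan30-student
add list=NTPOK  interface=vlan50-wireless

# DHCP: every scope hands out Google Public DNS and the lab NTP server
# (assumed at 10.10.0.5). PUBLIC gets no scope; its hosts are static.
# One scope shown; INSTRUCTOR, RED and WIRELESS follow the same pattern.
/ip pool
add name=pool-student ranges=10.30.0.50-10.30.0.250
/ip dhcp-server
add name=dhcp-student interface=vlan30-student address-pool=pool-student disabled=no
/ip dhcp-server network
add address=10.30.0.0/24 gateway=10.30.0.1 dns-server=8.8.8.8,8.8.4.4 ntp-server=10.10.0.5

# NAT only for the NATTED list: PUBLIC (public addresses) and RED never match.
/ip firewall nat
add chain=srcnat in-interface-list=NATTED out-interface-list=WAN action=masquerade

/ip firewall filter
# 1. Stateful rules first: replies to connections that were already allowed.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# 2. NTP: UDP/123 to the time server from the permitted networks only.
#    PUBLIC, RED and the Internet never match this and fall to the drop.
add chain=forward in-interface-list=NTPOK dst-address=10.10.0.5 protocol=udp dst-port=123 action=accept
# 3. INSTRUCTOR may initiate connections to any network and the Internet;
#    return traffic is covered by rule 1, nothing else may initiate inward.
add chain=forward in-interface=vlan10-instructor action=accept
# 4. PUBLIC: inbound from the Internet only to listed services (default deny),
#    outbound only to the Internet, never to the other lab networks.
add chain=forward in-interface-list=WAN out-interface=vlan20-public dst-address=203.0.113.2 protocol=tcp dst-port=80,443 action=accept comment="cyberlab web server"
add chain=forward in-interface-list=WAN out-interface=vlan20-public dst-address=203.0.113.3 protocol=udp dst-port=500,4500 action=accept comment="IKEv2 VPN endpoint"
add chain=forward in-interface=vlan20-public out-interface-list=WAN action=accept
# 5. STUDENT and WIRELESS: Internet only.
add chain=forward in-interface=vlan30-student  out-interface-list=WAN action=accept
add chain=forward in-interface=vlan50-wireless out-interface-list=WAN action=accept
# 6. RED: no accept rule at all. If Internet for RED is ever wanted for a
#    lab, enable this rule (and add vlan40-red to NATTED) only for its duration.
add chain=forward in-interface=vlan40-red out-interface-list=WAN action=accept disabled=yes
# 7. Default deny, logged so the test plan can confirm each blocked path.
add chain=forward action=drop log=yes log-prefix="FWD-DROP"

# Traffic to the router itself (input chain) gets the same treatment.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=vlan10-instructor action=accept comment="router management from INSTRUCTOR only"
add chain=input in-interface-list=!WAN protocol=udp dst-port=67 action=accept comment="DHCP requests from the lab networks"
add chain=input action=drop log=yes log-prefix="IN-DROP"
```

Rule order is the security-relevant part: the established/related accept must sit above everything else so that replies to instructor-initiated connections return, while the absence of any rule for RED (and for anything initiating toward INSTRUCTOR) is what makes the final drop enforce the "deny unless justified" posture. While testing, /ip firewall filter print stats shows which rule each probe hit, and /log print where message~"FWD-DROP" lists the blocked attempts. The forwarding needed for VPN clients to land in INSTRUCTOR or STUDENT is a separate design decision and is not shown.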

Requirements - Documentation and Testing

Documentation

The following documentation is required for this project. Remember, this is intended to be a permanent network configuration for the lifetime of the lab, and not a temporary student project. Complete documentation will ensure that the network can be updated and maintained as needed.

  1. Public design document: Prepare a document, suitable for public display on this website, that communicates your overall network design to future students that will use the lab. This document should include an overall narrative description of the design, plus network diagram(s), table(s) of network subnet information, and other important details. (Design question: Would it be helpful for future students to have separate figures that show what the network looks like from the perspective of the RED network versus the STUDENT network or INSTRUCTOR network?)

  2. Private Configuration files: Provide configuration files for the router(s) and switch(es) such that the entire network could be re-created on a moment's notice by doing a factory reset and then pasting in this file at the CLI. Note: The Mikrotik and Cisco devices can provide this configuration file for you, but I don't particularly want it! (The machine dumps can be overly complex, lack any human-readable comments regarding the intent of a particular set of commands, and are ordered via some secret logic rather than the steps a human would take in implementing a design from scratch). Thus, I want you to maintain a "lab notebook" style document that you update with every CLI command during configuration, including block comments and per-instruction comments (your discretion, for particularly complex commands). When you're satisfied that the network is complete, your config file should be complete as well. (Note: If we were really serious, we'd track these config files in version control, or use something like Puppet to automate device configuration and ensure that the running configuration always matches the desired configuration...)

This documentation should be submitted in Markdown format, suitable for direct posting on this website. There are a number of Markdown editors available, either to install on your computer (MacDown or MarkdownPad), or use online.

There are some nice PowerPoint icons for network and computing devices available that could be used to improve the quality of your design document. See: VMWare and Cisco

Testing

As part of this project, you should develop a testing plan to ensure that all design requirements are satisfied.

Grading

This is a group project. The grading breakdown is:

  • Functioning lab network - 50%
  • Public document - 20%
  • Private configuration files - 20%
  • Wireless environment test results - 10%

Schedule

Your goal should be to have the basic subnets, DHCP, NAT, and firewalls working by the end of week 1. Spend the second week working with the VPN, wireless, IPv6 network, and other features.

Submission

Submit all files to the Canvas CMS site. Only one submission is needed for the group.

Make sure that your submission includes all of the following project deliverables:

  1. The functioning lab network in CTC 214
  2. The public design document in Markdown format plus original editable source files for any images so that I can keep the diagrams updated
  3. The private router and switch configuration files in Markdown format (OK if they are just a giant code block)
  4. Diagrams of the physical and virtual topology
  5. Documentation of the current wireless environment in Chambers Technology Center both before and after the addition of the WIRELESS network. (What access points are available? What channels are used on the 2.4GHz and 5GHz bands? How busy is the network?)

Resources

  • Information on the laboratory networking hardware
  • Additional networking gear can be purchased if justified, but the preference is to run as much on the two Mikrotik devices as possible. (They are quite flexible)