The New and Improved Lab
It's been some time since I last updated this, and my home lab has now grown to include an ASA 5505, a total of 15 routers, a few layer 3 switches, and 5 2950's. I also purchased an off-lease server: a poweredge C1100 with dual quad core Xenon cpus and 72GB of ram. I've also decided that I wish to pursue my VCP so I have begun increasing the equipment in my lab to support an ESXi environment. Needless to say, the available hardware for creating complex labs is finally available to me (along with the ability to exponentially increase my power bill). And with that, I bring the latest lab that I am currently working with and will be posting about. I am using this topology for prep for my CCNA Sec (yes I know its likely overkill) but also to experiment with various technologies such as Snort, open source SIEMs, centralized logging across an enterprise, backtrack fun, and experimenting with ESXi as I haphazardly learn about its operation in my little sandbox. I'm going to overview its configuration throughout the next series of posts, and touch on CCNA Security concepts along the way.
Lab Details
- OSPF will be used as the routing protocol between the ISP_Core and Corp operated border routers
- EIGRP will be used for any internal routing (those clouds will expand as I put more of my equipment to use)
- Switches will be locked down utilizing switch security outlined in the CCNA Security syllabus
- Zone Based Firewalls will be configured (both via CLI and CCP) on all corp operated edge routers
- ISP routers will utilize packet filters to filter out common undesirable protocols
- Site to site VPNs as described in topology
- ESXi server will host a VM of an opensource firewall/IPS snort based system
- Vswitches will be used to then route traffic to corp operated assets-RADIUS, TACACS, logging, fileserver to use as examples, and shared with the rest of the enterprise via VPN tunnels
- Corp ASA will be configured to utilize anyconnect client w/ IPSec and SSL for remote workers (later placed down off the public IP cloud)
- A web server will be statically natted off the corp ASA for following NAT configuration within ASDM, utilizing one of the public IPs between the corp ASA and corp border router
- A linux based IDS will use a port mirror off corp_sw1's interface leading to the ASA for watching all traffic entering/leaving the corp network
- All ASA and ZBF logs will be sent to the datacenter, utilizing site-site VPN for central aggregation within a log analyzer (not necessarily ccna sec related, but I want to test some of the different open source SIEMs out there)
- Backtrack will be employed around the mock enterprise to try and break things, both before and after placing security configurations, and to test the effectiveness of the different SIEMs
So obviously this is a rather complex lab, and at this point in time I have everything cabled, and will be configuring it in small chunks and posting about it along the way. Some of this is CCNA sec, some of this is different scenarios I've wanted to try in a lab, but ultimately I wish to tie it all in together into one nice lab so I don't have to continue re-cabling every time I want to try something new.