seclab/MOD1_Secure_Infrastructure.md
2026-05-28 18:27:41 -06:00
# FILE: MOD1_Secure_Infrastructure.md
# MODULE 1: SECURE INFRASTRUCTURE PROVISIONING
## Learning Objectives
By completing this module, you will:
- Configure VLAN-aware networking in Proxmox
- Deploy and configure pfSense as a virtual firewall/router
- Create isolated network segments using 802.1Q VLAN tagging
- Implement firewall rules to prevent malicious traffic from escaping the lab
- Validate network segmentation through connectivity testing
---
## Key Concepts
### Hypervisor Networking
**Proxmox uses Linux Bridges** (`vmbr0`, `vmbr1`, etc.) to connect virtual network interface cards (vNICs) to physical hardware. Think of a bridge as a virtual switch inside your hypervisor.
### VLAN Tagging (802.1Q)
**What is a VLAN?** A Virtual Local Area Network allows multiple isolated networks to coexist on the same physical infrastructure. Each VLAN has a unique ID (1-4094).
**Tagged vs Untagged Traffic:**
- **Untagged:** Normal traffic (like your home Wi-Fi) - no VLAN ID
- **Tagged:** Traffic with an 802.1Q header containing VLAN ID
- **Trunk Port:** Network port that carries multiple VLANs (tagged)
- **Access Port:** Network port for a single VLAN (untagged)
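The tagged/untagged distinction above is easiest to see on the wire. The following is an added example for this module (not course material, and not code from Proxmox or pfSense): it builds constructed Ethernet frames with and without the 4-byte 802.1Q tag, decodes the tag fields, and models how a parent interface with VLAN subinterfaces (the `vtnet1.200` style names pfSense creates later in Lab 1.4) decides which interface a frame belongs to. The function names `build_frame`, `parse_frame` and `deliver` and the sample MAC addresses are chosen here.

```python
"""802.1Q tagging demonstrated on constructed Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame. With vlan_id set, the 4-byte 802.1Q tag is
    inserted between the source MAC and the EtherType (a tagged frame);
    without it the frame is untagged, i.e. ordinary LAN traffic."""
    header = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:        # 0 = priority-only tag, 4095 reserved
            raise ValueError("VLAN ID must be 1-4094")
        tci = ((priority & 0x7) << 13) | vlan_id   # PCP(3 bits) | DEI(1)=0 | VID(12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "vlan_id": None, "priority": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])  # real EtherType follows the tag
        info.update(tagged=True, priority=tci >> 13, vlan_id=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


# The subinterfaces this module creates on the pfSense LAN parent interface.
LAB_VLANS = {200: "vtnet1.200", 300: "vtnet1.300", 400: "vtnet1.400"}


def deliver(info: dict, parent: str = "vtnet1", subinterfaces: dict = LAB_VLANS):
    """Untagged frames belong to the parent (access) interface; tagged frames go
    to the subinterface for their VLAN ID; a tag nobody listens for is dropped."""
    if not info["tagged"]:
        return parent
    return subinterfaces.get(info["vlan_id"])   # None = dropped


if __name__ == "__main__":
    # Constructed sample: a broadcast IPv4 frame from a Red Team VM, tagged VLAN 200.
    f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:02:01", ETHERTYPE_IPV4,
                    b"\x45" * 20, vlan_id=200, priority=3)
    parsed = parse_frame(f)
    print(parsed["tagged"], parsed["vlan_id"], parsed["priority"], deliver(parsed))
```

This is also why a VM whose Proxmox vNIC has no VLAN tag ends up on the untagged parent interface rather than on one of the lab VLANs, and why a stray tag (say 999) silently goes nowhere.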
### The Virtual Firewall
**pfSense** will act as the default gateway for all lab VLANs, strictly controlling traffic flow between them. Without proper firewall rules, your attack traffic could leak into your home network!
---
## LAB 1.1: PROXMOX NETWORK CONFIGURATION
### Prerequisites
- Proxmox VE installed and accessible via web interface (https://<PROXMOX-IP>:8006)
- Physical network port connected to your home network
### Step-by-Step: Enable VLAN Awareness
```
1. Access Proxmox Web Interface:
- Open browser: https://<PROXMOX-IP>:8006
- Login with root credentials
2. Navigate to Network Configuration:
- Click on your Proxmox node (e.g., "pve")
- Click "System" > "Network"
3. Identify Your Bridge:
- You should see "vmbr0" (default bridge)
- Note which physical interface it's connected to (e.g., eno1, eth0)
4. Enable VLAN Awareness:
- Select "vmbr0"
- Click "Edit"
- Check the box: "VLAN aware"
- Comment: "VLAN-aware bridge for security lab"
- Click "OK"
5. Apply Configuration:
- Click "Apply Configuration" at the top
- WARNING: This may briefly disconnect your Proxmox web interface
- Wait 10 seconds, then refresh browser
6. Verify Configuration:
- SSH into Proxmox host (or use Shell button in web GUI)
- Run: cat /etc/network/interfaces
- Verify "bridge-vlan-aware yes" appears under vmbr0
```
**Expected Output (Proxmox Bridge Config):**
```
auto vmbr0
iface vmbr0 inet static
address 192.168.2.100/24
gateway 192.168.2.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
# Note: Your Proxmox hypervisor management remains on 192.168.2.0/24 (VLAN 2)
# Lab VMs will use VLAN tags 100-400 for the 10.10.x.0/24 networks
# pfSense will route between the lab VLANs and provide internet via WAN
```
---
## LAB 1.2: PFSENSE VM DEPLOYMENT
### pfSense VM Specifications
- **CPU:** 2 cores
- **RAM:** 2048 MB (2 GB)
- **Disk:** 16 GB (thin provision)
- **Network Adapters:** 2
- vNIC 0 (WAN): Bridged to vmbr0, VLAN Tag: 2 (connects to 192.168.2.0/24)
- vNIC 1 (LAN): Bridged to vmbr0, no VLAN tag (will create subinterfaces for VLANs 100-400)
### Step-by-Step: Create pfSense VM
```
1. Download pfSense ISO:
- Visit: https://www.pfsense.org/download/
- Select: AMD64 (64-bit), DVD Image (ISO Installer)
- Upload to Proxmox: Storage > ISO Images > Upload
2. Create Virtual Machine:
- Click "Create VM" (top right)
GENERAL TAB:
- Node: (your Proxmox node)
- VM ID: 100
- Name: pfSense-Firewall
- Click "Next"
OS TAB:
- ISO image: pfsense-CE-X.X.X-amd64.iso
- Guest OS Type: Linux
- Kernel: 6.x - 2.6 Kernel
- Click "Next"
SYSTEM TAB:
- Graphic card: Default
- Machine: Default (i440fx)
- BIOS: Default (SeaBIOS)
- Qemu Agent: Unchecked (for now)
- Click "Next"
DISKS TAB:
- Bus/Device: SCSI / 0
- Storage: local-lvm (or your storage)
- Disk size: 16 GB
- Click "Next"
CPU TAB:
- Sockets: 1
- Cores: 2
- Type: host (or kvm64)
- Click "Next"
MEMORY TAB:
- Memory (MiB): 2048
- Click "Next"
NETWORK TAB (WAN Interface):
- Bridge: vmbr0
- VLAN Tag: 2 (connects to 192.168.2.0/24 management network)
- Model: VirtIO (paravirtualized)
- Click "Next"
CONFIRM:
- Start after created: Unchecked
- Click "Finish"
3. Add Second Network Interface (LAN):
- Select pfSense VM > Hardware
- Click "Add" > "Network Device"
- Bridge: vmbr0
- VLAN Tag: <leave blank> (we'll tag inside pfSense)
- Model: VirtIO
- Click "Add"
4. Start pfSense Installation:
- Select pfSense VM > Console
- Click "Start"
- Wait for boot menu
```
### pfSense Installation Process
```
1. Boot Menu:
- Select: "1) Boot Multi User [Enter]"
- Wait for FreeBSD kernel to load
2. Welcome Screen:
- Accept: Press Enter
3. Install pfSense:
- Select: "Install" > "OK"
4. Partitioning:
- Select: "Auto (ZFS)" > "OK"
- Select: "Stripe" > "OK"
- Select: vtbd0 (your virtual disk) > Spacebar to select > "OK"
- Confirm: "YES" (will erase disk)
- Wait for installation (2-3 minutes)
5. Reboot:
- Select: "No" (skip manual configuration)
- Select: "Reboot"
- When rebooting starts: VM > Hardware > CD/DVD > "Do not use any media"
- Wait for pfSense to boot
6. Interface Assignment:
- Should VLANs be set up now? n (No - we'll do this via web GUI)
- Enter WAN interface name: vtnet0
- Enter LAN interface name: vtnet1
- Do you want to proceed? y (Yes)
7. pfSense Menu:
- You should now see the pfSense menu
- Note the LAN IP address (default: 192.168.1.1)
```
---
## LAB 1.3: PFSENSE WEB INTERFACE SETUP
### Temporary Access to pfSense WebGUI
Since pfSense LAN is 192.168.1.1 but we want our management network on VLAN 100, we need temporary access:
```
OPTION A: Create Temporary VM in Proxmox
1. Create small Linux VM (Alpine or Ubuntu)
2. Set its vNIC to vmbr0, no VLAN tag
3. Configure static IP: 192.168.1.50/24
4. Open browser to: https://192.168.1.1
5. Default credentials: admin / pfsense
OPTION B: Configure via Console (Recommended)
1. In pfSense console menu, select: 2) Set interface(s) IP address
2. Select: 1 - WAN
3. Configure IPv4 address WAN interface via DHCP? n (No, static)
4. Enter new IPv4 address: 192.168.2.2
5. Enter subnet bit count: 24
6. Enter upstream gateway: 192.168.2.1
7. Configure IPv6? n (No)
8. Do you want to revert to HTTP? n (No, keep HTTPS)
9. Press Enter to complete
10. Return to menu, select: 2) Set interface(s) IP address
11. Select: 2 - LAN
12. Enter new IP: 10.10.1.1
13. Enter subnet: 24
14. No upstream gateway: <leave blank>
15. No DHCP server for now: <leave blank>
16. Do NOT configure IPv6: <leave blank>
17. Do you want to revert to HTTP? n (No, keep HTTPS)
Now access pfSense from Proxmox host (both on 192.168.2.0/24):
https://192.168.2.2 (via WAN interface)
Note: pfSense ships with no pass rules on WAN and blocks private source
networks there, so this path only answers after you add a WAN rule
permitting HTTPS from the 192.168.2.0/24 management subnet.
or configure a temporary VM on VLAN 100 to access https://10.10.1.1
```
### pfSense Initial Wizard
```
1. Access WebGUI:
- Browser: https://10.10.1.1
- Accept self-signed certificate warning
- Username: admin
- Password: pfsense
2. Setup Wizard:
- Click "Next"
GENERAL INFORMATION:
- Hostname: pfsense
- Domain: apophis.local
- Primary DNS: 8.8.8.8 (Google DNS)
- Secondary DNS: 1.1.1.1 (Cloudflare DNS)
- Uncheck "Override DNS"
- Click "Next"
TIME SERVER:
- Time server hostname: pool.ntp.org
- Timezone: (Select your timezone)
- Click "Next"
WAN CONFIGURATION:
- Type: Static IP
- IP Address: 192.168.2.2
- Subnet Mask: 24 (/24)
- Upstream Gateway: 192.168.2.1
- Click "Next"
LAN CONFIGURATION:
- IP Address: 10.10.1.1
- Subnet Mask: 24 (/24)
- Click "Next"
ADMIN PASSWORD:
- Change default password from "pfsense" to strong password
- Confirm password
- Click "Next"
RELOAD:
- Click "Reload"
- Wait for pfSense to apply configuration
3. Login with New Password:
- Username: admin
- Password: (your new password)
```
---
## LAB 1.4: VLAN INTERFACE CREATION
Now we create VLANs 200, 300, 400 for Red/Blue/Victim networks.
### Step-by-Step: Create VLANs
```
1. Navigate to VLAN Configuration:
- Interfaces > Assignments > VLANs
2. Create VLAN 200 (Red Team):
- Click "+ Add"
- Parent Interface: vtnet1 (LAN interface)
- VLAN Tag: 200
- VLAN Priority: 0
- Description: RED_TEAM
- Click "Save"
3. Create VLAN 300 (Blue Team):
- Click "+ Add"
- Parent Interface: vtnet1
- VLAN Tag: 300
- Description: BLUE_TEAM
- Click "Save"
4. Create VLAN 400 (Victim Network):
- Click "+ Add"
- Parent Interface: vtnet1
- VLAN Tag: 400
- Description: VICTIM_NET
- Click "Save"
5. Verify VLANs:
- You should see: vtnet1.200, vtnet1.300, vtnet1.400
```
### Assign VLANs to Interfaces
```
1. Navigate to Interface Assignments:
- Interfaces > Assignments
2. Assign VLAN 200:
- Available network ports: Select "vtnet1.200 (RED_TEAM)"
- Click "+ Add"
- New interface appears as "OPT1"
3. Assign VLAN 300:
- Select "vtnet1.300 (BLUE_TEAM)"
- Click "+ Add" (becomes OPT2)
4. Assign VLAN 400:
- Select "vtnet1.400 (VICTIM_NET)"
- Click "+ Add" (becomes OPT3)
5. Configure OPT1 (Red Team):
- Click "OPT1"
- Check "Enable interface"
- Description: RED_TEAM
- IPv4 Configuration Type: Static IPv4
- IPv4 Address: 10.10.2.1 / 24
- Click "Save"
- Click "Apply Changes"
6. Configure OPT2 (Blue Team):
- Click "OPT2"
- Enable interface
- Description: BLUE_TEAM
- IPv4 Address: 10.10.3.1 / 24
- Click "Save" > "Apply Changes"
7. Configure OPT3 (Victim Network):
- Click "OPT3"
- Enable interface
- Description: VICTIM_NET
- IPv4 Address: 10.10.4.1 / 24
- Click "Save" > "Apply Changes"
```
---
## LAB 1.5: FIREWALL RULE CONFIGURATION
**Critical Security Principle:** Default Deny Everything, Explicitly Allow Only What's Needed
### Understanding pfSense Firewall Logic
- Rules are processed **top to bottom**
- **First match wins** (stops processing)
- Each interface has its own rule set
- Traffic is filtered on the **incoming interface**
### Step-by-Step: Configure Security Rules
```
1. Enable DHCP for Each VLAN:
- Services > DHCP Server > RED_TEAM
- Check "Enable DHCP server on RED_TEAM"
- Range: 10.10.2.100 to 10.10.2.200
- Click "Save"
- Repeat for BLUE_TEAM (10.10.3.100 - .200)
- Repeat for VICTIM_NET (10.10.4.100 - .200)
2. Configure RED_TEAM Firewall Rules:
- Firewall > Rules > RED_TEAM
DELETE DEFAULT "Allow All" RULE:
- Click trash icon on default allow rule
- Confirm deletion
ADD RULE 1: Allow Red to Victim Network
- Click "Add" (up arrow to add to top)
- Action: Pass
- Interface: RED_TEAM
- Address Family: IPv4
- Protocol: Any
- Source: RED_TEAM net
- Destination: VICTIM_NET net
- Description: Allow Red Team to attack Victim Network
- Click "Save"
ADD RULE 2: Allow Red to Internet (for tool updates)
- Click "Add"
- Action: Pass
- Interface: RED_TEAM
- Protocol: Any
- Source: RED_TEAM net
- Destination: Any
- Description: Allow Red Team internet access for tools
- Click "Save"
ADD RULE 3: Block Red to Everything Else (implicit, but good practice)
- Click "Add" (add to bottom)
- Action: Block
- Interface: RED_TEAM
- Protocol: Any
- Source: Any
- Destination: Any
- Description: Block all other Red Team traffic
- Click "Save"
- Click "Apply Changes"
3. Configure BLUE_TEAM Firewall Rules:
- Firewall > Rules > BLUE_TEAM
- Delete default allow rule
ADD RULE: Allow Blue to Monitor All Networks
- Action: Pass
- Interface: BLUE_TEAM
- Protocol: Any
- Source: BLUE_TEAM net
- Destination: Any
- Description: Allow Blue Team full network access
- Click "Save" > "Apply Changes"
4. Configure VICTIM_NET Firewall Rules:
- Firewall > Rules > VICTIM_NET
- Delete default allow rule
ADD RULE 1: Block Victim to Red Team
- Action: Block
- Interface: VICTIM_NET
- Protocol: Any
- Source: VICTIM_NET net
- Destination: RED_TEAM net
- Description: CRITICAL - Prevent victim from reaching attacker
- Log: Check "Log packets matched by this rule"
- Click "Save"
ADD RULE 2: Block Victim to Blue Team
- Action: Block
- Source: VICTIM_NET net
- Destination: BLUE_TEAM net
- Description: Isolate victims from SOC network
- Click "Save"
ADD RULE 3: Block Victim to WAN (Internet)
- Action: Block
- Source: VICTIM_NET net
- Destination: WAN net
- Description: Prevent compromised systems from calling home
- Log: Check
- Click "Save"
ADD RULE 4: Allow Victim to pfSense (for DNS, DHCP)
- Action: Pass
- Source: VICTIM_NET net
- Destination: This Firewall (self)
- Description: Allow access to pfSense services
- Click "Save"
ADD RULE 5: Block Victim Everything Else
- Action: Block
- Source: VICTIM_NET net
- Destination: Any
- Description: Default deny all victim traffic
- Log: Check
- Click "Save" > "Apply Changes"
```
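Before clicking through the Lab 1.6 tests, it helps to reason about the rule sets above with the three properties from "Understanding pfSense Firewall Logic" in mind. The following is an added example, not pfSense code and not part of the course: it transcribes the RED_TEAM, BLUE_TEAM and VICTIM_NET rules as ordered tuples, evaluates a packet on its incoming interface top to bottom, stops at the first match, and falls through to the implicit default deny. The subnets are the ones assigned in Lab 1.4; the firewall's own addresses, the `RFC1918` alias and the extra rule in `hardened_red_rules()` are assumptions added here. Two things the model makes visible: `WAN net` means only the 192.168.2.0/24 subnet (the victim's "block to internet" rule does not match 8.8.8.8; rule 5's default deny does), and the Red Team "Destination: Any" pass rule also matches hosts on the WAN subnet, so Test 5 for the Red Team VM only holds once a block for private ranges sits above it.

```python
"""First-match evaluation of the Lab 1.5 rule sets (added example, not pfSense code)."""
from ipaddress import ip_address, ip_network

# Lab subnets (Lab 1.4). "WAN net" is only the WAN subnet, never "the internet".
NETS = {
    "RED_TEAM net": ip_network("10.10.2.0/24"),
    "BLUE_TEAM net": ip_network("10.10.3.0/24"),
    "VICTIM_NET net": ip_network("10.10.4.0/24"),
    "WAN net": ip_network("192.168.2.0/24"),
}
# pfSense's own addresses on every interface (what "This Firewall (self)" means).
FIREWALL_SELF = {ip_address(a) for a in
                 ("10.10.1.1", "10.10.2.1", "10.10.3.1", "10.10.4.1", "192.168.2.2")}
# Assumption: an alias of all private ranges, used only by hardened_red_rules().
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(selector: str, addr) -> bool:
    """Does a rule's source/destination selector cover this address?"""
    if selector == "any":
        return True
    if selector == "This Firewall (self)":
        return addr in FIREWALL_SELF
    if selector == "RFC1918":
        return any(addr in n for n in RFC1918)
    return addr in NETS[selector]


# Rule = (action, source, destination, log, description); list order is rule order.
LAB_RULES = {
    "RED_TEAM": [
        ("pass", "RED_TEAM net", "VICTIM_NET net", False, "Allow Red Team to attack Victim Network"),
        ("pass", "RED_TEAM net", "any", False, "Allow Red Team internet access for tools"),
        ("block", "any", "any", False, "Block all other Red Team traffic"),
    ],
    "BLUE_TEAM": [
        ("pass", "BLUE_TEAM net", "any", False, "Allow Blue Team full network access"),
    ],
    "VICTIM_NET": [
        ("block", "VICTIM_NET net", "RED_TEAM net", True, "CRITICAL - Prevent victim from reaching attacker"),
        ("block", "VICTIM_NET net", "BLUE_TEAM net", False, "Isolate victims from SOC network"),
        ("block", "VICTIM_NET net", "WAN net", True, "Prevent compromised systems from calling home"),
        ("pass", "VICTIM_NET net", "This Firewall (self)", False, "Allow access to pfSense services"),
        ("block", "VICTIM_NET net", "any", True, "Default deny all victim traffic"),
    ],
}


def evaluate(rules: dict, interface: str, src: str, dst: str):
    """Return (action, description, logged) for a packet entering `interface`.
    Rules are checked top to bottom; the first match decides; no match = block."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d, log, desc in rules.get(interface, []):
        if matches(s, src) and matches(d, dst):
            return action, desc, log
    return "block", "implicit default deny", False


def hardened_red_rules() -> dict:
    """Assumed fix: block private destinations *above* the pass-to-any rule, so
    "internet access" no longer includes the home/WAN subnet or other lab VLANs."""
    red = list(LAB_RULES["RED_TEAM"])
    red.insert(1, ("block", "RED_TEAM net", "RFC1918", True, "Keep Red Team off private networks"))
    return {**LAB_RULES, "RED_TEAM": red}


if __name__ == "__main__":
    # Constructed flows mirroring Tests 1-5 (10.10.2.150 = Red VM, 10.10.4.120 = Victim VM).
    flows = [("RED_TEAM", "10.10.2.150", "10.10.4.120"), ("RED_TEAM", "10.10.2.150", "8.8.8.8"),
             ("RED_TEAM", "10.10.2.150", "192.168.2.50"), ("VICTIM_NET", "10.10.4.120", "10.10.2.1"),
             ("VICTIM_NET", "10.10.4.120", "8.8.8.8"), ("VICTIM_NET", "10.10.4.120", "10.10.4.1")]
    for ruleset, label in ((LAB_RULES, "lab"), (hardened_red_rules(), "hardened")):
        for flow in flows:
            print(label, flow, evaluate(ruleset, *flow))
```

Running it prints, for each flow, which rule decided the packet's fate and whether it would appear in Status > System Logs > Firewall; that is exactly the evidence Test 2 asks you to look for.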
---
## LAB 1.6: VALIDATION & TESTING
**CRITICAL: Do not proceed to Module 2 until all tests pass!**
### Test 1: Red Team to Victim Connectivity
```
1. Create Test VM in Proxmox:
- Create Ubuntu Server VM
- VM ID: 201
- Name: Kali-Test
- Hardware > Network > Edit: Bridge vmbr0, VLAN Tag: 200
2. Boot VM and verify network:
- Login to VM console
- Check IP: ip addr show
- Should have: 10.10.2.x (from DHCP)
3. Test gateway reachability:
- ping 10.10.2.1
- Should succeed (pfSense RED_TEAM gateway)
4. Test Victim network reachability:
- Create second VM with VLAN Tag: 400
- Note its IP (10.10.4.x)
- From Red Team VM: ping 10.10.4.x
- Should succeed (Rule allows Red → Victim)
```
### Test 2: Victim to Red Team Blocked
```
1. From Victim VM (VLAN 400):
- ping 10.10.2.1 (Red Team gateway)
- Should FAIL (timeout)
2. Verify in pfSense logs:
- Status > System Logs > Firewall
- Should see: "Block" entries from 10.10.4.x to 10.10.2.x
```
### Test 3: Victim to Internet Blocked
```
1. From Victim VM:
- ping 8.8.8.8
- Should FAIL
2. Try DNS lookup:
- nslookup google.com
- Should timeout (no WAN access)
```
### Test 4: Red Team Internet Access
```
1. From Red Team VM:
- ping 8.8.8.8
- Should succeed
2. Update package lists:
- sudo apt update
- Should work (confirms internet access)
```
### Test 5: Isolation from Home Network
```
1. Find your home network device IP (e.g., your desktop):
- Example: 192.168.1.50
2. From Red Team VM:
- ping 192.168.1.50
- Should FAIL (Red Team cannot reach home network)
3. From Victim VM:
- ping 192.168.1.50
- Should FAIL (critical security validation!)
```
---
## TROUBLESHOOTING GUIDE
### Issue: VM not getting DHCP address
```
Proxmox side:
- VM > Hardware > Network Device > Edit
- Verify: Bridge = vmbr0, VLAN Tag correct, "Connected" checked
pfSense side:
- Status > Services
- Verify DHCP service is running for that interface
- Services > DHCP Server > [Interface]
- Verify range is configured and enabled
Inside VM:
# Linux
sudo dhclient -r # Release
sudo dhclient # Renew
# Windows
ipconfig /release
ipconfig /renew
```
### Issue: Can't access pfSense WebGUI
```
1. Verify pfSense is running:
- Proxmox > VM 100 > Console
- Should see pfSense menu
2. Check which VM you're accessing from:
- Must be on same VLAN or management network
- If on VLAN 200: access https://10.10.2.1
- If on management: access https://10.10.1.1
3. Disable HTTPS redirect temporarily:
- pfSense console: Option 8 (Shell)
- pfSsh.php playback disablehttpredirect
- Try http://10.10.1.1
```
### Issue: VLAN tags not working
```
1. Verify Proxmox bridge is VLAN-aware:
- SSH to Proxmox
- grep -A5 "vmbr0" /etc/network/interfaces
- Must show: bridge-vlan-aware yes
2. Verify VM has VLAN tag set:
- Proxmox > VM > Hardware > Network Device
- VLAN Tag field must have number (200, 300, 400)
- NOT blank for tagged traffic
3. Restart networking:
- Proxmox: systemctl restart networking (CAREFUL - may lose connection)
- Or reboot VM
```
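Step 1 of this troubleshooting item and step 6 of Lab 1.1 both come down to reading the bridge stanza in `/etc/network/interfaces`. The following is an added example, not Proxmox code or part of the course: it parses the ifupdown2-style stanza format into a dictionary and checks that the bridge is VLAN-aware, has a physical port, and (when a `bridge-vids` line is present) actually permits the lab's tags. The sample configuration text is constructed to match the Lab 1.1 expected output; `check_bridge` and `vids_cover` are names chosen here, and treating an absent `bridge-vids` line as "not checked" is an assumption.

```python
"""Sanity-check a Proxmox VLAN-aware bridge stanza (added example, not Proxmox code)."""

# Constructed sample matching the Lab 1.1 expected output; on a real host read
# /etc/network/interfaces instead (e.g. open(path).read()).
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.2.100/24
        gateway 192.168.2.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
"""


def parse_interfaces(text: str) -> dict:
    """Return {iface_name: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = words[1]
            stanzas[current] = {"_family": " ".join(words[2:])}   # e.g. "inet static"
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            continue                               # top-level keywords, not stanza options
        elif current is not None:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def vids_cover(vids_spec: str, tag: int) -> bool:
    """Does a bridge-vids value such as '2-4094' or '2 100 200-400' include tag?"""
    for part in vids_spec.split():
        lo, _, hi = part.partition("-")
        if int(lo) <= tag <= int(hi or lo):
            return True
    return False


def check_bridge(text: str, bridge: str = "vmbr0", tags=(200, 300, 400)) -> list:
    """Return a list of problems; an empty list means the bridge can carry the lab VLANs."""
    problems = []
    opts = parse_interfaces(text).get(bridge)
    if opts is None:
        return [f"{bridge}: no iface stanza found"]
    if opts.get("bridge-vlan-aware", "no").lower() != "yes":
        problems.append(f"{bridge}: bridge-vlan-aware is not 'yes' (tagged VM traffic is dropped)")
    ports = opts.get("bridge-ports", "")
    if not ports or ports == "none":
        problems.append(f"{bridge}: no physical port in bridge-ports")
    vids = opts.get("bridge-vids")   # assumption: absent line = not checked here
    if vids:
        for t in tags:
            if not vids_cover(vids, t):
                problems.append(f"{bridge}: bridge-vids '{vids}' does not include VLAN {t}")
    return problems


if __name__ == "__main__":
    for problem in check_bridge(SAMPLE_INTERFACES) or ["vmbr0 looks ready for VLANs 200/300/400"]:
        print(problem)
```

Run it on the real file with `check_bridge(open("/etc/network/interfaces").read())` from the Proxmox shell; the first reported problem is the one to fix before chasing DHCP or firewall symptoms.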
### Issue: Firewall rules not working
```
1. Check rule order:
- Firewall > Rules > [Interface]
- Remember: First match wins
- Block rules should be BEFORE allow rules for specificity
2. Verify interface is correct:
- Rule must be on the INCOMING interface
- To block Red→Victim: Rule goes on RED_TEAM interface
3. Clear states:
- Diagnostics > States > Reset States
- Click "Reset" (clears connection state table)
- Re-test
4. Enable logging:
- Edit rule > Check "Log packets matched by this rule"
- Save > Apply
- Test traffic
- Status > System Logs > Firewall (see if rule matched)
```
---
## PROFESSOR'S GUIDANCE
### Common Mistakes to Avoid
**1. Asymmetric Routing:**
- Ensure all VMs use pfSense as their gateway (10.10.X.1)
- Do NOT configure VMs with your home router as gateway
**2. Forgetting to Apply Changes:**
- pfSense requires clicking "Apply Changes" after rule modifications
- Red banner at top indicates unapplied changes
**3. Wrong VLAN Tag Placement:**
- Tags go on VM's network interface in Proxmox
- NOT on pfSense WAN interface
- pfSense LAN interface (vtnet1) should be untagged, then create VLAN subinterfaces
**4. Testing from Wrong VM:**
- If testing VLAN 200 rules, you must be in a VM with VLAN Tag 200
- Can't test from Proxmox host shell
### Why This Module is Critical
Every penetration test begins with a safe, isolated environment. If you skip proper network segmentation, you risk:
- Malware escaping to your home network
- Accidentally scanning your ISP's infrastructure (illegal)
- Bricking your personal devices with exploit tools
**Real-world parallel:** Enterprise networks use VLANs to separate:
- Guest Wi-Fi (untrusted)
- Employee workstations (medium trust)
- Server VLAN (high trust)
- Management VLAN (admin only)
Your lab mirrors this architecture. Master it here, understand it everywhere.
### Time Investment
- Initial setup: 2-4 hours
- Troubleshooting (first time): 1-3 hours
- Validation testing: 30 minutes
**Total: 4-8 hours**
### Next Steps
Once all validation tests pass:
1. Take Proxmox backup of pfSense VM: Backup > Backup Now
2. **Snapshot pfSense VM** (revert point if you misconfigure later)
3. Document your network diagram (draw VLANs, IP ranges, firewall rules)
4. Proceed to **MOD2: Reconnaissance & Network Traffic Analysis**
---
## KNOWLEDGE CHECK
Before proceeding, you should confidently answer:
1. **What is the purpose of VLAN tagging?**
- Answer: Allows multiple isolated networks to share physical infrastructure
2. **Which pfSense interface do firewall rules apply to?**
- Answer: The incoming interface (where traffic enters)
3. **Why must VICTIM_NET be blocked from reaching WAN?**
- Answer: Prevents compromised systems from communicating with attacker C2 servers
4. **If a VM in VLAN 200 can't get DHCP, what are 3 things to check?**
- Answer: (1) VLAN tag set in Proxmox, (2) DHCP enabled in pfSense, (3) VM cable "connected"
5. **What does "First match wins" mean in firewall rules?**
- Answer: Rules are processed top-to-bottom; once a rule matches, processing stops
---
**END OF MODULE 1**
**Checklist before MOD2:**
- [ ] pfSense firewall is configured and accessible
- [ ] VLANs 200, 300, 400 are created and assigned
- [ ] Red Team VM can ping Victim network
- [ ] Victim VM cannot ping Red Team network
- [ ] Victim VM cannot ping internet
- [ ] Red Team VM can access internet
- [ ] pfSense firewall logs are recording blocked traffic
- [ ] Full Proxmox backup of pfSense VM exists