# Apophis Networking Security Lab - Network Diagram

## Physical Infrastructure Overview

```
┌─────────────────┐
│  Internet/ISP   │
└────────┬────────┘
         │
┌────────▼────────┐
│  Unifi Router   │
│  (VLAN-aware)   │
│  Gateway/DHCP   │
└────────┬────────┘
         │
         │ Trunk Port
         │ (All VLANs tagged)
         │
┌────────▼────────┐
│  Cisco Switch   │
│   (Layer 2)     │
│  VLAN 100-400   │
└────────┬────────┘
         │
         │ Trunk Port
         │ (All VLANs tagged)
         │
┌────────▼────────┐
│ Proxmox Server  │
│     (vmbr0)     │
│   VLAN-aware    │
│     bridge      │
└────────┬────────┘
         │
         ├────────────────────┬────────────────────┐
         │                    │                    │
     VLAN 100           VLAN 200-400          pfSense VM
   (Management)     (Security Lab VLANs)      (Router/FW)
```

---

## VLAN Topology & Segmentation

```
┌─────────────────────────────────────────────────────────┐
│                 Unifi Router (Physical)                 │
│                    Internet Gateway                     │
│                  Default VLAN 1 (Home)                  │
└─────────────────────────────────────────────────────────┘
                             │ Trunk (VLANs 100,200,300,400)
                             │
┌─────────────────────────────────────────────────────────┐
│                 Cisco Switch (Physical)                 │
│               Trunk all VLANs to Proxmox                │
└─────────────────────────────────────────────────────────┘
                             │ Trunk (VLANs 100,200,300,400)
                             │
┌─────────────────────────────────────────────────────────┐
│              Proxmox Server - vmbr0 Bridge              │
│                  (VLAN-aware enabled)                   │
└─────────────────────────────────────────────────────────┘
      │              │              │              │
┌─────▼─────┐  ┌─────▼─────┐  ┌─────▼─────┐  ┌─────▼─────┐
│  VLAN 100 │  │  VLAN 200 │  │  VLAN 300 │  │  VLAN 400 │
│Management │  │ Red Team  │  │ Blue Team │  │  Victim   │
│  10.10.1  │  │  10.10.2  │  │  10.10.3  │  │  10.10.4  │
│   .0/24   │  │   .0/24   │  │   .0/24   │  │   .0/24   │
└───────────┘  └───────────┘  └───────────┘  └───────────┘
```

---

## Detailed VLAN Configuration

### VLAN 100 - Management Network (10.10.1.0/24)

**Purpose**: Hypervisor management and pfSense WAN interface

```
┌──────────────────────────────────────────┐
│          VLAN 100 - Management           │
│               10.10.1.0/24               │
├──────────────────────────────────────────┤
│                                          │
│  ┌────────────────────────────────┐      │
│  │ Proxmox Host (Physical)        │      │
│  │ IP: 10.10.1.1                  │      │
│  │ Web UI: https://10.10.1.1:8006 │      │
│  └────────────────────────────────┘      │
│                                          │
│  ┌────────────────────────────────┐      │
│  │ pfSense VM - WAN Interface     │      │
│  │ IP: 10.10.1.2                  │      │
│  │ Gateway to other VLANs         │      │
│  │ Web UI: https://10.10.1.2      │      │
│  └────────────────────────────────┘      │
│                                          │
└──────────────────────────────────────────┘
```

**Access**: Your management workstation connects here to access Proxmox and pfSense.

---

### pfSense VM - Internal Router/Firewall

**Role**: Routes traffic between VLANs 200, 300, 400 with firewall rules

```
┌─────────────────────────────────────────────────────┐
│               pfSense VM (Router/FW)                │
│                                                     │
│  ┌───────────┐  ┌───────────┐  ┌───────────┐        │
│  │  vtnet0   │  │  vtnet1   │  │  vtnet2   │  ...   │
│  │ VLAN 100  │  │ VLAN 200  │  │ VLAN 300  │        │
│  │  (WAN)    │  │  (RED)    │  │  (BLUE)   │        │
│  │ 10.10.1.2 │  │ 10.10.2.1 │  │ 10.10.3.1 │        │
│  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘        │
│        │              │              │              │
│        │        ┌─────▼──────────────▼─────┐        │
│        └───────►│   Firewall Rules         │        │
│                 │   NAT Rules              │        │
│                 │   IDS/IPS (Suricata)     │        │
│                 └──────────────────────────┘        │
│                                                     │
│  vtnet3 → VLAN 400 (10.10.4.1)                      │
└─────────────────────────────────────────────────────┘
```

**Network Interfaces**:

- **vtnet0** (WAN): VLAN 100 - 10.10.1.2 → Management network
- **vtnet1** (RED): VLAN 200 - 10.10.2.1 → Red Team gateway
- **vtnet2** (BLUE): VLAN 300 - 10.10.3.1 → Blue Team gateway
- **vtnet3** (VICTIM): VLAN 400 - 10.10.4.1 → Victim network gateway

---

### VLAN 200 - Red Team / Attacker Network (10.10.2.0/24)

**Purpose**: Offensive security tools and attack infrastructure

```
┌──────────────────────────────────────────┐
│           VLAN 200 - Red Team            │
│               10.10.2.0/24               │
├──────────────────────────────────────────┤
│                                          │
│  Gateway: 10.10.2.1 (pfSense)            │
│  DNS: 10.10.2.1                          │
│                                          │
│  ┌────────────────────────────────┐      │
│  │ Kali Linux VM                  │      │
│  │ IP: 10.10.2.50                 │      │
│  │ Hostname: kali-attacker        │      │
│  │                                │      │
│  │ Tools:                         │      │
│  │ • Nmap, Masscan                │      │
│  │ • Metasploit Framework         │      │
│  │ • Impacket (SMB/Kerberos)      │      │
│  │ • BloodHound, Responder        │      │
│  │ • Mimikatz, PowerSploit        │      │
│  │ • Burp Suite, SQLMap           │      │
│  │ • CrackMapExec, Evil-WinRM     │      │
│  └────────────────────────────────┘      │
│                                          │
└──────────────────────────────────────────┘
```

**Firewall Rules** (pfSense):

- **Outbound**: Allow to VLAN 400 (victim network) - controlled by lab phase
- **Inbound**: Deny all from other VLANs
- **Logging**: All traffic logged for Blue Team analysis

---

### VLAN 300 - Blue Team / Monitoring Network (10.10.3.0/24)

**Purpose**: Defensive security monitoring and SIEM

```
┌──────────────────────────────────────────┐
│           VLAN 300 - Blue Team           │
│               10.10.3.0/24               │
├──────────────────────────────────────────┤
│                                          │
│  Gateway: 10.10.3.1 (pfSense)            │
│  DNS: 10.10.3.1                          │
│                                          │
│  ┌────────────────────────────────┐      │
│  │ Security Onion VM              │      │
│  │ IP: 10.10.3.100                │      │
│  │ Hostname: securityonion        │      │
│  │                                │      │
│  │ Components:                    │      │
│  │ • Kibana (SIEM)                │      │
│  │ • Elasticsearch (logs)         │      │
│  │ • Suricata (IDS/IPS)           │      │
│  │ • Zeek/Bro (network analysis)  │      │
│  │ • Stenographer (PCAP)          │      │
│  │ • Wazuh (HIDS)                 │      │
│  │                                │      │
│  │ Web UI:                        │      │
│  │ https://10.10.3.100            │      │
│  └────────────────────────────────┘      │
│                                          │
└──────────────────────────────────────────┘
```

**Firewall Rules** (pfSense):

- **Inbound**: Mirror/SPAN traffic from VLAN 400 for IDS monitoring
- **Outbound**: Allow to Management VLAN (alerts/logs)
- **Isolation**: No direct access to VLAN 200 or 400

---

### VLAN 400 - Victim Network (10.10.4.0/24)

**Purpose**: Vulnerable target systems for penetration testing

```
┌────────────────────────────────────────────────────────────────┐
│                   VLAN 400 - Victim Network                    │
│                          10.10.4.0/24                          │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  Gateway: 10.10.4.1 (pfSense)                                  │
│  DNS: 10.10.4.10 (DC01)                                        │
│  Domain: apophis.local                                         │
│                                                                │
│  ┌──────────────────────────────────────────────────┐          │
│  │ DC01 - Domain Controller                         │          │
│  │ IP: 10.10.4.10                                   │          │
│  │ OS: Windows Server 2022                          │          │
│  │ Services: AD DS, DNS, LDAP, Kerberos             │          │
│  │ Domain: apophis.local                            │          │
│  └──────────────────────────────────────────────────┘          │
│                                                                │
│  ┌──────────────────────────────────────────────────┐          │
│  │ WS01 - HR Workstation                            │          │
│  │ IP: 10.10.4.20                                   │          │
│  │ OS: Windows 10 Pro                               │          │
│  │ Domain: apophis.local\hruser                     │          │
│  │ Group: Domain Users                              │          │
│  └──────────────────────────────────────────────────┘          │
│                                                                │
│  ┌──────────────────────────────────────────────────┐          │
│  │ WS02 - IT Admin Workstation                      │          │
│  │ IP: 10.10.4.21                                   │          │
│  │ OS: Windows 10 Pro                               │          │
│  │ Domain: apophis.local\itadmin                    │          │
│  │ Group: Domain Admins (privileged)                │          │
│  └──────────────────────────────────────────────────┘          │
│                                                                │
│  ┌──────────────────────────────────────────────────┐          │
│  │ WEB01 - Web Application Server                   │          │
│  │ IP: 10.10.4.30                                   │          │
│  │ OS: Ubuntu 22.04 LTS                             │          │
│  │ Services: DVWA (Docker), Apache, MySQL           │          │
│  │ Ports: 80 (HTTP), 22 (SSH), 3306 (MySQL)         │          │
│  └──────────────────────────────────────────────────┘          │
│                                                                │
│  ┌──────────────────────────────────────────────────┐          │
│  │ FILE01 - Legacy File Server                      │          │
│  │ IP: 10.10.4.40                                   │          │
│  │ OS: Metasploitable 2 (Ubuntu 8.04)               │          │
│  │ Services: FTP (vsftpd 2.3.4), SMB, SSH, MySQL    │          │
│  │ Vulnerabilities: Multiple (intentional)          │          │
│  └──────────────────────────────────────────────────┘          │
│                                                                │
└────────────────────────────────────────────────────────────────┘
```

**Firewall Rules** (pfSense):

- **Default**: Allow internal communication within VLAN 400
- **Inbound from VLAN 200**: Deny by default (enable per-lab exercise)
- **Outbound to Internet**: Allow (for updates/downloads)
- **Logging**: All inter-VLAN traffic logged

---

## Traffic Flow Examples

### Example 1: Red Team Attack (MOD3 - Exploitation)

```
┌──────────────┐         ┌──────────────┐         ┌──────────────┐
│  Kali Linux  │────1───►│   pfSense    │────2───►│    FILE01    │
│  10.10.2.50  │         │   Firewall   │         │  10.10.4.40  │
│   VLAN 200   │         │  Rules Check │         │   VLAN 400   │
└──────────────┘         └──────┬───────┘         └──────┬───────┘
                               3│                        │ (Mirror/SPAN)
                                └───────────┬────────────┘
                                            ▼
                                   ┌──────────────────┐
                                   │  Security Onion  │
                                   │   10.10.3.100    │
                                   │     VLAN 300     │
                                   │   (IDS Alerts)   │
                                   └──────────────────┘
```

**Flow**:

1. Kali sends exploit to FILE01 (vsftpd backdoor)
2. pfSense allows (per lab rules) and logs connection
3. Security Onion captures traffic via SPAN port, Suricata generates alert

---

### Example 2: Lateral Movement (MOD5 - AD Attacks)

```
┌──────────────┐   PSExec/SMB     ┌──────────────┐    Kerberos     ┌──────────────┐
│  Kali Linux  │─────────────────►│     WS02     │────────────────►│     DC01     │
│  10.10.2.50  │  (via pfSense)   │  10.10.4.21  │   TGT Request   │  10.10.4.10  │
│   VLAN 200   │                  │   VLAN 400   │                 │   VLAN 400   │
└──────┬───────┘                  └──────┬───────┘                 └──────┬───────┘
       │                                 │                                │
       └─────────────────────────────────┴────────────────────────────────┘
                                         │
                          (All logged by Security Onion)
```

**Flow**:

1. Kali uses stolen credentials to PSExec into WS02
2. From WS02, perform Kerberoasting against DC01
3. Security Onion logs all SMB and Kerberos traffic

---

### Example 3: Blue Team Forensics (MOD6 - Incident Response)

```
┌──────────────────┐                           ┌──────────────────┐
│ Your Workstation │──────Management──────────►│ Proxmox Console  │
│    (VLAN 100)    │        VLAN 100           │    10.10.1.1     │
└──────────────────┘                           └─────────┬────────┘
                                                         │ Take VM Snapshot
                                                         │ Export disk image
                                                         │
                               ┌─────────────────────────┘
                               │
                               ▼
                     ┌──────────────────┐
                     │  WS02 (Snapshot) │◄──── Forensic Analysis
                     │    Disk Image    │      • Autopsy
                     │   Memory Dump    │      • Volatility
                     └──────────────────┘      • Timeline reconstruction
```

**Flow**:

1. Access Proxmox from Management VLAN
2. Create snapshots of compromised VMs
3. Export disk images for forensic analysis
4. Analyze with Autopsy/Volatility on separate forensics workstation

---

## Physical Switch Configuration (Cisco)

### Required VLAN Configuration

```cisco
! Create VLANs
vlan 100
 name Management
vlan 200
 name RedTeam
vlan 300
 name BlueTeam
vlan 400
 name Victim
!
! Trunk port to Proxmox server (assume GigabitEthernet0/1)
interface GigabitEthernet0/1
 description Trunk to Proxmox Server
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300,400
 switchport trunk native vlan 100
 spanning-tree portfast trunk
!
! Trunk port to Unifi Router (assume GigabitEthernet0/24)
interface GigabitEthernet0/24
 description Trunk to Unifi Router
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300,400
 switchport trunk native vlan 1
```

---

## Unifi Router/Gateway Configuration

### VLAN Networks Setup

```
Network: Management (VLAN 100)
├─ VLAN ID: 100
├─ Subnet: 10.10.1.0/24
├─ Gateway: 10.10.1.254 (Unifi router)
├─ DHCP: Disabled (static IPs only)
└─ Purpose: Proxmox management access

Network: Red Team (VLAN 200)
├─ VLAN ID: 200
├─ Subnet: 10.10.2.0/24
├─ Gateway: 10.10.2.1 (pfSense handles routing)
├─ DHCP: Disabled (pfSense provides DHCP)
└─ Purpose: Isolated attacker network

Network: Blue Team (VLAN 300)
├─ VLAN ID: 300
├─ Subnet: 10.10.3.0/24
├─ Gateway: 10.10.3.1 (pfSense handles routing)
├─ DHCP: Disabled (static IP for Security Onion)
└─ Purpose: Monitoring and SIEM

Network: Victim (VLAN 400)
├─ VLAN ID: 400
├─ Subnet: 10.10.4.0/24
├─ Gateway: 10.10.4.1 (pfSense handles routing)
├─ DHCP: Provided by DC01 (10.10.4.10)
└─ Purpose: Target systems
```

**Inter-VLAN Routing**: Handled by pfSense VM (VLANs 200-400)

**Internet Access**: Routed through pfSense NAT → Unifi router

---

## Proxmox Network Configuration

### Linux Bridge Configuration (vmbr0)

```bash
# /etc/network/interfaces
auto lo
iface lo inet loopback

# Physical interface
auto ens18
iface ens18 inet manual

# VLAN-aware bridge
auto vmbr0
iface vmbr0 inet static
    address 10.10.1.1/24
    gateway 10.10.1.254
    bridge-ports ens18
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 100 200 300 400
```

### VM Network Configuration Examples

**pfSense VM**:

- **Net0**: vmbr0, VLAN 100 (WAN/Management)
- **Net1**: vmbr0, VLAN 200 (Red Team)
- **Net2**: vmbr0, VLAN 300 (Blue
Team)
- **Net3**: vmbr0, VLAN 400 (Victim)

**Kali Linux VM**:

- **Net0**: vmbr0, VLAN 200

**Security Onion VM**:

- **Net0**: vmbr0, VLAN 300

**DC01 / WS01 / WS02 / WEB01 / FILE01**:

- **Net0**: vmbr0, VLAN 400

---

## IP Address Allocation Table

| VLAN | Network      | Device           | IP Address  | Role                 |
|------|--------------|------------------|-------------|----------------------|
| 100  | 10.10.1.0/24 | Proxmox Host     | 10.10.1.1   | Hypervisor           |
| 100  | 10.10.1.0/24 | pfSense WAN      | 10.10.1.2   | Internal router      |
| 100  | 10.10.1.0/24 | Unifi Router     | 10.10.1.254 | Gateway/Internet     |
| 200  | 10.10.2.0/24 | pfSense (RED)    | 10.10.2.1   | VLAN 200 gateway     |
| 200  | 10.10.2.0/24 | Kali Linux       | 10.10.2.50  | Attacker workstation |
| 300  | 10.10.3.0/24 | pfSense (BLUE)   | 10.10.3.1   | VLAN 300 gateway     |
| 300  | 10.10.3.0/24 | Security Onion   | 10.10.3.100 | SIEM/IDS             |
| 400  | 10.10.4.0/24 | pfSense (VICTIM) | 10.10.4.1   | VLAN 400 gateway     |
| 400  | 10.10.4.0/24 | DC01             | 10.10.4.10  | Domain Controller    |
| 400  | 10.10.4.0/24 | WS01             | 10.10.4.20  | HR Workstation       |
| 400  | 10.10.4.0/24 | WS02             | 10.10.4.21  | IT Admin Workstation |
| 400  | 10.10.4.0/24 | WEB01            | 10.10.4.30  | Web App Server       |
| 400  | 10.10.4.0/24 | FILE01           | 10.10.4.40  | Legacy File Server   |

---

## Security Isolation Matrix

| From VLAN        | To VLAN 100 | To VLAN 200 | To VLAN 300 | To VLAN 400     | Internet |
|------------------|-------------|-------------|-------------|-----------------|----------|
| **100** (Mgmt)   | ✅ Allow    | ✅ Allow    | ✅ Allow    | ✅ Allow        | ✅ Allow |
| **200** (Red)    | ❌ Deny     | ✅ Allow    | ❌ Deny     | 🔶 Lab-based    | ✅ Allow |
| **300** (Blue)   | ✅ Allow    | ❌ Deny     | ✅ Allow    | 👁️ Monitor only | ✅ Allow |
| **400** (Victim) | ❌ Deny     | ❌ Deny     | ❌ Deny     | ✅ Allow        | ✅ Allow |

**Legend**:

- ✅ Allow - Traffic permitted
- ❌ Deny - Traffic blocked by default
- 🔶 Lab-based - Enabled per exercise (pfSense rules)
- 👁️ Monitor only - SPAN/mirror traffic for IDS

---

## Traffic Mirroring for IDS (Security Onion)

To enable Security Onion to monitor VLAN 400
traffic:

### Option 1: pfSense Packet Capture

```bash
# On pfSense, enable packet mirroring to Security Onion
# Diagnostics → Packet Capture → Mirror to 10.10.3.100
```

### Option 2: Cisco Switch SPAN Port

```cisco
! Configure SPAN to mirror VLAN 400 to Security Onion monitoring port
monitor session 1 source vlan 400
monitor session 1 destination interface GigabitEthernet0/10
! Connect Security Onion monitoring interface to Gi0/10
```

### Option 3: Proxmox TAP Interface

- Create virtual TAP between VLAN 400 bridge and Security Onion
- Security Onion gets promiscuous interface for passive monitoring

---

## Quick Setup Checklist

### Physical Infrastructure

- [ ] Connect Proxmox server to Cisco switch via trunk port
- [ ] Connect Cisco switch to Unifi router via trunk port
- [ ] Configure VLANs 100, 200, 300, 400 on Cisco switch
- [ ] Enable VLAN-aware bridge on Proxmox (vmbr0)

### Unifi Router

- [ ] Create VLAN networks (100, 200, 300, 400)
- [ ] Set subnet for each VLAN (10.10.x.0/24)
- [ ] Configure firewall rules (optional - pfSense handles most)

### Proxmox Configuration

- [ ] Edit `/etc/network/interfaces` with VLAN-aware bridge
- [ ] Reboot Proxmox host
- [ ] Verify bridge with: `ip link show vmbr0`

### pfSense VM Deployment

- [ ] Create pfSense VM with 4 network interfaces
- [ ] Assign interfaces: vtnet0-3 to VLANs 100, 200, 300, 400
- [ ] Configure WAN (VLAN 100): 10.10.1.2
- [ ] Configure LAN interfaces for other VLANs (.1 addresses)
- [ ] Set up firewall rules per module requirements

### VM Deployment

- [ ] Deploy Kali Linux on VLAN 200
- [ ] Deploy Security Onion on VLAN 300
- [ ] Deploy victim systems on VLAN 400 (DC01, WS01, WS02, WEB01, FILE01)
- [ ] Configure static IPs per allocation table
- [ ] Join Windows systems to apophis.local domain

### Verification Tests

- [ ] Ping test: Kali → pfSense (10.10.2.1) ✅
- [ ] Ping test: Kali → FILE01 (10.10.4.40) ❌ (blocked by default)
- [ ] Ping test: Security Onion → pfSense (10.10.3.1) ✅
- [ ] DNS resolution:
DC01 resolves apophis.local
- [ ] IDS test: Generate Suricata alert from Kali scan
- [ ] Web UI access: pfSense (10.10.1.2), Security Onion (10.10.3.100)

---

## Diagram for Visual Tools

If you want to create a visual diagram, use these tools:

### Recommended Tools

1. **Draw.io** (diagrams.net) - Free, exports to PNG/SVG
2. **Lucidchart** - Professional network diagrams
3. **Microsoft Visio** - Enterprise standard
4. **Netbox** - Network documentation platform

### Import Template

Copy this structure into your diagram tool:

**Physical Layer**:

- Internet → Unifi Router → Cisco Switch → Proxmox Server

**Virtual Layer**:

- 4 VLANs (100, 200, 300, 400) connected via pfSense VM
- VMs grouped by VLAN with IP addresses

**Visual Style** (Apophis Branding):

- Use crimson (#D72638) for Red Team components
- Use cyber blue (#0056B3) for Blue Team components
- Use silver (#E0E0E2) for infrastructure
- Use obsidian (#1B1B1E) for victim network
- Sharp corners (no rounded edges)

---

## Troubleshooting

### Issue: VMs can't communicate across VLANs

- **Check**: pfSense firewall rules allow traffic
- **Check**: VLAN tags correctly assigned in Proxmox VM config
- **Check**: Cisco switch trunk allows all VLANs

### Issue: Security Onion not seeing traffic

- **Check**: SPAN/mirror configured on switch or pfSense
- **Check**: Promiscuous mode enabled on monitoring interface
- **Check**: Suricata/Zeek services running

### Issue: Domain join fails (VLAN 400)

- **Check**: DC01 DNS configured (10.10.4.10)
- **Check**: pfSense allows DNS/Kerberos (ports 53, 88, 389)
- **Check**: Time sync between DC01 and workstations

### Issue: Kali can't reach victim network

- **Expected**: By default, VLAN 200 → 400 is blocked
- **Fix**: Enable pfSense rule per lab module requirements

---

## Notes

- **Isolation**: Red Team (VLAN 200) is isolated from victim network by default
- **Lab Control**: Enable/disable Red Team access via pfSense firewall rules per module
- **Monitoring**: All inter-VLAN traffic
logged for Blue Team analysis
- **Internet Access**: All VLANs can reach Internet via Unifi router NAT (for updates)
- **Management**: Access Proxmox/pfSense from VLAN 100 only

**Security**: This lab is intentionally vulnerable. Do NOT expose to public Internet.

---

## Next Steps

1. **Review**: `.claude/MOD1_Secure_Infrastructure.md` for detailed pfSense setup
2. **Deploy**: Follow VM installation guides in each module
3. **Test**: Run connectivity tests before starting MOD2
4. **Snapshot**: Create baseline snapshots after initial setup

**"Order from Chaos"** 🐍 - Apophis Networking Security Lab
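The Security Isolation Matrix, the per-VLAN firewall rules and the Verification Tests above all describe one expected reachability policy. The Python below is an added example, not part of the lab's own tooling: it encodes the matrix over the allocation table's subnets, reproduces the expected ping outcomes, and audits Suricata EVE JSON `flow` records (the format Security Onion stores) for connections the matrix says pfSense should have blocked. It assumes "Monitor only" counts as deny for connections Blue Team initiates; the EVE records are constructed samples.

```python
import ipaddress
import json

# Lab addressing from the IP allocation table; anything outside 10.10.x.0/24 is "internet".
VLANS = {
    100: ipaddress.ip_network("10.10.1.0/24"),  # Management
    200: ipaddress.ip_network("10.10.2.0/24"),  # Red Team
    300: ipaddress.ip_network("10.10.3.0/24"),  # Blue Team
    400: ipaddress.ip_network("10.10.4.0/24"),  # Victim
}
INTERNET = "internet"

# Security Isolation Matrix, indexed [source][destination]. "lab" is enabled per exercise;
# "monitor" is passive SPAN only, so it is treated as deny for connections Blue Team initiates.
MATRIX = {
    100: {100: "allow", 200: "allow", 300: "allow", 400: "allow", INTERNET: "allow"},
    200: {100: "deny", 200: "allow", 300: "deny", 400: "lab", INTERNET: "allow"},
    300: {100: "allow", 200: "deny", 300: "allow", 400: "monitor", INTERNET: "allow"},
    400: {100: "deny", 200: "deny", 300: "deny", 400: "allow", INTERNET: "allow"},
}

def zone_of(ip):
    """Map an address to its lab VLAN number, or to INTERNET."""
    addr = ipaddress.ip_address(ip)
    return next((vlan for vlan, net in VLANS.items() if addr in net), INTERNET)

def is_allowed(src_ip, dst_ip, exercise_open=False):
    """Whether a connection initiated from src to dst conforms to the matrix."""
    src = zone_of(src_ip)
    if src == INTERNET:
        return False  # nothing inbound from the Internet reaches the lab
    verdict = MATRIX[src][zone_of(dst_ip)]
    return exercise_open if verdict == "lab" else verdict == "allow"

def audit_flows(eve_lines, exercise_open=False):
    """Return (src, dst, port) for Suricata EVE flow records the matrix should have blocked."""
    violations = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue  # alerts, dns, http etc. are not connection records
        if not is_allowed(ev["src_ip"], ev["dest_ip"], exercise_open):
            violations.append((ev["src_ip"], ev["dest_ip"], ev.get("dest_port")))
    return violations

# Constructed EVE JSON records (not captured from the lab): FTP from Kali to FILE01,
# Security Onion to the pfSense web UI, and a victim host reaching into the Red Team VLAN.
SAMPLE_EVE = [
    '{"event_type":"flow","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.10.3.100","dest_ip":"10.10.1.2","dest_port":443,"proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.10.4.21","dest_ip":"10.10.2.50","dest_port":443,"proto":"TCP"}',
    '{"event_type":"alert","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"proto":"TCP"}',
]
```

With the exercise closed, both the Kali → FILE01 flow and the victim → Red Team flow are reported; opening the exercise clears the first, and the second remains a misconfiguration to chase in the pfSense rules.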
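For the Troubleshooting item "VMs can't communicate across VLANs", this Python check is an added example (not a script from the lab): it parses the Cisco trunk stanza and the Proxmox `/etc/network/interfaces` bridge stanza of the kind shown above and reports which of the four lab VLANs each hop would drop. The sample configs are constructed, with the switch trunk deliberately missing VLAN 400; interface names are the ones this document assumes.

```python
import re

REQUIRED_VLANS = {100, 200, 300, 400}  # the four lab VLANs defined in this document

def expand_vlan_list(spec):
    """Expand '100,200,300,400', '100-400' or '100 200 300 400' into a set of VLAN IDs."""
    vlans = set()
    for part in re.split(r"[,\s]+", spec.strip()):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def _stanza(text, header_re):
    """Indented lines following a config header ('interface X' in IOS, 'iface X' in ifupdown)."""
    m = re.search(header_re + r"[^\n]*\n((?:[ \t]+[^\n]*\n?)*)", text, re.M)
    return m.group(1) if m else None

def trunk_vlans(ios_config, interface):
    """VLANs a Cisco trunk carries; IOS allows all 1-4094 when no allowed-vlan line is set."""
    stanza = _stanza(ios_config, rf"^interface {re.escape(interface)}\b")
    if stanza is None:
        raise ValueError(f"{interface} not found in switch config")
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", stanza)
    return expand_vlan_list(m.group(1)) if m else set(range(1, 4095))

def bridge_vids(interfaces_text, bridge="vmbr0"):
    """VLANs a Proxmox bridge forwards: none unless VLAN-aware, bridge-vids if set, else 2-4094."""
    stanza = _stanza(interfaces_text, rf"^iface {re.escape(bridge)}\b")
    if stanza is None:
        raise ValueError(f"{bridge} not found in interfaces file")
    if not re.search(r"bridge-vlan-aware[ \t]+yes", stanza):
        return set()  # a plain bridge strips nothing but carries no tagged VLANs for VMs
    m = re.search(r"bridge-vids[ \t]+([\d \t\-]+)", stanza)
    return expand_vlan_list(m.group(1)) if m else set(range(2, 4095))

def missing_vlans(ios_config, interface, interfaces_text):
    """Lab VLANs dropped at each hop of the trunk path: the switch port, then the vmbr0 bridge."""
    return {
        "switch": sorted(REQUIRED_VLANS - trunk_vlans(ios_config, interface)),
        "bridge": sorted(REQUIRED_VLANS - bridge_vids(interfaces_text)),
    }

# Constructed sample configs (not the lab's files): the trunk is missing VLAN 400.
SWITCH_CFG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
 switchport trunk native vlan 100
"""
BRIDGE_CFG = """\
iface vmbr0 inet static
    bridge-ports ens18
    bridge-vlan-aware yes
    bridge-vids 100 200 300 400
"""
```

Run it against `show running-config` output and the host's interfaces file; a VLAN listed under `switch` is the classic cause of the victim VMs being unreachable even though the pfSense rule is open.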