# Apophis Networking Security Lab - Network Diagram

## Physical Infrastructure Overview

```
        ┌─────────────────┐
        │  Internet/ISP   │
        └────────┬────────┘
                 │
        ┌────────▼────────┐
        │  Unifi Router   │
        │  (VLAN-aware)   │
        │  Gateway/DHCP   │
        └────────┬────────┘
                 │
                 │ Trunk Port
                 │ (All VLANs tagged)
                 │
        ┌────────▼────────┐
        │  Cisco Switch   │
        │   (Layer 2)     │
        │  VLAN 100-400   │
        └────────┬────────┘
                 │
                 │ Trunk Port
                 │ (All VLANs tagged)
                 │
        ┌────────▼────────┐
        │ Proxmox Server  │
        │    (vmbr0)      │
        │   VLAN-aware    │
        │     bridge      │
        └────────┬────────┘
                 │
    ┌────────────┼────────────┐
    │            │            │
 VLAN 100  VLAN 200-400  pfSense VM
(Management) (Security Lab (Router/FW)
               VLANs)
```
## VLAN Topology & Segmentation

```
┌────────────────────────────────────────────────────────────┐
│                  Unifi Router (Physical)                   │
│                     Internet Gateway                       │
│                   Default VLAN 1 (Home)                    │
└─────────────────────────────┬──────────────────────────────┘
                              │
                Trunk (VLANs 100,200,300,400)
                              │
┌─────────────────────────────▼──────────────────────────────┐
│                   Cisco Switch (Physical)                  │
│                 Trunk all VLANs to Proxmox                 │
└─────────────────────────────┬──────────────────────────────┘
                              │
                Trunk (VLANs 100,200,300,400)
                              │
┌─────────────────────────────▼──────────────────────────────┐
│                Proxmox Server - vmbr0 Bridge               │
│                   (VLAN-aware enabled)                     │
└─────┬───────────────┬───────────────┬───────────────┬──────┘
      │               │               │               │
 ┌────▼─────┐    ┌────▼─────┐    ┌────▼─────┐    ┌────▼─────┐
 │ VLAN 100 │    │ VLAN 200 │    │ VLAN 300 │    │ VLAN 400 │
 │Management│    │ Red Team │    │Blue Team │    │  Victim  │
 │ 10.10.1  │    │ 10.10.2  │    │ 10.10.3  │    │ 10.10.4  │
 │  .0/24   │    │  .0/24   │    │  .0/24   │    │  .0/24   │
 └──────────┘    └──────────┘    └──────────┘    └──────────┘
```
## Detailed VLAN Configuration

### VLAN 100 - Management Network (10.10.1.0/24)

Purpose: Hypervisor management and pfSense WAN interface

```
┌──────────────────────────────────────────┐
│          VLAN 100 - Management           │
│               10.10.1.0/24               │
├──────────────────────────────────────────┤
│                                          │
│   ┌────────────────────────────────┐     │
│   │ Proxmox Host (Physical)        │     │
│   │ IP: 10.10.1.1                  │     │
│   │ Web UI: https://10.10.1.1:8006 │     │
│   └────────────────────────────────┘     │
│                                          │
│   ┌────────────────────────────────┐     │
│   │ pfSense VM - WAN Interface     │     │
│   │ IP: 10.10.1.2                  │     │
│   │ Gateway to other VLANs         │     │
│   │ Web UI: https://10.10.1.2      │     │
│   └────────────────────────────────┘     │
│                                          │
└──────────────────────────────────────────┘
```

Access: Your management workstation connects here to access Proxmox and pfSense
### pfSense VM - Internal Router/Firewall

Role: Routes traffic between VLANs 200, 300, 400 with firewall rules

```
┌─────────────────────────────────────────────────────┐
│                pfSense VM (Router/FW)               │
│                                                     │
│  ┌───────────┐  ┌───────────┐  ┌───────────┐        │
│  │  vtnet0   │  │  vtnet1   │  │  vtnet2   │  ...   │
│  │ VLAN 100  │  │ VLAN 200  │  │ VLAN 300  │        │
│  │  (WAN)    │  │  (RED)    │  │  (BLUE)   │        │
│  │ 10.10.1.2 │  │ 10.10.2.1 │  │ 10.10.3.1 │        │
│  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘        │
│        │              │              │              │
│        │        ┌─────▼──────────────▼─────┐        │
│        └───────►│     Firewall Rules       │        │
│                 │     NAT Rules            │        │
│                 │     IDS/IPS (Suricata)   │        │
│                 └──────────────────────────┘        │
│                                                     │
│  vtnet3 → VLAN 400 (10.10.4.1)                      │
└─────────────────────────────────────────────────────┘
```

Network Interfaces:
- vtnet0 (WAN): VLAN 100 - 10.10.1.2 → Management network
- vtnet1 (RED): VLAN 200 - 10.10.2.1 → Red Team gateway
- vtnet2 (BLUE): VLAN 300 - 10.10.3.1 → Blue Team gateway
- vtnet3 (VICTIM): VLAN 400 - 10.10.4.1 → Victim network gateway
### VLAN 200 - Red Team / Attacker Network (10.10.2.0/24)

Purpose: Offensive security tools and attack infrastructure

```
┌──────────────────────────────────────────┐
│           VLAN 200 - Red Team            │
│               10.10.2.0/24               │
├──────────────────────────────────────────┤
│                                          │
│   Gateway: 10.10.2.1 (pfSense)           │
│   DNS: 10.10.2.1                         │
│                                          │
│   ┌────────────────────────────────┐     │
│   │ Kali Linux VM                  │     │
│   │ IP: 10.10.2.50                 │     │
│   │ Hostname: kali-attacker        │     │
│   │                                │     │
│   │ Tools:                         │     │
│   │  • Nmap, Masscan               │     │
│   │  • Metasploit Framework        │     │
│   │  • Impacket (SMB/Kerberos)     │     │
│   │  • BloodHound, Responder       │     │
│   │  • Mimikatz, PowerSploit       │     │
│   │  • Burp Suite, SQLMap          │     │
│   │  • CrackMapExec, Evil-WinRM    │     │
│   └────────────────────────────────┘     │
│                                          │
└──────────────────────────────────────────┘
```

Firewall Rules (pfSense):
- Outbound: Allow to VLAN 400 (victim network) - controlled by lab phase
- Inbound: Deny all from other VLANs
- Logging: All traffic logged for Blue Team analysis
### VLAN 300 - Blue Team / Monitoring Network (10.10.3.0/24)

Purpose: Defensive security monitoring and SIEM

```
┌──────────────────────────────────────────┐
│           VLAN 300 - Blue Team           │
│               10.10.3.0/24               │
├──────────────────────────────────────────┤
│                                          │
│   Gateway: 10.10.3.1 (pfSense)           │
│   DNS: 10.10.3.1                         │
│                                          │
│   ┌────────────────────────────────┐     │
│   │ Security Onion VM              │     │
│   │ IP: 10.10.3.100                │     │
│   │ Hostname: securityonion        │     │
│   │                                │     │
│   │ Components:                    │     │
│   │  • Kibana (SIEM)               │     │
│   │  • Elasticsearch (logs)        │     │
│   │  • Suricata (IDS/IPS)          │     │
│   │  • Zeek/Bro (network analysis) │     │
│   │  • Stenographer (PCAP)         │     │
│   │  • Wazuh (HIDS)                │     │
│   │                                │     │
│   │ Web UI:                        │     │
│   │  https://10.10.3.100           │     │
│   └────────────────────────────────┘     │
│                                          │
└──────────────────────────────────────────┘
```

Firewall Rules (pfSense):
- Inbound: Mirror/SPAN traffic from VLAN 400 for IDS monitoring
- Outbound: Allow to Management VLAN (alerts/logs)
- Isolation: No direct access to VLAN 200 or 400
### VLAN 400 - Victim Network (10.10.4.0/24)

Purpose: Vulnerable target systems for penetration testing

```
┌────────────────────────────────────────────────────────────────┐
│                   VLAN 400 - Victim Network                    │
│                          10.10.4.0/24                          │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│   Gateway: 10.10.4.1 (pfSense)                                 │
│   DNS: 10.10.4.10 (DC01)                                       │
│   Domain: apophis.local                                        │
│                                                                │
│   ┌──────────────────────────────────────────────────┐         │
│   │ DC01 - Domain Controller                         │         │
│   │ IP: 10.10.4.10                                   │         │
│   │ OS: Windows Server 2022                          │         │
│   │ Services: AD DS, DNS, LDAP, Kerberos             │         │
│   │ Domain: apophis.local                            │         │
│   └──────────────────────────────────────────────────┘         │
│                                                                │
│   ┌──────────────────────────────────────────────────┐         │
│   │ WS01 - HR Workstation                            │         │
│   │ IP: 10.10.4.20                                   │         │
│   │ OS: Windows 10 Pro                               │         │
│   │ Domain: apophis.local\hruser                     │         │
│   │ Group: Domain Users                              │         │
│   └──────────────────────────────────────────────────┘         │
│                                                                │
│   ┌──────────────────────────────────────────────────┐         │
│   │ WS02 - IT Admin Workstation                      │         │
│   │ IP: 10.10.4.21                                   │         │
│   │ OS: Windows 10 Pro                               │         │
│   │ Domain: apophis.local\itadmin                    │         │
│   │ Group: Domain Admins (privileged)                │         │
│   └──────────────────────────────────────────────────┘         │
│                                                                │
│   ┌──────────────────────────────────────────────────┐         │
│   │ WEB01 - Web Application Server                   │         │
│   │ IP: 10.10.4.30                                   │         │
│   │ OS: Ubuntu 22.04 LTS                             │         │
│   │ Services: DVWA (Docker), Apache, MySQL           │         │
│   │ Ports: 80 (HTTP), 22 (SSH), 3306 (MySQL)         │         │
│   └──────────────────────────────────────────────────┘         │
│                                                                │
│   ┌──────────────────────────────────────────────────┐         │
│   │ FILE01 - Legacy File Server                      │         │
│   │ IP: 10.10.4.40                                   │         │
│   │ OS: Metasploitable 2 (Ubuntu 8.04)               │         │
│   │ Services: FTP (vsftpd 2.3.4), SMB, SSH, MySQL    │         │
│   │ Vulnerabilities: Multiple (intentional)          │         │
│   └──────────────────────────────────────────────────┘         │
│                                                                │
└────────────────────────────────────────────────────────────────┘
```

Firewall Rules (pfSense):
- Default: Allow internal communication within VLAN 400
- Inbound from VLAN 200: Deny by default (enable per-lab exercise)
- Outbound to Internet: Allow (for updates/downloads)
- Logging: All inter-VLAN traffic logged
## Traffic Flow Examples

### Example 1: Red Team Attack (MOD3 - Exploitation)

```
┌──────────────┐         ┌──────────────┐         ┌──────────────┐
│  Kali Linux  │────1───►│   pfSense    │────2───►│    FILE01    │
│  10.10.2.50  │         │   Firewall   │         │  10.10.4.40  │
│   VLAN 200   │         │ Rules Check  │         │   VLAN 400   │
└──────────────┘         └───────┬──────┘         └───────┬──────┘
                                 │                        │
                                3│                        │ (Mirror/SPAN)
                                 │                        │
                             ┌───▼────────────────────────▼─┐
                             │        Security Onion        │
                             │         10.10.3.100          │
                             │           VLAN 300           │
                             │         (IDS Alerts)         │
                             └──────────────────────────────┘
```

Flow:
- Kali sends exploit to FILE01 (vsftpd backdoor)
- pfSense allows (per lab rules) and logs connection
- Security Onion captures traffic via SPAN port, Suricata generates alert
### Example 2: Lateral Movement (MOD5 - AD Attacks)

```
┌──────────────┐    PSExec/SMB    ┌──────────────┐    Kerberos     ┌──────────────┐
│  Kali Linux  │─────────────────►│     WS02     │────────────────►│     DC01     │
│  10.10.2.50  │  (via pfSense)   │  10.10.4.21  │  TGT Request    │  10.10.4.10  │
│   VLAN 200   │                  │   VLAN 400   │                 │   VLAN 400   │
└──────┬───────┘                  └──────┬───────┘                 └──────┬───────┘
       │                                 │                                │
       └─────────────────────────────────┴────────────────────────────────┘
                                         │
                                  (All logged by
                                  Security Onion)
```

Flow:
- Kali uses stolen credentials to PSExec into WS02
- From WS02, perform Kerberoasting against DC01
- Security Onion logs all SMB and Kerberos traffic
### Example 3: Blue Team Forensics (MOD6 - Incident Response)

```
┌──────────────────┐                           ┌──────────────────┐
│ Your Workstation │──────Management──────────►│ Proxmox Console  │
│    (VLAN 100)    │         VLAN 100          │    10.10.1.1     │
└──────────────────┘                           └─────────┬────────┘
                                                         │
                                                  Take VM Snapshot
                                                  Export disk image
                                                         │
                    ┌────────────────────────────────────┘
                    │
          ┌─────────▼────────┐
          │  WS02 (Snapshot) │◄──── Forensic Analysis
          │    Disk Image    │        • Autopsy
          │   Memory Dump    │        • Volatility
          └──────────────────┘        • Timeline reconstruction
```

Flow:
- Access Proxmox from Management VLAN
- Create snapshots of compromised VMs
- Export disk images for forensic analysis
- Analyze with Autopsy/Volatility on separate forensics workstation
## Physical Switch Configuration (Cisco)

### Required VLAN Configuration

```
! Create VLANs
vlan 100
 name Management
vlan 200
 name RedTeam
vlan 300
 name BlueTeam
vlan 400
 name Victim

! Trunk port to Proxmox server (assume GigabitEthernet0/1)
! Native VLAN 100: the Proxmox host's own untagged traffic (the 10.10.1.1
! address configured directly on vmbr0) lands in the management VLAN;
! VM NICs tag 100-400 explicitly
interface GigabitEthernet0/1
 description Trunk to Proxmox Server
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300,400
 switchport trunk native vlan 100
 spanning-tree portfast trunk

! Trunk port to Unifi Router (assume GigabitEthernet0/24)
interface GigabitEthernet0/24
 description Trunk to Unifi Router
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300,400
 switchport trunk native vlan 1
```
## Unifi Router/Gateway Configuration

### VLAN Networks Setup

```
Network: Management (VLAN 100)
├─ VLAN ID: 100
├─ Subnet: 10.10.1.0/24
├─ Gateway: 10.10.1.254 (Unifi router)
├─ DHCP: Disabled (static IPs only)
└─ Purpose: Proxmox management access

Network: Red Team (VLAN 200)
├─ VLAN ID: 200
├─ Subnet: 10.10.2.0/24
├─ Gateway: 10.10.2.1 (pfSense handles routing)
├─ DHCP: Disabled (pfSense provides DHCP)
└─ Purpose: Isolated attacker network

Network: Blue Team (VLAN 300)
├─ VLAN ID: 300
├─ Subnet: 10.10.3.0/24
├─ Gateway: 10.10.3.1 (pfSense handles routing)
├─ DHCP: Disabled (static IP for Security Onion)
└─ Purpose: Monitoring and SIEM

Network: Victim (VLAN 400)
├─ VLAN ID: 400
├─ Subnet: 10.10.4.0/24
├─ Gateway: 10.10.4.1 (pfSense handles routing)
├─ DHCP: Provided by DC01 (10.10.4.10)
└─ Purpose: Target systems
```

- Inter-VLAN Routing: Handled by pfSense VM (VLANs 200-400)
- Internet Access: Routed through Unifi → pfSense NAT
## Proxmox Network Configuration

### Linux Bridge Configuration (vmbr0)

```
# /etc/network/interfaces
auto lo
iface lo inet loopback

# Physical interface
auto ens18
iface ens18 inet manual

# VLAN-aware bridge
auto vmbr0
iface vmbr0 inet static
    address 10.10.1.1/24
    gateway 10.10.1.254
    bridge-ports ens18
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 100 200 300 400
```
### VM Network Configuration Examples
pfSense VM:
- Net0: vmbr0, VLAN 100 (WAN/Management)
- Net1: vmbr0, VLAN 200 (Red Team)
- Net2: vmbr0, VLAN 300 (Blue Team)
- Net3: vmbr0, VLAN 400 (Victim)
Kali Linux VM:
- Net0: vmbr0, VLAN 200
Security Onion VM:
- Net0: vmbr0, VLAN 300
DC01 / WS01 / WS02 / WEB01 / FILE01:
- Net0: vmbr0, VLAN 400
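An added example (not part of the lab documentation) that checks the VLAN plumbing on the Proxmox side: it reads `bridge-vids` from the interfaces file and flags any VM NIC whose `tag=` the bridge does not carry, which is the "VLAN tags correctly assigned in Proxmox VM config" troubleshooting step turned into a script. The interfaces excerpt and the VM `netN:` lines are constructed samples in Proxmox's own config formats, with placeholder MACs.

```python
# Added example, not part of the lab documentation: check that every VLAN tag
# used by a Proxmox VM NIC is carried by the VLAN-aware bridge it attaches to.

# Constructed /etc/network/interfaces excerpt, matching the vmbr0 stanza above.
INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    bridge-vlan-aware yes
    bridge-vids 100 200 300 400
"""

# Constructed NIC lines in Proxmox's /etc/pve/qemu-server/<vmid>.conf format
# (placeholder MACs); ws01 carries a mistyped tag 40 that the bridge does not trunk.
VM_CONFS = {
    "pfsense": "net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,tag=100\n"
               "net1: virtio=BC:24:11:00:00:02,bridge=vmbr0,tag=200\n",
    "kali":    "net0: virtio=BC:24:11:00:00:05,bridge=vmbr0,tag=200\n",
    "ws01":    "net0: virtio=BC:24:11:00:00:06,bridge=vmbr0,tag=40\n",
}

def bridge_vids(interfaces_text):
    """Map each iface stanza with bridge-vids to its VLAN id set; '2-4094' ranges expand."""
    vids, current = {}, None
    for line in interfaces_text.splitlines():
        parts = line.split() or [""]
        if parts[0] == "iface":
            current = parts[1]
        elif parts[0] == "bridge-vids" and current:
            ids = set()
            for tok in parts[1:]:
                lo, _, hi = tok.partition("-")
                ids.update(range(int(lo), int(hi or lo) + 1))
            vids[current] = ids
    return vids

def vm_tags(conf_text):
    """Yield (nic, bridge, tag) for each netN line; tag None means untagged."""
    for line in conf_text.splitlines():
        if not line.startswith("net"):
            continue
        nic, _, opts = line.partition(":")
        kv = dict(opt.strip().split("=", 1) for opt in opts.split(",") if "=" in opt)
        yield nic, kv.get("bridge"), int(kv["tag"]) if "tag" in kv else None

def check_vm_tags(interfaces_text, vm_confs):
    """Return one finding per NIC whose bridge has no bridge-vids or whose tag it lacks."""
    vids = bridge_vids(interfaces_text)
    findings = []
    for vm, conf in vm_confs.items():
        for nic, bridge, tag in vm_tags(conf):
            if bridge not in vids:
                findings.append(f"{vm} {nic}: bridge {bridge} has no bridge-vids (not VLAN-aware?)")
            elif tag is not None and tag not in vids[bridge]:
                findings.append(f"{vm} {nic}: tag {tag} not in {bridge} bridge-vids")
    return findings
```

On a real host, feed it the contents of `/etc/network/interfaces` and of each `/etc/pve/qemu-server/<vmid>.conf`; an empty result means every tagged NIC is trunked by its bridge.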
## IP Address Allocation Table
| VLAN | Network | Device | IP Address | Role |
|---|---|---|---|---|
| 100 | 10.10.1.0/24 | Proxmox Host | 10.10.1.1 | Hypervisor |
| 100 | 10.10.1.0/24 | pfSense WAN | 10.10.1.2 | Internal router |
| 100 | 10.10.1.0/24 | Unifi Router | 10.10.1.254 | Gateway/Internet |
| 200 | 10.10.2.0/24 | pfSense (RED) | 10.10.2.1 | VLAN 200 gateway |
| 200 | 10.10.2.0/24 | Kali Linux | 10.10.2.50 | Attacker workstation |
| 300 | 10.10.3.0/24 | pfSense (BLUE) | 10.10.3.1 | VLAN 300 gateway |
| 300 | 10.10.3.0/24 | Security Onion | 10.10.3.100 | SIEM/IDS |
| 400 | 10.10.4.0/24 | pfSense (VICTIM) | 10.10.4.1 | VLAN 400 gateway |
| 400 | 10.10.4.0/24 | DC01 | 10.10.4.10 | Domain Controller |
| 400 | 10.10.4.0/24 | WS01 | 10.10.4.20 | HR Workstation |
| 400 | 10.10.4.0/24 | WS02 | 10.10.4.21 | IT Admin Workstation |
| 400 | 10.10.4.0/24 | WEB01 | 10.10.4.30 | Web App Server |
| 400 | 10.10.4.0/24 | FILE01 | 10.10.4.40 | Legacy File Server |
## Security Isolation Matrix
| From VLAN | To VLAN 100 | To VLAN 200 | To VLAN 300 | To VLAN 400 | Internet |
|---|---|---|---|---|---|
| 100 (Mgmt) | ✅ Allow | ✅ Allow | ✅ Allow | ✅ Allow | ✅ Allow |
| 200 (Red) | ❌ Deny | ✅ Allow | ❌ Deny | 🔶 Lab-based | ✅ Allow |
| 300 (Blue) | ✅ Allow | ❌ Deny | ✅ Allow | 👁️ Monitor only | ✅ Allow |
| 400 (Victim) | ❌ Deny | ❌ Deny | ❌ Deny | ✅ Allow | ✅ Allow |
Legend:
- ✅ Allow - Traffic permitted
- ❌ Deny - Traffic blocked by default
- 🔶 Lab-based - Enabled per exercise (pfSense rules)
- 👁️ Monitor only - SPAN/mirror traffic for IDS
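The matrix above encoded as a test plan (added example, not part of the lab documentation): `check_segmentation` compares what a host on a given VLAN can actually reach against what the matrix says it should reach, with "Lab-based" resolved by whether an exercise is currently open and "Monitor only" treated as no direct reachability. The probe is injected, so the same logic runs on real `ping`/TCP results; the results used here are constructed stand-ins.

```python
# Added example, not part of the lab documentation: turn the isolation matrix
# into a test plan and compare it with observed reachability. The probe is
# injected so the same check runs on real ping/TCP results or, as here, on
# constructed ones.

# Matrix rows as written above: "lab" = Lab-based, "monitor" = Monitor only.
POLICY = {
    100: {100: "allow", 200: "allow", 300: "allow", 400: "allow",   "internet": "allow"},
    200: {100: "deny",  200: "allow", 300: "deny",  400: "lab",     "internet": "allow"},
    300: {100: "allow", 200: "deny",  300: "allow", 400: "monitor", "internet": "allow"},
    400: {100: "deny",  200: "deny",  300: "deny",  400: "allow",   "internet": "allow"},
}

# One probe target per destination, taken from the allocation table; the
# "internet" target is whatever the probe treats as an external host.
TARGETS = {100: "10.10.1.2", 200: "10.10.2.50", 300: "10.10.3.100",
           400: "10.10.4.40", "internet": "internet"}

def expected_reachable(cell, exercise_open):
    """Resolve a matrix cell to the reachability pfSense should show.
    'lab' is reachable only while an exercise has opened VLAN 200 -> 400;
    'monitor' is passive mirroring, never direct reachability."""
    if cell == "allow":
        return True
    if cell == "lab":
        return exercise_open
    return False  # "deny" and "monitor"

def check_segmentation(src_vlan, probe, exercise_open=False):
    """Call probe(target) for every destination of src_vlan and return the
    (dst, expected, observed) triples where reality disagrees with the matrix."""
    violations = []
    for dst, cell in POLICY[src_vlan].items():
        want = expected_reachable(cell, exercise_open)
        got = bool(probe(TARGETS[dst]))
        if want != got:
            violations.append((dst, want, got))
    return violations

# Constructed results standing in for `ping -c 1 -W 1 <target>` run from Kali
# (VLAN 200) before any lab rule is enabled. FILE01 answering is the finding:
# the Red Team -> Victim path is open while the matrix says it should be closed.
KALI_OBSERVED = {"10.10.1.2": False, "10.10.2.50": True, "10.10.3.100": False,
                 "10.10.4.40": True, "internet": True}

def kali_probe(target):
    return KALI_OBSERVED[target]
```

Running the same check from Security Onion (VLAN 300) and from a victim host (VLAN 400) covers the remaining rows of the matrix.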
## Traffic Mirroring for IDS (Security Onion)

To enable Security Onion to monitor VLAN 400 traffic:

Option 1: pfSense Packet Capture

```
# On pfSense, enable packet mirroring to Security Onion
# Diagnostics → Packet Capture → Mirror to 10.10.3.100
```

Option 2: Cisco Switch SPAN Port

```
! Configure SPAN to mirror VLAN 400 to Security Onion monitoring port
monitor session 1 source vlan 400
monitor session 1 destination interface GigabitEthernet0/10
! Connect Security Onion monitoring interface to Gi0/10
```

Because every lab VM, pfSense included, sits on the same vmbr0 bridge, traffic between them (Kali → pfSense → FILE01, or DC01 ↔ WS02) is switched inside the Proxmox host and never crosses the trunk, so a switch SPAN on VLAN 400 sees only the traffic that enters or leaves the host, such as Internet-bound updates. Option 3 is the one that captures intra-host lab traffic.

Option 3: Proxmox TAP Interface
- Create virtual TAP between VLAN 400 bridge and Security Onion
- Security Onion gets promiscuous interface for passive monitoring
## Quick Setup Checklist

### Physical Infrastructure
- Connect Proxmox server to Cisco switch via trunk port
- Connect Cisco switch to Unifi router via trunk port
- Configure VLANs 100, 200, 300, 400 on Cisco switch
- Enable VLAN-aware bridge on Proxmox (vmbr0)

### Unifi Router
- Create VLAN networks (100, 200, 300, 400)
- Set subnet for each VLAN (10.10.x.0/24)
- Configure firewall rules (optional - pfSense handles most)

### Proxmox Configuration
- Edit `/etc/network/interfaces` with VLAN-aware bridge
- Reboot Proxmox host
- Verify bridge with: `ip link show vmbr0`

### pfSense VM Deployment
- Create pfSense VM with 4 network interfaces
- Assign interfaces: vtnet0-3 to VLANs 100, 200, 300, 400
- Configure WAN (VLAN 100): 10.10.1.2
- Configure LAN interfaces for other VLANs (.1 addresses)
- Set up firewall rules per module requirements

### VM Deployment
- Deploy Kali Linux on VLAN 200
- Deploy Security Onion on VLAN 300
- Deploy victim systems on VLAN 400 (DC01, WS01, WS02, WEB01, FILE01)
- Configure static IPs per allocation table
- Join Windows systems to apophis.local domain

### Verification Tests
- Ping test: Kali → pfSense (10.10.2.1) ✅
- Ping test: Kali → FILE01 (10.10.4.40) ❌ (blocked by default)
- Ping test: Security Onion → pfSense (10.10.3.1) ✅
- DNS resolution: DC01 resolves apophis.local
- IDS test: Generate Suricata alert from Kali scan
- Web UI access: pfSense (10.10.1.2), Security Onion (10.10.3.100)
## Diagram for Visual Tools
If you want to create a visual diagram, use these tools:
Recommended Tools:
- Draw.io (diagrams.net) - Free, exports to PNG/SVG
- Lucidchart - Professional network diagrams
- Microsoft Visio - Enterprise standard
- Netbox - Network documentation platform
Import Template:
Copy this structure into your diagram tool:
Physical Layer:
- Internet → Unifi Router → Cisco Switch → Proxmox Server
Virtual Layer:
- 4 VLANs (100, 200, 300, 400) connected via pfSense VM
- VMs grouped by VLAN with IP addresses
Visual Style (Apophis Branding):
- Use crimson (#D72638) for Red Team components
- Use cyber blue (#0056B3) for Blue Team components
- Use silver (#E0E0E2) for infrastructure
- Use obsidian (#1B1B1E) for victim network
- Sharp corners (no rounded edges)
## Troubleshooting
Issue: VMs can't communicate across VLANs
- Check: pfSense firewall rules allow traffic
- Check: VLAN tags correctly assigned in Proxmox VM config
- Check: Cisco switch trunk allows all VLANs
Issue: Security Onion not seeing traffic
- Check: SPAN/mirror configured on switch or pfSense
- Check: Promiscuous mode enabled on monitoring interface
- Check: Suricata/Zeek services running
Issue: Domain join fails (VLAN 400)
- Check: DC01 DNS configured (10.10.4.10)
- Check: pfSense allows DNS/Kerberos (ports 53, 88, 389)
- Check: Time sync between DC01 and workstations
Issue: Kali can't reach victim network
- Expected: By default, VLAN 200 → 400 is blocked
- Fix: Enable pfSense rule per lab module requirements
## Notes
- Isolation: Red Team (VLAN 200) is isolated from victim network by default
- Lab Control: Enable/disable Red Team access via pfSense firewall rules per module
- Monitoring: All inter-VLAN traffic logged for Blue Team analysis
- Internet Access: All VLANs can reach Internet via Unifi router NAT (for updates)
- Management: Access Proxmox/pfSense from VLAN 100 only
Security: This lab is intentionally vulnerable. Do NOT expose to public Internet.
## Next Steps
- Review: `.claude/MOD1_Secure_Infrastructure.md` for detailed pfSense setup
- Deploy: Follow VM installation guides in each module
- Test: Run connectivity tests before starting MOD2
- Snapshot: Create baseline snapshots after initial setup
"Order from Chaos" 🐍 - Apophis Networking Security Lab