- 09-19-2012 #1
Before I spend the money I'd appreciate a little feedback...
I can't do what I want with just what I currently have. I think I'll need to spend about ~$200 ($150 + shipping for everything I don't already have).
I've learned so much since the last time I posted on this topic a few days ago that I decided to start a new thread on the subject.
I *think* this will work. If not please poke holes in it before I spend the cash on an old PC / cables / switches.
I have already checked for Linux compatibility and all is good.
Note: Things got a little borked when I converted it from text to image so that it wouldn't be completely jacked up when I posted it.
Just to be clear: The modem is wired to the gateway. The wireless router and the two switches are wired from the gateway.
Last edited by Steven_G; 09-19-2012 at 05:31 AM. Reason: Clarification
- 09-19-2012 #2
Looks OK to me. A couple of questions:
- Do you need a DMZ? If you could run those services on your LAN you might get away with one less switch and trade off some flexibility.
- Would your wireless LAN be better shared off of your DMZ switch to make the access rules easier? Could you serve your wireless clients better by running it off the main LAN switch?
- 09-19-2012 #3
My goal is to come as close as possible (with what I can afford) to emulating an enterprise class network.
I've gotten so deep into this I've even checked out my fuse box to see how many amps I can pull b/c I was considering taking the guts of a bunch of old junk PCs and building a Beowulf cluster. But, using an old PC for a gateway and adding some NICs and switches is far cheaper and easier.
This will be both a learning experience and a tool. I'm a 30 year end user. I know nothing about networking. The design is based on the most complicated network that IPCop is designed to handle.
I figure it will probably take me ~6 months to build / configure the systems and master the involved skills.
Then I use the systems to study for about a 1/2 dozen certs.
The 1/2 dozen certs will qualify me to enter a fast track school where I can get a MS Info Sec in ~4-5 years. As I go through school I can use my net to learn / practice.
As of now I don't know poop from squat about hooking two PCs together. As a matter of fact I've always been the anti-networking guy. I rip out everything network related and lock the machine down so hard that it will only connect on port 80 for speed and security. I've even gone so far as to install custom XML templates in the LGPE to permanently disable IPv6 in W7U. (I'll be starting with a fresh W7U install. I have to learn how to secure the sloppy stuff too b/c corporate America is not going to let me do stuff like kill IPv6 just b/c it's a crappy protocol.)
Also, the switches are small business gizmos put out by netgear a few years ago. They are combo router / switch / firewalls.
I put the E mail, Web and DNS in the DMZ b/c that's what IPCop said to do. I figured the host *nix system could also be the DNS server with the two VMs being the web and the e mail servers. Or maybe the host will be the web server? IDK yet. I'll have to see what works best. But the load on the whole system will be very light as it will just be for me to learn and test.
On the internal network I forgot to add in the *nix admin VM. I think I am overloading that host. I think I will have to also use the old 1501 and maybe the netbook on the internal net as well. The 1501 can handle the host and one light load VM and the netbook can handle something light and headless.
But, if I use those then somewhere down the line I will have to buy something to be the attack / audit / pen testing machine. But, I'll worry about that later.
Right now I just want to make sure that the basic principles of both the physical and virtual networks are sound before I go drop $200 on a solution that won't work.
- 09-19-2012 #4
If the exercise is about configuring the network services and making things work across subnet boundaries, etc. then you may be able to dispense with much of the wiring. Use one main machine on the internal LAN as file server, and run a series of small VMs on it to do the services.
What I'd do, if I were going to do this might be something like this:
Create the LAN with a hub connected to the server, the firewall. Set up main server, add half a dozen small/light VMs to it, get it connected to the internet through the IPCop/Smoothwall/whatever firewall.
Add a physical machine to the network - use static IP addresses, ensure it can talk to the internet. Add your wireless network to your main LAN and configure that using static IP addresses in the first instance.
Start adding services, probably in this order: DNS, DHCP (with dynamic updates to DNS), Mail, Web sites, NIS/YP/Windows Domain for network-based logon. Install and configure each of these services on a separate VM on the main server. They'll be so lightly loaded you'll be able to get away with lots of them provided care is taken with disk space. Somewhere along the line the Wireless point and desktop will be moved over to use DHCP.
Introduce the DMZ, add a physical server in there, and set up the security on it all. Migrate the Web and email VMs onto the DMZ server, then lock those down too. Contrary to what you've been told, your DNS server for your LAN doesn't need to be in your DMZ. If the firewall stops access to it from your DNS machine from the internet and DMZ, then it's fine running on its own VM server inside your lan. Mine runs in a chroot jail on my server (this is the standard configuration that comes with bind on CentOS).
If you do that, you've pretty much been through the pain of growing a small LAN into something representing a small corporate network. After this lot, you can look further to things like using LDAP and adding other corporate services like code repositories (git, SVN, et al.), document management systems, shared calendaring, etc.
- 09-19-2012 #5
OK, that's a lot to chew on and a lot of it is over my head. But, that's cool. It just means that I have some stuff to go look up and learn about. Thanks for the feedback.
But, I need to ask:
The focus of where I want to be is in the security end of things. Hence an MS in Info Sec. As I understand it this means I will need to be a jack of all trades and master of security, but not necessarily other things. From what I have read I will need to get down the basics of network admin and design across all areas of a network and some basic programming and some testing / auditing + some other stuff. One of the certs I will be going for a few years from now actually has physical security as one of the components; which I've done at a semi-high level for the last 15 years. (DOD civilian security contract employee.)
With that in mind: Do I need to get as deep into the admining side of things as you suggest to be able to truly understand and test / secure these systems?
- 09-19-2012 #6
I don't mean to overstep or seem rude, but if you are going to put this much time and money into it, why not go to a university and get a BS in something like CIT (Computer Information Technology)? You can study network admin in that major, and it would look way better than some certs. It is never too late to go to school either. I am 35 and attending university for a computer science degree.
Like I said, I don't mean to be rude or anything, but if you plan on getting a job doing this, the degree would be more valuable and get a lot more offers.
- 09-19-2012 #7
You'll probably end up looking at packet traces for data running over real networks, captured in your test environment. And you'll probably want to dispense with the IPCop system early on, so you can take personal responsibility of the packet filtering going on - this is where you'll learn what is what. The tools are different between Linux and commercial OS's but the principles are the same.
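The three-legged policy sketched in posts #4 and #7 (DMZ hosts reachable from the internet only on their published ports, the DMZ unable to open new connections into the LAN, DNS left on an internal VM, and the filtering done by hand rather than by IPCop) written out as an iptables-restore ruleset. This is an added example, not the thread's own configuration; interface names, subnets and host addresses are assumptions.

```shell
#!/bin/sh
# Assumed topology (not from the thread): eth0 = WAN, eth1 = LAN, eth2 = DMZ.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24
WEB_DMZ=192.168.2.20; MAIL_DMZ=192.168.2.25   # constructed DMZ host addresses

# Print the ruleset in iptables-restore format. Default policy is DROP on
# INPUT and FORWARD, so anything not listed (including every new DMZ->LAN
# and WAN->LAN connection) is silently discarded; DMZ->LAN attempts are
# logged first so the drops show up in the firewall's kernel log.
fw_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# firewall itself: loopback, replies, and SSH from the LAN side only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# reply traffic for any connection that was allowed below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may reach the internet and the DMZ
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
# internet may reach only the published DMZ services
-A FORWARD -i $WAN -o $DMZ -d $WEB_DMZ -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $MAIL_DMZ -p tcp --dport 25 -j ACCEPT
# DMZ may talk outbound (e.g. to a public resolver) but never into the LAN
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
-A FORWARD -i $DMZ -o $LAN -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-to-LAN-drop "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset atomically (needs root on the firewall host).
apply_rules() {
    fw_rules | iptables-restore
}
```

Run `fw_rules` first and read the output; only call `apply_rules` on the gateway itself.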
- 09-19-2012 #8
I will be going to school; just not a traditional one.
The school I want to go to won't admit you unless you already have either an AS in Comp Sci or a handful of certs (less than 3 years old) picked from their list.
Then you take classes like MCITP, Cisco CCNA, CISSP, CEH, CHFI and many others. They combine these with a few electives and roll it into a BS or MS. It's a fast track school. It takes (once you qualify to enroll) ~2 years for a BS and about ~4 for an MS. I should have my MS about 5 years from now counting my prep time to get the certs to qualify to enroll.
Unlike any other school that I know of these guys give you college credit for the certs. You graduate with a degree and about 15 of the most coveted certs in the industry.
I've scoped these guys out. This is not UoP. They are legit. They are an accredited university. They have lots of programs. The programs are certified by about 30 different tech companies and federal agencies. Everybody from Sun, Dell and MS to the NSA.
From what I've read their MS in Info Sec + the ability to get a clearance (which I already have) is pretty much all you need to walk into an entry level job at the NSA.
I read lots of guys who have been in the industry forever. This is the way they spin it: Without a degree no one will look at your resume. Without certs you won't get an interview. Without experience it's hard to get an entry level job and impossible to get a good one. They recommend that after you've been in school a while and have a clue that you volunteer IT admin services to charities so that you have real world experience on your resume. So I will. (Still looking into this one. They say it can be done, but I'm not seeing where.)
Hopefully all of this will mean that in 5 years I can go from being a $25k a year physical security guard to a 100-150K a year computer "security guard".
If the guys I read are right then you'll have a harder time finding work with a "traditional" degree, no certs and no experience than I will doing it in 1/2 the time at 1/2 the cost.
- 09-19-2012 #9
I have certs, but with a BS in comp sci and hopefully a BS in mathematics shortly after, I won't have to look at another network lol. I want to code. I want to write code for drivers, I want to be a database programmer, etc... Companies don't accept certs for that kind of job, so a "traditional" degree suits what I want to do just fine, and it will only take me 3 years to get a BS in CS.
I do understand why you are doing it the way you are, I would just do it differently for me, but I am also not in the same situation you are (whatever that may be). UoP is an accredited school btw, just not respected by anyone doing any kind of hiring. I am going to a 4 year state college because my place of business closed and the govt is paying for it, so I will be in no debt and they will pay me a weekly paycheck just to go and pass my classes.
Anyway, good luck and if I can help with your project just let me know.
Last edited by gruven; 09-19-2012 at 09:12 PM.