This Real-World Network Architecture and CyberSecurity Lab aims to establish a controlled environment simulating and detecting cyber attacks, setup up and secure Routers, Switches using security best practices, User provisioning and deprovisioning, as well as other system administration responsibilities. The primary focus was to ingest and analyze logs within a Security Information and Event Management (SIEM) system, generating test telemetry to mimic real world attack scenarios, perform system and network documentation.
This hands-on experience was designed to deepen understanding of network security, Network architecture, attack patterns, and defensive strategies.
- Advanced understanding of SIEM concepts and practical application.
- Proficient in analyzing and interpreting network logs.
- Enhanced knowledge of network protocols and security vulnerabilities
- Development of critical thinking and problem-solving skills in cybersecurity and networks.
- Proficient with cisco IOS to configure Routers and Switches
- (Snort, Suricata, PfBlockNG) Security Information and Event Management (SIEM) system log ingestion, Analysis and Blocking Malicious IPs.
- Network analysis tools (Wireshark, Advanced IP Scanner) for capturing and examining network traffic.
- Network Documentation (Packet Tracer, GitHub)
- Firewall tool (Pfsense) for protecting the network.
- Cisco Router (csr1000v) for routing packets
- Windows 11 Ent Client for client machines
- Windows 2016 Core Server for DHCP, DNS and WINS IP configurations to client machines as well as Windows Server as a Router
- Windows 2016 GUI Server for managing the network (Router, Firewalls, and computers)
- VPN that is setup to be Point-to-Point.
- Active Directory Domain Service (Forest and Child Domain), Redundant Domain Controllers for Authentication, Authorization and Availability.
- Pfsense Firewall and created Firewall Rules, blocking unnecessary ports.
- Routing rules Blocking specific Ip Addresses.
- Hyper-V Virtualization using Virtual Network Adapters to connect all Virtual Machines in this lab.
Ref 1: Network Diagram
Ref 2: Hyper-V Manager - Hosting all of the Virtual Machines used in this Project
The Final Network Architecture including (Security Operations Center, Attack Network, System Administration, Virtual Private Networks, Office & Corporate Envrironments, and the Intermediary Devices Cisco Router Csr1000v and Windows Routing)
Ref 3: Windows VPN Server on LAN 4 to setup the PFsense-FW3
We ned an IP Address to communicate to other end-point devices. IN this case its the firewall. The default gateway is the Pfsense Firewall. The is directlt connected to the PFsense, so it is faster to configure it using this server than configuring the WDS01 and routers just to get to the Firewall to get internet.
Ref 4: Pfsense Firewall IP address setup
This allows up to get access to the Pfsense web interface to further do firewall configurations, rules and download packages.
Our VPN server is directly connected to LAN 4, as well as the LAN interface side of the Pfsense-FW3. The WAN interface side of the Pfsense-FW3 is automatically getting a IP Address from the Internet Service Provider and using NAT to translate internal IP addresses into a single address for connecting out onto the internet.
Ref 5: Pfsense Web Interface on HTTP
Ref 6: Pfsense Web Interface for firewall configurations - Setting DNS, and Domain
Ref 7: Setting the Timezone for my current location
Ref 8: Updating Pfsense to its latest version to mitigate vulnerability in the software
Ref 9: Change the default PFsense web interface to use HTTPS instead of HTTP
Pfsense-FW1 Setting up TCP & UDP Aliases and Firewall Rules to be able to access the internet on the LAN interface
Ref 10: Creating a TCP group of Ports called an Alias to use for convenience instead of having single Port rules.
Ref 11: Creating a UDP group Alias.
Ref 12: Using the TCP Aliase in a firewall Rule to Allow Traffic on these ports
Ref 13: Using the UDP Aliase in a firewall Rule to Allow Traffic on these ports
Ref 14: Creating a Rule to Allow ICMP Traffic (Echo Request, Echo Reply, Destination Unreachable, Time Exceeded and Parameter Problem on the LAN Interface ) For pinging
Ref 15: Reject ANY traffic that is not on the Allow Rules
Ref 16: Install PFBlockerNG Package
Ref 17: The DNS Url and IP Address Block list created by PFBlockerNG
PFBlocker assigns many Ip Address Url lists such as IBlock Lists into a single Alias and choosing a Rule action to block Counrties, DNS and IP Block list Ranges.
It aggregates several IP and DNS block lists into a single Alias that can be checked.
This Stops traffic before the DNS Name resolution is even complete. Reducing the processing.
Ref 18: Installed Snort
Ref 19: Snort Running on Both Interfaces WAN & LAN
Ref 20: LAN Configuration of Snort
Ref 21: WAN Configuration in snort
Ref 22: Snort Global Configurations 1
Ref 23: Snort Global Configurations 2
Ref 24: Snort Global Configurations 3
Ref 25: Create a Passlist on snort to allow your internal network to flow threw and not get blocked
Ref 26: Snort Pass List
Ref 27: If you realize you don't have internet or you can't ping the firewall, you were maybe blocked.
Remove yourself from the block list by just clicking the "x" on the right side. Now you should be able to ping and have internel access.
Ref 28: Include the Pass list on the snort LAN interface
Snort does signature based and Protocol Based Detection
Snort shows alerts and Blocks suspected IP Addresses
sconfig
Change the Computer Name
Update the timezone if necessary
Ref 29: Allow Remote Management and update the IP Adrdesses of Each INterface
- winrm Quickconfig
- set-netfirewallrule -Profile Public,Private,Domain -DisplayGroup "Windows Remote Management" -Enabled True
Ref 30: Rename Net Adapter Name
- rename-Netadapter -name "Ethernet 2" -newname "LAN1"
- rename-Netadapter -name "Ethernet" -newname "LAN4"
- rename-Netadapter -name "Ethernet 3" -newname "LAN6"
And then Set the IP Addresses for Each LAN Interface:
- new-netipaddress -InterfaceAlias LAN1 -Ipaddress 192.168.1.254 -PrefixLength 24
- new-netipaddress -InterfaceAlias LAN4 -Ipaddress 192.168.4.253 -PrefixLength 24 -DefaultGateway 192.168.4.254
- new-netipaddress -InterfaceAlias LAN6 -Ipaddress 192.168.6.254 -PrefixLength 24
Ref 31: Setting up default routes for unknown destinations for LAN 1 and LAN 6
- netsh interface ipv4 show interfaces
- netsh interface ipv4 add route 0.0.0.0/0 "LAN1" 192.168.4.254
- netsh interface ipv4 add route 0.0.0.0/0 "LAN6" 192.168.4.254
- route print
Shows the Name and index
Set default route
Set default route
Verify that the default route has been set correctly
Disable IP Version 6 on the Interfaces
- disable-NetAdapterBinding -Name LAN1 -ComponentID ms_tcpip6
- disable-NetAdapterBinding -Name LAN4 -ComponentID ms_tcpip6
- disable-NetAdapterBinding -Name LAN6 -ComponentID ms_tcpip6
- route print
Verify that the default route has been set correctly
Ref 32: Add roles and Features to setup this Core server as a router
Ref 33: Choose The Role for "Routing"
Ref 34: Add Remote management tools to the WDS01 Management and Deployment Server
Ref 35: Setup routing on the LANR1-4-6 Server. Choose "Custom Configuration" and then "LAN Routing"
Ref 36: Setup Static Routes, So packets can get through the router and onto the other side
Ref 37: Setup the IP Addresses for (GigabitEthernet1) LAN1 and (GigabitEthernet2) LAN 5 Interfaces on the Router
Ref 38: Setup Passwords for enable mode
Also encrypt the plain text passwords on running-config using "service password-encryption"
Ref 39: Setup Line VTY (Virtual Teletype)
Ref 40: Created usernames and passwords
for those users using the password policy for string passwords and over 20 characters and only allow username and password to login
Ref 41: Setup SSH on the Router
SSH allows for encryted traffic in both directions for confidentiality
Ref 42: Setup Static Routes
Allows for communication with the other Networks in our infrastructure.
Ref 43: Cisco Routing table with A Static Route for unknown destinations "Last Resort"
Ref 44: Setup ACLs
This was setup for the furture in case of malicious IP on the network that needs to be blocked. To mitigate risk.
Ref 45: Pfsense copyright Acceptance to accept
Ref 46: Installation of Pfsense
Ref 47: Choose Manual Disk Setup (experts)
This method is the only one that works so far while using Pfsense.
Ref 48: Auto Disk setup
This created three partitions (da0p1 da0p2, da0p3)
Ref 49: Commit these changes
Ref 50: Extracting the files and installing them on the disk.
Ref 51: Installation of Pfsense is Complete
After the installation is complete we will go to the shell.
Ref 52: Halt Pfsense
We need some tiem to remove the ISO before Pfsense Reboots, Otherwise we will get the screen to Install Pfsense again.
Eject the Pfsense ISO disk at this time.
After ISO is ejected. CLick any key to continue with the reboot.
Ref 53: Pfsense Initial Screen after reboot
Only the default LAN ip address is setup. We will change this to our internal IP Addresses.
Ref 54: WAN interface IP Address setup
This is pointing to the internet
Ref 55: Setup the LAN and WAN Ip Addresses
Now we will have access to the Pfsense web interface from within the LAN network that is directly connected
Ref 56:
The configuration process will be the same as Pfsense-FW2 expect for the IPS/IDS system
Then we will setup Active Directory, DHCP,DNS and WINS Server. then add a redundant DC02 controller for Availability purposes.
Ref 57: Updating the Firewall TCP Alias to include Active directory ports on the LAN
Updating the Firewall rule to allow Active Directory Services Inbound on TCP ports on the WAN interface
Ref 58: Updating the Firewall UDP Alias to include Active directory ports on the LAN
Updating the Firewall rule to allow Active Directory Services Inbound on TCP ports on the WAN interface
Ref 59: Created the Randomly allocated port used by Active Directory to use inside of TCP_Standard_Outbound
The use of both a main firewall connected to the internet and an internal firewall within a network serves to enhance security through multiple layers of protection. Here’s a breakdown of their roles:
Main Firewall (Perimeter Firewall):
Purpose: Acts as the first line of defense between the external world (the internet) and your internal network. Functions: Traffic Filtering: Monitors and controls incoming and outgoing traffic based on predefined security rules, allowing or blocking traffic based on IP addresses, ports, and protocols. Attack Prevention: Protects against external threats such as DDoS attacks, malware, and unauthorized access attempts. VPN Termination: Often handles VPN connections for remote users or branch offices. Network Address Translation (NAT): Hides internal IP addresses from external entities and translates them into public addresses. Internal Firewall (Internal or Layer 2/3 Firewall):
Purpose: Provides additional security within the internal network, protecting different segments or departments from each other. Functions: Segmenting the Network: Divides the network into segments (e.g., by department, sensitivity level, or function) to limit the spread of threats within the network. Access Control: Enforces policies for traffic between different internal segments, ensuring that only authorized users and devices can communicate across boundaries. Monitoring and Logging: Tracks internal network activity and detects unusual patterns or potential threats that might not be visible to the perimeter firewall. Threat Containment: Helps in isolating compromised systems or preventing lateral movement by attackers within the network. Benefits of This Dual Firewall Approach:
Defense in Depth: By having multiple layers of security, you reduce the risk of a single point of failure. Even if an attacker bypasses the perimeter firewall, the internal firewall can still offer protection. Granular Control: Internal firewalls allow for more precise control of traffic between different segments of your network, which is useful for implementing strict security policies and minimizing risks. Reduced Impact of Breaches: In the event of a security breach, internal firewalls can limit the scope of damage by preventing attackers from easily moving within the network. Compliance and Best Practices: Many regulatory frameworks and security best practices recommend or require the use of multiple layers of firewalls and network segmentation. In summary, the main firewall secures the boundary between the external internet and your internal network, while the internal firewall enhances security within the network, providing additional control and segmentation. This layered approach helps in building a more resilient and secure network infrastructure.
Ref 60: DC01 IP Address configuration
Ref 61: DC01 remove ipv6 binding and allow remote management from the firewall
Ref 62: Added DC01 to Server Manager
Ref 63: Install Active Directory DS and DNS Roles
Ref 64: Created a new forest
Promote ot Domain Controller
Ref 65: Removing ipv6 and updating DNS
After successful Installation of ADDS update the ip configuration removing ipv6 and updating DNS
Ref 66: Join the Domain from the WDS01 VM
Ref 67: Setup DNS Server REverse Lookup Zones
Ref 68: Added DHCP and WINS to DC02
Ref 69: Adding DHCP Scopes for issuing IP Addresses and IP Configurations
Ref 70: DC01 Added IP Address Ranges for all Subnets
Ref 71: Added the Domain namd and DNS Ip Addresses
Ref 72: WINS Server setup
Ref 73: Added DC02 to Server Manager
Ref 74: Promoting DC02 as a Domain Controller
Installed Active Directory Domain Srevices and DNS Roles at the same times.
Ref 75: DC02 will replicate resources from DC01
Ref 76: Update the forwarders
Ref 77: DC02 DNS Zones were Replicated automatically from DC01
Ref 78: Replicate from DC01 for names and computers
Ref 79: Recored names of connected computers
Ref 80: Active Registrations then click find now - this will be replicated between DC01 and DC02
Ref 81: Showing that we successfully setup two domain controllers for avalability purposes
Ref 82: Splitting the Scopes of DC01 so that it is a shared resoponsibility between DC01 and DC02 50/50
Ref 83: Setting the Percentage split to 50/50
Ref 84: After the Scopes are Split on DC01 DHCP Server - We need to activate all the scopes on DC02 DHCP Server to have Redundant DHCP
Ref 85: DC02 - Restart the DHCP service and now our scopes are split and activated
The Green check shows it is running and Activated
Ref 86: Make sure the DHCP Relay Agent now has our DC01 and DC02 ip addresses so that if computers need to get IP configurations, The router will send ttheir request to those Servers.
Ref 87: Added a mapped drive to the DC01 and DC02 secret shared Folders \\DC01.giovanni.cspec\C$
Ref 88: Download the Splunk Enterprise Free trial from their website
Splunk: https://www.splunk.com/en_us/download/splunk-enterprise.html
Ref 89: Splunk downloaded and installed on the SOC Analyst COmputer on LAN 2
Ref 90: Setop the Receiving Port of 9997
This allows for computers to send logs to this computer using their port of 8089 and we will receive it on port 9997
Ref 91: Settup port 9997 for recieving Logs
Ref 92: Lets create an index to store our logs
This is like a bucket for logs
Ref 93: Create an index called endpoint
Ref 94: the "endpoint" index was successfully created
Ref 95: Create a "New Rule" and Select Program
This should be done on both the Splunk Server and the Client VMs, so logs are not denied or dropped
Ref 96: Locate Splunk within Program Files
Ref 97: Choose Splunk
Ref 98: Select the Bin (Binary) Folder
this is where the executable files live
Ref 99: Choose "Splunkd.exe"
Ref 100: Confirmation that its this program
Ref 101: Allow the Connection
Ref 102: Apply to all Profiles
Ref 103: Give it a Name "Splunkd Allow Inbound"
For Splunk ports to allow, You can Allow additionally Port 8089
Ref 104: Download SPlunk Universal Forwarder
Splunk Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html
Ref 105: The Download is complete on the PC4 Computer
Ref 106: Run the Setup
Then Click "Next"
Ref 107: Add username and Password
Leave the Generate Random Password checked
Ref 108: Set the Deployment Server to IP Address of the SOC Analyst computer
We did not setup a deployment server, But we can Put it for in the future we want to create one.
Ref 109: Set the Receiving Indexer
This is also going to be our Splunk Server
Ref 110: Microsoft SysInternals website
Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Ref 111: Github - Select sysmonconfig.xml
Ref 112: inside the file to see its contents
Ref 113: Select Raw
Ref 114: Right click and Save as
Ref 115: Save it as xml and "Extract all"
Sysmon Config: https://github.com/olafhartong/sysmon-modular
Sysmon Config Raw: https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
Ref 116: Copy the address
Copy the Address for later on on Powershell
Ref 117:
Installing Sysmon and Specifying a configuration file
cd C:\Users\Administrator.GIOVANNI\Downloads\Sysmon
.\Sysmon64.exe -i ..\sysmonconfig.xml
Now this will install Sysmon for you once you Select "Agree"
Ref 118: where to find the input.conf file
** DO NOT EDIT the "input.conf" File under Defaults
Ref 119: input.conf
You could copy this file but we will create a new file
Open "Notepad" with administrative privileges
Save the file as "input.conf"
Ref 120: Save the File with the Events to forward configurations
Instructing SPlunk Forwarders to push Events relating to "Application", "Security", "System" and "Sysmon"
This will be in the Endpoint index
** "Remember to Save" **
[WinEventLog://Application]
index = endpoint
disabled = false
[WinEventLog://Security]
index = endpoint
disabled = false
[WinEventLog://System]
index = endpoint
disabled = false
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Ref 121: Go to properties to change the Log on as Field
Ref 122: NT Service
with this login - Splunk might not be able to collect logs, due to some of the permissions
Ref 123: Select "Local System Account" and then Select "Apply"
The new logon wont take into effect until we restart the Splunk Service
This is what we will do because we also updated our "inputs.conf" file
Ref 124: Now the Splunk service will log on as "Local System". This is exactly what we want
Ref 125: Stop the Splunk Service
Restarting the Service seems to be getting an error. So Select Stop
Ref 126: Start the Splunk Service
Sysmon and Splunk Universal Forwarder Running and pushing logs
Ref 127: Both services are running
Ref 128: Log into the Soc Analyst Splunk Server
Remember we've created the index "endpoint" earlier. Now all of the events are being sent over to that index
Click "Search"
Ref 129: Out PC4 is Pushing Events to our SOC Analyst Splunk Enterprise Server
Ref 130: Setting Add Data
Ref 131: Select forwarders
Ref 132: Our Computers are here
Ref 133: Enable Forward Monitoring
Ref 134: Installed suricata from the Package Manager page
Ref 135: Suricata 7.0.6 installation complete
Ref 136: Setting up Suricata Global Settings Part 1
Ref 137: Setting up Suricata Global Settings Part 2
Ref 138: Configure Suricata Global settings Part 3 - Create a Maxmind account
Ref 139: Configure Suricata Global settings Part 4 - Generate a new Maxmind license key
Ref 140: Configure Suricata Global settings Part 5 - Confirm the Generation of new license key
Ref 141: Configure Suricata Global settings Part 5 - Add the Maxmind License Key and Account ID to Suricata
Ref 142: Configure Suricata Global settings Part 5 - Save Global Setting
Ref 143: Configure Suricata Global settings Part 5
If you get errors, Uncheck this "Install snort rules" check box. This requires snort signup.
Ref 144: Update Suricata
Update Suricata rules to pull the signature data onto your instance of Suricata.
Ref 145: Create WAN Interface and Settings
Ref 146: Create WAN Interface and Settings - Part 2
Ref 147: Create WAN Interface and Settings - Part 3 - Save the Settings
Ref 148: Create WAN Interface and Catagories
Then Save the Settings
Ref 149: Start suricata for on the WAN Interface
Ref 150: Create LAN Interface and Settings
Create LAN interface - Use the Same settings except do not check "Block offenders"
Ref 151: Create LAN Interface and Catagories
Ref 115: Start suricata for on the LAN Interface
Ref 116: To verify that Suricata is working,
Notice that I was actually on my WDS01 to configure everything so far, But Now I am on the PC4 as the WDS01 HTTP was Blocked by Suricata
Ref 118: To take someone off the Block list - Click the x button

























































































































































